Yasunori Kirimoto for AWS Community Builders

Trying Out Various Settings for AWS WAF Publishing

I've been experimenting with various settings for AWS WAF publishing 🎉

Advance Preparation

  • Publishing with Amazon CloudFront and Amazon S3

Trying Out Various Settings for Amazon CloudFront Publishing - Publishing in combination with Amazon S3

Publishing with Amazon CloudFront

This is a method of publishing using a combination of AWS WAF and Amazon CloudFront.

AWS Console → Click “WAF & Shield.”

Click "Create web ACL."

Set an arbitrary name. Select CloudFront as the resource type. Select the target CloudFront distribution. Leave the other settings as default this time.

Confirm the settings → Click “Create web ACL.”

Click on the Web ACL that has been created.

You can check the details of the Web ACL.

Publishing only to the specified IP

This is a method for restricting access to the specified IP address in AWS WAF.

As preliminary preparation, configure the Web ACL.

Click "IP sets."

Click "Create IP set."

Set an arbitrary name. Select CloudFront as the region, and select IPv4. Set the target IP address. → Click "Create IP set."

Click the IP set that has been created.

You can check the details of the IP set.

Click "Web ACLs" → Click the target Web ACL.

Click "Rules" → Click "Add rules" → Click "Add my own rules and rule groups."

Select "IP set." Set an arbitrary name, select the IP set you created, select "Source IP address," set "Allow" as the Action, and click "Add rule."

Click "Save," and you will see the rules are set. Next, click "Edit" for the default rule.

Select Block as the Default action, set 403 as the Response code, and click "Save."

Confirm that the settings have been made.

If you access the URL from the IP address you set, the website is displayed. From any other IP address, the website is not displayed.

Publishing with Basic authentication

This is the method to publish with Basic authentication in AWS WAF.

As preliminary preparation, configure the Web ACL.

Click "Web ACLs" → Click the target Web ACL.

Click "Rules" → Click "Add rules" → Click "Add my own rules and rule groups."

Select "Rule builder." Set an arbitrary name. Select "Regular rule" as the type, configure "Statement" as shown in the screenshot, set the Base64-encoded user name and password in "String to match," set "Block" as the Action, configure "Custom response" as shown in the screenshot, and click "Add rule."

Click "Save".

Click on the created rule.

You can see the details of the rule.

When you access the URL, a dialog for entering the user and password will appear.

When you enter the configured user name and password, the website is displayed.
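
The Basic authentication rule written out in the structure the WAFv2 API accepts, as an added example that is not from the original article. The statement and custom response are only visible in the article's screenshot, so the shape here is an assumption: block with 401 and a `WWW-Authenticate` header unless the `Authorization` header exactly equals `Basic <base64>`. The rule name and credentials are constructed, and `evaluate` is a local stand-in for this one rule, not AWS code.

```python
import base64

def basic_auth_token(user, password):
    """Authorization header value a browser sends for these credentials."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def basic_auth_rule(name, user, password, priority=0):
    """Assumed rule shape: block with 401 unless the header matches exactly."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"NotStatement": {"Statement": {"ByteMatchStatement": {
            "SearchString": basic_auth_token(user, password).encode("ascii"),
            "FieldToMatch": {"SingleHeader": {"Name": "authorization"}},
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
            "PositionalConstraint": "EXACTLY",
        }}}},
        "Action": {"Block": {"CustomResponse": {
            "ResponseCode": 401,  # 401 plus WWW-Authenticate triggers the login dialog
            "ResponseHeaders": [{"Name": "www-authenticate", "Value": "Basic"}],
        }}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": name},
    }

def _match(rule):
    return rule["Statement"]["NotStatement"]["Statement"]["ByteMatchStatement"]

def evaluate(rule, headers):
    """Local stand-in for how this one rule treats a request; returns a status."""
    m = _match(rule)
    wanted = m["FieldToMatch"]["SingleHeader"]["Name"]
    # Header names are case-insensitive; the value is compared byte for byte.
    value = next((v for k, v in headers.items() if k.lower() == wanted), None)
    if value is None or value.encode() != m["SearchString"]:
        return rule["Action"]["Block"]["CustomResponse"]["ResponseCode"]
    return 200  # not blocked here; later rules and the default action decide

def credentials_in_rule(rule):
    """Base64 is an encoding: anyone who can read the Web ACL reads the secret."""
    token = _match(rule)["SearchString"]
    return base64.b64decode(token.split(b" ", 1)[1]).decode("utf-8")

if __name__ == "__main__":
    rule = basic_auth_rule("basic-auth", "user", "pass")  # constructed values
    print(evaluate(rule, {}), credentials_in_rule(rule))
```

Because the credential sits in the rule in recoverable form, read access to the Web ACL configuration should be limited to the same people who are allowed to know the password.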

Request Restriction

This is how to restrict requests with AWS WAF.

As preliminary preparation, configure the Web ACL.

Click "Web ACLs" → Click the target Web ACL.

Click "Rules" → Click "Add rules" → Click "Add my own rules and rule groups."

Select "Rule builder." Set an arbitrary name. Select "Rate based rule" as the type, set the rate limit to 100 in the Request rate details, set Block as the Action, and click "Add rule."

Click "Save".

Click on the rule that has been created.

You can see the rule details.

Try to access the site dynamically at least 100 times within 5 minutes.

If there are more than the specified number of accesses within 5 minutes, access is blocked. While the number of accesses is below the configured limit, access is allowed.

By using AWS WAF, it is possible to publish in combination with Amazon CloudFront and configure various settings other than the IP restrictions, basic authentication, and request restrictions that we tried this time 💡

In my next article, I would like to introduce how to combine this with Amazon Route 53.


Top comments (3)

Adit Modi

Hi @dayjournal ,
It almost feels like a series now, if you can make use of Series under post option.
Give the series a unique name. (Series visible once it has multiple posts) that would be great.
I would also recommend posting video series for these articles since it contains a lot of pictures.

Yasunori Kirimoto

Thank you!

SydneyLevy

This is useful when you want to confirm you are not blocking valid requests inadvertently.