Arun Kumar for AWS Community Builders

Posted on Jun 10, 2021

WAF for ALBs

#aws #waf #alb #security

Overview

WAF support for ALB is now available in many regions.

Clients want to provide a pattern of using ALB → (Lambda | EC2) to be secured via WAF (and HTTPS).

Clients want to minimise the maintenance footprint of adding WAF for many applications.

Architecture

Pricing Details

WAF Pricing

a. WAF

$5 per web ACL per month
$1 per rule per web ACL per month (assume one rule = “core-waf-automations — SQL Injection Rule”)
$0.60 per million web requests

b. F5

Estimates

a. WAF Pricing

b. Market place pricing — 4x F5 managed rulesets

$480 for $80 per account per region per month x 6
$480 for 100 million requests x 4 rulesets (total requests across all accounts / regions)
$11,520 Annual cost

c. Total pricing estimate

Solutions

a. Author is AWS themselves

b. Without dedicated security team — “web application firewall strategy” can be a hassle (even with one)

c. AWS WAF ACL — central inspection and decision point for incoming requests (for all apps that use it)

d. Log analysis — more than just “waf rules to apply” — there’s mechanisms for updating rules:

Both WAF logs and App logs can be parsed by Athena/Lamdba to inform on HTTP Flood, Scanners & Probes
Scheduled cloudwatch event rule triggers lambda to maintain IP Reputation Lists
Bot lists also updated via a lambda.

Types of Rules

a. White/black listing (manual lists)

No automation setup around these lists — is the expectation you manage via AWS Console?

b. SQL Injection, XSS (patterns in URI, querystring, request body)

c. HTTP Flood (web-layer DDoS, brute force logins)

ConfigureRateBasedRule (Custom::ConfigureRateBasedRule — HttpFloodProtectionRateBasedRuleActivated)

d. Scanners & Probes (abnormal amount errors from an origin)

e. IP Reputation Lists (3rd party lists hourly updated)

f. Bad Bot (honeypot to attract bots)

DEV Community