DEV Community

Esther Awudu

Your First AWS WAF Setup

Your first successful project on the AWS Cloud, perhaps a cloud résumé or a static website, marks a significant milestone. Yet, deployment is only half the battle. To fortify this new public endpoint, integrating a Web Application Firewall (WAF) isn't just an option; it is the standard best practice for maintaining a defensible security posture from day one.

AWS WAF is an AWS security service that helps protect your endpoints from web attacks. Through web ACLs (Access Control Lists), which the console now presents as protection packs, you define the rules by which traffic is filtered before it reaches your resources.

In this article, I walk you through setting up your first web ACL in the AWS environment. Let's get started!

Step 1

  • In the AWS Management Console, in the search bar at the top, enter WAF, and under Services, click the WAF & Shield result:

AWS Shield is a subscription service from Amazon that protects your resources against denial-of-service (DoS) attacks. You will not use AWS Shield in this walkthrough.

Step 2

  • In the left-hand menu, under AWS WAF, click Protection packs (web ACLs):

Step 3

  • On the right-hand side, click Create protection pack (web ACL):

You will see a multi-step wizard load.

Step 4

  • In the App category section, select Other. You can select multiple categories at once; choose whichever apply best to your endpoint.

Step 5

  • Click Add resources, followed by Add regional resources:

Step 6

  • In the list, select the resource to protect (an Elastic Load Balancer, CloudFront distribution, API Gateway, etc.) and click Add:

Step 7

  • In the Choose initial protections section, select Build your own pack from all of the protections AWS WAF offers:

Step 8

  • Under the Add rules section, select AWS-managed rule group, and click Next:

Managed rule groups are pre-configured sets of rules available either directly from AWS or through AWS Marketplace security vendors. They are designed to provide immediate protection without requiring you to write individual rules.

You have three main options for WAF rules:

Custom Rules: You can create and define your own rule groups containing rules tailored specifically for your application.

AWS-Managed Rules: AWS provides certain rule groups, some of which can be used at no extra charge.

Marketplace Rules: Rules offered by third-party sellers on the AWS Marketplace generally require a separate subscription fee and associated charges, which are billed in addition to your standard AWS WAF request fees.

Step 9

  • You will see the list of AWS-provided rule groups. Find and select SQL database:

Selecting this rule group, which targets SQL injection (SQLi), provides an immediate defense against one of the most common and damaging web attacks.

A SQL injection attack occurs when an attacker embeds malicious SQL code within a standard web request (like a form submission or URL parameter). If the targeted web application is poorly secured, it may execute this malicious code against its backend database.

Successful SQLi attacks grant the attacker unauthorized access to modify or delete data, and can potentially lead to full system compromise by enabling them to escalate privileges.

While modern, well-written applications employ safeguards (like parameterized queries) to prevent SQLi, information security experts strongly advocate for Defense in Depth. This strategy layers multiple security controls—like using a WAF in front of the application layer—to ensure that if one defense fails, the others remain active.

This specific type of Web ACL rule is invaluable when migrating legacy applications to the cloud. These older systems often have undocumented or vulnerable security models, making the WAF rule group an essential, compensating security control to protect the application while permanent code-level fixes are developed.

Step 10

  • To finish adding managed rule groups, scroll to the bottom and click Add rule, leaving all other settings at their defaults:

Step 11

  • To start adding your own rule, click Add rule > select Custom rule > click Next > select Custom rule once more > click Next:

The rule builder page will load.

Step 12

  • In the Action field, select Count. When creating custom rules in a web ACL, it is recommended to start in Count mode; this is a security best practice aimed at reducing risk and preventing service disruption. Count is a non-terminating action, so it acts as a testing phase in which you can evaluate your rule against real traffic without blocking any legitimate users.
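Count mode only pays off if you actually review what the rule counted before switching it to Block. The script below is an added example (not from the original post) that summarises AWS WAF log records: for each rule it tallies COUNT matches and the URIs and client IPs they fired on, and it separately tallies terminating BLOCK decisions. The log lines are constructed for this example and follow the documented AWS WAF log field names (action, terminatingRuleId, nonTerminatingMatchingRules, ruleGroupList, httpRequest); the rule name LargeBodyCount is assumed to be the custom rule built later in this walkthrough.

```python
"""Summarise Count-mode matches from AWS WAF log records (added example)."""

import json
from collections import Counter, defaultdict
from typing import Any, Dict, Iterable, List

# Constructed sample log: one JSON object per line, as WAF logs are delivered.
# IPs are documentation ranges; the records are not real traffic.
SAMPLE_WAF_LOG = """
{"timestamp": 1700000000000, "action": "ALLOW", "terminatingRuleId": "Default_Action", "nonTerminatingMatchingRules": [{"ruleId": "LargeBodyCount", "action": "COUNT"}], "ruleGroupList": [], "httpRequest": {"clientIp": "203.0.113.10", "uri": "/upload", "httpMethod": "POST"}}
{"timestamp": 1700000001000, "action": "ALLOW", "terminatingRuleId": "Default_Action", "nonTerminatingMatchingRules": [], "ruleGroupList": [], "httpRequest": {"clientIp": "203.0.113.11", "uri": "/", "httpMethod": "GET"}}
{"timestamp": 1700000002000, "action": "ALLOW", "terminatingRuleId": "Default_Action", "nonTerminatingMatchingRules": [{"ruleId": "LargeBodyCount", "action": "COUNT"}], "ruleGroupList": [], "httpRequest": {"clientIp": "203.0.113.10", "uri": "/upload", "httpMethod": "POST"}}
{"timestamp": 1700000003000, "action": "BLOCK", "terminatingRuleId": "AWS-AWSManagedRulesSQLiRuleSet", "terminatingRuleType": "MANAGED_RULE_GROUP", "nonTerminatingMatchingRules": [], "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesSQLiRuleSet", "terminatingRule": {"ruleId": "SQLi_BODY", "action": "BLOCK"}, "nonTerminatingMatchingRules": []}], "httpRequest": {"clientIp": "198.51.100.7", "uri": "/login", "httpMethod": "POST"}}
"""


def parse_records(text: str) -> List[Dict[str, Any]]:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _count_matches(record: Dict[str, Any]) -> Iterable[str]:
    """Yield the ids of every rule that matched non-terminatingly (COUNT).

    Top-level custom rules appear in nonTerminatingMatchingRules; rules inside
    a managed/custom rule group appear under each ruleGroupList entry.
    """
    for match in record.get("nonTerminatingMatchingRules", []):
        if match.get("action") == "COUNT":
            yield match["ruleId"]
    for group in record.get("ruleGroupList", []):
        for match in group.get("nonTerminatingMatchingRules", []):
            if match.get("action") == "COUNT":
                yield f"{group.get('ruleGroupId', '?')}/{match['ruleId']}"


def count_mode_summary(records: Iterable[Dict[str, Any]]) -> Dict[str, Dict[str, Counter]]:
    """Per rule: how often it counted, on which URIs, and from which client IPs."""
    summary: Dict[str, Dict[str, Counter]] = defaultdict(
        lambda: {"hits": Counter(), "uris": Counter(), "client_ips": Counter()}
    )
    for rec in records:
        req = rec.get("httpRequest", {})
        for rule_id in _count_matches(rec):
            entry = summary[rule_id]
            entry["hits"]["total"] += 1
            entry["uris"][req.get("uri", "?")] += 1
            entry["client_ips"][req.get("clientIp", "?")] += 1
    return dict(summary)


def blocks_by_rule(records: Iterable[Dict[str, Any]]) -> Counter:
    """Terminating BLOCK decisions, keyed by the rule that made them."""
    return Counter(
        rec.get("terminatingRuleId", "?") for rec in records if rec.get("action") == "BLOCK"
    )


if __name__ == "__main__":
    recs = parse_records(SAMPLE_WAF_LOG)
    for rule_id, entry in count_mode_summary(recs).items():
        print(rule_id, entry["hits"]["total"], "counted;",
              "top URIs:", entry["uris"].most_common(3),
              "top IPs:", entry["client_ips"].most_common(3))
    print("blocks:", dict(blocks_by_rule(recs)))
```

Run it against a file exported from your WAF log destination (`parse_records(open(path).read())`). If the counted hits are dominated by legitimate URIs such as an upload endpoint, tune the rule (raise the size threshold or scope the statement to specific paths) before changing its action from Count to Block.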

Step 13

  • In the Name field, enter the name of your rule:

Below the Rule name section, you will see If a request and a drop-down with matches the statement selected.

A rule can contain multiple statements. You can configure the rule to match under various conditions, including:

  • At least one statement matches
  • All statements match
  • The statement doesn't match the request

This allows for complex and sophisticated rules. You will configure one statement in this rule.

Step 14

  • Fill out the following:

Inspect: select Body
Statement:
- Oversize handling: select Continue
- Match type: select Size greater than
- Size in bytes: type 512

You have configured the condition to match web requests where the body is greater than 512 bytes. Be aware that AWS WAF only checks the first 8192 bytes of requests that it processes.

At the end of the page, there are a few useful options you should be aware of:

Custom request: For Count actions, this allows you to add a header to a web request. When the action is Block, you can specify a custom HTTP response code, add headers, and define the response body.
Add label: Requests can be labelled by this rule, and then other rules can reference this rule by its label.

Leave both these options at their defaults.

Step 15

  • Click Add rule:

You will be returned to the Add rules page. Here you can also specify the order in which rules are evaluated when the Web ACL is processing a web request.

Notice 200 WCU and 1 WCU next to each rule. Web ACLs have a budget measured in Web ACL Capacity Units (WCUs), which limits the number of rules that can be used in a single web ACL. The capacity is a measure of how much computing resource is required to apply the rules. Individual rules can have different WCUs depending upon how complex the rule is. WCUs do not affect pricing.

Step 16

  • In the main Create protection pack (web ACL) page, scroll down to the Name and description section, and in the Name field, enter your preferred ACL name and description:

Step 17

  • Click Create protection pack (web ACL):

Note: It may take up to a minute for the Web ACL to be created.

When complete, the Web ACLs list page will load and you will see a success notification:

Step 18

  • Select the newly created web ACL, and then navigate to Manage resource:

Step 19

  • Make sure your resource is populated as shown below. If not, click on Add regional resources and add your resource:

Congratulations, you have successfully created a web ACL with two rules! One rule detects web requests containing SQL injection attacks, and the other detects web requests with a large body size.
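The same two-rule web ACL can be expressed as an AWS WAFv2 CreateWebACL request, which is how you would keep it under version control or reproduce it across accounts. The script below is an added example, not code from the original post: it builds the request as plain data (the AWS-managed SQL database rule group, whose API name is AWSManagedRulesSQLiRuleSet, plus the Count-mode body-size rule from Steps 12 to 14), runs a few static checks a reviewer would want before calling the API, and only calls boto3 under `__main__`. The rule and ACL names, the region, and the resource ARN placeholder are assumptions for the example.

```python
"""Build and validate the walkthrough's web ACL as a wafv2 CreateWebACL request
(added example; boto3 is only used under __main__)."""

from typing import Any, Dict, List

SQLI_RULE_GROUP = "AWSManagedRulesSQLiRuleSet"  # "SQL database" in the console
BODY_SIZE_LIMIT_BYTES = 512                     # Step 14: body greater than 512 bytes


def _visibility(metric_name: str) -> Dict[str, Any]:
    """Sampled requests and CloudWatch metrics are what make Count mode reviewable."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": metric_name}


def sqli_managed_rule(priority: int) -> Dict[str, Any]:
    """Rule referencing the AWS-managed SQLi rule group (200 WCU in the console)."""
    return {
        "Name": "AWS-AWSManagedRulesSQLiRuleSet",  # assumed name
        "Priority": priority,
        "OverrideAction": {"None": {}},  # rule group references use OverrideAction, not Action
        "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": SQLI_RULE_GROUP}},
        "VisibilityConfig": _visibility("AWSManagedRulesSQLiRuleSet"),
    }


def large_body_count_rule(priority: int, size: int = BODY_SIZE_LIMIT_BYTES) -> Dict[str, Any]:
    """Custom rule from Steps 12-14: Count requests whose body is larger than `size` bytes."""
    return {
        "Name": "LargeBodyCount",  # assumed name
        "Priority": priority,
        "Action": {"Count": {}},  # non-terminating: evaluate first, block later
        "Statement": {
            "SizeConstraintStatement": {
                "FieldToMatch": {"Body": {"OversizeHandling": "CONTINUE"}},
                "ComparisonOperator": "GT",
                "Size": size,
                "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
            }
        },
        "VisibilityConfig": _visibility("LargeBodyCount"),
    }


def build_web_acl_request(name: str, description: str, scope: str = "REGIONAL") -> Dict[str, Any]:
    """Assemble the CreateWebACL parameters. REGIONAL covers ALB/API Gateway;
    CLOUDFRONT scope must be created in us-east-1."""
    return {
        "Name": name,
        "Scope": scope,
        "Description": description,
        "DefaultAction": {"Allow": {}},  # only matching rules act; everything else passes
        "Rules": [sqli_managed_rule(0), large_body_count_rule(1)],
        "VisibilityConfig": _visibility(name.replace("-", "")),
    }


def validate_request(request: Dict[str, Any]) -> List[str]:
    """Static checks that would otherwise surface as CreateWebACL validation errors."""
    problems: List[str] = []
    priorities = [r["Priority"] for r in request["Rules"]]
    if len(set(priorities)) != len(priorities):
        problems.append("rule priorities must be unique")
    for rule in request["Rules"]:
        stmt = rule["Statement"]
        references_group = "ManagedRuleGroupStatement" in stmt or "RuleGroupReferenceStatement" in stmt
        has_action, has_override = "Action" in rule, "OverrideAction" in rule
        if references_group and not has_override:
            problems.append(f"{rule['Name']}: rule group reference needs OverrideAction")
        if not references_group and not has_action:
            problems.append(f"{rule['Name']}: custom rule needs Action")
        if has_action and has_override:
            problems.append(f"{rule['Name']}: Action and OverrideAction are mutually exclusive")
    return problems


if __name__ == "__main__":
    import boto3  # only needed for the live call

    req = build_web_acl_request("my-first-web-acl", "SQLi managed rules plus large-body Count rule")
    assert not validate_request(req), validate_request(req)
    wafv2 = boto3.client("wafv2", region_name="us-east-1")  # assumed region
    acl = wafv2.create_web_acl(**req)["Summary"]
    # Step 18-19 equivalent: attach the ACL to the regional resource (placeholder ARN).
    wafv2.associate_web_acl(
        WebACLArn=acl["ARN"],
        ResourceArn="arn:aws:elasticloadbalancing:REGION:ACCOUNT_ID:loadbalancer/app/NAME/ID",
    )
```

Keeping the rule definitions as data also makes the later promotion from Count to Block a one-line, reviewable change (`"Action": {"Block": {}}`) rather than a console click nobody can diff.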