AWS Web Application Firewall (WAF)
AWS WAF is a web-application firewall that protects web applications from attacks. It allows rules to be configured that allow, block or count web requests based upon defined conditions.
AWS WAF protects against common attacks such as SQL injection and cross-site scripting. Conditions include IP addresses, HTTP bodies, HTTP headers, and URI strings.
AWS WAF is tightly integrated with CloudFront, API Gateway, AppSync, and the Application Load Balancer (ALB), the services used for delivering content to websites and applications. AWS WAF rules are available in all AWS edge locations, located around the globe close to the end users.
Blocked requests are stopped before they reach the web servers.
It supports custom origins hosted outside AWS.
AWS WAF with Application Load Balancer: WAF rules run in the region. It can be used to protect both internal and internet-facing load balancers.
AWS WAF with API Gateway: can help protect and secure REST APIs.
AWS WAF protects applications and can inspect web requests sent over HTTP or HTTPS.
AWS WAF offers Managed Rules, preconfigured rules that protect applications from common threats such as OWASP-listed attacks, bots, and known Common Vulnerabilities and Exposures (CVEs).
AWS WAF supports the following behaviours:
Allow all requests except those specified – blacklisting (a block list), e.g. allow traffic from all IP addresses other than those listed.
Block all requests except those specified – whitelisting (an allow list), e.g. allow only requests that originate from the listed IP addresses.
Count the requests that match specified properties – this lets you count the requests that match defined properties, which is useful for testing whether new properties would allow or block requests. Once you have confirmed that the configuration does not block all traffic to the website, you can change the rule's action to allow or block requests.
WAF allows you to control the behavior of web requests by creating conditions, rules and web ACLs.
Conditions
Conditions are the basic characteristics you look for in a web request:
Malicious script – cross-site scripting (XSS) – attackers embed scripts to exploit vulnerabilities in web applications.
IP addresses – requests originate from specified IP addresses or ranges of addresses.
Size – the length of the requested parts, such as the query string, measured in bytes.
Malicious SQL – SQL injection – attackers attempt to extract data from the database using malicious SQL code embedded in a web request.
Geographic match – requests can be allowed or blocked based on the country they originate from.
Some conditions can take multiple values.
An AWS WAF rule defines how to inspect HTTP(S) web requests and what action to take if a request meets the inspection criteria.
Each rule requires one top level statement. This statement may contain nested statements depending on the type of rule.
AWS WAF supports logic statements for AND, OR and NOT. These statements can be combined in a rule.
For example, based on recent requests from an attacker, you might create a rule that matches requests which:
come from 192.0.2.44;
contain the value BadBot in the User-Agent header;
appear to contain malicious SQL code in their query string.
All three conditions must be met for the rule to match (an AND statement).
A web access control list (web ACL) provides fine-grained control over all HTTP(S) requests that the protected resource responds to.
Web ACLs let you combine rules and group them together.
Action – the Allow, Block or Count action to perform for each rule.
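The example rule above (IP address AND User-Agent AND SQL injection in the query string), the Count-then-Block workflow described under the supported behaviours, and the way a web ACL orders rules and falls back to a default action can all be seen together in a small offline model. The following is an added example, not code from the page or from AWS: the dictionaries mirror the WAFv2 JSON shape that `aws wafv2 create-web-acl` accepts, but the evaluator is a simplified stand-in for the matching AWS performs at the edge. The IP set ARN is a placeholder, the sample requests are constructed, and the SQL-injection check is a crude regex, not AWS's detector.

```python
"""Offline model of an AWS WAFv2 web ACL (added example, not AWS's code).
The dict layout mirrors the JSON `aws wafv2 create-web-acl` accepts (VisibilityConfig
omitted); the evaluator is a simplified stand-in for AWS's edge matching, and the
SQL-injection check is a crude regex rather than AWS's detector."""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote_plus

# Constructed placeholder ARN; a real IP set is created with `aws wafv2 create-ip-set`.
BAD_IP_SET_ARN = "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/bad-actors/PLACEHOLDER"
IP_SETS = {BAD_IP_SET_ARN: ["192.0.2.44/32"]}
# Heuristic for this model only (assumption): tautology, UNION SELECT, comment, stacked DROP.
SQLI_PATTERN = re.compile(r"(?i)\bor\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+|\bunion\s+select\b|--|;\s*drop\b")
NONE, URL_DECODE = [{"Priority": 0, "Type": "NONE"}], [{"Priority": 0, "Type": "URL_DECODE"}]

WEB_ACL = {
    "Name": "example-web-acl", "DefaultAction": {"Allow": {}},
    "Rules": [
        {   # the page's example rule: all three conditions must hold (AND), then Block
            "Name": "block-badbot-sqli-from-known-ip", "Priority": 0, "Action": {"Block": {}},
            "Statement": {"AndStatement": {"Statements": [
                {"IPSetReferenceStatement": {"ARN": BAD_IP_SET_ARN}},
                {"ByteMatchStatement": {"FieldToMatch": {"SingleHeader": {"Name": "user-agent"}},
                                        "PositionalConstraint": "CONTAINS", "SearchString": "BadBot",
                                        "TextTransformations": NONE}},
                {"SqliMatchStatement": {"FieldToMatch": {"QueryString": {}}, "TextTransformations": URL_DECODE}},
            ]}}},
        {   # Count mode: observe how often a size limit would fire before switching it to Block
            "Name": "count-oversized-query-string", "Priority": 1, "Action": {"Count": {}},
            "Statement": {"SizeConstraintStatement": {"FieldToMatch": {"QueryString": {}},
                                                      "ComparisonOperator": "GT", "Size": 1024,
                                                      "TextTransformations": NONE}}},
        {   # NOT wrapped around a geo match: count traffic from outside the (constructed) expected countries
            "Name": "count-outside-expected-countries", "Priority": 2, "Action": {"Count": {}},
            "Statement": {"NotStatement": {"Statement": {"GeoMatchStatement": {"CountryCodes": ["US", "DE"]}}}}},
    ],
}

def field_value(req, field, transformations):
    """Extract the request part named by a WAFv2 FieldToMatch, applying URL_DECODE if requested."""
    if "SingleHeader" in field:
        value = req["headers"].get(field["SingleHeader"]["Name"].lower(), "")
    elif "QueryString" in field:
        value = req.get("query_string", "")
    else:
        raise ValueError(f"unsupported FieldToMatch: {field}")
    return unquote_plus(value) if any(t["Type"] == "URL_DECODE" for t in transformations) else value

def matches(stmt, req):
    """Recursively evaluate one WAFv2 rule statement against a request dict."""
    if "AndStatement" in stmt:
        return all(matches(s, req) for s in stmt["AndStatement"]["Statements"])
    if "OrStatement" in stmt:
        return any(matches(s, req) for s in stmt["OrStatement"]["Statements"])
    if "NotStatement" in stmt:
        return not matches(stmt["NotStatement"]["Statement"], req)
    if "IPSetReferenceStatement" in stmt:
        addr = ip_address(req["ip"])
        return any(addr in ip_network(c) for c in IP_SETS[stmt["IPSetReferenceStatement"]["ARN"]])
    if "GeoMatchStatement" in stmt:
        return req.get("country") in stmt["GeoMatchStatement"]["CountryCodes"]
    if "ByteMatchStatement" in stmt:
        s = stmt["ByteMatchStatement"]
        value, needle = field_value(req, s["FieldToMatch"], s["TextTransformations"]), s["SearchString"]
        return {"CONTAINS": needle in value, "EXACTLY": value == needle, "STARTS_WITH": value.startswith(needle),
                "ENDS_WITH": value.endswith(needle)}[s["PositionalConstraint"]]
    if "SqliMatchStatement" in stmt:
        s = stmt["SqliMatchStatement"]
        return bool(SQLI_PATTERN.search(field_value(req, s["FieldToMatch"], s["TextTransformations"])))
    if "SizeConstraintStatement" in stmt:
        s = stmt["SizeConstraintStatement"]
        size = len(field_value(req, s["FieldToMatch"], s["TextTransformations"]).encode())
        return {"GT": size > s["Size"], "GE": size >= s["Size"], "LT": size < s["Size"],
                "LE": size <= s["Size"], "EQ": size == s["Size"]}[s["ComparisonOperator"]]
    raise ValueError(f"unsupported statement: {list(stmt)}")

def evaluate(web_acl, req):
    """Return (final_action, names_of_rules_that_counted). Rules run in Priority order;
    Count records the match and continues, Allow/Block terminate, else DefaultAction applies."""
    counted = []
    for rule in sorted(web_acl["Rules"], key=lambda r: r["Priority"]):
        if matches(rule["Statement"], req):
            action = next(iter(rule["Action"]))
            if action != "Count":
                return action, counted
            counted.append(rule["Name"])
    return next(iter(web_acl["DefaultAction"])), counted

# Constructed sample requests; header names are stored lower-case (header matching is case-insensitive).
ATTACKER = {"ip": "192.0.2.44", "country": "US", "headers": {"user-agent": "Mozilla/5.0 BadBot/1.0"},
            "query_string": "id=1'+OR+'1'%3D'1"}
SAME_PAYLOAD_OTHER_IP = dict(ATTACKER, ip="198.51.100.7")      # AND rule no longer matches
NOISY_BUT_BENIGN = {"ip": "203.0.113.9", "country": "FR", "headers": {"user-agent": "curl/8.0"},
                    "query_string": "q=" + "a" * 2000}          # only the Count rules fire

if __name__ == "__main__":
    for name, req in [("attacker", ATTACKER), ("other-ip", SAME_PAYLOAD_OTHER_IP), ("benign", NOISY_BUT_BENIGN)]:
        print(f"{name}: {evaluate(WEB_ACL, req)}")
```

Running the script shows the three outcomes the page describes: the attacker's request is blocked because every branch of the AND statement holds, the same payload from another address falls through to the default Allow because the AND fails on its first branch, and the benign oversized request is allowed while both Count rules record a match. That last case is the point of Count mode: the size and geo rules can sit in the web ACL, generating metrics, until you are satisfied they would not block legitimate traffic, and only then have their action changed to Block.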