Web Application Security Using AWS WAF and AWS Shield

Estimated reading time: 6 minutes

This post was last updated on 3 September 2019.

As a modern enterprise, a single defense is not the only defense you need today. Hackers are continually reinventing ways and means to break through cyber defenses. There is a constant stream of news on data breaches such as the one at Equifax and attacks on cryptocurrency exchanges. Discussions of cybersecurity have now considering how it affects us all. In this three-part series, let’s take a closer look at how companies are safeguarding their assets from these attacks.

The DDoS attack is the weapon of choice for many intruders and has alarmingly risen in the recent past. Classic examples of the DDoS attack are the denial of service by DNS provider Dyn in 2016 and the attack on Github that took down its service for more than 10 minutes. Downtime has a widespread impact on businesses, not just in terms of money but also via reduced customer affinity. 8% of customers stopped using Dyn after the attack, and Equifax faced a bevy of lawsuits. 

AWS WAF and AWS Shield

Network layer firewalls and traditional security tools cannot detect and counter today’s sophisticated threats. To meet this growing need for advanced threat detection engines, AWS introduced the Web Application Firewall (WAF) and the AWS Shield. 
AWS WAF is a web application firewall service that monitors HTTP and HTTPS requests for Amazon CloudFront distributions and Application Load balancer to secure your traffic. It lets you filter web traffic with custom Rules, can block malicious requests and also monitor and tune web applications. For additional protection against DDoS attacks, AWS  offers AWS Shield Advanced. This service provides expanded DDoS attack protection for your CloudFront distributions, Amazon Route 53 hosted zones, and Elastic Load Balancers. AWS WAF offers easy AWS integration, affordability, and flexibility, among other benefits.
AWS WAF and Shield provides a list of vulnerabilities i.e., Rules. These rules are a set of conditions with predefined access control list actions (Block/Allow/Count). Users create a Rule and specify the conditions that AWS WAF searches for in incoming web requests.If you add more than one condition to a Rule, the web request must match ALL conditions in the Rule for AWS WAF to allow or block requests based on that ACL.
For instance, AWS WAF can watch for IP addresses from where the requests originate. It can also monitor strings in these requests, where they appear, or if they appear to contain malicious code.
AWS WAF works with Amazon CloudFront and Amazon ELB, i.e., Elastic Load Balancer. Essentially, to avoid web attacks, you need to monitor  HTTP and HTTPS requests. Using CloudFront or ELB helps analyze distributed network traffic for easy understanding.The Open Web Application Security Projects (OWASP) provides a list of standard vulnerabilities (threats) such as cross-site scripting, IP blocks, DDoS, Geo-location specification, etc. Top vulnerabilities include,

Cross-Site Scripting (XSS)

XSS occurs when the attacker uses a web application to send malicious code. This code can be in the form of browser-side scripts such as HTML tags – BODY, URL, Query String, or the HEADER of a Cookie to a different end-user.

Geo-location or Geographic Match Condition

Cybercriminals use Geolocation before expanding their attacks into a targeted region.

Bad-Bot Rule

Bad Bot can take data from websites without permission and allow misuse, high-speed abuse, and attacks on the websites and APIs. Most account thefts and frauds using user information that is available online.

SQL Injection

SQL injections are malicious SQL queries that attackers execute to harm and exploit a database server.

Scans Probes Rule

Port scanning is one of the predominantly used technique that attackers use to exploit and break into systems. With the help of this technique, they can find information about running services, which user owns those services and anonymous login details.
If your application is not able to handle these vulnerabilities, there are high chances of data loss and theft, resulting in massive damage to the business.

AWS WAF and AWS Shield Architecture

For you to be able to distribute the traffic of the web application, you must see the architecture of AWS WAF and use AWS ELB. You can use the same configuration for AWS Shield Advanced for protection against DDoS attacks.
As shown below, the WAF sits behind a load balancer. It works as per configured Rules and Access Control Lists (ACL) in the WAF. With this, it is easy to allow or block APIs requests using the access control list (ACL) in WAF.

Implementation of AWS WAF with CloudFront or ELB

The process is as follows:

  • Create ELB or Cloudfront for handling HTTP or HTTPS requests for network firewalls
    • If the user distributes traffic using ELB, then you need to select Application Load Balancer with S3 buckets
    • If you want to use CloudFront, then you need to choose Web and Originate from S3 bucket.
  • Create WAF Rules which could be a list of probable attacks, from web attackers, using automation solutions for AWS WAF template of CloudFormation. You can download the following templates:
    • AWS WAF security automation solution template for Cloudformation using CloudFront
    • And, the AWS WAF security automation solution template for Cloudformation using ELB
    • AWS recently announced a new feature of WAF integration with API Gateways to protect web applications and APIs from attacks governed by a set of web ACL rules. A detailed guide at the end of this post shows WAF integration for API gateways.
    • Cloudformation can use these downloaded templates. It takes approximately 10-15 minutes to create all the resources for use in WAF.
    • AWS’ default security template Rule list can configure nine Rules. Rules are predefined configurations for securing your web applications from standard vulnerabilities. Users can further customize these Rules based on their requirements.

Configure each Rule as per requirement. For example, Geo-location

  • List of Rules and predicting theft attacks also helps in deciding the choice of service to be used
    • Adding an ACL is dependent on whether you take action to allow or block the request. Based on this configuration, the load balancer either allows the request or blocks it with the message ‘HTTP 403 Status Code (Forbidden)’.
  • Testing customized Rules and manage Alerts for theft
    • You can test these Rules using JMeter or Postman
    • The user is made aware of attacks using Cloudwatch that can configure an Alert for a WAF metric

Implementation of AWS WAF Integration for API Gateways

Pre-requisites: API Gateways require regional web ACLs.

Associate an AWS WAF regional web ACL with an API Gateway API Stage using the API gateway console

To use the API Gateway console to associate an AWS WAF regional web ACL with an existing API Gateway API stage, use the following steps:

  1. Sign in to the API Gateway console
  2. In the APIs navigation pane, choose the API, and then Stages
  3. While on the Stages pane, choose the name of the stage
  4. In the Stage Editor pane, choose the Settings tab
  5. To associate a regional web ACL with the API stage:
    1. In the AWS WAF Web ACL dropdown list, choose the regional web ACL that you wish to associate with this stage. 
    2. Note: If the Web ACL you need doesn’t exist yet, choose Create WebACL and then choose Go to AWS WAFto open the WAF console in a new browser tab and create a regional web ACL. Then return to the API Gateway console to associate the web ACL with the stage.
  6. Choose Save Changes.

In the next parts of this series, we talk about the newly launched AWS Firewall Manager. This Firewall Manager helps us centrally configure and manage AWS WAF rules across multiple accounts and applications. Later, we will cover testing for these vulnerabilities and ensure that our WAF works as intended. Stay tuned!


New call-to-action

Share this post

Table of Contents