AWS WAF - keshavbaweja-git/guides GitHub Wiki

WAF protects

  1. CloudFront distributions
  2. ALB
  3. API Gateway
  4. AppSync (GraphQL)

WAF Concepts

  1. Web ACLs: container for firewall rules. A web ACL has a default action of either Allow or Block
  2. Rules
  3. Rule groups

Web ACL associations

  1. Each AWS resource can be associated with only one web ACL.
  2. One web ACL can be associated with multiple AWS resources of different types. However, if a web ACL is associated with a CloudFront distribution, it can't be associated with any other resource type.

Web ACL capacity units

WCUs are used to calculate and control the operating resources required to run your rules, rule groups and web ACLs. The maximum WCU for a web ACL or rule group is 1500 units.

Web ACL rule and rule group evaluation

  1. Rules and rule groups inside a web ACL are evaluated in order of their numeric priority setting.
  2. Allow and Block are terminating actions
  3. Count is a non-terminating action
  4. CAPTCHA can be a terminating or non-terminating action

Rule/rule group action override to count

  1. You can override actions of one or all rules in a rule group
  2. You can override action at rule group level to count

If you want to test the rules in a rule group before activating them, the recommended approach is to override the action of every rule in the rule group to Count. This ensures that all rules in the rule group are evaluated. If you instead configure the override at the rule group level, not all rules are evaluated.

Default action for web ACL

If none of the rules with a terminating action in the web ACL match, the web ACL's default action is applied. Most managed rule groups are configured to block requests.

Managed Rule Groups

  1. AWS Managed Rules rule groups are mostly available free of charge to AWS WAF customers. AWS WAF Bot Control and AWS WAF Fraud Control account takeover prevention have additional fees.
  2. Updates to managed rule groups are applied automatically
  3. To protect the intellectual property of rule group providers, and to avoid security breaches by malicious actors, you can't view the rules inside managed rule groups

Managed Rule Groups, version lifecycle

  1. Managed rule group provider provides release and update notifications to an Amazon SNS topic.
  2. Expiration scheduling - a version can be scheduled for expiration; once scheduled, that rule group version can't be added to your web ACL
  3. Version expiration - when a version expires, for AWS Managed Rule Groups, AWS WAF moves the web ACL to the default version of the rule group.

Scope down

A scope-down statement narrows the set of requests that a rule evaluates. Scope-down statements can be used with managed rule group statements and rate-based statements.

Rate-based statements

  1. AWS WAF checks the rate of requests every 30 seconds, and counts requests for the prior 5 minutes each time. Because of this, it's possible for an IP address to send requests at too high a rate for 30 seconds before AWS WAF detects and blocks it.
  2. AWS WAF can block up to 10,000 IP addresses. If more than 10,000 IP addresses send high rates of requests at the same time, AWS WAF will only block 10,000 of them.
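As an added illustration of point 1 (a model written for this page, not AWS's implementation), a small simulation of a rate-based rule that checks every 30 seconds over a trailing 5-minute window; the limit, IP addresses and traffic are constructed, and it shows how many requests a burst gets through before the first checkpoint blocks it:

```python
CHECK_INTERVAL = 30   # seconds between rate checks, as described on the page
WINDOW = 300          # each check counts requests in the trailing 5 minutes

def simulate_rate_rule(requests, limit):
    """Model of a rate-based rule over (timestamp_seconds, ip) pairs; not AWS code.
    Returns (blocked_at, passed): the checkpoint at which each IP was first blocked,
    and how many of each IP's requests reached the application before that."""
    seen, blocked_at, passed = {}, {}, {}
    next_check = CHECK_INTERVAL
    for t, ip in sorted(requests):
        while t >= next_check:                 # run every checkpoint we have passed
            for addr, times in seen.items():
                recent = sum(1 for x in times if next_check - WINDOW < x < next_check)
                if recent > limit and addr not in blocked_at:   # first block only; unblocking
                    blocked_at[addr] = next_check               # when the rate drops is not modelled
            next_check += CHECK_INTERVAL
        seen.setdefault(ip, []).append(t)
        if ip not in blocked_at:               # a block takes effect only after a checkpoint
            passed[ip] = passed.get(ip, 0) + 1
    return blocked_at, passed

# Constructed traffic: one source bursts 10 req/s for 25 s, another sends 1 req every 10 s.
BURST = [(s + k / 10, "198.51.100.7") for s in range(25) for k in range(10)]
STEADY = [(10 * s, "203.0.113.5") for s in range(60)]
```

With a limit of 100, all 250 burst requests pass before the 30-second checkpoint blocks the source, while the steady client is never blocked.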

Labels on web requests

Rules can add labels to a web request, and subsequent rules can then match against those labels. Use cases:

  1. Evaluate a web request against multiple rule statements before taking an action
  2. Reuse common logic across multiple rules, e.g. a high-priority rule that evaluates a request and labels it as a login request; subsequent rules can match against the label to run login-specific evaluation
  3. Override rules in managed rule groups by placing them in count mode and having them apply a label that subsequent rules evaluate.
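An added example (written for this page, not code from this wiki or from AWS) that models the evaluation semantics in the sections above: priority order, terminating vs. Count actions, the web ACL default action, the difference between overriding every rule to Count and overriding the rule group action to Count, and label matching. Rule names, label strings and the sample request are constructed.

```python
from dataclasses import dataclass

TERMINATING = {"ALLOW", "BLOCK"}          # Count is the only non-terminating action modelled
@dataclass
class Rule:
    name: str
    priority: int
    match: object        # callable(request, labels) -> bool
    action: str          # "ALLOW", "BLOCK" or "COUNT"
    labels: tuple = ()   # labels added to the request when the rule matches
@dataclass
class RuleGroup:
    name: str
    priority: int
    rules: list
    override: str = None  # None, "group" (group action -> Count) or "rules" (every rule -> Count)

def evaluate(web_acl, request, default_action="ALLOW"):
    """By ascending priority; returns (final action, names of matched rules, labels on the request)."""
    labels, matched = set(), []
    for item in sorted(web_acl, key=lambda i: i.priority):
        group = item if isinstance(item, RuleGroup) else None
        rules = sorted(group.rules, key=lambda r: r.priority) if group else [item]
        for rule in rules:
            if not rule.match(request, labels):
                continue
            matched.append(rule.name)
            labels.update(rule.labels)
            action = "COUNT" if group and group.override == "rules" else rule.action
            if action not in TERMINATING:
                continue      # Count: record the match and keep evaluating
            if group and group.override == "group":
                break         # group's result is counted, but its remaining rules are skipped
            return action, matched, labels
    return default_action, matched, labels   # nothing terminated: web ACL default action

# Constructed sample policy: a labelling rule, a stand-in for a managed rule group (names and
# label strings are made up for this example) and a rule that needs both labels to block.
MANAGED = [
    Rule("SQLi", 0, lambda r, l: "' OR 1=1" in r["body"], "BLOCK", ("managed:sqli",)),
    Rule("BodySize", 1, lambda r, l: len(r["body"]) > 64, "BLOCK", ("managed:size",)),
]
def web_acl(override=None):
    return [
        Rule("LabelLogin", 0, lambda r, l: r["path"] == "/login", "COUNT", ("app:login",)),
        RuleGroup("ManagedStandIn", 10, MANAGED, override),
        Rule("BlockSQLiOnLogin", 20, lambda r, l: {"app:login", "managed:sqli"} <= l, "BLOCK"),
    ]
ATTACK = {"path": "/login", "body": "user=' OR 1=1 --&pw=" + "x" * 70}  # constructed request
```

Running `evaluate(web_acl("rules"), ATTACK)` shows every rule in the group matching in Count mode, whereas `web_acl("group")` stops the group at its first terminating match and never evaluates BodySize.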

AWS WAF Logging Destinations

  1. Amazon CloudWatch Logs
  2. Amazon S3
  3. Amazon Kinesis Data Firehose

With Shield Advanced, you pay

  1. one monthly subscription fee for all accounts created under a consolidated billing payer account, plus
  2. usage fees based on GB of data transferred out

When to use Shield Advanced

  1. Guaranteed availability for the users of the application.
  2. Rapid access to DDoS mitigation experts if the application is affected by a DDoS attack.
  3. Awareness by AWS that the application might be affected by a DDoS attack, notification of attacks from AWS, and escalation to your security or operations teams.
  4. Predictability in your cloud costs, including when a DDoS attack affects your use of AWS services.

Example DDoS attacks

  1. UDP reflection attacks
  2. TCP SYN flood
  3. DNS query flood
  4. HTTP flood/cache-busting (layer 7) attacks.

AWS Shield Advanced protected resources

  1. Amazon Route 53 hosted zones
  2. Amazon CloudFront distributions
  3. AWS Global Accelerator
  4. ELB
  5. EIP
  6. EC2 through association with an EIP

AWS Shield Advanced capabilities and options

  1. WAF integration
  2. Automatic layer 7 DDoS protection
  3. Health-based detection
  4. Protection groups
  5. Enhanced visibility into DDoS events and attacks - Shield Advanced API and Console, CloudWatch metrics
  6. Centralised management of Shield Advanced protections with AWS Firewall Manager
  7. Shield Response Team
  8. Cost protection opportunities