Overview:

AWS Web Application Firewall (WAF) is a firewall designed to protect web applications and APIs against usually found web exploits that may compromise security, affect high availability, consume excessively, and exhaust existing resources.

By setting up a WAF, you would not only monitor and track the requests reaching your AWS resources, but you could also block or allow them to pass based predetermined set of rules. As a result, it would lead to cleaner server application logs, common attacks mitigation, less traffic on the server instances, and most importantly, cost-cutting.

Image source: aws.amazon.com

AWS CloudFront allows the use of custom origins to serve content, which means you can have a WAF protect any server, even those not hosted on AWS. Additionally, the API Gateway can act as an HTTP proxy allowing a WAF to protect any non-hosted AWS API as the traffic routes through the gateway.

At the top level, the WAF consists of a Web ACL assigned to one or more supported AWS resources. The Web ACL contains a collection of rules which determine whether a given request should be allowed or blocked. Those rules can be your own rules or provided by a 3rd party.

The protected AWS Resource forwards the request it receives to the WAF. If the WAF determines the request should be blocked based on rules applied, the AWS resource will generate a 403 response back to the client. If allowed, the request is forwarded onwards. The 403 response varies based on the AWS resource type. Some resources, such as CloudFront, allow you to customize the default message. There will be no indication to an attacker that the WAF is the one who explicitly blocked the request.

Monitoring WAF allows you to log requests through a Kinesis Firehouse to various AWS services such as an S3 Bucket, Redshift, or the Elastic Search Service. Every rule or rule group can create CloudWatch metrics enabling you to track the number of blocked, allowed, or counted requests in the CloudWatch dashboard.

Procedure to Setup WAF:

Step 1: Verify IAM user has the proper access to AWS managed WAF policies:

Take necessary permissions from the administrator for AWS managed WAF policies

Step 2: Search WAF & Shield service in the search bar:

Click on WAF & Shield to open the service.

Step 3: Create a Web ACL:

1. To create a web ACL
   
2. Choose to Create web ACL.
3. On Name Block, enter the name you want to use to identify this web ACL
   
4. On Description block – type a description for the web ACL
5. On CloudWatch metric name block, type the name you want. Then, check the guidance on the console for valid characters.
6. On the resources type block, select CloudFront distributions or regional resources based on your requirement from the below options.
7.  For Associated AWS resources – choose Add AWS resources if you select regional resources. In the dialog box, select the resources that you want to use, and then select Add.
   
8. Choose Next.
   

Step 4: Add an AWS Managed Rules rule group

To add an AWS Managed Rules rule group.

1. On the Add rules and rule groups page, choose Add rules and add managed rule groups.
   
2. On the Add managed rule groups page, view the AWS managed rule groups listing. (You can also choose listings offered for AWS Marketplace sellers. You can subscribe and use them in the same way as for AWS Managed Rules rule groups.)
   
3. For the rule group that you want to add. In the Action column, turn on the Add to web ACL toggle.
   
4. Select Edit and, in the rule group’s Rules listing, turn on the set all rule actions to count toggle. It sets the action for all rules in the rule group to count only. It lets you see how all the rules in the rule group behave with your web requests before you put any of them to use.
5. Choose Save rule. In the Add managed rule groups page, choose Add rules. It returns you to the Add rules and rule groups page.
   

Step 5: Finish your Web ACL configuration:

1. To finish your web ACL configuration
2. On the Add rules and rule groups page, choose Next.
3. You can see the processing order for the rules and rule groups in the web ACL on the Set rule priority page. AWS WAF processes them starting from the top.
   
4. Choose Next.
5. On the Configure metrics page, you can see the planned metrics for your rules and rule groups and you can see the web request sampling options
   
6. Choose Next.
7. On the Review and create web ACL page, click on Create web ACL.
   
8. The wizard returns you to the Web ACL page, where your new web ACL is listed.
   
   

Step 6: Monitor WAF Metrics:

1. Open the CloudWatch page and click on Metrics from the left column.
   
2. Select the AWS WAF metrics and select the rules for the required graph.

Conclusion:

With a growing business and a more prominent user base, security concerns grow alarming. Hence the need for high-level protection of business environments running in the public cloud is paramount. AWS WAF leverages various security rules to strengthen the cloud firewall before the application to ensure that its uptime is intact even if a malicious attack occurs.

Learn more about security in this blog

Let me know if you have any queries, and I will answer them quickly. Stay Tuned for more on Security, Cloud, and other advanced technologies.

WRITTEN BY Anil Reddy