AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources. AWS WAF gives you control over how traffic reaches your applications by enabling you to create security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter out specific traffic patterns you define.
The Managed Rules for WAF address issues like the OWASP Top 10 security risks. These rules are regularly updated as new issues emerge.
AWS WAF works as a first line of defence for AWS CloudFront, Application Load Balancer or Amazon API Gateway.
Agile protection against web attacks
AWS WAF rule propagation and updates take under a minute, enabling you to quickly update security across your environment when issues arise. WAF supports hundreds of rules that can inspect any part of the web request with minimal latency impact on incoming traffic. AWS WAF protects web applications from attacks by filtering traffic based on rules that you create. For example, you can filter on any part of the web request, such as IP addresses, HTTP headers, HTTP body, or URI strings. This allows you to block common attack patterns, such as SQL injection or cross-site scripting.
Save time with managed rules
With Managed Rules for AWS WAF, you can quickly get started and protect your web application or APIs against common threats. You can select from many rule types, such as ones that address issues like the Open Web Application Security Project (OWASP) Top 10 security risks, threats specific to Content Management Systems (CMS), or emerging Common Vulnerabilities and Exposures (CVE). Managed rules are automatically updated as new issues emerge, so that you can focus on building applications.
Improved web traffic visibility
AWS WAF gives near real-time visibility into your web traffic, which you can use to create new rules or alerts in Amazon CloudWatch. You have granular control over how the metrics are emitted, allowing you to monitor from the rule level to the entire inbound traffic. In addition, AWS WAF offers comprehensive logging by capturing each inspected web request's full header data for use in security automation, analytics, or auditing purposes.
Ease of deployment & maintenance
AWS WAF is easy to deploy and protects applications deployed on either Amazon CloudFront as part of your CDN solution, the Application Load Balancer that fronts all your origin servers, or Amazon API Gateway for your APIs. There is no need for additional software deployment, DNS configuration, SSL/TLS certificates to manage, or a reverse proxy setup. With AWS Firewall Manager integration, you can centrally define and manage your rules, and reuse them across all the web applications that you need to protect.
Cost effective web application protection
With AWS WAF you pay only for what you use. AWS WAF provides a customizable, self-service offering, and pricing is based on how many rules you deploy and how many web requests your web application receives. There are no minimum fees and no upfront commitments.
Security integrated with how you develop applications
Every feature in AWS WAF can be configured using either the AWS WAF API or the AWS Management Console. This allows your DevOps team to define application-specific rules that increase web security as they develop applications. This lets you put web security at multiple points in the development process chain, from the hands of the developer initially writing code, to the DevOps engineer deploying software, to the security administrators enforcing a set of rules across the organization.
Storm Reply, AWS Premier Consulting Partner since 2014, has developed a strong expertise on AWS WAF implementation. Thanks to years of projects, we have developed a set of best practices that enforce the highest level of defence and security. Over the years, our clients have continuously appreciated our methodology on AWS WAF and entrusted us to build and govern their first layer of defence against any external threats.
Governance
In some organizations, WAF configurations are managed centrally by a security team. In this case, the security team must audit and ensure that WAF is configured correctly across resources managed by application teams. In other organizations, WAF configuration and deployment is managed by the application teams so that the WAF rules deployed can be specific to the protected application. To simplify centralized management of AWS WAF, AWS Firewall Manager allows you to define security policies that automatically deploy WAF across accounts within your AWS Organization. AWS Firewall Manager provides you with visibility to ensure that resources have the appropriate WAF web ACL associated and are in compliance with the WAF policies.
Logging
WAF logging is a common requirement for security teams to meet their compliance and auditing needs. AWS WAF provides near-real-time logs through Amazon Kinesis Data Firehose. For each request inspected by AWS WAF, a corresponding log entry is written that contains request information such as timestamp, header details, and the action for the rule that matched. Currently, AWS WAF does not log the request body. You can use logs for debugging and additional forensics by integrating with your Security Information and Event Management (SIEM) or other log analysis tools. By default, logging is not enabled when you create a web ACL. To automate log enabling, you can use AWS Config to configure logging whenever a new WAF web ACL is created.
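As an added example (not part of the original page or Storm Reply's tooling), the Python below shows the kind of forensic processing the paragraph describes: it parses WAF log records in the JSON-lines layout that Kinesis Data Firehose delivers, tolerates a corrupt line, and counts BLOCK actions per terminating rule and per client IP. The log lines are constructed sample data with placeholder values, and the threshold helper is an assumed local analogue of a CloudWatch alarm on BlockedRequests, not an AWS API.

```python
import json
from collections import Counter

# Constructed sample: AWS WAF log records, one JSON object per line, using the
# documented field names (timestamp, action, terminatingRuleId, httpRequest...).
# All values are made up; the web ACL ARN is a placeholder. The last line is
# deliberately malformed to exercise the parser's error handling.
SAMPLE_WAF_LOGS = "\n".join([
    '{"timestamp":1700000000000,"formatVersion":1,"webaclId":"WEBACL_ARN_PLACEHOLDER",'
    '"terminatingRuleId":"AWS-AWSManagedRulesSQLiRuleSet","terminatingRuleType":"MANAGED_RULE_GROUP",'
    '"action":"BLOCK","httpRequest":{"clientIp":"198.51.100.7","country":"IE","uri":"/login",'
    '"httpMethod":"POST","headers":[{"name":"User-Agent","value":"curl/8.0"}]}}',
    '{"timestamp":1700000001000,"formatVersion":1,"webaclId":"WEBACL_ARN_PLACEHOLDER",'
    '"terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR",'
    '"action":"ALLOW","httpRequest":{"clientIp":"203.0.113.5","country":"IT","uri":"/",'
    '"httpMethod":"GET","headers":[{"name":"User-Agent","value":"Mozilla/5.0"}]}}',
    '{"timestamp":1700000002000,"formatVersion":1,"webaclId":"WEBACL_ARN_PLACEHOLDER",'
    '"terminatingRuleId":"AWS-AWSManagedRulesSQLiRuleSet","terminatingRuleType":"MANAGED_RULE_GROUP",'
    '"action":"BLOCK","httpRequest":{"clientIp":"198.51.100.7","country":"IE","uri":"/search",'
    '"httpMethod":"GET","headers":[{"name":"User-Agent","value":"curl/8.0"}]}}',
    '{"timestamp":1700000003000,"formatVersion":1,"webaclId":"WEBACL_ARN_PLACEHOLDER",'
    '"terminatingRuleId":"CustomRateLimit","terminatingRuleType":"RATE_BASED",'
    '"action":"BLOCK","httpRequest":{"clientIp":"203.0.113.9","country":"DE","uri":"/api/items",'
    '"httpMethod":"GET","headers":[]}}',
    '{not valid json',
])


def parse_waf_logs(text):
    """Parse JSON-lines WAF logs; return (records, count of malformed lines)."""
    records, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1  # keep going: one corrupt line must not hide the rest
    return records, bad


def blocked_summary(records):
    """Count BLOCK actions per terminating rule and per client IP."""
    by_rule, by_ip = Counter(), Counter()
    for rec in records:
        if rec.get("action") != "BLOCK":
            continue
        by_rule[rec.get("terminatingRuleId", "unknown")] += 1
        by_ip[rec.get("httpRequest", {}).get("clientIp", "unknown")] += 1
    return by_rule, by_ip


def noisy_sources(by_ip, threshold):
    """IPs whose BLOCK count reaches the threshold, highest first (assumed
    log-side analogue of a CloudWatch alarm on the BlockedRequests metric)."""
    hits = [(ip, n) for ip, n in by_ip.items() if n >= threshold]
    return sorted(hits, key=lambda t: (-t[1], t[0]))
```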
Monitoring
Having good visibility of what is being blocked by your web ACL is important for operating your WAF implementation. This visibility is useful for threat intelligence, hardening rules, troubleshooting false positives, and responding to an incident. There are multiple monitoring options available with AWS WAF.
Monitoring using Amazon CloudWatch
You can set up a dashboard for AWS WAF to display information about the activity of rules in your web ACL. For each rule, CloudWatch emits near-real-time metrics like AllowedRequests, BlockedRequests and PassedRequests, which are recorded for a period of two weeks. In addition, you can set up alarms on CloudWatch metrics to receive notifications when a certain WAF rule is abnormally triggered based on predefined thresholds. However, CloudWatch doesn't provide you with information about the processed requests themselves. If you need more details about inspected requests, you have two options:
Costs
AWS WAF offers standalone pricing that is charged based on your usage of web ACLs, rules, and the number of requests that are inspected. For logging configurations, you will be charged based on your usage of Amazon Kinesis Data Firehose. If you choose to use WAF managed rules from the AWS Marketplace, you can subscribe to managed rules and pay only for what you use. There are no contracts or subscription commitments, as managed rules are charged by the hour. For workloads with high volumes of requests, consider evaluating AWS Shield Advanced to reduce the per-request charges. When AWS WAF is used with resources protected by AWS Shield Advanced, there are no additional charges for using AWS WAF and AWS Firewall Manager. You simply pay the charges associated with AWS Shield Advanced. This approach can help optimize cost for request-heavy workloads.