AWS WAF (Web Application Firewall)
Detailed Content
AWS WAF (Web Application Firewall) helps protect your web applications or APIs from common web exploits that may affect availability, compromise security, or consume excessive resources. AWS WAF gives you control over how traffic reaches your applications by enabling you to create security rules that control bot traffic and block common attack patterns like SQL injection or cross-site scripting.
Core Concepts
- Web ACL (Access Control List): The main resource in AWS WAF. A Web ACL is a collection of rules that you define to protect your web application or API. You associate a Web ACL with an Amazon CloudFront distribution, an Application Load Balancer (ALB), an Amazon API Gateway REST API, or an AWS AppSync GraphQL API. A Web ACL processes web requests based on the rules it contains.
- Rules: Define the conditions that AWS WAF searches for in web requests and the action to take when a request matches the conditions. Rules are evaluated in the order of their priority. Rules can be based on various criteria:
- IP addresses: Block or allow requests from specific IP addresses or CIDR ranges.
- HTTP headers: Match patterns in headers like `User-Agent`, `Referer`, `Origin`, or custom headers.
- HTTP body: Match patterns in the request body (e.g., for detecting malicious payloads).
- URI strings: Match patterns in the URI path or query string.
- SQL injection: Detect and block common SQL injection attempts.
- Cross-site scripting (XSS): Detect and block common XSS attacks.
- Size constraints: Block requests that are too large or too small (e.g., preventing large file uploads as a form of attack).
- Geo-match: Block or allow requests based on the country of origin of the request.
- Regex pattern matching: Use regular expressions to match complex patterns in various parts of the web request.
- Rule Groups: A collection of rules that you can reuse across multiple Web ACLs. Rule groups help organize your WAF rules and promote reusability. There are different types:
- AWS Managed Rule Groups: Pre-configured rule groups provided by AWS to protect against common threats (e.g., `AWSManagedRulesCommonRuleSet` for general threats, `AWSManagedRulesSQLiRuleSet` for SQL injection, `AWSManagedRulesLinuxRuleSet` for Linux-specific attacks). AWS automatically updates these rules.
- AWS Marketplace Managed Rule Groups: Rule groups provided by third-party security vendors, offering specialized protection against various threats.
- Custom Rule Groups: Rule groups that you create and manage yourself, allowing you to define your own specific security logic.
- Actions: What AWS WAF does when a request matches a rule:
- Allow: The request is forwarded to the protected resource. This is typically the default action for a Web ACL.
- Block: The request is blocked, and an HTTP 403 (Forbidden) response is returned to the client.
- Count: AWS WAF counts the requests that match the rule but doesn't block them. This is extremely useful for testing new rules or monitoring potential threats without impacting legitimate traffic.
- CAPTCHA: Presents a CAPTCHA challenge to the client. If the client solves it, the request is allowed. Useful for mitigating bot traffic.
- Rate-based Rules: Automatically block IP addresses that send a large number of requests in a short period (e.g., 5 minutes). This helps to mitigate DDoS attacks, brute-force attempts, and web scraping by limiting the request rate from a single source IP.
- Logging: AWS WAF can send detailed logs of web requests that it inspects to Amazon CloudWatch Logs, Amazon S3, or Amazon Kinesis Data Firehose. These logs contain information about the request (IP, URI, headers) and how WAF evaluated it, which is crucial for monitoring, auditing, and troubleshooting.
- Bot Control: A managed rule group that provides intelligent bot detection and mitigation. It can identify and categorize various types of bots (e.g., scrapers, search engine crawlers, malicious bots) and apply different actions based on their category.
- Fraud Control: Managed rule groups designed to protect against specific types of fraud, such as account takeover attempts.
Use Cases
- Protection Against Common Web Exploits: Use AWS Managed Rule Groups to protect against OWASP Top 10 vulnerabilities such as SQL injection (SQLi) and cross-site scripting (XSS).
- Application-Layer DDoS Mitigation: Implement rate-based rules to automatically block IP addresses that exceed a defined request threshold, protecting against HTTP floods and other Layer 7 DDoS attacks.
- Bot and Scraper Mitigation: Use the Bot Control managed rule group to identify and block or challenge unwanted bot traffic, preventing content scraping, credential stuffing, and inventory scanning.
- Geographic Blocking: Restrict access to your application based on the geographic location of the request, which can be used for compliance or to block traffic from high-risk regions.
- API Security: Protect your API Gateway or AppSync endpoints from malicious requests, ensuring that only legitimate traffic reaches your backend services.
- Zero-Day Vulnerability Patching: Quickly deploy custom rules to block traffic patterns associated with newly discovered vulnerabilities (zero-day exploits) before your application code can be patched.
Integration Points
AWS WAF can be deployed in front of various AWS services that expose web applications or APIs:
- Amazon CloudFront distributions: To protect websites and APIs delivered globally through CloudFront. This provides protection at the edge, closer to your users.
- Application Load Balancers (ALBs): To protect web applications running on EC2 instances, containers (ECS, EKS), or serverless functions (Lambda via ALB). WAF inspects traffic before it reaches your backend servers.
- Amazon API Gateway REST APIs: To protect your RESTful APIs from common web exploits and unwanted traffic. This is crucial for securing serverless APIs.
- AWS AppSync GraphQL APIs: To protect your GraphQL APIs, ensuring that only legitimate queries and mutations reach your backend.
Interview Questions
Conceptual Questions
- What is AWS WAF and what types of attacks does it protect against?
- AWS WAF (Web Application Firewall) is a web application firewall that helps protect your web applications or APIs from common web exploits and bots. It protects against a wide range of attacks, including:
- OWASP Top 10 threats: Such as SQL injection, cross-site scripting (XSS), broken authentication, sensitive data exposure, etc.
- DDoS attacks: Specifically Layer 7 (application layer) DDoS attacks using rate-based rules.
- Bot traffic: Malicious bots, scrapers, and unwanted automated activity.
- Known vulnerabilities: Using managed rule groups.
- Explain the concept of a Web ACL and how it relates to rules and rule groups.
- A Web ACL (Web Access Control List) is the primary resource in AWS WAF. It's a collection of rules that you define to protect your web application or API. When a web request arrives, WAF evaluates it against the rules in the associated Web ACL in a specified order.
- Rules define the conditions that WAF searches for in web requests (e.g., specific IP addresses, HTTP headers, URI patterns) and the action to take when a request matches (Allow, Block, Count, CAPTCHA).
- Rule Groups are reusable collections of rules. They can be AWS Managed Rule Groups (pre-configured by AWS), AWS Marketplace Managed Rule Groups (from third-party vendors), or Custom Rule Groups (created by you). Rule groups simplify management and allow for consistent application of security policies.
- What is the difference between an AWS Managed Rule Group and a custom rule? When would you use each?
- AWS Managed Rule Groups: These are pre-configured sets of rules provided and maintained by AWS (or AWS Marketplace sellers) to protect against common threats (e.g., SQL injection, XSS, common vulnerabilities). They are easy to deploy and automatically updated by AWS. Use them for broad, general protection against known attack vectors.
- Custom Rules: These are rules that you define yourself to address specific application vulnerabilities, business logic, or unique traffic patterns. Use them when managed rules don't cover your specific needs, such as blocking specific user agents, IP ranges, or custom request headers.
- How does AWS WAF help mitigate DDoS attacks?
- AWS WAF primarily helps mitigate Layer 7 (application layer) DDoS attacks. It does this through rate-based rules, which automatically block IP addresses that send a large number of requests (exceeding a configurable threshold) within a short, rolling time window (e.g., 5 minutes). This effectively throttles or blocks malicious traffic sources that are attempting to overwhelm your application with a high volume of requests.
- Describe the different actions AWS WAF can take when a rule matches a request.
- Allow: The request is permitted to proceed to the protected resource.
- Block: The request is denied, and WAF returns an HTTP 403 (Forbidden) response to the client.
- Count: WAF logs the request as matching the rule but allows it to proceed. This is useful for testing new rules or monitoring potential threats without affecting legitimate traffic.
- CAPTCHA: WAF presents a CAPTCHA challenge to the client. If the client successfully solves it, the request is allowed; otherwise, it's blocked. This is effective against automated bot traffic.
- What are the integration points for AWS WAF? Where can you deploy it?
- AWS WAF can be deployed in front of:
- Amazon CloudFront distributions: For global protection of websites and APIs at the edge.
- Application Load Balancers (ALBs): To protect web applications running on EC2, ECS, or EKS.
- Amazon API Gateway REST APIs: To secure your RESTful APIs.
- AWS AppSync GraphQL APIs: To protect your GraphQL APIs.
Scenario-Based Questions
- You have a public-facing e-commerce web application hosted on EC2 instances behind an Application Load Balancer. You want to protect it from common web exploits, known bad bots, and prevent SQL injection attacks. How would you implement this using AWS WAF?
- I would create an AWS WAF Web ACL and associate it with the Application Load Balancer. Within the Web ACL, I would add:
- AWS Managed Rule Groups: Specifically, `AWSManagedRulesCommonRuleSet` (for general threats), `AWSManagedRulesSQLiRuleSet` (for SQL injection), and `AWSManagedRulesBotControlRuleSet` (for known bad bots).
- Rate-based rules: To mitigate Layer 7 DDoS attacks and brute-force attempts.
- Custom rules: If there are specific IP ranges to block or allow, or unique patterns in request headers/bodies that need to be addressed.
- I would configure logging to CloudWatch Logs or S3 to monitor WAF activity.
- Your API Gateway endpoint is experiencing a high volume of requests from a specific country that you do not serve, and you also suspect some automated scraping activity. How can you use AWS WAF to address these issues?
- To block requests from a specific country, I would add a Geo-match rule to the Web ACL associated with the API Gateway. This rule would specify the country code to block and set the action to `Block`.
- To address automated scraping, I would enable the AWS Managed Rule Group for Bot Control. This rule group intelligently detects and categorizes various types of bots, allowing me to block or challenge known scrapers. Additionally, I could implement a rate-based rule to block IP addresses that exceed a certain request threshold, which would catch simple scraping bots.
- You are deploying a new web application and want to test your custom WAF rules thoroughly without impacting legitimate user traffic. How would you approach this testing phase?
- During the testing phase, I would configure the action for all new or modified custom WAF rules to `Count` instead of `Block` or `Allow`. This allows AWS WAF to evaluate the requests against these rules and log the matches without taking any blocking action. I would then enable WAF logging to Amazon CloudWatch Logs or S3. By analyzing these logs, I can verify that my rules are matching the intended traffic (and not legitimate traffic) before changing their action to `Block` or `Allow` in a production environment.
- You have an application that is frequently targeted by credential stuffing attacks. How can AWS WAF help protect against this?
- I would utilize the AWS WAF Fraud Control Account Takeover Prevention (ATP) managed rule group. This rule group is specifically designed to detect and mitigate credential stuffing attacks by analyzing login attempts, identifying suspicious patterns, and applying actions like blocking or CAPTCHA challenges. It can also integrate with your application's login endpoint to provide enhanced protection.
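The Count-mode log review described in the testing scenario above, as an added example that is not part of the original page: a Python script that parses AWS WAF JSON log records (field names follow the documented WAF log format; the log lines themselves are constructed here) and reports, for each rule running in Count mode, how many requests it matched, where they came from, and what share of traffic it would block if switched to Block.

```python
import json
from collections import Counter, defaultdict

# Constructed sample records in the AWS WAF JSON log format, trimmed to the fields used here.
# Three requests are allowed (two of them matched rules running in Count mode); one is
# blocked by the managed Common Rule Set.
SAMPLE_LOG_LINES = [
    '{"timestamp":1700000000000,"action":"ALLOW","terminatingRuleId":"Default_Action",'
    '"nonTerminatingMatchingRules":[{"ruleId":"RateLimitRule","action":"COUNT"}],'
    '"httpRequest":{"clientIp":"203.0.113.10","country":"US","uri":"/api/login","httpMethod":"POST"}}',
    '{"timestamp":1700000001000,"action":"ALLOW","terminatingRuleId":"Default_Action",'
    '"nonTerminatingMatchingRules":[{"ruleId":"RateLimitRule","action":"COUNT"},'
    '{"ruleId":"BlockBadUA","action":"COUNT"}],'
    '"httpRequest":{"clientIp":"203.0.113.10","country":"US","uri":"/api/login","httpMethod":"POST"}}',
    '{"timestamp":1700000002000,"action":"ALLOW","terminatingRuleId":"Default_Action",'
    '"nonTerminatingMatchingRules":[],'
    '"httpRequest":{"clientIp":"198.51.100.7","country":"DE","uri":"/products","httpMethod":"GET"}}',
    '{"timestamp":1700000003000,"action":"BLOCK","terminatingRuleId":"AWS-Managed-CommonRuleSet",'
    '"nonTerminatingMatchingRules":[],'
    '"httpRequest":{"clientIp":"192.0.2.55","country":"US","uri":"/search","httpMethod":"GET"}}',
]


def summarize_count_matches(log_lines):
    """Per Count-mode rule: number of matching requests plus the URIs and client IPs involved.

    Count matches are non-terminating, so they appear in nonTerminatingMatchingRules with
    action COUNT rather than as the record's terminating rule.
    Returns {rule_id: {"matches": n, "uris": Counter, "client_ips": Counter}}.
    """
    summary = defaultdict(lambda: {"matches": 0, "uris": Counter(), "client_ips": Counter()})
    for line in log_lines:
        record = json.loads(line)
        request = record.get("httpRequest", {})
        for match in record.get("nonTerminatingMatchingRules", []):
            if match.get("action") != "COUNT":
                continue
            entry = summary[match["ruleId"]]
            entry["matches"] += 1
            entry["uris"][request.get("uri", "")] += 1
            entry["client_ips"][request.get("clientIp", "")] += 1
    return dict(summary)


def terminating_decisions(log_lines):
    """Count the final WAF decision per request, keyed by (action, terminatingRuleId)."""
    decisions = Counter()
    for line in log_lines:
        record = json.loads(line)
        decisions[(record["action"], record["terminatingRuleId"])] += 1
    return decisions


def projected_block_rate(summary, total_requests):
    """Share of all logged requests each Count-mode rule would block if switched to Block."""
    return {rule: entry["matches"] / total_requests for rule, entry in summary.items()}


if __name__ == "__main__":
    summary = summarize_count_matches(SAMPLE_LOG_LINES)
    for rule, rate in sorted(projected_block_rate(summary, len(SAMPLE_LOG_LINES)).items()):
        entry = summary[rule]
        print(f"{rule}: {entry['matches']} matches, would block {rate:.0%} of traffic; "
              f"top URI {entry['uris'].most_common(1)}, top IP {entry['client_ips'].most_common(1)}")
    print("Final decisions:", dict(terminating_decisions(SAMPLE_LOG_LINES)))
```

A rule whose projected block rate is high, or whose top URIs are ordinary application paths hit from many distinct IPs, is the signal to refine the rule before moving it out of Count.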
Coding/CLI Examples
Here are some common AWS WAF operations using the AWS CLI and Python (Boto3).
AWS CLI Examples
- Create a Web ACL and associate it with an Application Load Balancer:

```bash
# Replace with your actual values
WEB_ACL_NAME="MyWebAppACL"
ALB_ARN="arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/50dc6c495c0c9188"
REGION="us-east-1"

# 1. Create a Web ACL (REGIONAL scope is used for ALB, API Gateway and AppSync;
#    a CLOUDFRONT-scoped ACL must be created in us-east-1)
CREATE_OUT=$(aws wafv2 create-web-acl \
  --region "$REGION" \
  --name "$WEB_ACL_NAME" \
  --scope REGIONAL \
  --default-action Allow={} \
  --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName="${WEB_ACL_NAME}Metric" \
  --output json)
WEB_ACL_ARN=$(echo "$CREATE_OUT" | jq -r '.Summary.ARN')
WEB_ACL_ID=$(echo "$CREATE_OUT" | jq -r '.Summary.Id')   # the Id is the last path segment of the ARN
echo "Created Web ACL: $WEB_ACL_ARN"

# 2. Add an AWS Managed Rule Group (e.g., AWSManagedRulesCommonRuleSet)
# update-web-acl needs the current LockToken (optimistic locking), so read the ACL first
LOCK_TOKEN=$(aws wafv2 get-web-acl --region "$REGION" --name "$WEB_ACL_NAME" --scope REGIONAL \
  --id "$WEB_ACL_ID" --query 'LockToken' --output text)

# A rule that references a rule group takes OverrideAction, not Action: "None" keeps each
# managed rule's own action (normally Block); "Count" would run the whole group in count mode.
aws wafv2 update-web-acl \
  --region "$REGION" \
  --name "$WEB_ACL_NAME" \
  --scope REGIONAL \
  --id "$WEB_ACL_ID" \
  --lock-token "$LOCK_TOKEN" \
  --default-action Allow={} \
  --rules '[{
    "Name": "AWS-Managed-CommonRuleSet",
    "Priority": 1,
    "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}},
    "OverrideAction": {"None": {}},
    "VisibilityConfig": {"SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "AWSManagedRulesCommonRuleSetMetric"}
  }]' \
  --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName="${WEB_ACL_NAME}Metric"
echo "Added AWS Managed Rule Group to Web ACL."

# 3. Associate the Web ACL with the ALB
aws wafv2 associate-web-acl \
  --region "$REGION" \
  --web-acl-arn "$WEB_ACL_ARN" \
  --resource-arn "$ALB_ARN"
echo "Associated Web ACL $WEB_ACL_ARN with ALB $ALB_ARN"
```
- Create a rate-based rule to block IPs exceeding a certain request threshold:

```bash
# Replace with your actual values
WEB_ACL_NAME="MyWebAppACL"
WEB_ACL_ID="your-web-acl-id"   # from the previous step or: aws wafv2 list-web-acls --scope REGIONAL
REGION="us-east-1"

# update-web-acl replaces the whole rule list, so read the current ACL (for its LockToken
# and existing rules) and append the new rule instead of sending it on its own.
CURRENT=$(aws wafv2 get-web-acl --region "$REGION" --name "$WEB_ACL_NAME" --scope REGIONAL \
  --id "$WEB_ACL_ID" --output json)
LOCK_TOKEN=$(echo "$CURRENT" | jq -r '.LockToken')
NEW_RULES=$(echo "$CURRENT" | jq '.WebACL.Rules + [{
  "Name": "RateLimitRule",
  "Priority": 2,
  "Statement": {"RateBasedStatement": {"Limit": 2000, "AggregateKeyType": "IP"}},
  "Action": {"Block": {}},
  "VisibilityConfig": {"SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "RateLimitRuleMetric"}
}]')

aws wafv2 update-web-acl \
  --region "$REGION" \
  --name "$WEB_ACL_NAME" \
  --scope REGIONAL \
  --id "$WEB_ACL_ID" \
  --lock-token "$LOCK_TOKEN" \
  --default-action Allow={} \
  --rules "$NEW_RULES" \
  --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName="${WEB_ACL_NAME}Metric"
echo "Added Rate-based Rule to Web ACL."
```
- Add a Geo-match rule to block requests from a specific country:

```bash
# Replace with your actual values
WEB_ACL_NAME="MyWebAppACL"
WEB_ACL_ID="your-web-acl-id"
REGION="us-east-1"

# Read the current ACL for its LockToken and existing rules; the new rule is appended
# because update-web-acl overwrites the full rule list.
CURRENT=$(aws wafv2 get-web-acl --region "$REGION" --name "$WEB_ACL_NAME" --scope REGIONAL \
  --id "$WEB_ACL_ID" --output json)
LOCK_TOKEN=$(echo "$CURRENT" | jq -r '.LockToken')
NEW_RULES=$(echo "$CURRENT" | jq '.WebACL.Rules + [{
  "Name": "BlockChinaRule",
  "Priority": 3,
  "Statement": {"GeoMatchStatement": {"CountryCodes": ["CN"]}},
  "Action": {"Block": {}},
  "VisibilityConfig": {"SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "BlockChinaMetric"}
}]')

aws wafv2 update-web-acl \
  --region "$REGION" \
  --name "$WEB_ACL_NAME" \
  --scope REGIONAL \
  --id "$WEB_ACL_ID" \
  --lock-token "$LOCK_TOKEN" \
  --default-action Allow={} \
  --rules "$NEW_RULES" \
  --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName="${WEB_ACL_NAME}Metric"
echo "Added Geo-match Rule to Web ACL."
```
Python (Boto3) Examples
First, ensure you have Boto3 installed (`pip install boto3`) and your AWS credentials configured.
- Create a Web ACL and add a managed rule group:

```python
import boto3
from botocore.exceptions import ClientError

wafv2_client = boto3.client('wafv2')

web_acl_name = "MyBoto3WebAppACL"
scope = "REGIONAL"  # use "CLOUDFRONT" (client in us-east-1) for CloudFront distributions
metric_name = f"{web_acl_name}Metric"

try:
    # 1. Create Web ACL
    create_response = wafv2_client.create_web_acl(
        Name=web_acl_name,
        Scope=scope,
        DefaultAction={'Allow': {}},
        VisibilityConfig={
            'SampledRequestsEnabled': True,
            'CloudWatchMetricsEnabled': True,
            'MetricName': metric_name
        },
        Description="Web ACL created with Boto3"
    )
    web_acl_arn = create_response['Summary']['ARN']
    web_acl_id = create_response['Summary']['Id']
    print(f"Created Web ACL: {web_acl_arn}")

    # 2. Get current Web ACL details to obtain the LockToken required for any update
    get_response = wafv2_client.get_web_acl(Name=web_acl_name, Scope=scope, Id=web_acl_id)
    lock_token = get_response['LockToken']

    # 3. Add an AWS Managed Rule Group (e.g., Common Rule Set).
    #    A rule that references a rule group takes OverrideAction, not Action:
    #    'None' keeps each managed rule's own action, 'Count' runs the group in count mode.
    wafv2_client.update_web_acl(
        Name=web_acl_name,
        Scope=scope,
        Id=web_acl_id,
        LockToken=lock_token,
        DefaultAction={'Allow': {}},
        Rules=[
            {
                'Name': 'AWS-Managed-CommonRuleSet',
                'Priority': 1,
                'Statement': {
                    'ManagedRuleGroupStatement': {
                        'VendorName': 'AWS',
                        'Name': 'AWSManagedRulesCommonRuleSet'
                    }
                },
                'OverrideAction': {'None': {}},
                'VisibilityConfig': {
                    'SampledRequestsEnabled': True,
                    'CloudWatchMetricsEnabled': True,
                    'MetricName': 'AWSManagedRulesCommonRuleSetMetric'
                }
            },
        ],
        VisibilityConfig={
            'SampledRequestsEnabled': True,
            'CloudWatchMetricsEnabled': True,
            'MetricName': metric_name
        }
    )
    print("Added AWS Managed Rule Group to Web ACL.")
except ClientError as e:
    print(f"Error creating/updating WAF Web ACL: {e}")
```
- Associate a Web ACL with an Application Load Balancer:

```python
import boto3
from botocore.exceptions import ClientError

wafv2_client = boto3.client('wafv2')

# REPLACE with your Web ACL ARN and ALB ARN
web_acl_arn = "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/MyBoto3WebAppACL/a1b2c3d4-e5f6-7890-1234-567890abcdef"
resource_arn = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/50dc6c495c0c9188"

try:
    # associate_web_acl is for regional resources (ALB, API Gateway, AppSync);
    # a CloudFront distribution references its Web ACL in the distribution config instead.
    wafv2_client.associate_web_acl(
        WebACLArn=web_acl_arn,
        ResourceArn=resource_arn
    )
    print(f"Associated Web ACL {web_acl_arn} with resource {resource_arn}")
except ClientError as e:
    print(f"Error associating Web ACL: {e}")
```
- Add a Rate-based Rule to an existing Web ACL:

```python
import boto3
from botocore.exceptions import ClientError

wafv2_client = boto3.client('wafv2')

web_acl_name = "MyBoto3WebAppACL"
scope = "REGIONAL"
web_acl_id = "a1b2c3d4-e5f6-7890-1234-567890abcdef"  # REPLACE with your Web ACL ID

try:
    # Get current Web ACL details to obtain the LockToken and the existing rules
    get_response = wafv2_client.get_web_acl(Name=web_acl_name, Scope=scope, Id=web_acl_id)
    lock_token = get_response['LockToken']
    current_rules = get_response['WebACL']['Rules']

    # Priorities must be unique within the ACL, so use one past the highest existing
    # priority (len(current_rules) + 1 can collide when priorities are not consecutive)
    next_priority = max((rule['Priority'] for rule in current_rules), default=0) + 1

    # Define the new rate-based rule
    new_rate_rule = {
        'Name': 'HighRateIPBlocker',
        'Priority': next_priority,
        'Statement': {
            'RateBasedStatement': {
                'Limit': 500,  # Requests per 5-minute window from a single IP
                'AggregateKeyType': 'IP'
            }
        },
        'Action': {'Block': {}},
        'VisibilityConfig': {
            'SampledRequestsEnabled': True,
            'CloudWatchMetricsEnabled': True,
            'MetricName': 'HighRateIPBlockerMetric'
        }
    }

    # update_web_acl replaces the whole rule list, so append to the existing rules
    updated_rules = current_rules + [new_rate_rule]

    # Update the Web ACL, preserving its existing default action and visibility config
    wafv2_client.update_web_acl(
        Name=web_acl_name,
        Scope=scope,
        Id=web_acl_id,
        LockToken=lock_token,
        DefaultAction=get_response['WebACL']['DefaultAction'],
        Rules=updated_rules,
        VisibilityConfig=get_response['WebACL']['VisibilityConfig']
    )
    print("Added Rate-based Rule to Web ACL.")
except ClientError as e:
    print(f"Error adding rate-based rule: {e}")
```