AWS WAF CUSTOMISATION
- Application Engineering
- May 24, 2023
Sanchit Raj

What is AWS WAF?
AWS WAF (Web Application Firewall) is a managed service provided by Amazon Web Services (AWS) that helps protect web applications from common web exploits such as SQL injection, cross-site scripting (XSS) and other attacks. It allows customers to define rules that filter and block web traffic based on criteria such as IP addresses, HTTP headers, or URI strings.
AWS WAF operates as a layer 7 firewall, meaning it can inspect the content of HTTP requests (headers, body, URI and query string) and the metadata associated with them, such as the originating IP address.
AWS WAF integrates with other AWS services such as Amazon CloudFront, a content delivery network (CDN), and the AWS Application Load Balancer, a load balancing service.
Why we need a custom rate-based rule to block IPs in AWS WAF
AWS WAF rate-based rules have some limitations:
1. No time-based blocking: AWS WAF has no native way to block an originating IP address for a fixed period (for example, one hour) once it has misbehaved, and no rules based on the time of day.
2. A rate-based rule blocks an originating IP address only while its request rate stays above the configured limit. As soon as the rate drops below the limit, AWS WAF releases the IP automatically, so a noisy client can back off for a few minutes and then resume.
3. The limit is a request count per five-minute window, not a per-second rate; the documented valid range at the time of writing is 100 to 2,000,000,000 requests per five minutes, so a threshold such as one request per five seconds cannot be expressed.
4. AWS WAF counts requests over a trailing (sliding) window and re-checks the count periodically rather than on every request, so blocking starts some requests after the limit is crossed and the set of blocked IPs always lags the actual traffic.
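To make the gap concrete, here is a small added model (my example, not AWS code and not the article's solution) that replays one client's requests through a simplified rate-based rule and through the block-period behaviour the solution adds. It assumes a trailing five-minute window that is re-evaluated every 30 seconds (treat the 30 s interval as a modelling assumption; AWS does not promise a fixed cadence) and uses a constructed burst of 150 requests sent one per second:

```python
"""Model of why a native rate-based rule alone does not give a lasting block.

Added example: a simplified model, not AWS code or the article's solution.
Modelling assumptions: the rate-based rule counts one IP's requests over a
trailing five-minute window and re-evaluates every 30 seconds; the custom
solution records the first time the limit is exceeded and keeps the IP in
an IP set for a fixed block period (0 = permanent).
"""
WINDOW_SECONDS = 300      # rate-based rule evaluation window (assumed fixed)
CHECK_EVERY_SECONDS = 30  # how often the model re-evaluates the count (assumption)


def native_block_intervals(request_times, limit, horizon):
    """Intervals [(start, end)] in seconds during which the native rate-based
    rule blocks the IP: from the first check where the trailing-window count
    exceeds `limit` to the first check where it is back at or below it."""
    times = sorted(request_times)
    intervals, start = [], None
    for now in range(0, horizon + 1, CHECK_EVERY_SECONDS):
        count = sum(1 for t in times if now - WINDOW_SECONDS < t <= now)
        if count > limit and start is None:
            start = now                      # rule trips at this check
        elif count <= limit and start is not None:
            intervals.append((start, now))   # rate fell back: IP released
            start = None
    if start is not None:
        intervals.append((start, horizon))
    return intervals


def custom_block_interval(request_times, limit, block_period, horizon):
    """The solution's behaviour: once the native rule first trips, the IP is
    kept in the IP set until block_period seconds elapse (0 = permanent)."""
    native = native_block_intervals(request_times, limit, horizon)
    if not native:
        return None
    first_trip = native[0][0]
    return (first_trip, None if block_period == 0 else first_trip + block_period)


def constructed_burst():
    """Constructed traffic: one IP sends 150 requests, one per second, then stops."""
    return list(range(1, 151))


if __name__ == "__main__":
    burst = constructed_burst()
    print("native rule blocks:", native_block_intervals(burst, 100, 600))
    print("custom solution blocks:", custom_block_interval(burst, 100, 3600, 600))
```

With limit=100 the model blocks the burst from t=120 s to t=360 s and then releases it, so a client that pauses for a few minutes is free to start again; the custom block period keeps the same IP in the IP set for the full 3600 s, or indefinitely with 0.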
Steps to implement the custom rate-based rule IP-blocking solution
Prerequisites:
Implementing the solution requires a few prerequisites.
- There must be an existing AWS WAF web ACL (REGIONAL or CLOUDFRONT scope).
- There must be an existing rate-based rule in the web ACL.
- There must be an existing S3 bucket in the same region where the CloudFormation template will be deployed. This bucket holds the Lambda source code zip files and the CSV files that track the currently blocked originating IP addresses. Because it holds both code that will be deployed and the block list, keep Block Public Access enabled on it and restrict write access to the deployment principal and the solution's Lambda role.
- You must upload the Lambda source code zip files to the root of the S3 bucket.
- The IAM principal running the CloudFormation stack must have permissions to create the various resources deployed by the template. By default CloudFormation uses the IAM permissions of the principal running the template unless a service role has been configured for CloudFormation to use; a dedicated service role scoped to the template's resources is the safer choice.
Information required for CloudFormation
- AWS WAF web ACL name
- AWS WAF web ACL ID
- Rate-based rule name
- The S3 bucket name where the Lambda source code zip files have been uploaded
- Block period (in seconds): the period for which you want the offending originating IP address to be blocked:
  - To block an originating IP for 1 hour, enter 3600
  - To block an originating IP permanently, enter 0
Files required for the implementation
- Lambda code zip files (LambdaCodeIPset.zip and LambdaCodeDBTable.zip)
- CloudFormation template (WAF-custom-rate-based-rule-block.template)
- Reference: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webacl.html
- Reference: https://blog.nashtechglobal.com/how-to-use-infrastructure-as-code-for-efficient-finops/
Implementation
To implement the solution, perform the steps below:
- Download the provided files to your local computer.
- Upload the Lambda source code zip files (LambdaCodeIPset.zip and LambdaCodeDBTable.zip) to the root of the S3 bucket that you want to use for this solution. The same bucket name will be specified in the CloudFormation stack parameters.
- Use the CloudFormation service to deploy a stack using the CloudFormation template provided (WAF-custom-rate-based-rule-block.template, listed above).

Figure 1 – Deploying CloudFormation template using a local file
Steps required after the CloudFormation stack has deployed successfully
After deploying the CloudFormation stack, you must create a new WAF rule of type “Rule group” in the web ACL that contains the rate-based rule; without it the solution has no effect. The new rule MUST reference the rule group created by the solution.
The exact priority of the new rule will vary depending on your existing WAF rules and your requirements. Below are some recommendations:
a) In all situations, place the new rule above the rate-based rule (that is, with a lower priority number), so that WAF blocks a listed originating IP address immediately without the rate-based rule re-evaluating it.
b) If you have whitelist rules and want to ensure that none of the whitelisted requests are blocked even if the originating IP address sends requests above the configured threshold, place the new rule below the whitelist rules.
c) If you have whitelist rules but want whitelisted requests to be blocked when the originating IP address sends requests above the configured threshold (for example, to stop a DDoS from a trusted originating IP address caused by a misconfiguration or a compromised device inside a trusted network), place the new rule above the whitelist rules.
You can find the name and ID of the WAF rule group in the Outputs section of the CloudFormation stack. Figure 2 below shows where to find the name of the WAF rule group.
Note: please refer to your CloudFormation Outputs section for the correct name.

Figure 2 – CloudFormation Outputs section where the names of the resources can be located
Steps to create the new WAF rule:
To add the new rule that uses the rule group to the web ACL from the AWS console:
Open the correct web ACL -> Select Rules -> Add rules -> Add my own rules and rule groups
Select “Rule group” as the rule type -> Provide an appropriate name for the rule -> Select the WAF rule group from the dropdown menu
Save the web ACL
Change the priority of the new rule as recommended above according to your requirements.
To add the new rule that uses the rule group to the web ACL from the AWS CLI, use the “aws wafv2 update-web-acl” command below. In the example, waf-rule.json is the file that contains all the rules that must be in the web ACL, not just the new one: update-web-acl replaces the entire rule list, so an incomplete file silently deletes your existing WAF rules.
Only use the CLI method if you are confident with it. Fetch the current rules and the lock token with “aws wafv2 get-web-acl” first, keep the default action your web ACL already uses (the Block={} below is only illustrative, and would block all traffic that matches no rule), and replace the other details in the command with those that match your resources.
aws wafv2 update-web-acl \
  --name TestWebAcl --scope REGIONAL \
  --id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 \
  --lock-token 2294b3a1-0000-0000-0000-a3ae04329de9 \
  --default-action Block={} \
  --visibility-config SampledRequestsEnabled=false,CloudWatchMetricsEnabled=false,MetricName=NewMetricTestWebAcl \
  --rules file://waf-rule.json \
  --region us-west-2
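Because update-web-acl replaces the whole rule list, it is safer to generate waf-rule.json from the live configuration than to write it by hand. The following added script (my example, not code from the article or its CloudFormation template) reads the JSON printed by aws wafv2 get-web-acl, inserts a rule that references the solution's rule group directly above the rate-based rule, optionally above named whitelist rules for recommendation c), and renumbers the priorities so they stay unique. The rule group ARN, the rule name BlockedIPRuleGroup, the metric names and the sample web ACL are assumptions:

```python
"""Build the rules file for `aws wafv2 update-web-acl`.

Added example, not code from the original article or its CloudFormation
template. It reads the JSON printed by `aws wafv2 get-web-acl`, inserts a
rule that references the solution's rule group, and renumbers priorities so
they stay unique. The rule group ARN, the rule name "BlockedIPRuleGroup",
the metric names and the sample web ACL below are all assumptions.
"""
import copy
import json
import sys

# Constructed stand-in for `aws wafv2 get-web-acl` output (not a real ACL).
SAMPLE_GET_WEB_ACL = {
    "WebACL": {
        "Name": "TestWebAcl",
        "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
        "DefaultAction": {"Allow": {}},
        "Rules": [
            {   # a whitelist rule
                "Name": "AllowOffice", "Priority": 0,
                "Statement": {"IPSetReferenceStatement": {
                    "ARN": "arn:aws:wafv2:us-west-2:123456789012:regional/ipset/office/EXAMPLE"}},
                "Action": {"Allow": {}},
                "VisibilityConfig": {"SampledRequestsEnabled": True,
                                     "CloudWatchMetricsEnabled": True, "MetricName": "AllowOffice"},
            },
            {   # the existing rate-based rule the solution watches
                "Name": "RateLimit", "Priority": 1,
                "Statement": {"RateBasedStatement": {"Limit": 1000, "AggregateKeyType": "IP"}},
                "Action": {"Block": {}},
                "VisibilityConfig": {"SampledRequestsEnabled": True,
                                     "CloudWatchMetricsEnabled": True, "MetricName": "RateLimit"},
            },
        ],
    },
    "LockToken": "2294b3a1-0000-0000-0000-a3ae04329de9",
}


def rule_group_reference_rule(name, rule_group_arn, priority):
    """A web ACL rule that runs a rule group. Rule-group references carry an
    OverrideAction (None = keep the group's own block action), not an Action."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"RuleGroupReferenceStatement": {"ARN": rule_group_arn}},
        "OverrideAction": {"None": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True, "MetricName": name},
    }


def insert_rule_group(rules, rule_group_arn, name="BlockedIPRuleGroup",
                      whitelist_names=(), block_whitelisted=False):
    """Return a new rules list with the rule-group reference inserted.

    The new rule goes directly above the rate-based rule, so a listed IP is
    rejected before the rate-based rule re-evaluates it (recommendation a).
    Whitelist rules that sort earlier stay above it, so whitelisted traffic is
    never blocked (b), unless block_whitelisted=True, which moves the new rule
    above the named whitelist rules as well (c). The input list is not modified.
    """
    if any(r["Name"] == name for r in rules):
        raise ValueError(f"rule {name!r} already exists in the web ACL")
    ordered = sorted(copy.deepcopy(rules), key=lambda r: r["Priority"])
    anchors = [i for i, r in enumerate(ordered) if "RateBasedStatement" in r["Statement"]]
    if not anchors:
        raise ValueError("web ACL has no rate-based rule")
    if block_whitelisted:
        anchors += [i for i, r in enumerate(ordered) if r["Name"] in whitelist_names]
    ordered.insert(min(anchors), rule_group_reference_rule(name, rule_group_arn, 0))
    for prio, r in enumerate(ordered):   # priorities must be unique: renumber 0..n-1
        r["Priority"] = prio
    return ordered


def rule_order(rules):
    """Rule names in evaluation order (lowest priority number first)."""
    return [r["Name"] for r in sorted(rules, key=lambda r: r["Priority"])]


if __name__ == "__main__":
    # usage: aws wafv2 get-web-acl ... | python3 add_rule_group.py <rule-group-arn> > waf-rule.json
    acl = json.load(sys.stdin)
    new_rules = insert_rule_group(acl["WebACL"]["Rules"], sys.argv[1])
    json.dump(new_rules, sys.stdout, indent=2)
    print(f"lock token: {acl['LockToken']}", file=sys.stderr)
    print(f"default action: {json.dumps(acl['WebACL']['DefaultAction'])}", file=sys.stderr)
```

Typical use: run `aws wafv2 get-web-acl --name TestWebAcl --scope REGIONAL --id <id> --region us-west-2 > acl.json`, then `python3 add_rule_group.py <rule-group-arn> < acl.json > waf-rule.json`, and pass the LockToken and the DefaultAction printed to stderr (rather than the Block={} placeholder) to update-web-acl. The new rule carries an OverrideAction of None, which keeps the block action defined inside the solution's rule group; a rule-group reference cannot have an Action of its own.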
Procedure to delete the implementation
- The rule that uses the rule group must be deleted from the web ACL before attempting to delete the CloudFormation stack. If the web ACL is still using the rule group, CloudFormation will not be able to delete the rule group and you will see an error message similar to the one below in the CloudFormation Events:
“AWS WAF couldn’t perform the operation because your resource is being used by another resource or it’s associated with another resource.”
- After deleting the rule from the web ACL, you can proceed to delete the CloudFormation stack. Deleting the stack will delete all the resources it created; the pre-existing S3 bucket and the zip files you uploaded are not part of the stack and remain.
Handling false positives
A false positive occurs when the rate-based rule blocks a legitimate originating IP address and the solution adds it to the AWS WAF blocking IP set for long-term blocking. You resolve a false positive by deleting the IP address item directly from the DynamoDB table. DynamoDB Streams then triggers the Lambda function, which removes the IP address from the CSV file and from the WAF IP set.
Note: if the IP address is deleted directly from the IP set instead, it will be blocked again the next time the IP set is updated. This is because the IP address is still in the CSV file that stores all the currently blocked IP addresses held in the DynamoDB table, and the solution rebuilds the IP set from this CSV file each time the DynamoDB table changes. The DynamoDB table is the source of truth, so always remove entries there.
The name of the DynamoDB table can be located in the Outputs section of the CloudFormation stack, as shown in Figure 2 above.
Below are the steps to delete the IP address item from the DynamoDB table:
1. In the DynamoDB console, search for the name of the table.
2. Follow the numbers in the screenshots below, which show each step. In this example, the IPv6 address 2600:1f18:235a:cf10:39c8:a57a:dc21:8b91/128 is the false positive IP address that must be deleted from the table.
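As an added illustration of the stream-driven flow described above (my example; the article's LambdaCodeIPset.zip is not reproduced here), this handler folds a batch of DynamoDB stream records into the CSV and rebuilds the IP set from it. It shows why a manual delete in the table propagates while a delete in the IP set does not, and it treats DynamoDB TTL deletions, which is how a finite block period would expire, the same as a manual delete. The partition key name IPAddress, the one-CIDR-per-line CSV layout, separate IPv4 and IPv6 IP sets and the environment variable names are assumptions, and the sample CSV and stream records are constructed:

```python
"""DynamoDB Streams -> CSV -> AWS WAF IP set synchroniser.

Added example illustrating the mechanism described in the article; it is
not the article's Lambda code. Assumptions not taken from the article: the
table's partition key is "IPAddress" holding a CIDR string, the CSV holds one
CIDR per line, the solution keeps one IPv4 and one IPv6 IP set, and the
environment variable names used in lambda_handler.
"""
import csv
import io
import os

# Constructed sample state: the CSV as it was before this stream batch.
SAMPLE_CSV = "198.51.100.20/32\n203.0.113.7/32\n2600:1f18:235a:cf10:39c8:a57a:dc21:8b91/128\n"

# Constructed stream batch: one new block, one manual deletion (the false
# positive from the article's screenshots) and one TTL expiry.
SAMPLE_RECORDS = [
    {"eventName": "INSERT",
     "dynamodb": {"Keys": {"IPAddress": {"S": "192.0.2.44/32"}}}},
    {"eventName": "REMOVE",   # operator deleted the item in the console
     "dynamodb": {"Keys": {"IPAddress": {"S": "2600:1f18:235a:cf10:39c8:a57a:dc21:8b91/128"}}}},
    {"eventName": "REMOVE",   # block period elapsed: DynamoDB TTL deleted the item
     "userIdentity": {"type": "Service", "principalId": "dynamodb.amazonaws.com"},
     "dynamodb": {"Keys": {"IPAddress": {"S": "203.0.113.7/32"}}}},
]


def cidrs_from_csv(text):
    """Parse the CSV of currently blocked addresses (one CIDR per row)."""
    return {row[0].strip() for row in csv.reader(io.StringIO(text)) if row and row[0].strip()}


def csv_from_cidrs(cidrs):
    """Serialise the blocked set back to the one-CIDR-per-line CSV."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for cidr in sorted(cidrs):
        writer.writerow([cidr])
    return buf.getvalue()


def is_ttl_expiry(record):
    """TTL deletions arrive as REMOVE records whose userIdentity principalId is
    dynamodb.amazonaws.com; that is how a finite block period ends."""
    ident = record.get("userIdentity") or {}
    return record.get("eventName") == "REMOVE" and ident.get("principalId") == "dynamodb.amazonaws.com"


def apply_stream_records(blocked, records):
    """Fold a batch of stream records into the set of blocked CIDRs.

    INSERT/MODIFY add the key; REMOVE (manual delete or TTL expiry) drops it.
    The IP set is always rebuilt from this set, which is why deleting an
    address from the IP set alone does not stick: it is still in the table and
    the CSV, and the next rebuild puts it back.
    """
    blocked = set(blocked)
    for record in records:
        cidr = record["dynamodb"]["Keys"]["IPAddress"]["S"]
        if record["eventName"] in ("INSERT", "MODIFY"):
            blocked.add(cidr)
        elif record["eventName"] == "REMOVE":
            blocked.discard(cidr)
    return blocked


def split_by_family(cidrs):
    """An AWS WAF IP set holds a single address family, so keep two lists."""
    v4 = sorted(c for c in cidrs if ":" not in c)
    v6 = sorted(c for c in cidrs if ":" in c)
    return v4, v6


def replace_ip_set(waf, name, scope, ip_set_id, addresses):
    """update_ip_set replaces the whole address list and needs a fresh lock token."""
    current = waf.get_ip_set(Name=name, Scope=scope, Id=ip_set_id)
    waf.update_ip_set(Name=name, Scope=scope, Id=ip_set_id,
                      Addresses=addresses, LockToken=current["LockToken"])


def lambda_handler(event, context):
    """Stream-triggered entry point. boto3 is imported here so the pure
    functions above stay testable without AWS credentials."""
    import boto3
    s3, waf = boto3.client("s3"), boto3.client("wafv2")
    bucket, key, scope = os.environ["BUCKET"], os.environ["CSV_KEY"], os.environ["SCOPE"]
    try:
        current = cidrs_from_csv(s3.get_object(Bucket=bucket, Key=key)["Body"].read().decode())
    except s3.exceptions.NoSuchKey:
        current = set()
    updated = apply_stream_records(current, event["Records"])
    s3.put_object(Bucket=bucket, Key=key, Body=csv_from_cidrs(updated).encode())
    v4, v6 = split_by_family(updated)
    replace_ip_set(waf, os.environ["IPSET_V4_NAME"], scope, os.environ["IPSET_V4_ID"], v4)
    replace_ip_set(waf, os.environ["IPSET_V6_NAME"], scope, os.environ["IPSET_V6_ID"], v6)
    return {"blocked": len(updated), "expired": sum(map(is_ttl_expiry, event["Records"]))}
```

Running the constructed batch against the constructed CSV leaves only 198.51.100.20/32 and the newly inserted 192.0.2.44/32 in the list; the IPv6 false positive is gone because the stream saw its table item deleted, and 203.0.113.7/32 is gone because its TTL expired. The IP set is then overwritten with exactly that list, so an address removed only from the IP set would reappear on the next invocation.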



