This presentation introduces users to the AWS WAF service and its components, and explains why AWS Firewall Manager is needed for a multi-account landing zone.
3. Akesh Patil
Sr. Cloud Architect
Digital & Cloud Consulting
AWS Community Builder | AWS APN Ambassador
Speaker
4. AWS WAF
AWS WAF is a web application firewall that lets you monitor the HTTP(S) requests that are forwarded to your protected web application resources.
What AWS WAF can do
• Monitor web requests that your end users send to your applications and control access to your content
• Protect against common web exploits and bots that can affect availability, compromise security, or consume excessive resources
• Control bot traffic and block common attack patterns such as SQL injection or cross-site scripting (XSS)
5. Resources protected by AWS WAF
• Amazon CloudFront distribution
• Amazon API Gateway REST API
• Application Load Balancer
• AWS AppSync GraphQL API
• Amazon Cognito user pool
• AWS App Runner service
• AWS Verified Access instance
7. AWS WAF Behaviours
• Allow – Allow all requests except the ones that you specify
• Block – Block all requests except the ones that you specify
• Count – Count requests that match your criteria
• Run – Run CAPTCHA or challenge checks against requests that match your criteria
8. Options to protect against web application exploits
AWS WAF Rule Statements
• Tell AWS WAF how to inspect web requests
• Every rule has a single top-level rule statement, which may contain other statements
• Can be a simple or a complex rule
AWS Managed Rules
• Curated and maintained by the AWS Threat Research Team
• Provide protection against common application vulnerabilities
• Include baseline rule groups, use-case-specific rule groups and IP reputation rule groups
Custom Rules
• Rules specific to your application that block undesired patterns
AWS Marketplace Rules
• Rules created by security partners
• Available by subscription
9. Considerations for AWS WAF Implementation
Protections
• Identify usage patterns and baseline requirements based on previous incidents and observations
• Start with the baseline rule groups and the Amazon IP reputation list from the AWS Managed Rules
Governance
• How to manage and monitor WAF implementations across the organization
• Use AWS Firewall Manager to manage WAF configurations centrally
12. Application Layer Defense
Web ACLs and Managed Rules
• Cross-site scripting
• SQL injection
Custom Rules
• Block requests with header x-tomatoattack
Rate-based Rules
• Block requests from an originating IP address based on request count
Advanced Custom Rules
• JSON-based rules
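As an added example that is not part of the deck, the four rule families from slides 8 and 12 written out as the JSON document a wafv2 web ACL actually takes (managed rule group, custom header rule, rate-based rule, JSON-body rule), built in Python and checked for the mistakes the API rejects most often. The rule names, the 2000-request limit, the JSON-body paths and the use of a size constraint to match the presence of the x-tomatoattack header are my assumptions, not the presenter's configuration.

```python
"""Build an AWS WAF (wafv2) web ACL document covering the four rule families
on slides 8 and 12, then validate it before it is sent to CreateWebACL.
Added example: names, limits and the header-presence technique are assumptions."""
import json
import re

NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,128}$")  # allowed for Name and MetricName


def visibility(metric_name):
    """Every rule, and the ACL itself, needs CloudWatch/sampled-request settings."""
    return {"SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}


def managed_rule_group(priority, group):
    """AWS Managed Rules reference. Rule-group rules carry OverrideAction, not
    Action: None keeps each rule's own action, Count puts the whole group in
    monitoring mode (useful before enforcing a newly added group)."""
    return {"Name": f"AWS-{group}", "Priority": priority,
            "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": group}},
            "OverrideAction": {"None": {}},
            "VisibilityConfig": visibility(f"AWS-{group}")}


def block_header_present(priority, header):
    """Custom rule: block requests carrying the given header (the deck's
    x-tomatoattack example). A size constraint of > 0 bytes on SingleHeader
    matches only when the header is present with a non-empty value; a request
    without the header does not match at all (assumed intent of the slide)."""
    return {"Name": f"Block-{header}", "Priority": priority,
            "Statement": {"SizeConstraintStatement": {
                "FieldToMatch": {"SingleHeader": {"Name": header.lower()}},
                "ComparisonOperator": "GT", "Size": 0,
                "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}},
            "Action": {"Block": {}},
            "VisibilityConfig": visibility(f"Block-{header}")}


def rate_limit_per_ip(priority, limit):
    """Rate-based rule: block a source IP while it exceeds `limit` requests
    in any trailing 5-minute window."""
    return {"Name": "RateLimitPerIP", "Priority": priority,
            "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
            "Action": {"Block": {}},
            "VisibilityConfig": visibility("RateLimitPerIP")}


def sqli_in_json_body(priority, paths):
    """Advanced custom rule: run the SQL-injection detector over chosen keys of
    a JSON body (JSON-pointer paths), after URL and HTML-entity decoding."""
    return {"Name": "SqliInJsonBody", "Priority": priority,
            "Statement": {"SqliMatchStatement": {
                "FieldToMatch": {"JsonBody": {
                    "MatchPattern": {"IncludedPaths": paths},
                    "MatchScope": "VALUE",
                    "InvalidFallbackBehavior": "EVALUATE_AS_STRING",
                    "OversizeHandling": "CONTINUE"}},
                "TextTransformations": [{"Priority": 0, "Type": "URL_DECODE"},
                                        {"Priority": 1, "Type": "HTML_ENTITY_DECODE"}]}},
            "Action": {"Block": {}},
            "VisibilityConfig": visibility("SqliInJsonBody")}


def build_web_acl():
    """Allow-list posture: DefaultAction Allow, rules block what they match.
    Scope REGIONAL suits ALB/API Gateway; CloudFront needs CLOUDFRONT in us-east-1."""
    return {"Name": "example-web-acl", "Scope": "REGIONAL",
            "DefaultAction": {"Allow": {}},
            "Rules": [managed_rule_group(0, "AWSManagedRulesCommonRuleSet"),
                      managed_rule_group(1, "AWSManagedRulesAmazonIpReputationList"),
                      block_header_present(2, "x-tomatoattack"),
                      rate_limit_per_ip(3, 2000),
                      sqli_in_json_body(4, ["/username", "/password"])],
            "VisibilityConfig": visibility("example-web-acl")}


def validate(web_acl):
    """Return the problems the API would reject (empty list means OK): duplicate
    priorities, the wrong action key for the statement type, bad names, or a
    document that is not JSON-serialisable."""
    problems, seen = [], set()
    for rule in web_acl["Rules"]:
        name, prio = rule["Name"], rule["Priority"]
        if prio in seen:
            problems.append(f"{name}: duplicate priority {prio}")
        seen.add(prio)
        is_group = bool({"ManagedRuleGroupStatement", "RuleGroupReferenceStatement"}
                        & set(rule["Statement"]))
        if is_group != ("OverrideAction" in rule) or is_group == ("Action" in rule):
            problems.append(f"{name}: rule groups need OverrideAction only, other rules Action only")
        if not (NAME_RE.match(name) and NAME_RE.match(rule["VisibilityConfig"]["MetricName"])):
            problems.append(f"{name}: Name/MetricName must be 1-128 chars of [A-Za-z0-9_-]")
    json.dumps(web_acl)  # raises TypeError if something non-serialisable slipped in
    return problems
```

Running `validate(build_web_acl())` returns an empty list; introducing a second rule with priority 0, or adding an OverrideAction to a plain rule, produces the corresponding message. The validated dictionary is what you would pass to `create_web_acl` in boto3 or dump as the CLI's `--cli-input-json` file.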
13. DDoS protection with AWS Shield
Standard
• Available for all AWS clients without additional charge
• Protection against common attacks (SYN/UDP floods, reflection attacks etc., Layer 3/4)
• Automatic detection and mitigation
Advanced
• Charged service that provides additional protection against more complex attacks
• Protection against advanced attacks (Layer 7)
• 24x7 DDoS response team
• Cost protection
• Better monitoring/visualization
18. AWS Firewall Manager
AWS Firewall Manager is a security management service that allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations.
What AWS Firewall Manager can do
• Simplifies administration and maintenance tasks across multiple accounts and resources
• Helps to protect resources across accounts
• Helps to protect all resources of a particular type, such as all Amazon CloudFront distributions
• Helps to protect all resources with specific tags
• Automatically adds protection to resources that are added to your account
• Allows you to apply security group rules to all member accounts or specific subsets of accounts in an AWS Organizations organization
• Lets you use your own rules, or purchase managed rules from AWS Marketplace
19. AWS Firewall Manager prerequisites
AWS Organizations – Your organization must be using AWS Organizations to manage your accounts, and All Features must be enabled.
Firewall administrator AWS account – Designate one of the AWS accounts in your organization as the administrator for AWS Firewall Manager.
AWS Config – You must enable AWS Config for all the accounts in your organization and in the required regions so that AWS Firewall Manager can detect newly created resources.
21. Monitoring & Governance
• AWS FMS integration with Security Hub will send the following findings:
• resources that are not properly protected by WAF rules
• resources that are not properly protected by Shield Advanced
• Shield Advanced findings that indicate a Distributed Denial of Service attack is underway
• security groups that are being used incorrectly
AWS WAF is a web application firewall (WAF) that helps you protect your websites and web applications against various attack vectors at the application layer (OSI Layer 7).
Security is a shared responsibility between AWS and the customer, with responsibility boundaries that vary depending on factors such as the AWS services used. For example, when you build your web application with AWS services such as Amazon CloudFront, Amazon API Gateway, Application Load Balancer, or AWS AppSync, you are responsible for protecting your web application at Layer 7 of the OSI model. AWS WAF is a tool that helps you protect web applications by filtering and monitoring HTTP(S) traffic, including traffic from the public internet. Web application firewalls (WAFs) protect applications at the application layer from common web exploits that can affect application availability, compromise security, and consume excessive resources. For example, you can use AWS WAF to protect against attacks such as cross-site request forgery, cross-site scripting (XSS), file inclusion, and SQL injection, among other threats in the OWASP Top 10. This layer of security can be used together with a suite of tools to create a holistic defense-in-depth architecture.
AWS WAF is a managed web application firewall that can be used in conjunction with a wide variety of networking and security services such as Amazon Virtual Private Cloud (Amazon VPC), and AWS Shield Advanced.
What AWS WAF can do
Filter web traffic - Create rules to filter web requests based on conditions such as IP addresses, HTTP headers and body, or custom URIs.
Prevent account takeover fraud - Monitor your application’s login page for unauthorized access to user accounts using compromised credentials.
Using AWS WAF has several benefits:
Additional protection against web attacks using criteria that you specify. You can define criteria using characteristics of web requests such as the following:
IP addresses that requests originate from.
Country that requests originate from.
Values in request headers.
Strings that appear in requests, either specific strings or strings that match regular expression (regex) patterns.
Length of requests.
Presence of SQL code that is likely to be malicious (known as SQL injection).
Presence of a script that is likely to be malicious (known as cross-site scripting).
Rules that can allow, block, or count web requests that meet the specified criteria. Alternatively, rules can block or count web requests that not only meet the specified criteria, but also exceed a specified number of requests in any 5-minute period.
Rules that you can reuse for multiple web applications.
Managed rule groups from AWS and AWS Marketplace sellers.
Real-time metrics and sampled web requests.
Automated administration using the AWS WAF API.
AWS WAF can be natively enabled on CloudFront, Amazon API Gateway, Application Load Balancer, or AWS AppSync and is deployed alongside these services. AWS services terminate the TCP/TLS connection, process incoming HTTP requests, and then pass the request to AWS WAF for inspection and filtering. Unlike traditional appliance-based WAFs, there is no need to deploy and manage infrastructure, or plan for capacity. AWS WAF provides flexible options for implementing protections through managed rules, partner-provided rules, and custom rules that you can write yourself.
It’s important to understand that with AWS WAF, you are controlling ingress traffic to your application.
Before deciding how to deploy AWS WAF, you need to understand what type of threats your web applications may be facing and the protection options available with AWS WAF. Web applications face different kinds of threats that AWS WAF can help you mitigate.
Distributed denial of service (DDoS) attacks – Try to exhaust your application resources so that they are not available to your customers. At Layer 7, DDoS attacks are typically well-formed HTTP requests that attempt to exhaust your application servers and resources.
Web application attacks – Try to exploit a weakness in your application code or its underlying software to steal web content, gain control over web servers, or alter databases; these can involve HTTP requests with deliberately malformed arguments.
Bots – Generate a large portion of the internet's website traffic. Some good bots, such as those associated with search engines, crawl websites for indexing. However, bad bots may scan applications looking for vulnerabilities, scrape content, poison backend systems, or disrupt analytics.
Allow all requests except the ones that you specify – This is useful when you want Amazon CloudFront, Amazon API Gateway, Application Load Balancer, AWS AppSync, Amazon Cognito, AWS App Runner, or AWS Verified Access to serve content for a public website, but you also want to block requests from attackers.
Block all requests except the ones that you specify – This is useful when you want to serve content for a restricted website whose users are readily identifiable by properties in web requests, such as the IP addresses that they use to browse to the website.
Count requests that match your criteria – You can use the Count action to track your web traffic without modifying how you handle it. You can use this for general monitoring and also to test your new web request handling rules. When you want to allow or block requests based on new properties in the web requests, you can first configure AWS WAF to count the requests that match those properties. This lets you confirm your new configuration settings before you switch your rules to allow or block matching requests.
Run CAPTCHA or challenge checks against requests that match your criteria – You can implement CAPTCHA and silent challenge controls against requests to help reduce bot traffic to your protected resources.
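The four behaviours above, and the 5-minute rate window mentioned earlier in the notes, modelled as a small local evaluator. This is an added example with constructed traffic, not AWS code: it shows why Count is safe for trialling a new rule (the match is recorded but the request's disposition is unchanged) and how a rate-based rule starts blocking once a source exceeds the limit and stops once the window slides past. The real service aggregates rate counts periodically rather than per request; that simplification and the toy limit of 3 requests are mine.

```python
"""Toy model of how a web ACL disposes of a request, showing the behaviours
on the slide: default Allow vs Block, Count as a non-terminating action used
to trial a rule, and a rate-based rule over a trailing 5-minute window.
Added example with constructed traffic; not AWS code and simplified."""
from collections import defaultdict, deque

FIVE_MINUTES = 300  # seconds; the window a rate-based rule counts over


class RateTracker:
    """Sliding window of request timestamps per aggregation key (here: IP)."""

    def __init__(self, limit, window=FIVE_MINUTES):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def over_limit(self, key, now):
        q = self.hits[key]
        q.append(now)
        while q and now - q[0] >= self.window:  # forget requests outside the window
            q.popleft()
        return len(q) > self.limit


def evaluate(web_acl, request, now, trackers):
    """Return (disposition, names_of_count_matches). Rules run in priority
    order; ALLOW/BLOCK terminate evaluation, COUNT records the match and
    continues; if no rule terminates, the ACL default action applies."""
    counted = []
    for rule in sorted(web_acl["rules"], key=lambda r: r["priority"]):
        if rule["match"] == "header":
            matched = rule["header"].lower() in {h.lower() for h in request["headers"]}
        elif rule["match"] == "rate":
            tracker = trackers.setdefault(rule["name"], RateTracker(rule["limit"]))
            matched = tracker.over_limit(request["ip"], now)
        else:
            raise ValueError(f"unknown match type {rule['match']}")
        if not matched:
            continue
        if rule["action"] == "COUNT":
            counted.append(rule["name"])
            continue
        return rule["action"], counted
    return web_acl["default_action"], counted


def run_scenario():
    """Constructed ACL and traffic: a rule being trialled in Count mode, a
    block on the x-tomatoattack header, and a rate limit of 3 requests per
    window (far below any real value, to keep the sample short)."""
    acl = {"default_action": "ALLOW", "rules": [
        {"name": "CountNewRule", "priority": 0, "match": "header",
         "header": "x-new-rule-test", "action": "COUNT"},
        {"name": "BlockTomato", "priority": 1, "match": "header",
         "header": "x-tomatoattack", "action": "BLOCK"},
        {"name": "RateLimit", "priority": 2, "match": "rate",
         "limit": 3, "action": "BLOCK"},
    ]}
    traffic = [  # (timestamp in seconds, request): constructed sample data
        (0, {"ip": "198.51.100.7", "headers": {"x-tomatoattack": "1"}}),
        (1, {"ip": "198.51.100.8", "headers": {"x-new-rule-test": "yes"}}),
    ]
    traffic += [(10 + i, {"ip": "203.0.113.5", "headers": {}}) for i in range(5)]
    traffic.append((400, {"ip": "203.0.113.5", "headers": {}}))  # window has slid past
    trackers = {}
    return [evaluate(acl, req, now, trackers) for now, req in traffic]


if __name__ == "__main__":
    for disposition, counted in run_scenario():
        print(disposition, counted)
```

The scenario yields BLOCK for the x-tomatoattack request, ALLOW with `CountNewRule` recorded for the trial request, ALLOW for the first three requests from 203.0.113.5, BLOCK for the fourth and fifth, and ALLOW again at t=400 once the five earlier requests have aged out of the window. Swapping `default_action` to "BLOCK" models the restricted-site posture described above.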
Baseline rule groups – Cover some of the common threats and security risks described in the OWASP Top 10 publication.
Use-case specific rule groups – Provide incremental protection based on your application characteristics, such as the application OS or database.
IP reputation rule groups – An IP reputation list derived from the Amazon threat intelligence team blocks known malicious IP addresses.
After you have identified which threats are applicable for your application, define your baseline criteria for success. If your application does not use a SQL database, you can save WAF capacity units by not adding SQL injection detection rules. AWS recommends that you add WAF rules that are specific to your application’s requirements, because adding unnecessary rules can lead to an increase in false positives.
For existing applications, you may already have visibility into application usage patterns and be looking to block malicious requests identified from previous incidents and observations. Therefore, you may be looking for protections against a specific attack. If you are already using a WAF implementation, you may have a baseline of the average number of requests blocked by the existing WAF rules. In some cases, you may have visibility into the existing rules implemented and you can implement similar rules in AWS WAF.
Comparing AWS Managed Rules and custom rules
Depending on your organization’s resources and security culture, you must decide how to implement AWS WAF. You can deploy out-of-the-box AWS Managed Rules sets, create your own custom rules, or use a combination of both. For most applications, AWS recommends starting with the baseline rule groups and the Amazon IP reputation list from the AWS Managed Rules, then selecting application specific rule groups that match the application’s profile.
Governance
You might also have governance requirements to define how to manage and monitor WAF implementations across your organization. In some organizations, WAF configurations are managed centrally by a security team. In this case, the security team must audit and ensure that WAF is configured correctly across resources managed by application teams. In other organizations, WAF configuration and deployment is managed by the application teams so that the WAF rules deployed can be specific to the protected application.
To simplify centralized management of AWS WAF
Defending against application layer attacks requires an architecture that allows you to specifically detect, scale to absorb, and block malicious requests. This is an important consideration because network-based DDoS mitigation systems are generally ineffective at mitigating complex application layer attacks.
When your application runs on AWS, you can leverage both Amazon CloudFront and AWS WAF to help defend against application layer DDoS attacks.
Amazon CloudFront allows you to cache static content and serve it from AWS edge locations, which can help reduce the load on your origin. It can also help reduce server load by preventing non-web traffic from reaching your origin. Additionally, CloudFront can automatically close connections from slow reading or slow writing attackers (for example, Slowloris).
By using AWS WAF, you can configure web access control lists (Web ACLs) on your CloudFront distributions or Application Load Balancers to filter and block requests based on request signatures. Each Web ACL consists of rules that you can configure to string match or regex match one or more request attributes, such as the URI, query string, HTTP method, or header key. In addition, by using AWS WAF's rate-based rules, you can automatically block the IP addresses of bad actors when requests matching a rule exceed a threshold that you define. This is useful for mitigating HTTP flood attacks that are disguised as regular web traffic.
In addition to using AWS WAF, AWS recommends reviewing AWS Shield Advanced, which detects application layer attacks such as HTTP floods or DNS query floods by baselining traffic on your application and identifying anomalies. With the assistance of the Shield Response Team (SRT), AWS Shield Advanced includes intelligent DDoS attack detection and mitigation not only for network layer (Layer 3) and transport layer (Layer 4) attacks, but also for application layer (Layer 7) attacks.
AWS Shield Standard – All AWS customers benefit from the automatic protection of Shield Standard, at no additional charge. Shield Standard defends against the most common, frequently occurring network and transport layer DDoS attacks that target your website or applications.
AWS Shield Advanced is a managed service that helps you protect your application against external threats, like DDoS attacks, volumetric bots, and vulnerability exploitation attempts. For higher levels of protection against attacks, you can subscribe to AWS Shield Advanced.
Use AWS Firewall Manager to deploy protection at scale in AWS Organizations | AWS Security Blog (amazon.com)
AWS Firewall Manager simplifies your administration and maintenance tasks across multiple accounts and resources for a variety of protections, including AWS WAF, AWS Shield Advanced, Amazon VPC security groups, AWS Network Firewall, and Amazon Route 53 Resolver DNS Firewall. With Firewall Manager, you set up your protections just once and the service automatically applies them across your accounts and resources, even as you add new accounts and resources.
Firewall Manager provides these benefits:
Helps to protect resources across accounts
Helps to protect all resources of a particular type, such as all Amazon CloudFront distributions
Helps to protect all resources with specific tags
Automatically adds protection to resources that are added to your account
Allows you to subscribe all member accounts in an AWS Organizations organization to AWS Shield Advanced, and automatically subscribes new in-scope accounts that join the organization
Allows you to apply security group rules to all member accounts or specific subsets of accounts in an AWS Organizations organization, and automatically applies the rules to new in-scope accounts that join the organization
Lets you use your own rules, or purchase managed rules from AWS Marketplace
Firewall Manager is particularly useful when you want to protect your entire organization rather than a small number of specific accounts and resources, or if you frequently add new resources that you want to protect. Firewall Manager also provides centralized monitoring of DDoS attacks across your organization.
AWS Firewall Manager is a security management service that allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations. As new applications are created, Firewall Manager makes it easier to bring new applications and resources into compliance by enforcing a common set of security rules.
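The Firewall Manager benefits listed above (protect every resource of a type, select by tag, exclude accounts, auto-remediate) correspond to fields of a Firewall Manager policy. As an added example that is not from the deck or from AWS, the following builds a WAFV2 policy that places the baseline managed rule groups in front of every Application Load Balancer tagged Environment=prod in the organization, and decides which constructed resources would be in scope. Field names follow the FMS PutPolicy API as documented; the account id, tag values and names are placeholders, and treating multiple ResourceTags as an AND condition is my assumption to check against the current documentation.

```python
"""Build an AWS Firewall Manager (FMS) WAFV2 policy and evaluate which
resources it covers. Added example: PutPolicy field names as documented,
placeholder ids/tags, AND semantics for multiple ResourceTags assumed."""
import json


def waf_managed_service_data(groups, default_action="ALLOW"):
    """FMS embeds the WAF configuration as a JSON *string* (ManagedServiceData),
    so it is serialised separately from the enclosing policy document. This
    double encoding is the usual source of 'invalid policy' errors."""
    return json.dumps({
        "type": "WAFV2",
        "preProcessRuleGroups": [
            {"ruleGroupType": "ManagedRuleGroup",
             "managedRuleGroupIdentifier": {"vendorName": "AWS",
                                            "managedRuleGroupName": g,
                                            "version": None},
             "overrideAction": {"type": "NONE"},
             "excludeRules": []}
            for g in groups],
        "postProcessRuleGroups": [],
        "defaultAction": {"type": default_action},
        "overrideCustomerWebACLAssociation": False,
    })


def build_policy():
    """Policy for all ALBs tagged Environment=prod, except one excluded
    account (placeholder id), with automatic remediation switched on."""
    return {
        "PolicyName": "org-alb-baseline-waf",
        "SecurityServicePolicyData": {
            "Type": "WAFV2",
            "ManagedServiceData": waf_managed_service_data(
                ["AWSManagedRulesCommonRuleSet", "AWSManagedRulesAmazonIpReputationList"]),
        },
        "ResourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer",
        "ResourceTags": [{"Key": "Environment", "Value": "prod"}],
        "ExcludeResourceTags": False,  # True inverts the filter: everything *except* tagged
        "RemediationEnabled": True,    # FMS creates/associates the web ACL when a resource drifts
        "ExcludeMap": {"ACCOUNT": ["111111111111"]},  # placeholder: e.g. a sandbox account
    }


def rule_group_names(policy):
    """Decode the nested JSON string to recover the managed groups in the policy."""
    msd = json.loads(policy["SecurityServicePolicyData"]["ManagedServiceData"])
    return [g["managedRuleGroupIdentifier"]["managedRuleGroupName"]
            for g in msd["preProcessRuleGroups"]]


def in_scope(policy, resource):
    """Would FMS apply `policy` to `resource` ({'account', 'type', 'tags'})?
    The type must match, the account must not be excluded (or must be listed
    when an IncludeMap is set), and the tag filter applies, inverted when
    ExcludeResourceTags is True. OU-based maps are omitted for brevity."""
    if resource["type"] != policy["ResourceType"]:
        return False
    account = resource["account"]
    include = policy.get("IncludeMap", {}).get("ACCOUNT")
    if include is not None and account not in include:
        return False
    if account in policy.get("ExcludeMap", {}).get("ACCOUNT", []):
        return False
    wanted = {(t["Key"], t["Value"]) for t in policy["ResourceTags"]}
    tagged = wanted <= set(resource["tags"].items())
    return (not tagged) if policy["ExcludeResourceTags"] else tagged
```

`build_policy()` is the shape you would hand to `put_policy` in boto3 from the Firewall Manager administrator account; `in_scope` makes the tag and account filters concrete, including the inverted case where `ExcludeResourceTags` is True and only untagged resources are covered.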