Introduction to AWS WAF and AWS Firewall Manager
June 2023
Agenda
• Service Introduction
• Service Enablement
• Pricing
• Monitoring and Governance
Akesh Patil
Sr. Cloud Architect, Digital & Cloud Consulting
AWS Community Builder | AWS APN Ambassador | Speaker
AWS WAF
AWS WAF is a web application firewall that lets you monitor and control the HTTP(S) requests forwarded to your protected web application resources.
What AWS WAF can do
• Monitor the web requests that end users send to your applications, and control access to your content
• Protect against common web exploits and bots that can affect availability, compromise security or consume excessive resources
• Control bot traffic and block common attack patterns such as SQL injection (SQLi) and cross-site scripting (XSS)
Resources protected by AWS WAF
• Amazon CloudFront distribution
• Amazon API Gateway REST API
• Application Load Balancer
• AWS AppSync GraphQL API
• Amazon Cognito user pool
• AWS App Runner service
• AWS Verified Access instance
A web ACL for CloudFront must be created with the CLOUDFRONT scope in us-east-1; every other resource type uses a REGIONAL web ACL created in the same Region as the resource, and a web ACL can only be associated with resources of the scope it was created for.
How it works
Requests for a protected resource are evaluated against the rules of the associated web ACL in priority order, and each request is allowed, blocked, counted or challenged before it reaches the application.
AWS WAF behaviours
• Allow: allow all requests except the ones that you specify (web ACL default action Allow, with rules that Block)
• Block: block all requests except the ones that you specify (web ACL default action Block, with rules that Allow)
• Count: count requests that match your criteria without affecting them. Count is non-terminating, so evaluation continues with the next rule; Allow, Block, CAPTCHA and Challenge terminate evaluation
• CAPTCHA / Challenge: run a CAPTCHA puzzle or a silent browser challenge against requests that match your criteria
Options to protect against web application exploits
AWS WAF rule statements
• Tell AWS WAF how to inspect a web request
• Every rule has a single top-level rule statement, which can nest other statements (AND, OR, NOT)
• Rules can be simple or complex
AWS Managed Rules
• Curated and maintained by the AWS Threat Research Team
• Protect against common application vulnerabilities
• Include baseline rule groups, use-case specific rule groups and IP reputation rule groups
Custom rules
• Rules specific to your application that block undesired patterns
AWS Marketplace rules
• Rules created by security partners
• Available by subscription
Two limits to keep in mind when composing a web ACL: every rule and rule group consumes web ACL capacity units (WCUs) against the web ACL's budget (1,500 by default), and rule statements that inspect the request body only see the first 8 KB (regional resources) or 16 KB (CloudFront, by default). Set oversize handling on such statements so that requests with larger bodies are blocked or counted rather than passed through with only the first bytes inspected.
Considerations for AWS WAF implementation
Protections
• Identify usage patterns and baseline requirements from previous incidents and observations
• Start with the baseline rule groups and the Amazon IP reputation list from AWS Managed Rules
• Deploy new rules and rule groups in Count mode first, review the matches in the WAF logs and sampled requests, and switch them to Block only after false positives have been tuned out
Governance
• Decide how WAF implementations are managed and monitored across the organization
• Use AWS Firewall Manager to manage WAF configurations centrally
OWASP Juice Shop (demo application)
Attack Surface Reduction
Application layer defense
Web ACLs and managed rules
• Cross-site scripting (XSS)
• SQL injection
Custom rules
• Block requests that carry the header x-tomatoattack
Rate-based rules
• Block the originating IP address once its request count over the evaluation window (5 minutes) exceeds the configured limit
Advanced custom rules
• JSON-based rules, written directly as rule statements in the web ACL's JSON editor
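The behaviours listed above and the layered rules on this slide combine in one fixed way: rules run in priority order, Allow/Block/CAPTCHA/Challenge stop evaluation, Count records the match and moves on, and the web ACL's default action applies when nothing terminates. The Python below is an added illustration of that evaluation, not AWS code or the presenter's. The SQLi and XSS matchers are toy signatures standing in for the managed rule groups, the rule names are assumed, and the rate-based rule uses a fixed 5-minute window with a limit of 100, evaluated synchronously (the real service aggregates with a delay of roughly 30 seconds).

```python
"""Model of how an AWS WAF web ACL applies its behaviours: rules are evaluated in
priority order, Allow/Block/CAPTCHA/Challenge terminate evaluation, Count does not,
and the web ACL's default action applies when no terminating rule matches.

Added illustration, not AWS code. The SQLi/XSS matchers are toy signatures standing
in for the managed rule groups; the rate-based rule uses a fixed 5-minute window and
counts synchronously (the real service aggregates with a delay of ~30 seconds)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable
import re

RATE_WINDOW_SECONDS = 300  # assumed fixed 5-minute aggregation window


@dataclass
class Request:
    client_ip: str
    uri: str
    args: str = ""                    # query string
    headers: dict = field(default_factory=dict)
    body: str = ""
    ts: float = 0.0                   # epoch seconds, used only by the rate-based rule


@dataclass
class Rule:
    name: str
    priority: int                     # lower runs first, as in a web ACL
    action: str                       # ALLOW | BLOCK | COUNT | CAPTCHA | CHALLENGE
    matcher: Callable[[Request], bool]


# Toy signatures only: the real managed rule groups inspect far more patterns and
# apply text transformations (URL decoding, lowercasing, ...) before matching.
SQLI_RE = re.compile(r"(?i)(\bunion\b\s+\bselect\b|'\s*or\s+'?1'?\s*=\s*'?1|;\s*drop\s+table)")
XSS_RE = re.compile(r"(?i)(<script\b|javascript:|\bon(load|error|mouseover)\s*=)")


def sqli(req: Request) -> bool:
    return bool(SQLI_RE.search(req.args) or SQLI_RE.search(req.body))


def xss(req: Request) -> bool:
    return bool(XSS_RE.search(req.args) or XSS_RE.search(req.body))


def tomato_header(req: Request) -> bool:
    # The custom rule from the slide: the request carries an x-tomatoattack header.
    return any(name.lower() == "x-tomatoattack" for name in req.headers)


class RateBasedRule:
    """Per-IP request counter: matches once an IP exceeds `limit` requests in the window."""

    def __init__(self, limit: int):
        self.limit = limit
        self.hits = defaultdict(deque)

    def __call__(self, req: Request) -> bool:
        window = self.hits[req.client_ip]
        window.append(req.ts)
        while window and req.ts - window[0] > RATE_WINDOW_SECONDS:
            window.popleft()          # drop requests that fell out of the window
        return len(window) > self.limit


class WebACL:
    def __init__(self, rules, default_action="ALLOW"):
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.default_action = default_action

    def evaluate(self, req: Request):
        """Return (action, terminating rule name, rules that matched in Count mode)."""
        counted = []
        for rule in self.rules:
            if not rule.matcher(req):
                continue
            if rule.action == "COUNT":
                counted.append(rule.name)   # non-terminating: keep evaluating
                continue
            return rule.action, rule.name, counted
        return self.default_action, "Default_Action", counted


def build_acl(rate_limit: int = 100) -> WebACL:
    """Layered web ACL from the slide: managed SQLi group blocking, managed XSS rule
    still in Count mode, the custom header rule, and a per-IP rate limit."""
    return WebACL(
        [
            Rule("AWS-AWSManagedRulesSQLiRuleSet", 0, "BLOCK", sqli),
            Rule("AWS-AWSManagedRulesCommonRuleSet-XSS", 1, "COUNT", xss),
            Rule("Block-x-tomatoattack-header", 2, "BLOCK", tomato_header),
            Rule("RateLimit-per-IP", 3, "BLOCK", RateBasedRule(rate_limit)),
        ],
        default_action="ALLOW",
    )


if __name__ == "__main__":
    acl = build_acl()
    print(acl.evaluate(Request("203.0.113.7", "/search", args="q=1' or '1'='1")))
    print(acl.evaluate(Request("203.0.113.7", "/search", args="q=<script>alert(1)</script>",
                               headers={"X-TomatoAttack": "1"})))
    for i in range(101):  # the 101st request inside the window trips the rate limit
        result = acl.evaluate(Request("198.51.100.9", "/login", ts=float(i)))
    print(result)
```

The second request in the usage shows the point of Count mode: the XSS rule matches and is recorded, but the request is still terminated by the header rule further down the priority list, exactly the ordering you see in a real web ACL's sampled requests.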
DDoS protection with AWS Shield
Shield Standard
• Available to all AWS customers at no additional charge
• Protection against common Layer 3/4 attacks (SYN/UDP floods, reflection attacks etc.)
• Automatic detection and mitigation
Shield Advanced
• Paid service that adds protection against larger and more sophisticated attacks
• Protection against application-layer (Layer 7) attacks, delivered through AWS WAF rules on the protected resource
• 24x7 access to the Shield Response Team (SRT)
• Cost protection against scaling charges caused by a DDoS attack
• Better monitoring and visualization
Logging
Web ACL traffic logs are delivered to one of:
• Amazon Kinesis Data Firehose delivery stream
• Amazon S3 bucket
• Amazon CloudWatch Logs log group
The destination's name must begin with aws-waf-logs-, it must be in the same Region as the web ACL (us-east-1 for CloudFront web ACLs), and sensitive fields such as the Authorization header or cookies can be redacted from the records before delivery.
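Whatever the destination, every logged request is one JSON record with a fixed shape: the terminating rule and action, the managed rule groups consulted (with the specific rule inside the group that fired or matched in Count mode), any rate-based rule that fired, and the request itself. The Python below is an added example, not from the slides, that reads such records and answers the two questions a Count-first rollout needs: which rules are actually blocking and whom, and which Count-mode rules have matched often enough to be reviewed for promotion to Block. The field names follow the documented WAF log format; the records themselves, the web ACL ARN, rule names and RFC 5737 client IPs are constructed for the example.

```python
"""Triage of AWS WAF logs (one JSON record per request, as delivered to S3 via
Kinesis Data Firehose). Added example, not from the slides; field names follow the
documented WAF log format, the records below are constructed."""
import json
from collections import Counter, defaultdict

WEBACL_ARN = "arn:aws:wafv2:ap-south-1:111122223333:regional/webacl/juice-shop/EXAMPLE"
COMMON = "AWS#AWSManagedRulesCommonRuleSet"
SQLI = "AWS#AWSManagedRulesSQLiRuleSet"


def _record(ts, ip, uri, action, rule_id, rule_type="REGULAR",
            rule_groups=(), non_terminating=(), rate_rules=(), args=""):
    """Build one constructed WAF log record with the fields the triage relies on."""
    return {
        "timestamp": ts, "formatVersion": 1, "webaclId": WEBACL_ARN,
        "terminatingRuleId": rule_id, "terminatingRuleType": rule_type, "action": action,
        "ruleGroupList": list(rule_groups), "rateBasedRuleList": list(rate_rules),
        "nonTerminatingMatchingRules": list(non_terminating),
        "httpRequest": {"clientIp": ip, "country": "IN", "uri": uri, "args": args, "httpMethod": "GET",
                        "headers": [{"name": "Host", "value": "juice.example.com"}]},
    }


SAMPLE_RECORDS = [
    # Managed SQLi group in Block mode terminated the request.
    _record(1686834000000, "203.0.113.7", "/rest/products/search", "BLOCK",
            "AWS-AWSManagedRulesSQLiRuleSet", "MANAGED_RULE_GROUP", args="q=1'%20or%20'1'%3D'1",
            rule_groups=[{"ruleGroupId": SQLI, "nonTerminatingMatchingRules": [],
                          "terminatingRule": {"ruleId": "SQLi_QUERYARGUMENTS", "action": "BLOCK"}}]),
    # Common rule set deployed with its action overridden to Count: XSS matched, request allowed.
    _record(1686834001000, "203.0.113.7", "/search", "ALLOW", "Default_Action", args="q=%3Cscript%3E",
            rule_groups=[{"ruleGroupId": COMMON, "terminatingRule": None, "nonTerminatingMatchingRules":
                          [{"ruleId": "CrossSiteScripting_QUERYARGUMENTS", "action": "COUNT"}]}]),
    _record(1686834002000, "192.0.2.44", "/profile", "ALLOW", "Default_Action", args="name=%3Cimg%20onerror%3D",
            rule_groups=[{"ruleGroupId": COMMON, "terminatingRule": None, "nonTerminatingMatchingRules":
                          [{"ruleId": "CrossSiteScripting_QUERYARGUMENTS", "action": "COUNT"}]}]),
    # Rate-based rule blocked an IP spraying the login endpoint.
    _record(1686834003000, "198.51.100.9", "/rest/user/login", "BLOCK", "RateLimit-per-IP", "RATE_BASED",
            rate_rules=[{"rateBasedRuleId": "RateLimit-per-IP", "limitKey": "IP", "maxRateAllowed": 100}]),
    # Custom rule still in Count mode (top-level nonTerminatingMatchingRules).
    _record(1686834004000, "192.0.2.44", "/api/Products", "ALLOW", "Default_Action",
            non_terminating=[{"ruleId": "Block-x-tomatoattack-header", "action": "COUNT"}]),
    _record(1686834005000, "192.0.2.10", "/", "ALLOW", "Default_Action"),
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)   # newline-delimited, as delivered


def parse_records(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize(records):
    blocked_by, blocked_ips, counted = Counter(), Counter(), Counter()
    samples = defaultdict(list)   # counted rule -> request targets to review for false positives

    def note_count(key, req):
        counted[key] += 1
        samples[key].append(req["uri"] + ("?" + req["args"] if req["args"] else ""))

    for rec in records:
        req = rec["httpRequest"]
        if rec["action"] == "BLOCK":
            rule = rec["terminatingRuleId"]
            for group in rec.get("ruleGroupList", []):
                term = group.get("terminatingRule")
                if term and term.get("action") == "BLOCK":
                    rule = f"{group['ruleGroupId']}/{term['ruleId']}"   # the rule inside the managed group
            blocked_by[rule] += 1
            blocked_ips[req["clientIp"]] += 1
        for match in rec.get("nonTerminatingMatchingRules", []):       # custom rules in Count mode
            if match.get("action") == "COUNT":
                note_count(match["ruleId"], req)
        for group in rec.get("ruleGroupList", []):                      # rule groups overridden to Count
            for match in group.get("nonTerminatingMatchingRules", []):
                if match.get("action") == "COUNT":
                    note_count(f"{group['ruleGroupId']}/{match['ruleId']}", req)
    return {"blocked_by": dict(blocked_by), "blocked_ips": dict(blocked_ips),
            "counted": dict(counted), "samples": dict(samples)}


def promotion_candidates(summary, min_hits=2):
    """Count-mode rules with at least `min_hits` matches: review their samples, then switch to Block."""
    return sorted(rule for rule, hits in summary["counted"].items() if hits >= min_hits)


if __name__ == "__main__":
    summary = summarize(parse_records(SAMPLE_LOG))
    print(json.dumps(summary, indent=2))
    print("review for promotion to Block:", promotion_candidates(summary))
```

The same record shape is what Athena queries over the S3 prefix or CloudWatch Logs Insights queries operate on; the `samples` list is the part to read before flipping a rule from Count to Block, since a managed rule that matches legitimate traffic (a search box that accepts angle brackets, say) is found here, not in the hit count.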
Multi-Account Landing Zone
Multi-Account Setup (Decentralized WAF)
Multi-Account Setup (Centralized WAF)
AWS Firewall Manager
AWS Firewall Manager is a security management service that lets you centrally configure and manage firewall rules (AWS WAF web ACLs, Shield Advanced protections, VPC security groups, AWS Network Firewall and Route 53 Resolver DNS Firewall rules) across your accounts and applications in AWS Organizations.
What AWS Firewall Manager can do
• Simplifies administration and maintenance tasks across multiple accounts and resources
• Helps to protect resources across accounts
• Helps to protect all resources of a particular type, such as all Amazon CloudFront distributions
• Helps to protect all resources with specific tags
• Automatically adds protection to resources that are added to your accounts, when auto-remediation is enabled for the policy
• Lets you apply security group rules to all member accounts or specific subsets of accounts in an AWS Organizations organization
• Lets you use your own rules, or purchase managed rules from AWS Marketplace
AWS Firewall Manager prerequisites
AWS Organizations: your organization must be using AWS Organizations to manage your accounts, with All Features enabled.
Firewall Manager administrator account: designate one of the accounts in your organization as the Firewall Manager administrator. This is done from the organization's management account, and the administrator account is where policies are created and compliance is viewed.
AWS Config: AWS Config must be enabled in every account in your organization and in every Region where you want protection, recording the resource types your policies cover, so that Firewall Manager can detect newly created and non-compliant resources.
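A Firewall Manager WAF policy ties the capabilities and prerequisites above together: it names a resource type, an account or OU scope and optional tag filters, and carries the web ACL definition that FMS creates in every member account in scope. The Python below is an added example, not from the slides. The outer fields follow the input shape of `aws fms put-policy --policy` and the embedded ManagedServiceData follows the documented WAFV2 format; the OU ID, account IDs, tags and Firehose ARN are placeholders, and the tag semantics modelled in `in_scope` (a resource must carry all listed tags to be included) are an assumption about FMS behaviour, not something the slides state.

```python
"""An AWS Firewall Manager WAF policy for every internet-facing Application Load
Balancer in one organizational unit, plus a model of how FMS scopes resources.
Added example, not from the slides. Outer fields follow the `aws fms put-policy`
input shape; ManagedServiceData follows the documented WAFV2 format. OU/account IDs,
tags and the Firehose ARN are placeholders; the all-tags-must-match rule in
in_scope() is an assumption."""
import json


def waf_policy(ou_id="ou-abcd-11111111",
               log_arn="arn:aws:firehose:ap-south-1:111122223333:deliverystream/aws-waf-logs-central"):
    def managed_group(name, override="NONE"):
        return {"ruleGroupArn": None, "overrideAction": {"type": override},
                "managedRuleGroupIdentifier": {"version": None, "vendorName": "AWS", "managedRuleGroupName": name},
                "ruleGroupType": "ManagedRuleGroup", "excludeRules": []}

    managed_service_data = {
        "type": "WAFV2",
        # Rule groups FMS places ahead of any rules the account adds to the web ACL itself.
        "preProcessRuleGroups": [
            managed_group("AWSManagedRulesAmazonIpReputationList"),
            managed_group("AWSManagedRulesCommonRuleSet", override="COUNT"),  # staged: observe first
        ],
        "postProcessRuleGroups": [],
        "defaultAction": {"type": "ALLOW"},
        "overrideCustomerWebACLAssociation": False,   # keep web ACLs accounts associated themselves
        "loggingConfiguration": {
            "logDestinationConfigs": [log_arn],        # stream name must begin with aws-waf-logs-
            "redactedFields": [{"redactedFieldType": "SingleHeader", "redactedFieldValue": "Authorization"}],
        },
    }
    return {
        "PolicyName": "org-baseline-waf",
        "RemediationEnabled": True,        # FMS creates/associates the web ACL on non-compliant resources
        "ResourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer",
        "ResourceTags": [{"Key": "exposure", "Value": "internet"}],
        "ExcludeResourceTags": False,      # tags act as an include filter
        "IncludeMap": {"ORG_UNIT": [ou_id]},
        "SecurityServicePolicyData": {
            "Type": "WAFV2",
            "ManagedServiceData": json.dumps(managed_service_data),   # a JSON string, not a nested object
        },
    }


def decoded_rule_groups(policy):
    """(name, override action) of each managed group, read back from the encoded string."""
    msd = json.loads(policy["SecurityServicePolicyData"]["ManagedServiceData"])
    return [(g["managedRuleGroupIdentifier"]["managedRuleGroupName"], g["overrideAction"]["type"])
            for g in msd["preProcessRuleGroups"]]


def in_scope(policy, resource):
    """Does the policy apply to `resource` ({'type', 'account', 'ou', 'tags'})? Model of FMS scoping."""
    if resource["type"] != policy["ResourceType"]:
        return False
    include = policy.get("IncludeMap", {})
    if include and not (resource["account"] in include.get("ACCOUNT", [])
                        or resource["ou"] in include.get("ORG_UNIT", [])):
        return False
    exclude = policy.get("ExcludeMap", {})
    if resource["account"] in exclude.get("ACCOUNT", []) or resource["ou"] in exclude.get("ORG_UNIT", []):
        return False
    wanted = {t["Key"]: t["Value"] for t in policy.get("ResourceTags", [])}
    has_all = all(resource["tags"].get(k) == v for k, v in wanted.items())   # assumed: all tags must match
    if wanted:
        return not has_all if policy["ExcludeResourceTags"] else has_all
    return True


if __name__ == "__main__":
    policy = waf_policy()
    print(json.dumps(policy, indent=2))   # save as policy.json, then: aws fms put-policy --policy file://policy.json
    alb = {"type": "AWS::ElasticLoadBalancingV2::LoadBalancer", "account": "111122223333",
           "ou": "ou-abcd-11111111", "tags": {"exposure": "internet"}}
    print(in_scope(policy, alb), decoded_rule_groups(policy))
```

Two details worth the attention of anyone writing these by hand: ManagedServiceData is a string containing JSON, so a nested object is rejected by the API, and RemediationEnabled is what turns "detect non-compliant resources" into "attach the web ACL automatically", which is why the AWS Config recorder has to cover the resource type in every Region the policy targets.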
Compliance Check
Monitoring & Governance
The AWS Firewall Manager integration with AWS Security Hub sends the following findings:
• Resources that are not properly protected by WAF rules
• Resources that are not properly protected by Shield Advanced
• Shield Advanced findings that indicate a distributed denial of service (DDoS) attack is underway
• Security groups that are being used incorrectly
AWS FMS Findings
Pricing
AWS WAF: charged per web ACL per month, per rule (or rule group) per web ACL per month, and per million requests inspected; some managed rule groups (for example Bot Control) and CAPTCHA/Challenge usage carry additional charges.
AWS Firewall Manager: charged per policy per Region per month, in addition to the charges for the AWS WAF, Shield Advanced and AWS Config resources the policies create and rely on.
Blazeclan Technologies Pvt Ltd
Godrej Eternia C, A-Wing, 8th Floor, Old Pune-Mumbai Rd, Wakadewadi, Shivajinagar, Pune, Maharashtra 411005
sales@blazeclan.com | www.blazeclan.com
More Related Content

What's hot

DDoS Mitigation Techniques and AWS Shield
DDoS Mitigation Techniques and AWS ShieldDDoS Mitigation Techniques and AWS Shield
DDoS Mitigation Techniques and AWS Shield
Amazon Web Services
 
Webinar AWS 201 - Using Amazon Virtual Private Cloud (VPC)
Webinar AWS 201 - Using Amazon Virtual Private Cloud (VPC)Webinar AWS 201 - Using Amazon Virtual Private Cloud (VPC)
Webinar AWS 201 - Using Amazon Virtual Private Cloud (VPC)
Amazon Web Services
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
Amazon Web Services
 
Introduction to AWS VPC, Guidelines, and Best Practices
Introduction to AWS VPC, Guidelines, and Best PracticesIntroduction to AWS VPC, Guidelines, and Best Practices
Introduction to AWS VPC, Guidelines, and Best Practices
Gary Silverman
 
Secure your Web Applications with AWS Web Application Firewall (WAF) and AWS ...
Secure your Web Applications with AWS Web Application Firewall (WAF) and AWS ...Secure your Web Applications with AWS Web Application Firewall (WAF) and AWS ...
Secure your Web Applications with AWS Web Application Firewall (WAF) and AWS ...
Amazon Web Services
 
Implementing your landing zone - FND210 - AWS re:Inforce 2019
Implementing your landing zone - FND210 - AWS re:Inforce 2019 Implementing your landing zone - FND210 - AWS re:Inforce 2019
Implementing your landing zone - FND210 - AWS re:Inforce 2019
Amazon Web Services
 
Introducing AWS Firewall Manager - AWS Online Tech Talks
Introducing AWS Firewall Manager - AWS Online Tech TalksIntroducing AWS Firewall Manager - AWS Online Tech Talks
Introducing AWS Firewall Manager - AWS Online Tech Talks
Amazon Web Services
 
AWS Security by Design
AWS Security by Design AWS Security by Design
AWS Security by Design
Amazon Web Services
 
Aws cloud watch
Aws cloud watchAws cloud watch
Aws cloud watch
Mahesh Raj
 
AWS Security Hub
AWS Security HubAWS Security Hub
AWS Security Hub
Crishantha Nanayakkara
 
Introduction to AWS Cost Management
Introduction to AWS Cost ManagementIntroduction to AWS Cost Management
Introduction to AWS Cost Management
Amazon Web Services
 
AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인
AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인
AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인
Amazon Web Services Korea
 
AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018
AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018
AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018
Amazon Web Services
 
AWS Systems manager 2019
AWS Systems manager 2019AWS Systems manager 2019
AWS Systems manager 2019
John Varghese
 
AWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design PatternsAWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design Patterns
Amazon Web Services
 
Introduction to AWS IAM
Introduction to AWS IAMIntroduction to AWS IAM
Introduction to AWS IAM
Knoldus Inc.
 
AWS Networking – Advanced Concepts and new capabilities | AWS Summit Tel Aviv...
AWS Networking – Advanced Concepts and new capabilities | AWS Summit Tel Aviv...AWS Networking – Advanced Concepts and new capabilities | AWS Summit Tel Aviv...
AWS Networking – Advanced Concepts and new capabilities | AWS Summit Tel Aviv...
Amazon Web Services
 
AWS Control Tower
AWS Control TowerAWS Control Tower
AWS Control Tower
CloudHesive
 
Getting Started with Serverless Architectures
Getting Started with Serverless ArchitecturesGetting Started with Serverless Architectures
Getting Started with Serverless Architectures
Amazon Web Services
 
AWS Connectivity, VPC Design and Security Pro Tips
AWS Connectivity, VPC Design and Security Pro TipsAWS Connectivity, VPC Design and Security Pro Tips
AWS Connectivity, VPC Design and Security Pro Tips
Shiva Narayanaswamy
 

What's hot (20)

DDoS Mitigation Techniques and AWS Shield
DDoS Mitigation Techniques and AWS ShieldDDoS Mitigation Techniques and AWS Shield
DDoS Mitigation Techniques and AWS Shield
 
Webinar AWS 201 - Using Amazon Virtual Private Cloud (VPC)
Webinar AWS 201 - Using Amazon Virtual Private Cloud (VPC)Webinar AWS 201 - Using Amazon Virtual Private Cloud (VPC)
Webinar AWS 201 - Using Amazon Virtual Private Cloud (VPC)
 
Introduction to AWS Security
Introduction to AWS SecurityIntroduction to AWS Security
Introduction to AWS Security
 
Introduction to AWS VPC, Guidelines, and Best Practices
Introduction to AWS VPC, Guidelines, and Best PracticesIntroduction to AWS VPC, Guidelines, and Best Practices
Introduction to AWS VPC, Guidelines, and Best Practices
 
Secure your Web Applications with AWS Web Application Firewall (WAF) and AWS ...
Secure your Web Applications with AWS Web Application Firewall (WAF) and AWS ...Secure your Web Applications with AWS Web Application Firewall (WAF) and AWS ...
Secure your Web Applications with AWS Web Application Firewall (WAF) and AWS ...
 
Implementing your landing zone - FND210 - AWS re:Inforce 2019
Implementing your landing zone - FND210 - AWS re:Inforce 2019 Implementing your landing zone - FND210 - AWS re:Inforce 2019
Implementing your landing zone - FND210 - AWS re:Inforce 2019
 
Introducing AWS Firewall Manager - AWS Online Tech Talks
Introducing AWS Firewall Manager - AWS Online Tech TalksIntroducing AWS Firewall Manager - AWS Online Tech Talks
Introducing AWS Firewall Manager - AWS Online Tech Talks
 
AWS Security by Design
AWS Security by Design AWS Security by Design
AWS Security by Design
 
Aws cloud watch
Aws cloud watchAws cloud watch
Aws cloud watch
 
AWS Security Hub
AWS Security HubAWS Security Hub
AWS Security Hub
 
Introduction to AWS Cost Management
Introduction to AWS Cost ManagementIntroduction to AWS Cost Management
Introduction to AWS Cost Management
 
AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인
AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인
AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인
 
AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018
AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018
AWS Landing Zone Deep Dive (ENT350-R2) - AWS re:Invent 2018
 
AWS Systems manager 2019
AWS Systems manager 2019AWS Systems manager 2019
AWS Systems manager 2019
 
AWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design PatternsAWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design Patterns
 
Introduction to AWS IAM
Introduction to AWS IAMIntroduction to AWS IAM
Introduction to AWS IAM
 
AWS Networking – Advanced Concepts and new capabilities | AWS Summit Tel Aviv...
AWS Networking – Advanced Concepts and new capabilities | AWS Summit Tel Aviv...AWS Networking – Advanced Concepts and new capabilities | AWS Summit Tel Aviv...
AWS Networking – Advanced Concepts and new capabilities | AWS Summit Tel Aviv...
 
AWS Control Tower
AWS Control TowerAWS Control Tower
AWS Control Tower
 
Getting Started with Serverless Architectures
Getting Started with Serverless ArchitecturesGetting Started with Serverless Architectures
Getting Started with Serverless Architectures
 
AWS Connectivity, VPC Design and Security Pro Tips
AWS Connectivity, VPC Design and Security Pro TipsAWS Connectivity, VPC Design and Security Pro Tips
AWS Connectivity, VPC Design and Security Pro Tips
 

Similar to Introduction to AWS WAF and AWS Firewall Manager

AWS re:Invent 2016: Workshop: Secure Your Web Application with AWS WAF and Am...
AWS re:Invent 2016: Workshop: Secure Your Web Application with AWS WAF and Am...AWS re:Invent 2016: Workshop: Secure Your Web Application with AWS WAF and Am...
AWS re:Invent 2016: Workshop: Secure Your Web Application with AWS WAF and Am...
Amazon Web Services
 
Aws meetup aws_waf
Aws meetup aws_wafAws meetup aws_waf
Aws meetup aws_waf
Adam Book
 
AWS Security Enabiling Fintech Pace Security AWS Summit SG 2017
AWS Security Enabiling Fintech Pace Security AWS Summit SG 2017 AWS Security Enabiling Fintech Pace Security AWS Summit SG 2017
AWS Security Enabiling Fintech Pace Security AWS Summit SG 2017
Amazon Web Services
 
AWS Management Tools Deep Dive - DevDay Los Angeles 2017
AWS Management Tools Deep Dive - DevDay Los Angeles 2017AWS Management Tools Deep Dive - DevDay Los Angeles 2017
AWS Management Tools Deep Dive - DevDay Los Angeles 2017
Amazon Web Services
 
Security and Compliance Better on AWS_John Hildebrandt
Security and Compliance Better on AWS_John HildebrandtSecurity and Compliance Better on AWS_John Hildebrandt
Security and Compliance Better on AWS_John Hildebrandt
Helen Rogers
 
Best Practices for Security at Scale
Best Practices for Security at ScaleBest Practices for Security at Scale
Best Practices for Security at Scale
Amazon Web Services
 
AWS Landing Zone - Architecting Security and Governance
AWS Landing Zone - Architecting Security and GovernanceAWS Landing Zone - Architecting Security and Governance
AWS Landing Zone - Architecting Security and Governance
Akesh Patil
 
Segurança de Ponta a Ponta na AWS
Segurança de Ponta a Ponta na AWSSegurança de Ponta a Ponta na AWS
Segurança de Ponta a Ponta na AWS
Alexandre Santos
 
#ALSummit: Alert Logic & AWS - AWS Security Services
#ALSummit: Alert Logic & AWS - AWS Security Services#ALSummit: Alert Logic & AWS - AWS Security Services
#ALSummit: Alert Logic & AWS - AWS Security Services
Alert Logic
 
How to use AWS WAF to Mitigate OWASP Top 10 attacks - AWS Online Tech Talks
How to use AWS WAF to Mitigate OWASP Top 10 attacks - AWS Online Tech TalksHow to use AWS WAF to Mitigate OWASP Top 10 attacks - AWS Online Tech Talks
How to use AWS WAF to Mitigate OWASP Top 10 attacks - AWS Online Tech Talks
Amazon Web Services
 
Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...
Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...
Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...
Amazon Web Services
 
Modern Security and Compliance Through Automation
Modern Security and Compliance Through AutomationModern Security and Compliance Through Automation
Modern Security and Compliance Through Automation
Amazon Web Services
 
Security Best Practices_John Hildebrandt
Security Best Practices_John HildebrandtSecurity Best Practices_John Hildebrandt
Security Best Practices_John Hildebrandt
Helen Rogers
 
Getting started with AWS Security
Getting started with AWS SecurityGetting started with AWS Security
Getting started with AWS Security
Amazon Web Services
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS Security
Amazon Web Services
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS Security
Amazon Web Services
 
AWS Security
AWS Security AWS Security
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS Security
Amazon Web Services
 
AWS APAC Webinar Week - Securing Your Business on AWS
AWS APAC Webinar Week - Securing Your Business on AWSAWS APAC Webinar Week - Securing Your Business on AWS
AWS APAC Webinar Week - Securing Your Business on AWS
Amazon Web Services
 
AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...
AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...
AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...
Amazon Web Services
 

Similar to Introduction to AWS WAF and AWS Firewall Manager (20)

AWS re:Invent 2016: Workshop: Secure Your Web Application with AWS WAF and Am...
AWS re:Invent 2016: Workshop: Secure Your Web Application with AWS WAF and Am...AWS re:Invent 2016: Workshop: Secure Your Web Application with AWS WAF and Am...
AWS re:Invent 2016: Workshop: Secure Your Web Application with AWS WAF and Am...
 
Aws meetup aws_waf
Aws meetup aws_wafAws meetup aws_waf
Aws meetup aws_waf
 
AWS Security Enabiling Fintech Pace Security AWS Summit SG 2017
AWS Security Enabiling Fintech Pace Security AWS Summit SG 2017 AWS Security Enabiling Fintech Pace Security AWS Summit SG 2017
AWS Security Enabiling Fintech Pace Security AWS Summit SG 2017
 
AWS Management Tools Deep Dive - DevDay Los Angeles 2017
AWS Management Tools Deep Dive - DevDay Los Angeles 2017AWS Management Tools Deep Dive - DevDay Los Angeles 2017
AWS Management Tools Deep Dive - DevDay Los Angeles 2017
 
Security and Compliance Better on AWS_John Hildebrandt
Security and Compliance Better on AWS_John HildebrandtSecurity and Compliance Better on AWS_John Hildebrandt
Security and Compliance Better on AWS_John Hildebrandt
 
Best Practices for Security at Scale
Best Practices for Security at ScaleBest Practices for Security at Scale
Best Practices for Security at Scale
 
AWS Landing Zone - Architecting Security and Governance
AWS Landing Zone - Architecting Security and GovernanceAWS Landing Zone - Architecting Security and Governance
AWS Landing Zone - Architecting Security and Governance
 
Segurança de Ponta a Ponta na AWS
Segurança de Ponta a Ponta na AWSSegurança de Ponta a Ponta na AWS
Segurança de Ponta a Ponta na AWS
 
#ALSummit: Alert Logic & AWS - AWS Security Services
#ALSummit: Alert Logic & AWS - AWS Security Services#ALSummit: Alert Logic & AWS - AWS Security Services
#ALSummit: Alert Logic & AWS - AWS Security Services
 
How to use AWS WAF to Mitigate OWASP Top 10 attacks - AWS Online Tech Talks
How to use AWS WAF to Mitigate OWASP Top 10 attacks - AWS Online Tech TalksHow to use AWS WAF to Mitigate OWASP Top 10 attacks - AWS Online Tech Talks
How to use AWS WAF to Mitigate OWASP Top 10 attacks - AWS Online Tech Talks
 
Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...
Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...
Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...
 
Modern Security and Compliance Through Automation
Modern Security and Compliance Through AutomationModern Security and Compliance Through Automation
Modern Security and Compliance Through Automation
 
Security Best Practices_John Hildebrandt
Security Best Practices_John HildebrandtSecurity Best Practices_John Hildebrandt
Security Best Practices_John Hildebrandt
 
Getting started with AWS Security
Getting started with AWS SecurityGetting started with AWS Security
Getting started with AWS Security
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS Security
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS Security
 
AWS Security
AWS Security AWS Security
AWS Security
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS Security
 
AWS APAC Webinar Week - Securing Your Business on AWS
AWS APAC Webinar Week - Securing Your Business on AWSAWS APAC Webinar Week - Securing Your Business on AWS
AWS APAC Webinar Week - Securing Your Business on AWS
 
AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...
AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...
AWS re:Invent 2016: Enabling Enterprise Migrations: Creating an AWS Landing Z...
 

Recently uploaded

WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
Postman
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
Javier Junquera
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
Chart Kalyan
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
Antonios Katsarakis
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
Miro Wengner
 
Trusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process MiningTrusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process Mining
LucaBarbaro3
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Zilliz
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 
AWS Cloud Cost Optimization Presentation.pptx
AWS Cloud Cost Optimization Presentation.pptxAWS Cloud Cost Optimization Presentation.pptx
AWS Cloud Cost Optimization Presentation.pptx
HarisZaheer8
 
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness  Posters-Social Engineering part 3FREE A4 Cyber Security Awareness  Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
Data Hops
 
dbms calicut university B. sc Cs 4th sem.pdf
dbms  calicut university B. sc Cs 4th sem.pdfdbms  calicut university B. sc Cs 4th sem.pdf
dbms calicut university B. sc Cs 4th sem.pdf
Shinana2
 
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
alexjohnson7307
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
DanBrown980551
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
SAP S/4 HANA sourcing and procurement to Public cloud
SAP S/4 HANA sourcing and procurement to Public cloudSAP S/4 HANA sourcing and procurement to Public cloud
SAP S/4 HANA sourcing and procurement to Public cloud
maazsz111
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
MichaelKnudsen27
 

Recently uploaded (20)

WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfHow to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 
Trusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process MiningTrusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process Mining
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
AWS Cloud Cost Optimization Presentation.pptx
AWS Cloud Cost Optimization Presentation.pptxAWS Cloud Cost Optimization Presentation.pptx
AWS Cloud Cost Optimization Presentation.pptx
 
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness  Posters-Social Engineering part 3FREE A4 Cyber Security Awareness  Posters-Social Engineering part 3
FREE A4 Cyber Security Awareness Posters-Social Engineering part 3
 
dbms calicut university B. sc Cs 4th sem.pdf
dbms  calicut university B. sc Cs 4th sem.pdfdbms  calicut university B. sc Cs 4th sem.pdf
dbms calicut university B. sc Cs 4th sem.pdf
 
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
SAP S/4 HANA sourcing and procurement to Public cloud
SAP S/4 HANA sourcing and procurement to Public cloudSAP S/4 HANA sourcing and procurement to Public cloud
SAP S/4 HANA sourcing and procurement to Public cloud
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
 

Introduction to AWS WAF and AWS Firewall Manager

  • 2. Agenda • Service Introduction • Service Enablement • Pricing • Monitoring and Governance 2
  • 3. Akesh Patil Sr. Cloud Architect Digital & Cloud Consulting AWS Community Builder | AWS APN Ambassador Speaker
  • 4. AWS WAF AWS WAF is a web application firewall that lets you monitor the HTTP(S) requests that are forwarded to your protected web application resources Monitor web requests that your end users send to your applications and to control access to your content Protect against common web exploits and bots that can affect availability, compromise security, or consume excessive resources. Control bot traffic and block common attack patterns such as SQL injection or cross-site scripting (XSS). What AWS WAF can do? 4
  • 5. Resources protected by AWS WAF • Amazon CloudFront distribution • Amazon API Gateway REST API • Application Load Balancer • AWS AppSync GraphQL API • Amazon Cognito user pool • AWS App Runner service • AWS Verified Access instance 5
  • 7. AWS WAF Behaviours Allow Allow all requests except the ones that you specify Block Block all requests except the ones that you specify Count Count requests that match your criteria Run Run CAPTCHA or challenge checks against requests that match your criteria 7
  • 8. Options to protect web application exploits •Tells AWS WAF how to inspect web request •Every rule has a single top-level rule statement containing other statements •Can be simple or complex rule AWS WAF Rule Statements •Curated and maintained by AWS Threat Research Team •Provides protection against common application vulnerabilities •Includes Baseline rule groups, Use-case specific rule groups, IP reputation rule groups AWS Managed Rules •Rules specific to your application to block undesired patterns Custom Rules •Rules created by security partners •Available based on subscription AWS Marketplace Rules 8
Considerations for AWS WAF Implementation
Protections
• Identify usage patterns and baseline requirements based on previous incidents and observations
• Start with the baseline rule groups and the Amazon IP reputation list from the AWS Managed Rules
Governance
• How to manage and monitor WAF implementations across the organization
• Use AWS Firewall Manager to manage WAF configurations centrally
9
Application Layer Defense
Web ACLs and Managed Rules
• Cross-site scripting
• SQL injection
Custom Rules
• Block requests with header x-tomatoattack
Rate-based Rules
• Block the originating IP address of requests based on request count
Advanced Custom Rules
• JSON-based rules
12
DDoS protection with AWS Shield
Standard
• Available for all AWS clients without additional charge
• Protection against common attacks (SYN/UDP floods, reflection attacks etc., Layer 3/4)
• Automatic detection and mitigation
Advanced
• Charged service that provides additional protection against more complex attacks
• Protection against advanced attacks (Layer 7)
• 24x7 DDoS response team
• Cost protection
• Better monitoring/visualization
13
Logging
• Amazon Kinesis Firehose
• S3
• CloudWatch
14
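Whichever of the three destinations you pick, AWS WAF delivers one JSON record per request. The following added example (not code from the deck or from AWS) parses constructed sample records in that log format and rolls them up into the views a WAF dashboard needs: blocks per terminating rule, blocks per client IP, IPs that tripped a rate-based rule, and matches from rules still running in Count mode. The web ACL and request identifiers, IP addresses and rule names in the sample are placeholders.

```python
import json
from collections import Counter

# Constructed sample records in the AWS WAF log format (one JSON object per line) as delivered to
# S3, CloudWatch Logs or Kinesis Data Firehose; IDs, IPs and rule names are placeholders. The last
# line is deliberately not a record, to show the parser skipping delivery debris.
SAMPLE_LOG = """
{"timestamp":1686640000000,"formatVersion":1,"webaclId":"arn:aws:wafv2:eu-west-1:111122223333:regional/webacl/demo/PLACEHOLDER","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","httpSourceName":"ALB","httpSourceId":"PLACEHOLDER","ruleGroupList":[],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"198.51.100.7","country":"DE","headers":[{"name":"Host","value":"demo.example"}],"uri":"/","args":"","httpVersion":"HTTP/1.1","httpMethod":"GET","requestId":"req-1"}}
{"timestamp":1686640001000,"formatVersion":1,"webaclId":"PLACEHOLDER","terminatingRuleId":"Block-x-tomatoattack","terminatingRuleType":"REGULAR","action":"BLOCK","httpSourceName":"ALB","httpSourceId":"PLACEHOLDER","ruleGroupList":[],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"203.0.113.10","country":"US","headers":[{"name":"Host","value":"demo.example"},{"name":"x-tomatoattack","value":"true"}],"uri":"/login","args":"","httpVersion":"HTTP/1.1","httpMethod":"POST","requestId":"req-2"}}
{"timestamp":1686640002000,"formatVersion":1,"webaclId":"PLACEHOLDER","terminatingRuleId":"AWS-AWSManagedRulesCommonRuleSet","terminatingRuleType":"MANAGED_RULE_GROUP","action":"BLOCK","httpSourceName":"ALB","httpSourceId":"PLACEHOLDER","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","terminatingRule":{"ruleId":"GenericRFI_QUERYARGUMENTS","action":"BLOCK"},"nonTerminatingMatchingRules":[]}],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"203.0.113.10","country":"US","headers":[{"name":"Host","value":"demo.example"}],"uri":"/search","args":"q=http://203.0.113.99/inc","httpVersion":"HTTP/1.1","httpMethod":"GET","requestId":"req-3"}}
{"timestamp":1686640003000,"formatVersion":1,"webaclId":"PLACEHOLDER","terminatingRuleId":"RateLimitPerIp","terminatingRuleType":"RATE_BASED","action":"BLOCK","httpSourceName":"ALB","httpSourceId":"PLACEHOLDER","ruleGroupList":[],"rateBasedRuleList":[{"rateBasedRuleId":"RateLimitPerIp","limitKey":"IP","maxRateAllowed":2000}],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"192.0.2.44","country":"NL","headers":[{"name":"Host","value":"demo.example"}],"uri":"/api/items","args":"","httpVersion":"HTTP/1.1","httpMethod":"GET","requestId":"req-4"}}
{"timestamp":1686640004000,"formatVersion":1,"webaclId":"PLACEHOLDER","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","httpSourceName":"ALB","httpSourceId":"PLACEHOLDER","ruleGroupList":[],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[{"ruleId":"GeoBlock-Staging","action":"COUNT"}],"httpRequest":{"clientIp":"198.51.100.9","country":"BR","headers":[{"name":"Host","value":"demo.example"}],"uri":"/","args":"","httpVersion":"HTTP/1.1","httpMethod":"GET","requestId":"req-5"}}
delivery-debris-not-a-record
"""

def parse_waf_log(text):
    # One JSON object per line; lines that are not WAF records are skipped rather than aborting the run
    records = []
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and "action" in rec and "httpRequest" in rec:
            records.append(rec)
    return records

def summarize(records):
    # The three views a WAF dashboard needs: blocks per terminating rule (naming the specific rule
    # inside a managed group), blocks per client IP, and matches from rules still running in Count mode
    blocked_by_rule, blocked_by_ip, count_matches = Counter(), Counter(), Counter()
    for rec in records:
        if rec["action"] == "BLOCK":
            rule = rec["terminatingRuleId"]
            for group in rec.get("ruleGroupList", []):
                if group.get("terminatingRule"):
                    rule = f"{rule}/{group['terminatingRule']['ruleId']}"
            blocked_by_rule[rule] += 1
            blocked_by_ip[rec["httpRequest"]["clientIp"]] += 1
        for match in rec.get("nonTerminatingMatchingRules", []):
            if match.get("action") == "COUNT":
                count_matches[match["ruleId"]] += 1
    return {"total": len(records), "blocked_by_rule": blocked_by_rule,
            "blocked_by_ip": blocked_by_ip, "count_matches": count_matches}

def rate_limited_ips(records):
    # Source IPs that tripped a rate-based rule: review these before turning them into long-lived IP set entries
    return sorted({rec["httpRequest"]["clientIp"] for rec in records
                   if rec.get("terminatingRuleType") == "RATE_BASED"})
```

The Count-mode tally is what you watch during the staging step from slide 7: once the counted matches look right, the rule can be switched to Block.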
AWS Firewall Manager
AWS Firewall Manager is a security management service that allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations.
What AWS Firewall Manager can do
• Simplifies administration and maintenance tasks across multiple accounts and resources
• Helps to protect resources across accounts
• Helps to protect all resources of a particular type, such as all Amazon CloudFront distributions
• Helps to protect all resources with specific tags
• Automatically adds protection to resources that are added to your account
• Allows you to apply security group rules to all member accounts or specific subsets of accounts in an AWS Organizations organization
• Lets you use your own rules, or purchase managed rules from AWS Marketplace
18
AWS Firewall Manager prerequisites
AWS Organizations
Your organization must be using AWS Organizations to manage your accounts, and All Features must be enabled.
Firewall administrator AWS account
Designate one of the AWS accounts in your organization as the administrator for AWS Firewall Manager.
AWS Config
You must enable AWS Config for all the accounts in your organization and in the required regions so that AWS Firewall Manager can detect newly created resources.
19
Monitoring & Governance
• AWS FMS integration with Security Hub will send the following findings:
  • resources that are not properly protected by WAF rules
  • resources that are not properly protected by Shield Advanced
  • Shield Advanced findings that indicate a Distributed Denial of Service attack is underway
  • security groups that are being used incorrectly
22
Pricing
AWS WAF
AWS FIREWALL MANAGER
24
Blazeclan Technologies Pvt Ltd
Godrej Eternia C, A-Wing, 8th Floor, Old Pune-Mumbai Rd, Wakadewadi, Shivajinagar, Pune, Maharashtra 411005
sales@blazeclan.com
www.blazeclan.com
25

Editor's Notes

  1. AWS WAF is a web application firewall (WAF) that helps you protect your websites and web applications against various attack vectors at the application layer (OSI Layer 7). Security is a shared responsibility between AWS and the customer, with responsibility boundaries that vary depending on factors such as the AWS services used. For example, when you build your web application with AWS services such as Amazon CloudFront, Amazon API Gateway, Application Load Balancer, or AWS AppSync, you are responsible for protecting your web application at Layer 7 of the OSI model.
     AWS WAF is a tool that helps you protect web applications by filtering and monitoring HTTP(S) traffic, including traffic from the public internet. Web application firewalls (WAFs) protect applications at the application layer from common web exploits that can affect application availability, compromise security, and consume excessive resources. For example, you can use AWS WAF to protect against attacks such as cross-site request forgery, cross-site scripting (XSS), file inclusion, and SQL injection, among other threats in the OWASP Top 10. This layer of security can be used together with a suite of tools to create a holistic defense-in-depth architecture. AWS WAF is a managed web application firewall that can be used in conjunction with a wide variety of networking and security services such as Amazon Virtual Private Cloud (Amazon VPC) and AWS Shield Advanced.
     What AWS WAF can do:
     • Filter web traffic: create rules to filter web requests based on conditions such as IP addresses, HTTP headers and body, or custom URIs.
     • Prevent account takeover fraud: monitor your application's login page for unauthorized access to user accounts using compromised credentials.
     Using AWS WAF has several benefits:
     • Additional protection against web attacks using criteria that you specify. You can define criteria using characteristics of web requests such as the following: IP addresses that requests originate from; country that requests originate from; values in request headers; strings that appear in requests, either specific strings or strings that match regular expression (regex) patterns; length of requests; presence of SQL code that is likely to be malicious (known as SQL injection); presence of a script that is likely to be malicious (known as cross-site scripting).
     • Rules that can allow, block, or count web requests that meet the specified criteria. Alternatively, rules can block or count web requests that not only meet the specified criteria, but also exceed a specified number of requests in any 5-minute period.
     • Rules that you can reuse for multiple web applications.
     • Managed rule groups from AWS and AWS Marketplace sellers.
     • Real-time metrics and sampled web requests.
     • Automated administration using the AWS WAF API.
  2. AWS WAF can be natively enabled on CloudFront, Amazon API Gateway, Application Load Balancer, or AWS AppSync and is deployed alongside these services. These AWS services terminate the TCP/TLS connection, process incoming HTTP requests, and then pass each request to AWS WAF for inspection and filtering. Unlike traditional appliance-based WAFs, there is no need to deploy and manage infrastructure, or plan for capacity. AWS WAF provides flexible options for implementing protections through managed rules, partner-provided rules, and custom rules that you can write yourself. It is important to understand that with AWS WAF, you are controlling ingress traffic to your application.
     Before deciding how to deploy AWS WAF, you need to understand what type of threats your web applications may be facing and the protection options available with AWS WAF. Web applications face different kinds of threats that AWS WAF can help you mitigate:
     • Distributed denial of service (DDoS) attacks try to exhaust your application resources so that they are not available to your customers. At Layer 7, DDoS attacks are typically well-formed HTTP requests that attempt to exhaust your application servers and resources.
     • Web application attacks try to exploit a weakness in your application code or its underlying software to steal web content, gain control over web servers, or alter databases; these can involve HTTP requests with deliberately malformed arguments.
     • Bots generate a large portion of the internet's website traffic. Some good bots, such as those associated with search engines, crawl websites for indexing. However, bad bots may scan applications looking for vulnerabilities, scrape content, poison backend systems, or disrupt analytics.
  3. The four web ACL behaviours:
     • Allow all requests except the ones that you specify – This is useful when you want Amazon CloudFront, Amazon API Gateway, Application Load Balancer, AWS AppSync, Amazon Cognito, AWS App Runner, or AWS Verified Access to serve content for a public website, but you also want to block requests from attackers.
     • Block all requests except the ones that you specify – This is useful when you want to serve content for a restricted website whose users are readily identifiable by properties in web requests, such as the IP addresses that they use to browse to the website.
     • Count requests that match your criteria – You can use the Count action to track your web traffic without modifying how you handle it. You can use this for general monitoring and also to test your new web request handling rules. When you want to allow or block requests based on new properties in the web requests, you can first configure AWS WAF to count the requests that match those properties. This lets you confirm your new configuration settings before you switch your rules to allow or block matching requests.
     • Run CAPTCHA or challenge checks against requests that match your criteria – You can implement CAPTCHA and silent challenge controls against requests to help reduce bot traffic to your protected resources.
  4. The AWS Managed Rules families:
     • Baseline rule groups – Cover some of the common threats and security risks described in the OWASP Top 10 publication.
     • Use-case specific rule groups – Provide incremental protection based on your application characteristics, such as the application OS or database.
     • IP reputation rule groups – An IP reputation list derived from the Amazon threat intelligence team blocks known malicious IP addresses.
  5. After you have identified which threats are applicable for your application, define your baseline criteria for success. If your application does not use a SQL database, you can save WAF capacity units by not adding SQL injection detection rules. AWS recommends that you add WAF rules that are specific to your application's requirements, because adding unnecessary rules can lead to an increase in false positives. For existing applications, you may already have visibility into application usage patterns and be looking to block malicious requests identified from previous incidents and observations. Therefore, you may be looking for protections against a specific attack. If you are already using a WAF implementation, you may have a baseline of the average number of requests blocked by the existing WAF rules. In some cases, you may have visibility into the existing rules implemented and you can implement similar rules in AWS WAF.
     Comparing AWS Managed Rules and custom rules: Depending on your organization's resources and security culture, you must decide how to implement AWS WAF. You can deploy out-of-the-box AWS Managed Rules sets, create your own custom rules, or use a combination of both. For most applications, AWS recommends starting with the baseline rule groups and the Amazon IP reputation list from the AWS Managed Rules, then selecting application-specific rule groups that match the application's profile.
     Governance: You might also have governance requirements to define how to manage and monitor WAF implementations across your organization. In some organizations, WAF configurations are managed centrally by a security team. In this case, the security team must audit and ensure that WAF is configured correctly across resources managed by application teams. In other organizations, WAF configuration and deployment is managed by the application teams so that the WAF rules deployed can be specific to the protected application.
     To simplify centralized management of AWS WAF
  6. Defending against application layer attacks requires you to implement an architecture that allows you to specifically detect, scale to absorb, and block malicious requests. This is an important consideration because network-based DDoS mitigation systems are generally ineffective at mitigating complex application layer attacks. When your application runs on AWS, you can leverage both Amazon CloudFront and AWS WAF to help defend against application layer DDoS attacks. Amazon CloudFront allows you to cache static content and serve it from AWS edge locations, which can help reduce the load on your origin. It can also help reduce server load by preventing non-web traffic from reaching your origin. Additionally, CloudFront can automatically close connections from slow-reading or slow-writing attackers (for example, Slowloris).
     By using AWS WAF, you can configure web access control lists (web ACLs) on your CloudFront distributions or Application Load Balancers to filter and block requests based on request signatures. Each web ACL consists of rules that you can configure to string match or regex match one or more request attributes, such as the URI, query string, HTTP method, or header key. In addition, by using AWS WAF's rate-based rules, you can automatically block the IP addresses of bad actors when requests matching a rule exceed a threshold that you define. This is useful for mitigating HTTP flood attacks that are disguised as regular web traffic.
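As an added example (not code from the deck or from AWS), here is what the rule types on slide 12 and the count-then-block practice from note 3 look like as AWS WAFv2 rule JSON assembled in Python: the Amazon IP reputation list and the Common Rule Set as managed rule groups, a custom rule for the x-tomatoattack header, and a rate-based rule, plus a local lint to run before calling the wafv2 API. The rule and metric names, the 2000-request limit, and the choice to match on the header being present and non-empty are assumptions.

```python
import json

def visibility(name):
    # Every rule needs a VisibilityConfig so CloudWatch metrics and sampled requests exist for it
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": name}

def managed_rule_group(name, priority):
    # AWS Managed Rules group, referenced by vendor and group name; takes OverrideAction, not Action
    return {"Name": name, "Priority": priority,
            "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": name}},
            "OverrideAction": {"None": {}}, "VisibilityConfig": visibility(name)}

def block_header_present(header, priority):
    # Custom rule (assumption): block any request whose named header is present and non-empty
    name = f"Block-{header}"
    return {"Name": name, "Priority": priority,
            "Statement": {"SizeConstraintStatement": {
                "FieldToMatch": {"SingleHeader": {"Name": header}},
                "ComparisonOperator": "GT", "Size": 0,
                "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}},
            "Action": {"Block": {}}, "VisibilityConfig": visibility(name)}

def rate_limit_by_ip(limit, priority):
    # Rate-based rule: block a source IP while its requests per 5-minute window exceed the limit
    return {"Name": "RateLimitPerIp", "Priority": priority,
            "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
            "Action": {"Block": {}}, "VisibilityConfig": visibility("RateLimitPerIp")}

def build_rules():
    # Lowest priority number is evaluated first: reputation and baseline groups, then custom rules
    return [managed_rule_group("AWSManagedRulesAmazonIpReputationList", 0),
            managed_rule_group("AWSManagedRulesCommonRuleSet", 1),
            block_header_present("x-tomatoattack", 2),
            rate_limit_by_ip(2000, 3)]

def to_count_mode(rules):
    # Staging step from the deck: run new rules in Count, confirm via metrics/sampled requests, then Block
    staged = json.loads(json.dumps(rules))  # deep copy so the Block version stays untouched
    for rule in staged:
        rule["OverrideAction" if "OverrideAction" in rule else "Action"] = {"Count": {}}
    return staged

def lint(rules):
    # Local checks before calling wafv2 CreateWebACL/UpdateWebACL: unique priorities, and exactly
    # one of Action (own rules) or OverrideAction (rule-group references) per rule
    errors = []
    if len({r["Priority"] for r in rules}) != len(rules):
        errors.append("duplicate priorities")
    for r in rules:
        group_ref = any(k in r["Statement"] for k in ("ManagedRuleGroupStatement", "RuleGroupReferenceStatement"))
        if group_ref != ("OverrideAction" in r) or group_ref == ("Action" in r):
            errors.append(f"{r['Name']}: wrong action field")
    return errors
```

The `Rules` list returned by `build_rules()` (or its Count-mode variant) is what goes into the `Rules` field of a wafv2 `CreateWebACL` or `UpdateWebACL` call, alongside the web ACL's own `DefaultAction` and `VisibilityConfig`.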
  7. In addition to using AWS WAF, AWS recommends reviewing AWS Shield Advanced, which detects application layer attacks such as HTTP floods or DNS query floods by baselining traffic on your application and identifying anomalies. With the assistance of the Shield Response Team (SRT), AWS Shield Advanced includes intelligent DDoS attack detection and mitigation not only for network layer (Layer 3) and transport layer (Layer 4) attacks, but also for application layer (Layer 7) attacks.
     AWS Shield Standard: all AWS customers benefit from the automatic protection of Shield Standard, at no additional charge. Shield Standard defends against the most common, frequently occurring network and transport layer DDoS attacks that target your website or applications.
     AWS Shield Advanced: a managed service that helps you protect your application against external threats, like DDoS attacks, volumetric bots, and vulnerability exploitation attempts. For higher levels of protection against attacks, you can subscribe to AWS Shield Advanced.
  8. Use AWS Firewall Manager to deploy protection at scale in AWS Organizations | AWS Security Blog (amazon.com)
  9. Use AWS Firewall Manager to deploy protection at scale in AWS Organizations | AWS Security Blog (amazon.com)
  10. AWS Firewall Manager simplifies your administration and maintenance tasks across multiple accounts and resources for a variety of protections, including AWS WAF, AWS Shield Advanced, Amazon VPC security groups, AWS Network Firewall, and Amazon Route 53 Resolver DNS Firewall. With Firewall Manager, you set up your protections just once and the service automatically applies them across your accounts and resources, even as you add new accounts and resources. Firewall Manager provides these benefits:
      • Helps to protect resources across accounts
      • Helps to protect all resources of a particular type, such as all Amazon CloudFront distributions
      • Helps to protect all resources with specific tags
      • Automatically adds protection to resources that are added to your account
      • Allows you to subscribe all member accounts in an AWS Organizations organization to AWS Shield Advanced, and automatically subscribes new in-scope accounts that join the organization
      • Allows you to apply security group rules to all member accounts or specific subsets of accounts in an AWS Organizations organization, and automatically applies the rules to new in-scope accounts that join the organization
      • Lets you use your own rules, or purchase managed rules from AWS Marketplace
      Firewall Manager is particularly useful when you want to protect your entire organization rather than a small number of specific accounts and resources, or if you frequently add new resources that you want to protect. Firewall Manager also provides centralized monitoring of DDoS attacks across your organization.
  11. AWS Firewall Manager is a security management service that allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations. As new applications are created, Firewall Manager makes it easier to bring new applications and resources into compliance by enforcing a common set of security rules.