Introduction to AWS Web Application Firewall





Automation is another hot topic in the cloud world. With AWS Lambda it’s possible to update rules within your web ACL automatically depending on the specific types of inbound requests received. Although this lecture does not go into detail with respect to configuring Lambda, it does explain the high-level steps involved in creating such a solution.


Hello, and welcome to this lecture discussing automation.

As a prerequisite of this lecture, you should have a basic understanding of AWS Lambda. For an introduction to Lambda, please see our existing course here.

AWS WAF is one of many AWS services that is becoming more integrated with other services and lends itself to automation. Using built-in features and existing services of AWS, a solution can be created that automatically modifies your Web ACLs to improve both their security and their efficiency. This is primarily achieved through the use of another AWS service, AWS Lambda. Achieving this level of automation is an advanced topic and out of scope of this course. However, I will highlight the steps and elements involved to show how it can be achieved.

Firstly, let's define a scenario to work from. There is a risk of a DDoS attack flooding our environment with malicious HTTP requests, which would prevent our web servers from processing legitimate HTTP requests. As a result, we will want to automate a process that protects our web infrastructure from a DDoS attack.

With the use of Lambda, CloudFront, WAF, CloudWatch, and S3, a solution can be implemented that automatically identifies source IP addresses that are sending more than a predefined number of requests in a set period of time, based on a custom threshold that we set within our CloudFront distribution. Any IP address exceeding this threshold of requests would automatically be added to a blacklist within WAF and blocked.

The high-level overview of how this is achieved is as follows. As web requests are received by AWS CloudFront, access logs detailing the requests are sent to an S3 bucket. Each time a new access log is created and stored in S3, an AWS Lambda script is triggered to analyze the log and determine whether any requests exceed the threshold for the number of requests. If such entries are identified, the source IP addresses of these requests are added to a blacklist file within WAF. Future requests from these IP addresses will then be blocked.
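The log-analysis step described above, sketched as an added example that is not part of the course material: it parses a constructed CloudFront-style access log, counts requests per client IP per one-minute bucket, and builds the update list in the shape AWS WAF Classic's UpdateIPSet call accepts. The function names, the one-minute window, the threshold and the sample log are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample in CloudFront standard-log layout (tab-separated rows, '#' header lines).
FIELDS = "date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status"

def _row(time, ip, path="/login"):
    return "\t".join(["2024-01-01", time, "LHR50", "512", ip, "GET",
                      "example.cloudfront.net", path, "200"])

SAMPLE_LOG = "\n".join(
    ["#Version: 1.0", "#Fields: " + FIELDS]
    + [_row(f"10:00:{s:02d}", "203.0.113.9") for s in range(6)]  # 6 requests in one minute
    + [_row("10:00:05", "198.51.100.7"), _row("10:01:05", "198.51.100.7")]
    + [_row("10:00:10", "not-an-ip")]                            # malformed row
)

def offenders(log_text, threshold):
    """Return sorted client IPs with more than `threshold` requests in any one-minute bucket."""
    columns, per_minute = None, Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # Read column positions from the header instead of hard-coding indexes.
            columns = line.split(":", 1)[1].split()
            continue
        if not line or line.startswith("#") or columns is None:
            continue
        rec = dict(zip(columns, line.split("\t")))
        try:
            ip = ipaddress.ip_address(rec.get("c-ip", ""))
        except ValueError:
            continue  # never feed an unparsable value into the block list
        per_minute[(str(ip), rec.get("date", ""), rec.get("time", "")[:5])] += 1
    return sorted({ip for (ip, _, _), n in per_minute.items() if n > threshold})

def waf_updates(ips):
    """Build the Updates list for WAF Classic UpdateIPSet (one host-sized CIDR per IP)."""
    updates = []
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        kind, prefix = ("IPV4", 32) if addr.version == 4 else ("IPV6", 128)
        updates.append({"Action": "INSERT",
                        "IPSetDescriptor": {"Type": kind, "Value": f"{addr}/{prefix}"}})
    return updates

if __name__ == "__main__":
    print(waf_updates(offenders(SAMPLE_LOG, threshold=5)))
```

In a deployed function, the log text would come from the S3 object named in the triggering event, and the returned list would be passed to the WAF API together with the IP set ID and a change token.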

You could also incorporate CloudFormation if you need a repeatable solution for other environments as well. You can create additional functionality from within your AWS Lambda function by getting Lambda to publish statistics to CloudWatch, using custom CloudWatch metrics to see how many blocks were occurring. As I said before, this kind of configuration is out of scope for this course, but do be aware that this is possible.

AWS has featured examples similar to this, among others, on their website, showcasing the power of AWS WAF and AWS Lambda.

That brings us to the end of this lecture. Next, we evaluate what it costs to run AWS within your environment.



About the Author

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 80+ courses relating to Cloud reaching over 100,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.