AWS WAF Operations
Security is one of the hottest topics within the cloud industry right now, mostly due to uncertainty and a lack of understanding of how secure the cloud really is. With this in mind, public cloud vendors focus massive effort and resources on security, resulting in additional levels of security at all layers within their cloud architecture.
This made way for the development of the AWS Web Application Firewall (WAF) service which was launched at Re:Invent in October 2015.
This course looks at all the elements of AWS Web Application Firewall, from a beginner's introduction to the service (what it is and when to use it within your environment) to how it can be used in conjunction with other services like AWS CloudWatch and AWS Lambda to help with automation of your security.
If you have thoughts or suggestions for this course, please contact Cloud Academy at firstname.lastname@example.org.
Hello and welcome to this lecture where I'll be giving a demonstration on how to configure AWS WAF.
Within this demo, we'll look at a number of different things. I'll show you where to find the WAF service from the dashboard. We'll then start creating a Web ACL. And through that process, we'll cover some of the different conditions available within AWS WAF. We'll then create a couple of conditions ourselves. We'll then add these to a new rule and at that point, that's essentially created our Web ACL and then that will allow us to associate that Web ACL to a CloudFront distribution. So let's get started.
Okay, so from within the AWS management console, we can find the WAF service under security and identity along with the other security services such as IAM, directory service, inspector, etc. So here you can see AWS WAF, to filter malicious web traffic. So we'll go into the service.
As we haven't got anything configured as yet, we'll get this splash screen. And if you haven't, you'll probably get the same. This gives you a quick introduction to what this service is and then tells you what the service can do such as filter web traffic with custom rules, blocking malicious requests and then how to monitor your traffic. So we'll go ahead and click on get started.
Now this first page is just a concept overview of how the service works, such as using your conditions, your rules and your Web ACLs that we've already discussed in the previous lectures. But this screen will just give you a few examples of conditions, so here we've got IP match conditions and moving further down are some string match conditions and SQL injections as well. And if we go along to the rules, you can see that rules here are made up of at least one condition and here we see the AND-ing process with this rule; this bad user-agent rule has actually got two conditions. And then finally, you can see that the Web ACL contains the rules themselves, so we've got rule 1 and rule 2 here and a default action if no traffic meets either of those rules. So here you can clearly see what we were talking about earlier: that you start off creating your conditions. You then add those conditions to rules, which get AND-ed if there's more than one condition. And the Web ACL contains at least one rule and you can have multiple rules in your Web ACL, and then finally a default action there.
So this is just a concept overview screen if you're new to the service. So there's nothing actually to do on this screen. So we'll just click on next.
Now this is the first screen where we start to enter some information, so we need a name for our Web Access Control List, so let's call this Cloud Academy WAF. And you'll see here that automatically we've been given a CloudWatch metric name to match the same name as the Web ACL. But I'll go over this in further detail in an upcoming lecture regarding monitoring.
So now that we've given our Web ACL a name, I'll click on next.
And here is where we start creating the conditions. So remember firstly we need to create conditions and then the rules and then compile it into a Web ACL. So I'll just quickly run through the different conditions available. So you have the cross-site scripting, IP match conditions, size constraints, SQL injections, and string match conditions as well.
So if we go into each of these to create a condition, so for example let's go into the cross-site scripting to create a condition, and we can give it a name, say CA-XSS1, and then you can select the filter of that condition, so the part of the request that you actually want to filter on. There's a number of options, so you have your header, your HTTP method, etc. Let's have a look at header and then we can filter on a whole host of other variables as well. So it's quite specific what you can drill down to if you want to. Let's just set that to... we're gonna filter on the cookie of the header. And if there's any transformation to take place, for example, WAF can convert everything to lowercase before it applies the security checks, but we'll just leave that as none and then add the filter. I'll then click create. And there you go.
Now you can see under our cross-site scripting conditions, we have our condition that we just created there, CA-XSS1.
So if we look at the IP match conditions, you can see I've already created one here for this network, but we'll go and create another anyway. So let's give this a name. CA-IPmatch. We'll filter on version four and we'll give it a 10.1.0.0/16 address. So that's an IP address range and we want to filter on that subnet. And add IP address or range and click create. So now you can see we've got another condition that we just created there.
And you can set different filters on each of the different conditions so each one will have slightly different options as you can see and it allows you for that finer grained control. So I won't go ahead and create a condition for everything. But like I say, you've got SQL injections as well and also string match conditions.
And for each of these, if you want to learn more information about each of these conditions, then you can just click on the learn more links and that will take you directly to the AWS documentation for that element.
So now we've created a couple of conditions. We've got a cross-site scripting match condition and we've got a couple of IP match conditions as well. We can now go ahead and click on next.
So from here, we can now create the rules using the conditions we just created. So to create a new rule, click on create rule and we can give it a name. We'll just call it WAF-Rule-1. And again you can see here that it automatically created a new CloudWatch metric name as well so we can monitor the state of the rules within CloudWatch.
Now moving down to the actual guts of the rule where it says add conditions, here we've got a number of options to select. So when a request does or does not, in our example we'll say when a request does and we have other options here, other conditions so match at least one of the filters in the cross-site scripting match condition. Here it talks about the IP address and the size constraints, SQL injections and string match. So these are the different conditions that we had available. So I want to say when a request does originate from one IP address in, now here are the conditions we created within the IP address conditions earlier. This is the one that we created. And you can see that it's this network here 10.1.0.0.
So looking at this rule so far, we've given it a name and we said when a request does originate from an IP address in this condition that we created, which refers to this network, then we'll either allow or block or count the rule, but we'll set that status in a moment.
Let's add another condition to this rule. So there's the and so here's the first condition and then add when a request I'm gonna say does again, we set up one within cross-site scripting so here's our condition that we've created so here's our second condition to the rule, when a request does match our cross-site scripting condition with regards to a header cookie containing a cross-site scripting threat. So we now have two conditions within this rule.
The first condition has to do with the IP address range and here's our second condition. So we'll go ahead and create that rule. And now we have a rule name here. We can either allow, block or count. For this demonstration, I'm just gonna set it to block. And like I said earlier in a previous lecture, if a request comes in and it doesn't match the conditions within this rule, then it will take a default option. So our default action will be to block all requests that don't match any rules.
So now we've created our conditions and we've applied those to this rule. We've now essentially created a Web ACL, the Cloud Academy WAF ACL that we named at the beginning of this process. So from here, we can now click on next to apply this Web ACL to our CloudFront distribution.
And if you click on the resource drop-down list here, you'll see all your CloudFront distributions. I'll just go to the test one set up here for this demonstration. So if I select this distribution, then we'll essentially apply this Web ACL to this CloudFront distribution. And then if we click on review and create, this screen is simply a summary of the actions that we've taken. Here you can see the name of the Web ACL that we named at the beginning along with the CloudWatch metric, the rule that we have along with the associated action that we applied, and here we have the default action for any requests that don't match any rules within this Web ACL, which is block. And finally at the bottom here, you can see which CloudFront distributions we've associated this Web ACL to. And then finally, it's just confirm and create. And that will go off and push out these rules to each of the locations associated with your CloudFront distribution.
So as you can see, it's a simple process to set up WAF and associate it to your existing CloudFront distributions.
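To make the evaluation model from this demo concrete, here is an added Python example (not code from the course or from AWS) that models how conditions feed into rules, how a rule's conditions are AND-ed, and how a Web ACL walks its rules in order before falling back to the default action. It rebuilds the lecture's configuration: CA-IPmatch on 10.1.0.0/16, CA-XSS1 filtering on the cookie header, WAF-Rule-1 set to block, and a default action of block. The `Request` and `Rule` helper classes, the tiny XSS marker list, and the sample requests are constructed assumptions for illustration; the real service's detection engine is not modelled.

```python
"""Toy model of how AWS WAF (classic) evaluates a request:
conditions -> rules (conditions AND-ed) -> Web ACL (ordered rules + default action).
Added example; the matching heuristics are stand-ins, not AWS's real engine."""
from dataclasses import dataclass, field
from enum import Enum
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple


class Action(Enum):
    ALLOW = "ALLOW"
    BLOCK = "BLOCK"
    COUNT = "COUNT"  # record a match and keep evaluating the remaining rules


@dataclass
class Request:
    """Constructed stand-in for an incoming request (assumption)."""
    source_ip: str
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> str:
        # HTTP header names are case-insensitive.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return ""


# A condition is just a predicate over the request.
Condition = Callable[[Request], bool]


def ip_match_condition(cidrs: List[str]) -> Condition:
    """Models an IP match condition: source address inside any listed range."""
    networks = [ipaddress.ip_network(c) for c in cidrs]

    def matches(req: Request) -> bool:
        addr = ipaddress.ip_address(req.source_ip)
        return any(addr in net for net in networks)

    return matches


def header_xss_condition(header_name: str, transform: str = "NONE") -> Condition:
    """Models an XSS match condition filtering on one header.
    The marker list is a deliberately small toy heuristic (assumption), not
    AWS's detection logic; it is here to show where the transformation applies."""
    markers = ("<script", "javascript:")

    def matches(req: Request) -> bool:
        value = req.header(header_name)
        if transform == "LOWERCASE":  # the transformation runs before the check
            value = value.lower()
        return any(marker in value for marker in markers)

    return matches


@dataclass
class Rule:
    name: str
    # (negated, condition) pairs; "does" -> negated=False, "does not" -> True.
    # Every pair must hold: conditions inside a rule are AND-ed.
    predicates: List[Tuple[bool, Condition]]

    def matches(self, req: Request) -> bool:
        return all(cond(req) != negated for negated, cond in self.predicates)


@dataclass
class WebACL:
    name: str
    rules: List[Tuple[Rule, Action]]  # evaluated in order
    default_action: Action

    def evaluate(self, req: Request) -> Tuple[Action, Optional[str], List[str]]:
        """Returns (final action, deciding rule name or None, rules that only counted)."""
        counted: List[str] = []
        for rule, action in self.rules:
            if not rule.matches(req):
                continue
            if action is Action.COUNT:
                counted.append(rule.name)
                continue
            return action, rule.name, counted
        return self.default_action, None, counted


def build_cloud_academy_acl(default_action: Action = Action.BLOCK) -> WebACL:
    """The Web ACL from the lecture: WAF-Rule-1 = CA-IPmatch AND CA-XSS1, action block."""
    ca_ipmatch = ip_match_condition(["10.1.0.0/16"])
    ca_xss1 = header_xss_condition("Cookie", transform="NONE")
    waf_rule_1 = Rule("WAF-Rule-1", [(False, ca_ipmatch), (False, ca_xss1)])
    return WebACL("Cloud Academy WAF", [(waf_rule_1, Action.BLOCK)], default_action)


if __name__ == "__main__":
    acl = build_cloud_academy_acl()
    # Constructed sample requests, one per combination of the two conditions.
    samples = [
        Request("10.1.5.5", {"Cookie": "sid=abc; x=<script>"}),    # both conditions hold
        Request("10.1.5.5", {"Cookie": "sid=abc"}),                # only the IP condition
        Request("192.0.2.10", {"Cookie": "sid=abc; x=<script>"}),  # only the XSS condition
    ]
    for req in samples:
        print(req.source_ip, acl.evaluate(req))
```

Two things worth noticing when you run it. First, because the lecture's default action is block, the rule only ever decides between "blocked by WAF-Rule-1" and "blocked by default"; rebuilding the ACL with `Action.ALLOW` as the default makes the AND-ing visible, since a request from outside 10.1.0.0/16 is allowed even when its cookie looks suspicious. Second, with the transformation left at none (as in the demo) an upper-case `<SCRIPT>` slips past the toy check, while the lowercase transformation catches it; that is the practical reason to think about text transformations when you create a condition.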
About the Author
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data centre and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 50+ courses relating to Cloud, most within the AWS category with a heavy focus on security and compliance.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.