Creating a Web ACL Demo

This section of the AWS Certified Solutions Architect - Professional learning path introduces the key identity management, security, and encryption services within AWS relevant to the AWS Certified Solutions Architect - Professional exam. Core to security is AWS Identity & Access Management commonly referred to as IAM. This service manages identities and their permissions that can access your AWS resources, so understanding how this service works and what you can do with it will help you to maintain a secure AWS environment. IAM is an important service in ensuring your resources are secure.


Learning Objectives

  • Learn about identity and access management on AWS, including users, groups & roles, IAM policies, MFA, identity federation, and cross-account access
  • Learn the fundamentals of AWS Web Application Firewall (WAF), including what it is, when to use it, how it works, and why use it
  • Understand how to configure and monitor AWS WAF
  • Learn about AWS Firewall Manager and its components
  • Learn how to configure AWS Shield
  • Learn the fundamentals of AWS Cognito

In this lecture, I want to provide a demonstration showing you how to create the following: an IP set, a rule group and its associated rules, and a web ACL that is associated with a CloudFront distribution. Okay, so I'm in my AWS console, and we can find AWS WAF under the Security, Identity, & Compliance category here.

So once we get to the WAF dashboard, what I want to do first is to create an IP set, and we can see the IP sets on the left here. So I'm going to create an IP set, and I'm also going to create a rule group. And then I'm going to create my web ACL using the IP set that I'm going to create now within a rule. And then I'm gonna add that rule into the rule group, attach the rule group to the web ACL, and then associate the web ACL with a CloudFront distribution. So if we select IP sets, we can see here that we have no IP sets found. So I haven't got any created at the moment.

What I need to do is click on Create IP set. And I can give my IP set a name. So I'm just gonna call this MyIPSet. Add an optional description, and also the region in which you want to create this IP set. I'm just gonna put it in the global CloudFront region, because that's what I'm going to be associating the web ACL to. Now you can select here IPv4 or IPv6. And this is where you enter the IP addresses that you want to be a part of your IP set. So I'm just going to copy in a couple of IP addresses I've got here.

So the first one I've copied here is a single IP address, and we know that because it has a mask of /32. So that's just a single IP. But you can also add network ranges as well. So for example, this one underneath is a network range with a subnet mask of /24. And each IP address or network address that you want to add has to go on a separate line. So once you've entered your addresses, simply click on Create IP set. Okay, that's now created in the global CloudFront region. So if we change the location there, we'll be able to see the IP set in the list. So there it is, MyIPSet.
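The console takes the IP set entries as one CIDR per line, as just described. The following added example (my own code, not part of the lecture or of AWS WAF) does the same parsing and validation offline and builds the keyword arguments that boto3's `wafv2.create_ip_set()` call takes. The sample addresses are constructed documentation-range values, not the ones pasted in the demo; an entry without a mask is treated as a single host (/32), and an entry whose host bits are set inside a range is rejected instead of being silently masked.

```python
import ipaddress

# Constructed sample input: what you would paste into the console's IP addresses
# box, one entry per line. These are documentation ranges, not the demo's values.
SAMPLE_INPUT = """\
203.0.113.7/32
198.51.100.0/24
203.0.113.9
"""


def parse_ip_set_addresses(text: str, version: str = "IPV4") -> list[str]:
    """Turn one-CIDR-per-line text into the Addresses list for a WAFv2 IP set.

    - an entry with no mask becomes a single host (/32 for IPv4, /128 for IPv6);
    - every entry must match the IP set's address version;
    - a range with host bits set (e.g. 10.0.0.5/24) raises instead of being
      quietly widened to 10.0.0.0/24, which would allow more than intended.
    """
    want = 4 if version == "IPV4" else 6
    addresses: list[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue  # blank lines and comments are ignored
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {entry!r}: {exc}") from exc
        if net.version != want:
            raise ValueError(
                f"line {lineno}: {entry!r} is IPv{net.version}, but the set is {version}"
            )
        addresses.append(net.with_prefixlen)  # always emit an explicit prefix length
    return addresses


def build_create_ip_set_request(
    name: str, addresses: list[str], description: str = "", version: str = "IPV4"
) -> dict:
    """Keyword arguments in the shape wafv2.create_ip_set(**request) accepts.

    Scope CLOUDFRONT is the "global CloudFront region" from the demo; the API
    call for that scope must be made against us-east-1.
    """
    return {
        "Name": name,
        "Scope": "CLOUDFRONT",
        "Description": description,
        "IPAddressVersion": version,
        "Addresses": addresses,
    }


if __name__ == "__main__":
    req = build_create_ip_set_request("MyIPSet", parse_ip_set_addresses(SAMPLE_INPUT))
    print(req)
    # With boto3 installed and credentials configured, this would be:
    #   boto3.client("wafv2", region_name="us-east-1").create_ip_set(**req)
```

Validating the list before the API call matters because the IP set is used in a block rule: a typo that widens a /32 into a /24, or drops a line, changes who gets blocked.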

Now what I want to do is to create a rule group. So if I go across to Rule groups, we can see here that there are currently no rule groups found. So if I click on Create rule group, I can give this rule group a name. I'm gonna call this MyRuleGroup. Again, an optional description. And it also adds its own CloudWatch metric name as well, which matches the name of the rule group. For the region, I'm going to keep it in the global CloudFront region. Click on Next. And this is where we can start adding our rules to the rule group.

So let me add my first rule. Let me call this MyFirstRule. And we have our different types of rules, the regular rule or the rate-based rule. I'm gonna stick with the regular rule. So let's start building the rule. A request can match a single statement, or we can have an and statement here, where it matches all the statements, or an or statement, or a not. Let's go for an or. So for the first statement, I'm going to say if a request originates from a country in the United States or the United Kingdom, and you can see this has added them in here, using the source IP address to determine the country of origin. Or, and this is where the second statement comes in, we can inspect the originating IP address, and this is where we can select the IP set that we created just now.

Again, using the source IP address as the originating address. Then as an action, I want to block that. So let's take a look at this rule. So we have a regular rule where if a request matches at least one of the statements, so either that the source IP address originates from the UK or the US or the IP address matches one of those in the IP set that we created, then block the traffic. So let's add that rule. Okay, so we can see it there, MyFirstRule.

Let's add another rule. Let's call this MySecondRule. Again, I'm gonna add a regular rule. This time if a request matches the statement, so I'm not gonna use an and or an or. And for the inspection type, I'm going to say HTTP method. And for the match type, if it contains a SQL injection attack. So if the request matches a SQL injection attack, then I also want to block that traffic. So Add rule. So now I have two rules here, MyFirstRule and MySecondRule.

The first rule relates to the country of origin and my IP set, and the second rule relates to any SQL injection attacks. And we can see here that the capacity has been identified as two for the first rule and 20 for the second rule. So the minimum required capacity is 22, but I can enter the maximum capacity up to 1500 for this rule group. So if you envisage you're going to add more rules to this at a later stage, then you should increase this capacity. So I'm just gonna change that to 500. And this would give me plenty of allowance to add additional rules or modify the rules that might increase the capacity limit of this rule group.

Click on Next. And here you can change the rule priority. So you can move it up or down depending on how many rules you have. I'm just gonna leave it as it is. Click on Next. And then here is a quick review of our rule group. So we have the rule group name, and we also have the rules that we created and the actions. So Create rule group. And there we have it. We can see MyRuleGroup. So now we've created the IP set. We've created a rule group, which contains two rules, and one of those rules contains the IP set that we created.

Now we need to attach this rule group to a web ACL. So if we go across to Web ACLs, again, we don't have any created at the moment, so click Create web ACL. Give this a name. I'm gonna call it MyWebACL, and add an optional description. Again, CloudWatch will create an automatic metric for this web ACL. And then we can select our resource type, whether we want it associated with a CloudFront distribution, or an Application Load Balancer, API Gateway, or AppSync, et cetera. But I'm gonna associate this to a CloudFront distribution in the global CloudFront region.

So down here, where it says Associated AWS resources, I'm gonna add a resource. I'm gonna select my CloudFront distribution. So this web ACL will now be associated with this CloudFront distribution. Click on Next. Now here we can add any rules, so we can add a rule from here, either a managed rule group or my own rules and rule groups. So as we created our rule group earlier, I want to add that in here. So if we go across to Rule group, we give this rule a name within the web ACL, MyRules, select the rule group, and we have the MyRuleGroup option that we created earlier, and then click on Add rule.

So we've just added a rule within this web ACL, which references the rule group. Now here we can see it's picked up the maximum capacity of that rule group, 500. So it will take up 500 WCUs of the maximum 1500 allowed for the web ACL. Even though the rules inside it only use 22, the web ACL reserves the rule group's full declared capacity. So just be aware of that when setting the capacity of your rule groups. And then we also have a default web ACL action for requests that don't match any rules.

So in this demonstration, I'm just going to allow everything through that isn't picked up by any of my rules. So effectively what I'm saying there is that if any traffic comes from a country other than the UK or the US, sits outside of the IP address ranges that I specified in my IP set, and isn't a SQL injection attack, then I'm happy for that traffic to come through. Click on Next. Again, we can set the rule priority.
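The rule group, its two rules, the web ACL and the WCU caveat above can all be expressed as API payloads. This added example (my own code, not the lecture's or AWS's) builds the dictionaries in the shape boto3's `wafv2.create_rule_group()` and `wafv2.create_web_acl()` accept, and includes a budget check that models what the demo warns about: a web ACL is charged a rule group's declared capacity (500 here), not the 22 WCUs its rules actually consume. The ARNs are placeholders; the real ones come back from `create_ip_set()` and `create_rule_group()`, and the per-rule costs (2 and 20 in the demo) are computed by WAF, which `wafv2.check_capacity()` reports without creating anything. For a CloudFront distribution the association is made on the distribution itself (its `WebACLId` is set to the web ACL ARN), which is what the console's "Associated AWS resources" step does for you.

```python
from typing import Any

WEB_ACL_WCU_LIMIT = 1500  # default per-web-ACL WCU limit cited in the demo

# Placeholder ARNs (not real resources); in practice use the ARNs returned by
# create_ip_set() and create_rule_group().
IP_SET_ARN = "arn:aws:wafv2:us-east-1:123456789012:global/ipset/MyIPSet/PLACEHOLDER"
RULE_GROUP_ARN = "arn:aws:wafv2:us-east-1:123456789012:global/rulegroup/MyRuleGroup/PLACEHOLDER"


def visibility(metric_name: str) -> dict[str, Any]:
    """CloudWatch metric + sampled-requests settings every rule/group/ACL needs."""
    return {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": metric_name,
    }


def block_rule(name: str, priority: int, statement: dict[str, Any]) -> dict[str, Any]:
    """A regular (non rate-based) rule whose action is Block."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": statement,
        "Action": {"Block": {}},
        "VisibilityConfig": visibility(name),
    }


def demo_rules(ip_set_arn: str) -> list[dict[str, Any]]:
    """The two rules from the demo, as WAFv2 statements."""
    # MyFirstRule: block if the source country is US or GB OR the source IP is in the IP set.
    first = block_rule("MyFirstRule", 0, {
        "OrStatement": {"Statements": [
            {"GeoMatchStatement": {"CountryCodes": ["US", "GB"]}},
            {"IPSetReferenceStatement": {"ARN": ip_set_arn}},
        ]},
    })
    # MySecondRule: block if the HTTP method field matches a SQL injection pattern.
    second = block_rule("MySecondRule", 1, {
        "SqliMatchStatement": {
            "FieldToMatch": {"Method": {}},
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
        },
    })
    return [first, second]


def build_create_rule_group_request(name: str, rules: list[dict[str, Any]], capacity: int) -> dict[str, Any]:
    """Arguments for wafv2.create_rule_group(); Capacity is the declared maximum."""
    return {
        "Name": name,
        "Scope": "CLOUDFRONT",
        "Capacity": capacity,
        "Rules": rules,
        "VisibilityConfig": visibility(name),
    }


def build_create_web_acl_request(name: str, rule_group_arn: str, default_allow: bool = True) -> dict[str, Any]:
    """Arguments for wafv2.create_web_acl(); the single rule references the rule group."""
    return {
        "Name": name,
        "Scope": "CLOUDFRONT",
        # Default action applies to requests no rule matched; Allow is what the demo chose.
        "DefaultAction": {"Allow": {}} if default_allow else {"Block": {}},
        "Rules": [{
            "Name": "MyRules",
            "Priority": 0,
            "Statement": {"RuleGroupReferenceStatement": {"ARN": rule_group_arn}},
            "OverrideAction": {"None": {}},  # keep the group's own Block actions
            "VisibilityConfig": visibility("MyRules"),
        }],
        "VisibilityConfig": visibility(name),
    }


def web_acl_wcu_budget(rule_group_capacities: list[int], own_rule_costs: list[int] = (),
                       limit: int = WEB_ACL_WCU_LIMIT) -> dict[str, int]:
    """A web ACL is charged each referenced rule group's *declared* capacity
    plus the WCUs of rules defined directly on the ACL. Raises if over the limit."""
    consumed = sum(rule_group_capacities) + sum(own_rule_costs)
    if consumed > limit:
        raise ValueError(f"web ACL would need {consumed} WCUs, limit is {limit}")
    return {"consumed": consumed, "remaining": limit - consumed}


if __name__ == "__main__":
    group = build_create_rule_group_request("MyRuleGroup", demo_rules(IP_SET_ARN), capacity=500)
    acl = build_create_web_acl_request("MyWebACL", RULE_GROUP_ARN)
    print(group["Capacity"], acl["DefaultAction"], web_acl_wcu_budget([group["Capacity"]]))
```

The budget function is where the demo's warning shows up in numbers: with the group declared at 500, only 1000 WCUs remain for everything else in the web ACL, even though the two rules cost 22 together, so declaring capacity generously has a real cost at the ACL level.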

Click on Next. You can change the CloudWatch metric name of the rule that you just added if you want to. And you also have the option of enabling request sampling on your web ACL here as well. I'm just going to leave it as default. Click on Next. And this is where we can review the details of the web ACL that we've just created. So it shows the name, the scope, which is CloudFront, the region, the CloudWatch metrics, the WCU capacity of the rules in your web ACL, and the default action as well.

So once you are happy with everything, just click on Create web ACL. And there we have it. So that's a very quick demonstration of how to create an IP set, how to create rules within a rule group using that IP set, and then how to create a web ACL associated with a CloudFront distribution using your own rule group.

About the Author

Danny has over 20 years of IT experience as a software developer, cloud engineer, and technical trainer. After attending a conference on cloud computing in 2009, he knew he wanted to build his career around what was still a very new, emerging technology at the time — and share this transformational knowledge with others. He has spoken to IT professional audiences at local, regional, and national user groups and conferences. He has delivered in-person classroom and virtual training, interactive webinars, and authored video training courses covering many different technologies, including Amazon Web Services. He currently has six active AWS certifications, including certifications at the Professional and Specialty level.