AWS Web Application Firewall
AWS Firewall Manager
The course is part of these learning paths
Explore the 3 AWS services, designed to help protect your web applications from external malicious activity, with this course. Once getting started, this course will delve into depth on all three services, comprised of AWS Web Application Firewall Service (WAF), AWS Firewall Manager and AWS Shield. By learning how all three services can be used together for enhanced protection of web applications you enterprise will wholly benefit from all the advantages that these services have to offer.
Study the core principles, understand the importance and discuss how protecting web apps with AWS can elevate your business to the next level with this cohesive course made up of 14 lectures, including demos.
- Gain a core foundation of what AWS WAF is and what it does
- Knowledge of how to configure and implement a WAF solution
- Analyze how AWS WAF works closely with AWS CloudFront
- An understanding of how AWS Firewall Manager can be used to help you control AWS WAF across multiple accounts
- How AWS Shield is protecting Distributed Denial of Service attacks
- An awareness of different types of DDoS attacks
- An awareness of the step involved in configuring AWS Shield Advanced
- Security architects
- Technical engineers
- Website administrators
- Anyone requiring a deeper understanding of WAF, Shield, and Firewall Manager
Cloud Academy would recommend having a basic understanding of the following, before starting this course:
- Amazon CloudFront Distributions
- AWS Application Load Balancer
- AWS Organizations
- The 7 layers of the OSI model
Related Training Content
If you are interested in further training content related to this topic, discover the following Learning Paths:
It should be noted that this course will be replacing the existing course on this topic found currently here.
Hello and welcome to this lecture where I'll provide a demonstration on how to configure the AWS WAF service. The key points in this demonstration will show you, where to find the WAF service, how to set up a Condition, and I'll explain each of them with their corresponding filters, how to set up a Rule, how to set up a Web ACL, and how to associate a Web ACL to a CloudFront Distribution. So just opened up my AWS account and I'm at the main screen. So the first thing I need to do is go to the WAF service. Now you can find it under the security, identity, and compliance category. And you'll see it's down here, labeled as WAF & Shield. So, if you go into that, and that will then load up this screen. And we can see here we have AWS WAF, AWS Shield and AWS Firewall Manager. Later in this course I'll be talking about both AWS Firewall Manager and also AWS Shield. But for now, all I want to do is go to AWS WAF. So if you click on the blue button, and that takes us into the WAF Dashboard. Now I haven't got any configuration in here at all. I kind of wanted to show you how to create this from scratch. So to start with, we need to configure a Web ACL. So, if you click on the blue button, we'll then have a number of steps to complete. On the side here you can see step 1 through to step 4. So firstly, we have a concepts overview, and this is what we've already spoke about in the previous lectures. It talks about what conditions are, how rules contain conditions, and the fact that Web ACLs contain rules. So you can have a read through of that just to refresh your memory, and just get a bit more information. Once we've gone through that concepts, just click on the blue next button, and this is where you start to configure your web access control list or your Web ACL.
So to start with we need to give it name. Just call it CloudAcademy, and you'll notice that whatever name I gave it, it'll also automatically create a CloudWatch metric name. So you can view statistics about this web ACL from within CloudWatch under that metric. Now under the Region, we can either specify Global, if you want to use this web ACL with CloudFront, or we can specify a particular Region, if we want to apply it to an Application Load Balance for example. For this demonstration I want to create this web ACL for a CloudFront distribution. So if we click on next... Now this is where we can create our conditions. Now we have a number of conditions down the side here. We have our Cross-site scripting, Geo match, IP match, Size constraint, SQL injections, and String and regex matches. All of which I've discussed earlier. So let's pick IP match conditions. So, we want to create and IP match condition that specifies and IP address or an IP address range, that you want to use to control access to our content. Click on Create Condition, then we can give this match condition a name. Just call it My IP. It's associated with CloudFront.
Now we can select either an IPv4 or an IPv6 address, or just add in my IP address here. Then need to click on Add IP address, and we can see at the bottom here that's it's added our IP address to this condition. We then click on create, we can see here that an IP match condition has been created successfully. Let's also create a GEO match condition as well. So again, create condition, server UK. Location type, country, location, type in United Kingdom, then select add location. And we can see here that it's added it under the filter. Click on create, and we now have a GEO match condition as well. Once we've created all the conditions that we want for our web ACL, we can then scroll down to the bottom and click on next. Now here are your WAF rules. And remember the rules contain the conditions that you want to use to filter your web requests. So to start with, let's create a rule, and give it a name. Just call it WAF. And again you'll notice that any rules that you create, AWS WAF will automatically create another CloudWatch metric matching the name of all your rules as well. We have different rule types, regular or rate-based. For this demonstration I'll select regular. Next we can then add our conditions to this rule. So, remember I created two conditions. I created one condition as a GEO match, and one as an IP address.
So, for this demonstration, let's say that we want to block all requests that do not originate from the UK, which is one of the conditions I set up. And also to block any requests that do not originate from my IP address. So let's say, when a request does not originate from a geographic location located in the UK, then add a condition, and, when it does not originate from an IP address from my IP. So at this stage, we don't specify whether it allows or blocks it. So the rules simply contain the conditions that we created. And the variables of that condition, with regards to whether it does, or does not originate from that specific geographic location or the IP address. So to complete the rule, we then click on create. And we can see the rule we just created here. The rule name is WAF, and this is where we can specify the action. Either allow, block, or count. So this is the actual web access control list itself, which contains the rules. And, if you remember within our rule, we said if the geographic location does not originate from the UK, and does not come from my IP address, then we want that to block. So we are going to block all traffic that doesn't come from the UK, and doesn't come from my IP address. So that's the action I'm going to elect for that rule. And then for any requests that do not match any rules within this web ACL, then we can either take a default action of allow all the requests, or block all the requests. For this demonstration, I'm going to block all the requests that don't match any rules. At this point, click on review and create, and here's the screen that just shows the Web ACL name, and the CloudWatch metric name, which is the same. It shows the rules that we have, the action of that rule, and also the default action of the Web ACL. The bottom it shows the AWS resources used in this Web ACL.
And at the minute we don't have resources, we don't have a CloudFront distribution list. So what we'll do, we'll then add this Web ACL to a CloudFront distribution. So to finish creating your Web ACL, simply click on confirm and create. And now you have your Web ACL created, with the name that we specified, CloudAcademy, and over here you can see the rules, etc. So what we can do now, is now add this Web ACL to an existing CloudFront distribution. So if I go across to CloudFront, and I have a distribution here, if I select it, and go to Distribution Settings, we can see here that next to AWS WAF Web ACL, there's no entry. So what I need to do is click on edit, at the top here, there's a drop down list for Web ACL's, and we can now see the one that we created. So, if I select that, and then click on yes edit, to confirm our selection, we can now see that this CloudFront distribution has been associated with the newly created Web ACL that we stated. And that's it. So just to clarify what we've done, we opened up the WAF service, we created two conditions. We created the GEO match condition, and an IP address condition. We then created a rule that contained both of those conditions. That rule was then added to the Web ACL, and we specified and action of block, and we also added a default action of block to the actual Web ACL itself for any requests that come through that didn't match any rules. And then we associated that Web ACL to an existing CloudFront distribution.
About the Author
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 80+ courses relating to Cloud, mostly within the AWS category and with a heavy focus on security and compliance.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.