1. Home
  2. Training Library
  3. Security (SAA-C02)

Demo - How to configure WAF


Security Introduction
AWS Shield
Amazon Cognito
SAA-C02- Exam Prep

The course is part of this learning path

Start course
2h 32m

This course looks at the key Security services within AWS relevant to the Solution Architect associate exam. Core to security is Identity & Access Management, commonly referred to as IAM. This service manages identities and their permissions that are able to access your AWS resources and so understanding how this service works and what you can do with it will help you to maintain a secure AWS environment. IAM is an important service in ensuring your resources are secure.

Want more? Try a lab playground or do a Lab Challenge

Learning Objectives

  • Learn about identity and access management on AWS including users, groups & roles, IAM policies, MFA, identity federation, and cross-account access
  • Learn the fundamentals of AWS Web Application Firewall (WAF) including what it is, when to use it, how it works, and why use it
  • Understand how to configure and monitor AWS WAF
  • Learn about AWS Firewall Manager and its components
  • Learn how to configure AWS Shield
  • Learn the fundamentals of AWS Cognito

Hello and welcome to this lecture where I'll provide a demonstration on how to configure the AWS WAF service. The key points in this demonstration will show you, where to find the WAF service, how to set up a Condition, and I'll explain each of them with their corresponding filters, how to set up a Rule, how to set up a Web ACL, and how to associate a Web ACL to a CloudFront Distribution. So just opened up my AWS account and I'm at the main screen. So the first thing I need to do is go to the WAF service. Now you can find it under the security, identity, and compliance category. And you'll see it's down here, labeled as WAF & Shield. So, if you go into that, and that will then load up this screen. And we can see here we have AWS WAF, AWS Shield and AWS Firewall Manager. Later in this course I'll be talking about both AWS Firewall Manager and also AWS Shield. But for now, all I want to do is go to AWS WAF. So if you click on the blue button, and that takes us into the WAF Dashboard. Now I haven't got any configuration in here at all. I kind of wanted to show you how to create this from scratch. So to start with, we need to configure a Web ACL. So, if you click on the blue button, we'll then have a number of steps to complete. On the side here you can see step 1 through to step 4. So firstly, we have a concepts overview, and this is what we've already spoke about in the previous lectures. It talks about what conditions are, how rules contain conditions, and the fact that Web ACLs contain rules. So you can have a read through of that just to refresh your memory, and just get a bit more information. Once we've gone through that concepts, just click on the blue next button, and this is where you start to configure your web access control list or your Web ACL.

 So to start with we need to give it name. Just call it CloudAcademy, and you'll notice that whatever name I gave it, it'll also automatically create a CloudWatch metric name. So you can view statistics about this web ACL from within CloudWatch under that metric. Now under the Region, we can either specify Global, if you want to use this web ACL with CloudFront, or we can specify a particular Region, if we want to apply it to an Application Load Balance for example. For this demonstration I want to create this web ACL for a CloudFront distribution. So if we click on next... Now this is where we can create our conditions. Now we have a number of conditions down the side here. We have our Cross-site scripting, Geo match, IP match, Size constraint, SQL injections, and String and regex matches. All of which I've discussed earlier. So let's pick IP match conditions. So, we want to create and IP match condition that specifies and IP address or an IP address range, that you want to use to control access to our content. Click on Create Condition, then we can give this match condition a name. Just call it My IP. It's associated with CloudFront. 

Now we can select either an IPv4 or an IPv6 address, or just add in my IP address here. Then need to click on Add IP address, and we can see at the bottom here that's it's added our IP address to this condition. We then click on create, we can see here that an IP match condition has been created successfully. Let's also create a GEO match condition as well. So again, create condition, server UK. Location type, country, location, type in United Kingdom, then select add location. And we can see here that it's added it under the filter. Click on create, and we now have a GEO match condition as well. Once we've created all the conditions that we want for our web ACL, we can then scroll down to the bottom and click on next. Now here are your WAF rules. And remember the rules contain the conditions that you want to use to filter your web requests. So to start with, let's create a rule, and give it a name. Just call it WAF. And again you'll notice that any rules that you create, AWS WAF will automatically create another CloudWatch metric matching the name of all your rules as well. We have different rule types, regular or rate-based. For this demonstration I'll select regular. Next we can then add our conditions to this rule. So, remember I created two conditions. I created one condition as a GEO match, and one as an IP address. 

So, for this demonstration, let's say that we want to block all requests that do not originate from the UK, which is one of the conditions I set up. And also to block any requests that do not originate from my IP address. So let's say, when a request does not originate from a geographic location located in the UK, then add a condition, and, when it does not originate from an IP address from my IP. So at this stage, we don't specify whether it allows or blocks it. So the rules simply contain the conditions that we created. And the variables of that condition, with regards to whether it does, or does not originate from that specific geographic location or the IP address. So to complete the rule, we then click on create. And we can see the rule we just created here. The rule name is WAF, and this is where we can specify the action. Either allow, block, or count. So this is the actual web access control list itself, which contains the rules. And, if you remember within our rule, we said if the geographic location does not originate from the UK, and does not come from my IP address, then we want that to block. So we are going to block all traffic that doesn't come from the UK, and doesn't come from my IP address. So that's the action I'm going to elect for that rule. And then for any requests that do not match any rules within this web ACL, then we can either take a default action of allow all the requests, or block all the requests. For this demonstration, I'm going to block all the requests that don't match any rules. At this point, click on review and create, and here's the screen that just shows the Web ACL name, and the CloudWatch metric name, which is the same. It shows the rules that we have, the action of that rule, and also the default action of the Web ACL. The bottom it shows the AWS resources used in this Web ACL. 

And at the minute we don't have resources, we don't have a CloudFront distribution list. So what we'll do, we'll then add this Web ACL to a CloudFront distribution. So to finish creating your Web ACL, simply click on confirm and create. And now you have your Web ACL created, with the name that we specified, CloudAcademy, and over here you can see the rules, etc. So what we can do now, is now add this Web ACL to an existing CloudFront distribution. So if I go across to CloudFront, and I have a distribution here, if I select it, and go to Distribution Settings, we can see here that next to AWS WAF Web ACL, there's no entry. So what I need to do is click on edit, at the top here, there's a drop down list for Web ACL's, and we can now see the one that we created. So, if I select that, and then click on yes edit, to confirm our selection, we can now see that this CloudFront distribution has been associated with the newly created Web ACL that we stated. And that's it. So just to clarify what we've done, we opened up the WAF service, we created two conditions. We created the GEO match condition, and an IP address condition. We then created a rule that contained both of those conditions. That rule was then added to the Web ACL, and we specified and action of block, and we also added a default action of block to the actual Web ACL itself for any requests that come through that didn't match any rules. And then we associated that Web ACL to an existing CloudFront distribution.

About the Author
Stuart Scott
AWS Content Director
Learning Paths

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 90+ courses relating to Cloud reaching over 140,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.