When and why should I use WAF?


This course looks at the key security services within AWS relevant to the SysOps Administrator - Associate exam. The core of security is Identity & Access Management, commonly referred to as IAM. This service manages the identities that are able to access your AWS resources and the permissions they hold, so understanding how this service works and what you can do with it will help you to maintain a secure AWS environment. In addition to IAM, this course covers a range of other security services covering encryption and access control.

Learning Objectives

  • Learn about identity and access management on AWS including users, groups & roles, IAM policies, MFA, and cross-account access
  • Learn the fundamentals of AWS Web Application Firewall (WAF) including what it is, when to use it, how it works, and why use it
  • Learn how to manage data protection through encryption services such as the Key Management Service (KMS) and CloudHSM
  • Learn how to secure your AWS accounts using AWS Organizations
  • Understand how to configure and monitor AWS WAF, Firewall Manager, and Shield
  • Learn the fundamentals of access control via federation using AWS Cognito and AWS SSO

Hello and welcome to this lecture, where I shall cover when and why you should use AWS WAF. If you are delivering web content via a CloudFront distribution or through an Application Load Balancer, then I would recommend you implement the AWS Web Application Firewall service as an additional layer of security. Without a Web Application Firewall, you could be exposing your websites and web apps to potentially harmful or malicious traffic, which could wreak havoc within your environment. This could have a significant and detrimental impact on your business from a financial and reputational perspective. There are a number of security vulnerabilities that exist across web applications, and it's important that these risks of exposure are mitigated as early as possible. OWASP, the Open Web Application Security Project, is a not-for-profit organization that works to improve the security of software. They publish a top 10 list of the most critical security risks facing organizations in their application architecture. The list, which is published on the OWASP website, is as follows.

So the top 10 vulnerabilities and risks are:

  • Injection
  • Broken authentication and session management
  • Cross-site scripting
  • Insecure direct object references
  • Security misconfiguration
  • Sensitive data exposure
  • Missing function level access control
  • Cross-site request forgery
  • Using components with known vulnerabilities
  • Unvalidated redirects and forwards

If you can implement a WAF within your architecture to mitigate some of these vulnerabilities, then it acts as a huge asset to your web application architecture and a great relief to the security officers within your organization. If you then compare the implementation and administration time needed to deploy AWS WAF against a standard WAF solution, AWS WAF is by far the quicker to deploy, and it is far simpler and easier to manage as well. Another motivation for implementing a Web Application Firewall might be to achieve a higher level of security compliance.

If, for example, your web application handles credit card transactions, then your web solution may need to be PCI DSS (Payment Card Industry Data Security Standard) compliant. As of April 2016, AWS WAF was PCI DSS 3.2 certified. You may have other security detection mechanisms within your organization that operate deeper within your infrastructure, perhaps at the web server layer, to mitigate some of the same risks that WAF does. And so you may be thinking, why should I implement WAF if I have an existing solution which is working perfectly fine? Well, if you have existing detection systems within your infrastructure, then that's great. However, the closer they sit logically to your web application, the further malicious traffic has already travelled through your infrastructure before it is detected, and the greater the risk of additional vulnerabilities being exposed elsewhere.

It's best to mitigate vulnerability risks as close to the perimeter of your network environment as possible. Doing so reduces the chances of other infrastructure and systems being compromised. When using CloudFront, AWS WAF sits logically between the end user requesting access to your website or web app and your CloudFront distribution. Although logically AWS WAF is in front of CloudFront, the request is received by the CloudFront distribution first and is then immediately forwarded to your associated WAF Web ACL, which either blocks or allows the request. So before it has even traversed your CloudFront environment and network, you have the ability to detect, analyze, and either block or allow the incoming request. If the traffic is dropped, no further processing occurs, which saves valuable bandwidth across your internal network and prevents other internal systems from potentially becoming compromised.

If the traffic is allowed, then CloudFront continues to process the request as normal and forwards the traffic to the web resource. WAF is very easy to manage, either via the AWS Management Console or via API calls, and offers integration with other AWS services, such as Amazon CloudWatch for monitoring specific WAF metrics and AWS Lambda for automation. If you couple ease of use, built-in monitoring metrics, and automation possibilities with a low price point compared to other WAF products, then you'll realize AWS WAF offers an excellent secure solution for your web applications. That brings me to the end of this lecture. Following this, I shall be giving a demonstration on how to configure the WAF service itself.
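To make the Web ACL decision described above concrete, the following is an added example written for this page; it is not AWS's implementation and not code from the course. It models a Web ACL as an ordered set of rules: rules are evaluated in ascending priority, ALLOW and BLOCK terminate evaluation, COUNT records a match and continues, and the default action applies when nothing terminates. The URL-decode-and-lower-case transformation, the narrow injection and cross-site scripting patterns, the IP sets, and the sample requests are all assumptions constructed for illustration (a real deployment would use the AWS managed rule groups), and the per-rule counters stand in for the CloudWatch metrics the lecture mentions.

```python
"""Simplified model of how a WAF Web ACL decides whether to block or allow a
request before CloudFront continues processing it.

Constructed, illustrative code for this page, not AWS's implementation.
Assumed semantics: rules run in ascending priority order; ALLOW and BLOCK
terminate evaluation; COUNT records a match and continues; the default action
applies when no rule terminates; request text is URL-decoded and lower-cased
before matching so that encoded payloads are still caught.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple
from urllib.parse import unquote_plus


@dataclass
class Request:
    path: str
    query: str
    headers: Dict[str, str]   # header names lower-cased
    source_ip: str


@dataclass
class Rule:
    name: str
    priority: int
    action: str               # "ALLOW", "BLOCK" or "COUNT"
    matches: Callable[[Request], bool]


@dataclass
class WebACL:
    default_action: str
    rules: List[Rule]
    metrics: Dict[str, int] = field(default_factory=dict)   # stand-in for CloudWatch metrics

    def evaluate(self, req: Request) -> Tuple[str, str]:
        """Return (action, rule name) from the first terminating rule, else the default."""
        for rule in sorted(self.rules, key=lambda r: r.priority):
            if rule.matches(req):
                self.metrics[rule.name] = self.metrics.get(rule.name, 0) + 1
                if rule.action in ("ALLOW", "BLOCK"):
                    return rule.action, rule.name
                # COUNT rules only record the match; evaluation continues.
        self.metrics["Default"] = self.metrics.get("Default", 0) + 1
        return self.default_action, "Default"


def normalise(req: Request) -> str:
    """Assumed text transformation applied before matching: URL decode, then lower-case."""
    return unquote_plus(req.path + "?" + req.query).lower()


# Deliberately narrow patterns for two of the OWASP risks named in the lecture
# (injection and cross-site scripting); assumptions, not AWS's managed rules.
SQLI_PATTERN = re.compile(r"union\s+select|'\s*or\s+'?\d+'?\s*=\s*'?\d+")
XSS_PATTERN = re.compile(r"<script|javascript:|onerror\s*=|onload\s*=")

MONITORING_IPS = {"203.0.113.10"}   # constructed sample values
DENIED_IPS = {"198.51.100.7"}


def build_web_acl() -> WebACL:
    """A Web ACL that allows by default and blocks on the rules below."""
    return WebACL(default_action="ALLOW", rules=[
        Rule("AllowHealthCheck", 0, "ALLOW",
             lambda r: r.path == "/health" and r.source_ip in MONITORING_IPS),
        Rule("BlockDeniedIPs", 10, "BLOCK", lambda r: r.source_ip in DENIED_IPS),
        Rule("BlockSQLi", 20, "BLOCK", lambda r: bool(SQLI_PATTERN.search(normalise(r)))),
        Rule("BlockXSS", 30, "BLOCK", lambda r: bool(XSS_PATTERN.search(normalise(r)))),
        Rule("CountMissingUserAgent", 40, "COUNT",
             lambda r: not r.headers.get("user-agent")),
    ])


# Constructed sample requests, as they might arrive at a CloudFront distribution.
SAMPLE_REQUESTS = [
    Request("/products", "id=42", {"user-agent": "Mozilla/5.0"}, "192.0.2.5"),
    Request("/products", "id=1%27%20OR%20%271%27%3D%271", {"user-agent": "curl/8.0"}, "192.0.2.6"),
    Request("/search", "q=%3Cscript%3Etest%3C%2Fscript%3E", {"user-agent": "Mozilla/5.0"}, "192.0.2.7"),
    Request("/health", "", {}, "203.0.113.10"),
    Request("/", "", {}, "198.51.100.7"),
    Request("/", "", {}, "192.0.2.8"),
]


def run_samples() -> Tuple[List[Tuple[str, str]], Dict[str, int]]:
    """Evaluate the constructed requests; return the decisions in order and the metrics."""
    acl = build_web_acl()
    decisions = [acl.evaluate(req) for req in SAMPLE_REQUESTS]
    return decisions, dict(acl.metrics)


if __name__ == "__main__":
    decisions, metrics = run_samples()
    for req, (action, rule) in zip(SAMPLE_REQUESTS, decisions):
        print(f"{action:5} {rule:22} {req.source_ip:15} {req.path}?{req.query}")
    print("metrics:", metrics)
```

The ordering matters: the health-check allow sits at priority 0 so monitoring traffic is never blocked by a later rule, the COUNT rule at the end observes suspicious-but-not-blocked requests without affecting them, and the encoded injection and script payloads are caught only because the text is decoded before the patterns run. Those counters are what you would watch in CloudWatch before promoting a COUNT rule to BLOCK.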

About the Author

Stuart has been working within the IT industry for two decades, covering a huge range of topic areas and technologies, from data center and network infrastructure design to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to the cloud, reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016, Stuart was awarded the ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge sharing on cloud services with the community.

Stuart enjoys writing about cloud technologies, and you will find many of his articles within our blog pages.