Hello and welcome to this lecture where I shall cover when and why you should use AWS WAF. If you are delivering web content via a CloudFront distribution or through an application load balancer, then I would recommend you implement the AWS Web Application Firewall service as an additional layer of security. Without using a Web Application Firewall, you could be exposing your websites and web apps to potentially harmful or malicious traffic, which could wreak havoc within your environment. This could have significant and detrimental impact on your business from a financial and reputation perspective. There are a number of security vulnerabilities that exist across web applications, and it's important these risks of exposure are mitigated as early as possible. OWASP, the Open Web Applications Security Project, is a not-for-profit organization where it looks at improving the security in software. They provide a top 10 list of the most critical security risks facing organizations around application architecture. This list includes the following, and their website can be found here.

So the top 10 vulnerabilities and risks are as follows, injections, broken authentication and session management, cross-site scripting, insecure direct object references, security misconfiguration, sensitive data exposure, missing function level access control, cross-site request forgery, using known vulnerable components, and unvalidated redirects and forwards. If you can implement a WAF within your architecture to mitigate against some of these vulnerabilities, then that acts as a huge asset to your web application architecture and a great relief to the security officers within your organization. If you then compare the implementation and administration time needed to deploy AWS WAF to a standard WAF solution, then it's by far quicker. Further, AWS WAF is far simpler and easier to manage as well. Another motivation for implementing a Web Application Firewall might be to achieve a higher level of security compliance.

If, for example, your web application handles credit card transactions, then your web solution may need to be PCI DSS compliant, which is Payment Card Industry Data Security Standard. As of April 2016, AWS WAF was PCI DSS 3.2 certified. You may have other security detection mechanisms within your organization that operate deeper within your infrastructure, perhaps at the web server layer to mitigate against some of the same risks that WAF does. And so you may be thinking, why should I implement WAF if I have this existing solution which is working perfectly fine? Well, if you have existing detection systems within your infrastructure, then that's great. However, the closer they are logically implemented to your web application, the greater the risk of additional vulnerabilities occurring elsewhere within your infrastructure.

It's best to mitigate vulnerability risks as close to the perimeter of your network environment as possible. By doing so, it reduces the chances of other infrastructure and systems being compromised. When using CloudFront, AWS WAF sits logically between the end user requesting access to your website or web app and your CloudFront distribution. Although logically AWS WAF is in front of CloudFront, the request will be received by the CloudFront distribution first, and then it's immediately forwarded to your associated WAF Web ACL to either block or allow the request. So before it's even traversed your CloudFront environment and network, you have the ability to detect, analyze, and either block or allow the incoming request. If the traffic is dropped, no more processing occurs, which saves valuable bandwidth across your internal network and prevents other internal systems potentially becoming compromised.

If the traffic is allowed, then AWS CloudFront continues to process the request as normal and forwards the traffic to the web resource. WAF is very easy to manage either via the AWS Management Console or via the API calls and offers integration with other AWS services, such as AWS CloudWatch for monitoring specific WAF metrics and AWS Lambda for automation. If you couple ease of use, built-in monitoring metrics, and automation possibilities with a low cost point compared to other WAF products, then you'll realize AWS WAF offers an excellent secure solution for your web applications. That brings me to the end of this lecture. Following this, I shall be giving a demonstration on how to configure the WAF service itself.