Protecting Web Apps with AWS WAF
AWS Security Hub
The course is part of this learning path
In this section of the AWS Certified: SAP on AWS Specialty learning path, we introduce you to the various Security services currently available in AWS that are relevant to the PAS-C01 exam.
- Understand the purpose of AWS user and identity management
- Identify resources and capabilities for AWS network security
- Understand how to evaluate the security of an AWS environment
- Describe AWS services used to create a comprehensive security solution for SAP deployments
The AWS Certified: SAP on AWS Specialty certification has been designed for anyone who has experience managing and operating SAP workloads. Ideally you’ll also have some exposure to the design and implementation of SAP workloads on AWS, including migrating these workloads from on-premises environments. Many exam questions will require a solutions architect level of knowledge for many AWS services, including AWS Security services. All of the AWS Cloud concepts introduced in this course will be explained and reinforced from the ground up.
In this lecture, I want to provide a demonstration showing you how to create the following: an IP set, a rule group and its associated rules, and a web ACL that is associated with a CloudFront distribution. Okay, so I'm in my AWS console and we can find AWS WAF under the Security and Identity and Compliance category here.
So once we get to the WAF dashboard, what I want to do first is to create an IP set, and we can see the IP sets on the left here. So I'm going to create an IP set, and I'm also going to create a rule group. And then I'm going to create my web ACL using the IP set that I'm going to create now within a rule. And then I'm gonna add that rule into the rule groups, and then attach that to the web ACL to a CloudFront distribution. So if we select IP Sets, we can see here that we have no IP sets found. So I haven't got any created at the moment.
What I need to do is click on Create IP set. And I can give my IP set a name. So I'm just gonna call this MyIPSet. Add an optional description, and also the region in which you want to create this IP set in. I'm just gonna put it in the global CloudFront region, because that's what I'm going to be associating the web ACL to. Now you can select here IPv4, IPv6. And this is where you enter your IP addresses that you want to be a part of your IP set. So I'm just going to copy in a couple of IP addresses I've got here.
So the first one I've copied here is a single IP address, and we know that because it has a mask of 32. So that's just a single IP. But you can also add network ranges as well. So for example, this one underneath is a network range with a subnet mask of /24. And for each IP address or network address that you want to add in, you have to add it on a separate line. So once you've created your IP set, simply click on Create IP set. Okay, that's now created in the global CloudFront region. So if we change the location there, we'll be able to see the IP set in the list. So there it is, MyIPSet.
Now what I want to do is to create a rule group. So if I go across the rule groups, and we can see here that there are currently no rule groups found. So if I click on Create rule group, give this rule group a name. I'm gonna call this MyRuleGroup. Again, an optional description. And it also adds its own CloudWatch metric name as well, which matches the name of the rule group. The region, I'm going to keep it in the global CloudFront region. Click on Next. And this is where we can start adding our rules to the rule group.
So let me add my first rule. So let me call this MyFirstRule. And we have our different types of rules, the regular rule or the rate-based rule. I'm gonna stick with the regular rule. So let's start building the rule. So if a request matches a statement, or we can have an and statement here, where it matches all the statements, or an or statement, or a not. Let's go for an or. So for the first statement, I'm going to say if a request originates from a country in the United States or the United Kingdom, you can see this added them in here, using the source IP address to determine the country of origin, or, and this is where the second statement comes in, we can inspect the originating IP address, and this is where we can select our IP set that we created just now.
Again, using the source IP address as the originating address. Then as an action, I want to block that. So let's take a look at this rule. So we have a regular rule where if a request matches at least one of the statements, so either that the source IP address originates from the UK or the US or the IP address matches one of those in the IP set that we created, then block the traffic. So let's add that rule. Okay, so we can see it there, MyFirstRule.
Let's add another rule. Let's call this MySecondRule. Again, I'm gonna add a regular rule. This time if a request matches the statement, so I'm not gonna use an and or or. And for the inspection type, I'm going to say HTTP method. And match type, if it contains a SQL injection attack. So if the request matches a SQL injection attack, then I also want to block that traffic. So Add rule. So now I have two rules here, NyFirstRule and MySecondRule.
The first rule relates to the country of origin and my IP set, and the second rule relates to any SQL injection attacks. And we can see here that the capacity has been identified as two for the first rule and 20 for the second rule. So the minimum required capacity is 22, but I can enter the maximum capacity up to 1500 for this rule group. So if you envisage you're going to add more rules to this at a later stage, then you should increase this capacity. So I'm just gonna change that to 500. And this would give me plenty of allowance to add additional rules or modify the rules that might increase the capacity limit of this rule group.
Click on Next. And here you can change the rule priority. So you can move it up or down depending on how many rules you have. I'm just gonna leave it as what we had. Click on Next. And then here is a quick review of our rule group. So we have the rule group name, and we also have the rules that we created and the actions. So Create rule group. And there we have it. We can see MyRuleGroup. So now we've created the IP set. We've created a rule group, which contains two rules, and one of those rules contains the IP set that we created.
Now we need to attach this rule group to a web ACL. So if we go across to Web ACLs, again, we don't have any created at the moment, say Create web ICL. Give this a name. I'm gonna call it MyWebACL, add an optional description. Again, CloudWatch will create an automatic metric for this web ACL. And then we can select our resource type if we want it associated with the CloudFront distribution or an application load balancer, APIGateway, or AppSync, et cetera. But I'm gonna associate this to a CloudFront distribution in the global CloudFront region.
So down here, where it says Associated AWS resources, I'm gonna add a resource. I'm gonna select my CloudFront distribution. So this web ACL will now be associated with this CloudFront distribution. Click on Next. Now here we can add any rules, so we can just add a rule from here, or we can add managed rule groups or add my own rules and rule groups. So as we created our rule group earlier, I want to add that in here. So if we go across to Rule group. We'll give this rule a name within the web ACL, MyRules, select the rule group, and we have the MyRuleGroup option that we had here, and then click on Add rule.
So we've just added a rule within this web ACL, which is associated to the rule group. Now here we can see it's picked up the maximum capacity of that rule group of 500. So it will take up 500 WCUs of the maximum 1500 allowed for the web ACL. Even though it's only using 22, it will take the maximum. So just be aware of that when creating your rule groups. And then we also have a default web ACL action for requests that don't match any rules.
So in this demonstration, I'm just going to allow everything through that isn't picked up by any of my rules. So effectively what I'm saying there is, is that if any traffic comes from any other country other than the UK or the US, or sits outside of the IP address ranges that I specified in my IP set, and isn't a SQL injection attack, then I'm happy for that traffic to come through. Click on Next. Again, we can set the rule priority.
Click on Next. You can change the CloudWatch metric name of the rule that you just added if you want to. And you also have the option of running some sample options here as well on your web ACL. I'm just going to leave it as default. Click on Next. And this is where we can review the details from the web ACL that we've just created. So it shows the name, the scope, which is CloudFront, the region, and the CloudWatch metrics, the WCU capacity of your rules in your web ACL, and the default action as well.
So once you are happy with everything, just click on Create web ACL. And there we have it. So that's a very quick demonstration on how to create an IP set, how to create a rule within a rule group, using the IP sets as well. And then also how to create a web ACL associated to a CloudFront distribution using your own rule groups.
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.