hands-on lab

Leveraging AWS WAF to Defend an Insecure Web App

Up to 2h 30m
Get guided in a real environmentPractice with a step-by-step scenario in a real, provisioned environment.
Learn and validateUse validations to check your solutions every step of the way.
See resultsTrack your knowledge and monitor your progress.
Lab description

In this lab scenario, you take on the role of a cloud security engineer, working for a business that has recently launched an Internet-facing web application. Unfortunately in the rush to launch, version one (MVP) of the web application has since been discovered to contain several OWASP classified vulnerabilities which need immediate action and remediation. The vulnerability types include SQL Injection, XSS (Cross-Site Scripting), SSRF (Server Side Request Forgery), and RCE (Remote Code Execution) via Command Injection - all of which must now be defended against quickly by yourself.

Being a cloud security engineer, you know that you can quickly deploy a first line of defense using AWS’s WAF (Web Application Firewall). In this lab, you will learn how to configure AWS WAF to detect and protect against each of the previously mentioned vulnerabilities. You will be instructed to perform before and after analysis of each vulnerability, ensuring that you understand the vulnerability itself, including how it is executed and what is breached/exposed as a result. Once the correct AWS WAF rule has been configured and deployed, you will confirm that the vulnerability in question has indeed been mitigated.

Note: To keep things simple and to quicken the lab launch time, all AWS networking and compute resources provisioned within this lab take place in the publicly zoned area of the default VPC, and as such the security posture is limited and should not be replicated in your own production environments.

Learning Objectives

Upon completion of this lab, you will be able to:

  • Understand common attacks involving SQL Injection, XSS, SSRF, and Command Injection and how they are applied
  • Configure AWS WAF to defend against common attacks involving SQL Injection, XSS, SSRF, and Command Injection 

Intended Audience

  • Those interested in increasing the security posture of a deployed web app within AWS using the AWS WAF service.


Familiarity with the following will be beneficial but is not required:

  • Be comfortable with basic Linux command line administration

Lab Environment

This lab will start with the following AWS resources provisioned automatically for you:

  • 2 x EC2 instance
    • ide.cloudacademy.platform.instance - provides a web-based IDE with an integrated terminal
    • hacker.cloudacademy.platform.instance - used to apply various attacks against the insecure web app (to be deployed using Terraform)
  • 1 x ALB
    • Listener (port 80)
      • Web Frontend Forwarding Rule (forwards to Web Frontend Target Group)
      • API Forwarding Rule (forwards to API Target Group)
    • Web Frontend Target Group (forwards to port 80)
    • API Target Group (forwards to port 8080)

To achieve the lab end state, you will be walked through the process of:

  • Using your local workstation browser to remotely connect to the ide.cloudacademy.platform.instance
  • Using the web-based IDE and integrated terminal, deploy the insecure web app using Terraform
  • Examine, explore and apply different attacks (SQL Injection, XSS, SSRF, and Command Injection)
  • Configure and apply AWS WAF to defend against the attacks previously executed


This lab references the following GitHub repos:


May 23rd, 2024 - Resolved check issue

August 12th, 2022 - Updated student IAM permissions for creating Web ACLs in the console

August 19th, 2022 - Improved source code in the insecure web app repo

Environment before

Environment after

About the author
Jeremy Cook, opens in a new tab
Content Lead Architect
Learning paths

Jeremy is a Content Lead Architect and DevOps SME here at Cloud Academy where he specializes in developing DevOps technical training documentation.

He has a strong background in software engineering, and has been coding with various languages, frameworks, and systems for the past 25+ years. In recent times, Jeremy has been focused on DevOps, Cloud (AWS, Azure, GCP), Security, Kubernetes, and Machine Learning.

Jeremy holds professional certifications for AWS, Azure, GCP, Terraform, Kubernetes (CKA, CKAD, CKS).

Covered topics
Lab steps
Logging In to the Amazon Web Services Console
Provision AWS Web App Infrastructure
Insecure Web App - Application Review
Exercise 1: SQL Injection Vulnerability and WAF Defense
Exercise 2: XSS Vulnerability and WAF Defense
Exercise 3: SSRF Vulnerability and WAF Defense
Exercise 4: RCE Vulnerability and WAF Defense