In this lab scenario, you take on the role of a cloud security engineer working for a business that has recently launched an Internet-facing web application. In the rush to launch, version one (the MVP) of the application shipped with several OWASP-classified vulnerabilities that need immediate remediation: SQL Injection, Cross-Site Scripting (XSS), Server-Side Request Forgery (SSRF), and Remote Code Execution (RCE) via command injection. All of them must now be defended against quickly.
As a cloud security engineer, you know that AWS WAF (Web Application Firewall) can be deployed quickly as a first line of defense. In this lab, you will learn how to configure AWS WAF to detect and block each of the vulnerability classes listed above. For each one you will perform a before-and-after analysis, so that you understand the vulnerability itself, how it is exploited, and what is breached or exposed as a result. Once the appropriate AWS WAF rule has been configured and deployed, you will confirm that the attack in question is now blocked. Keep in mind that a WAF rule is a compensating control that buys time; the vulnerable code itself still has to be fixed.
Note: To keep things simple and to shorten lab launch time, all AWS networking and compute resources provisioned in this lab live in the public subnets of the default VPC. The resulting security posture is deliberately limited and should not be replicated in your own production environments.
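The lab has you build the Web ACL in the console; as an added example (not code from the lab or its repos), the script below shows the same four protections expressed as a WAFv2 rules file applied with the AWS CLI. It assumes a hypothetical ACL name `mvp-web-acl`, an Application Load Balancer as the protected resource, and that attacker-controlled input arrives in query-string arguments; SQLi and XSS use the built-in match statements, SSRF uses a regex against well-known internal targets, and command injection is delegated to the AWS-managed Unix rule set.

```shell
#!/usr/bin/env bash
# Added example, not lab code: write a WAFv2 rules file covering SQLi, XSS,
# SSRF and command injection, then create a regional Web ACL from it and
# attach it to the application's load balancer.
# Assumptions (hypothetical): ACL name "mvp-web-acl", an ALB as the protected
# resource, untrusted input in query-string arguments.
set -eu

# write_rules FILE: emit the rule list consumed by `aws wafv2 create-web-acl --rules`.
write_rules() {
  cat > "$1" <<'EOF'
[
  {
    "Name": "block-sqli",
    "Priority": 0,
    "Action": { "Block": {} },
    "Statement": {
      "SqliMatchStatement": {
        "FieldToMatch": { "AllQueryArguments": {} },
        "TextTransformations": [ { "Priority": 0, "Type": "URL_DECODE" } ]
      }
    },
    "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "block-sqli" }
  },
  {
    "Name": "block-xss",
    "Priority": 1,
    "Action": { "Block": {} },
    "Statement": {
      "XssMatchStatement": {
        "FieldToMatch": { "AllQueryArguments": {} },
        "TextTransformations": [ { "Priority": 0, "Type": "URL_DECODE" }, { "Priority": 1, "Type": "HTML_ENTITY_DECODE" } ]
      }
    },
    "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "block-xss" }
  },
  {
    "Name": "block-ssrf-internal-targets",
    "Priority": 2,
    "Action": { "Block": {} },
    "Statement": {
      "RegexMatchStatement": {
        "RegexString": "(169\\.254\\.169\\.254|127\\.0\\.0\\.1|localhost)",
        "FieldToMatch": { "AllQueryArguments": {} },
        "TextTransformations": [ { "Priority": 0, "Type": "URL_DECODE" }, { "Priority": 1, "Type": "LOWERCASE" } ]
      }
    },
    "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "block-ssrf" }
  },
  {
    "Name": "aws-unix-command-injection",
    "Priority": 3,
    "OverrideAction": { "None": {} },
    "Statement": {
      "ManagedRuleGroupStatement": { "VendorName": "AWS", "Name": "AWSManagedRulesUnixRuleSet" }
    },
    "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "unix-rce" }
  }
]
EOF
}

# rule_count FILE: number of rules in the file (each rule carries one MetricName).
rule_count() { grep -c '"MetricName"' "$1"; }

# has_rule FILE NAME: succeed if a rule with the given name is present.
has_rule() { grep -q "\"Name\": \"$2\"" "$1"; }

# create_web_acl RULES_FILE ALB_ARN: create the ACL, attach it to the ALB, print its ARN.
create_web_acl() {
  local rules_file="$1" alb_arn="$2" acl_arn
  acl_arn=$(aws wafv2 create-web-acl \
    --name mvp-web-acl \
    --scope REGIONAL \
    --default-action 'Allow={}' \
    --rules "file://${rules_file}" \
    --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=mvp-web-acl \
    --query 'Summary.ARN' --output text)
  aws wafv2 associate-web-acl --web-acl-arn "$acl_arn" --resource-arn "$alb_arn"
  echo "$acl_arn"
}

# Usage: ./waf.sh apply <alb-arn>   (nothing is created unless "apply" is given)
if [ "${1:-}" = "apply" ]; then
  write_rules rules.json
  create_web_acl rules.json "$2"
fi
```

Two caveats a practitioner should keep in mind when repeating the before-and-after checks: the `FieldToMatch` here only covers the query string, so form bodies need a second rule on `Body` (and AWS WAF only inspects a bounded prefix of the body, 8 KB for an ALB by default), and the SSRF regex is a partial control at best, since alternate encodings of the same address (decimal or hex IP forms, DNS names that resolve to 169.254.169.254, redirects) walk straight past it. The durable SSRF fix is an allowlist of outbound destinations in the application plus enforcing IMDSv2 on the instance.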
Upon completion of this lab, you will be able to:
Familiarity with the following will be beneficial but is not required:
This lab will start with the following AWS resources provisioned automatically for you:
To achieve the lab end state, you will be walked through the process of:
This lab references the following GitHub repos:
August 12th, 2022 - Updated student IAM permissions for creating Web ACLs in the console
August 19th, 2022 - Improved source code in the insecure web app repo
Jeremy is a Content Lead Architect and DevOps SME here at Cloud Academy where he specializes in developing DevOps technical training documentation.
He has a strong background in software engineering, and has been coding with various languages, frameworks, and systems for the past 25+ years. In recent times, Jeremy has been focused on DevOps, Cloud (AWS, Azure, GCP), Security, Kubernetes, and Machine Learning.
Jeremy holds professional certifications for AWS, Azure, GCP, Terraform, Kubernetes (CKA, CKAD, CKS).