By UATeam in AWS

AWS WAF Security Rules Example: Protecting Web Applications

AWS WAF (Web Application Firewall) provides robust protection against common web threats such as SQL injection, cross-site scripting (XSS), and bot attacks. By defining custom security rules, AWS WAF helps safeguard web applications running on services like Amazon CloudFront, Application Load Balancer (ALB), and API Gateway.

This article provides a practical example of creating and applying AWS WAF security rules to protect a web application.

What Is AWS WAF?

AWS WAF is a managed service that:

  • Filters HTTP/S requests based on rules defined by the user.
  • Protects against OWASP Top 10 vulnerabilities.
  • Offers real-time visibility into traffic patterns and security threats.

AWS WAF Security Rules Example

Objective

We’ll create an AWS WAF WebACL (Web Access Control List) and configure rules to:

  1. Block malicious IP addresses.
  2. Prevent SQL injection attacks.
  3. Allow traffic from a specific country.

Step 1: Create an AWS WAF WebACL

  1. Navigate to the AWS WAF Console:
    • Go to AWS Management ConsoleWAF & ShieldWeb ACLs.
  2. Create a Web ACL:
    • Name: example-web-acl.
    • Region: Select the applicable region.
    • Resource Type: Choose the resource to protect (e.g., CloudFront, ALB).
  3. Add Rules:
    • Skip adding rules for now; we’ll define them in the next steps.
  4. Default Action:
    • Set the default action to Allow for traffic not matching any rules.
  5. Create the Web ACL:
    • Save and create the Web ACL.

Step 2: Add Security Rules

1. Block Malicious IP Addresses

  • Navigate to the Rules section of the Web ACL.
  • Add a new rule:
    • Rule Builder: Use IP Set.
    • Create an IP Set:
      • Name: malicious-ip-set.
      • Add known malicious IPs (e.g., 203.0.113.1/32).
    • Configure the rule to Block requests matching the IP set.

2. Prevent SQL Injection Attacks

  • Add a new rule:
    • Rule Builder: Use Rule Groups.
    • Select AWS Managed Rule Groups.
    • Add the AWS-AWSManagedRulesSQLiRuleSet rule group.
    • Configure the rule to Block traffic matching SQL injection patterns.

3. Allow Traffic from a Specific Country

  • Add a new rule:
    • Rule Builder: Use Geographic Match.
    • Select a country (e.g., United States).
    • Configure the rule to Allow traffic from the selected country.
    • Place this rule above the blocking rules to prioritize it.

Step 3: Attach the WebACL to a Resource

  1. Select a Resource:
    • Attach the Web ACL to a CloudFront distribution, Application Load Balancer, or API Gateway.
  2. Apply the WebACL:
    • Confirm the association in the WAF console.

Step 4: Test the Configuration

  1. Send Traffic:
    • Simulate requests from allowed and blocked sources.
  2. Monitor Logs:
    • Enable logging in the Web ACL to review traffic patterns and rule matches.
    • Use Amazon Kinesis or CloudWatch Logs for detailed insights.

Best Practices for AWS WAF Security Rules

  1. Use Managed Rule Groups:
    • AWS provides pre-configured rule groups for common threats, reducing the need for manual configurations.
  2. Enable Logging:
    • Use CloudWatch Logs to monitor and troubleshoot security rules.
  3. Implement Rate-Based Rules:
    • Protect against DDoS and bot attacks by limiting the number of requests from a single IP.
  4. Regularly Update IP Sets:
    • Continuously update blocked IPs to reflect the latest threat intelligence.
  5. Prioritize Rules:
    • Order rules appropriately to ensure high-priority rules are evaluated first.

Conclusion

AWS WAF provides powerful tools to secure web applications against a wide range of threats. By following this example, you can create and apply security rules to block malicious traffic, prevent SQL injection, and allow trusted traffic. AWS WAF’s flexibility and integration with other AWS services make it an essential component of a modern web application’s security strategy.