Welcome to issue #7 of the “AWS services shorts”. In each issue, I present an AWS service, explore its strengths and weaknesses, discover some use cases, and finally look at the most common mistakes people make with it.
Today’s issue is about AWS Web Application Firewall!
If you prefer, you can watch the video on YouTube.
Introduction
AWS Web Application Firewall (WAF)
WAF is a security service that helps protect web applications against common exploits that can affect availability, compromise security, or consume excessive resources. It can protect web applications from a variety of threat vectors including SQL injection, cross-site scripting (XSS), and other malicious web attacks. AWS developed WAF to give its users an application-level protection layer that can be seamlessly integrated with other AWS services, particularly in the web hosting and content delivery realms.
Features: https://aws.amazon.com/waf/features/
FAQs: https://aws.amazon.com/waf/faqs/
Pricing: https://aws.amazon.com/waf/pricing/
Docs: https://docs.aws.amazon.com/waf/
Strengths
Fine-Grained Control
With AWS WAF, users have fine-grained control over their web traffic. It allows users to write custom rules that block, allow, or monitor (count) requests based on IP addresses, HTTP headers, HTTP body, URI strings, and other web request parts.
What to protect: https://docs.aws.amazon.com/waf/latest/developerguide/web-acl.html
How to protect it: https://docs.aws.amazon.com/waf/latest/developerguide/waf-rules.html
Define and reuse: https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-groups.html
Integration with AWS Ecosystem
AWS WAF seamlessly integrates with Amazon CloudFront, Application Load Balancers, and other services enabling users to deploy a robust defense-in-depth strategy.
Managed Rule Groups
For users unfamiliar with crafting security rules, AWS WAF provides managed rule sets that are maintained by AWS security experts. These rule sets are designed to defend against common threats, reducing the need for users to become security experts themselves.
Cost Efficiency
AWS WAF offers a pay-as-you-go pricing model, meaning users only pay for what they use. This is advantageous for startups and businesses with fluctuating traffic as they don’t need to make a significant upfront investment.
Weaknesses
Regional Dependency
Unless the resources that you want to protect are behind CloudFront, AWS WAF rules must be defined per region, which can be cumbersome for global applications.
https://docs.aws.amazon.com/waf/latest/developerguide/how-aws-waf-works.html
https://docs.aws.amazon.com/waf/latest/developerguide/how-aws-waf-works-resources.html
Learning Curve
For those new to AWS or web application security, there can be a steep learning curve in understanding and implementing AWS WAF effectively.
Limited Native Reporting Capabilities
Although AWS WAF provides logging capabilities, its native reporting and visualization tools can be limited compared to some third-party alternatives.
https://aws.amazon.com/blogs/security/visualize-aws-waf-logs-with-an-amazon-cloudwatch-dashboard/
https://docs.aws.amazon.com/waf/latest/developerguide/logging.html
https://docs.aws.amazon.com/waf/latest/developerguide/monitoring_overview.html
Complex Rule Management
While fine-grained control is a strength, it can also be a weakness if not managed properly. Complex rule sets can sometimes lead to unintended blocks or allowances.
Cost Predictability
The pay-as-you-go model, while flexible, can sometimes lead to unpredictable costs, especially during traffic spikes or DDoS events.
Use cases
Application Layer DDoS Protection
AWS WAF can help mitigate application layer DDoS attacks by filtering malicious traffic based on rules.
https://repost.aws/knowledge-center/waf-mitigate-ddos-attacks
https://docs.aws.amazon.com/waf/latest/developerguide/ddos-resiliency.html
Regulatory Compliance
For businesses under regulatory constraints (like PCI DSS), AWS WAF can help ensure web applications are protected against known vulnerabilities.
Bot Control
AWS WAF can be used to identify and block malicious bots or scrapers that might be targeting an application.
Fraud Control
AWS WAF helps prevent fraudulent account creation and account takeover.
https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-acfp.html
https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-atp.html
Mistakes
Misconfigured Rules
The most common mistake is misconfigured rules that either block legitimate traffic or allow malicious traffic.
Ignoring Logs
Failure to monitor or analyze AWS WAF logs can lead to undetected malicious activity or false positives.
https://docs.aws.amazon.com/waf/latest/developerguide/logging.html
https://docs.aws.amazon.com/waf/latest/developerguide/monitoring_automated_manual.html
Not Updating Rule Sets
Not updating or reviewing rule sets (e.g. for common vulnerabilities from the OWASP Top 10), and not regularly reviewing metrics, can leave applications exposed to newer threats.
Over-reliance on Managed Rules
While managed rules are useful, solely relying on them without custom rules tailored to the application can leave gaps in protection.
Not Testing Rules in Count Mode
Before actively blocking traffic, it's wise to test new rules in count mode to ensure they don't have unintended consequences.
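As an added example (written for this post, not AWS code) tying together the fine-grained rule control, the "ignoring logs" mistake and the count-mode advice above: a custom WAFv2 rule is defined in Count mode, its COUNT matches are tallied from WAF log records, and the rule is only promoted to Block when the tally shows no known-legitimate client would have been hit. The rule name, IP set ARN and log records are constructed assumptions; the log field names follow the AWS WAF log schema and the rule follows the console's rule-JSON shape.

```python
"""Count-mode check for an AWS WAF rule: example written for this post, not AWS code. Log
fields follow the WAF log schema, the rule the WAFv2 console JSON shape; data is constructed."""
import json
from collections import Counter

RULE_ID = "CountAdminOutsideOffice"  # hypothetical rule name
# Rule: URI paths starting with /admin from clients NOT in an office IP set (placeholder ARN).
ADMIN_RULE = {
    "Name": RULE_ID, "Priority": 10,
    "Statement": {"AndStatement": {"Statements": [
        {"ByteMatchStatement": {"SearchString": "/admin", "FieldToMatch": {"UriPath": {}},
            "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
            "PositionalConstraint": "STARTS_WITH"}},
        {"NotStatement": {"Statement": {"IPSetReferenceStatement": {
            "ARN": "arn:aws:wafv2:us-east-1:111122223333:regional/ipset/office/PLACEHOLDER"}}}}]}},
    "Action": {"Count": {}},  # start in Count mode, not Block
    "VisibilityConfig": {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": RULE_ID},
}

def _rec(ip, uri, counted):
    """One constructed WAF log record, trimmed to the fields used below."""
    matched = [{"ruleId": RULE_ID, "action": "COUNT"}] if counted else []
    return json.dumps({"action": "ALLOW", "terminatingRuleId": "Default_Action",
                       "nonTerminatingMatchingRules": matched,
                       "httpRequest": {"clientIp": ip, "uri": uri, "httpMethod": "GET"}})

SAMPLE_LOG_LINES = [
    _rec("203.0.113.10", "/admin/login", True),   # outside IP on /admin: counted
    _rec("203.0.113.10", "/Admin/users", True),   # LOWERCASE transform still matches
    _rec("198.51.100.7", "/admin/health", True),  # uptime prober nobody added to the IP set
    _rec("192.0.2.5", "/admin/login", False),     # office IP: not counted
    _rec("203.0.113.99", "/index.html", False),   # unrelated request
]

def count_mode_report(lines, rule_id):
    """Tally (clientIp, uri) pairs the Count-mode rule would have blocked."""
    hits = Counter()
    for line in lines:
        rec = json.loads(line)
        if any(r["ruleId"] == rule_id and r["action"] == "COUNT"
               for r in rec.get("nonTerminatingMatchingRules", [])):
            req = rec["httpRequest"]
            hits[(req["clientIp"], req["uri"])] += 1
    return hits

def promote_to_block(rule, report, legitimate_ips):
    """Block-mode copy of the rule, or None if Count mode caught legitimate clients."""
    if any(ip in legitimate_ips for ip, _ in report):
        return None  # fix the rule or IP set first
    promoted = json.loads(json.dumps(rule))  # deep copy; original stays in Count
    promoted["Action"] = {"Block": {}}
    return promoted
```

With the prober's IP declared legitimate, promotion is refused and the IP set gets fixed first; with no known-legitimate hits, the returned copy carries Action Block and can be pushed to the web ACL.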
Not Integrating with Other AWS Security Services
Failure to integrate AWS WAF with other AWS services like AWS Shield or AWS Firewall Manager can lead to missed security opportunities.
https://docs.aws.amazon.com/waf/latest/developerguide/shield-chapter.html
https://docs.aws.amazon.com/waf/latest/developerguide/fms-chapter.html
I hope you find this overview useful!
Did you like it? Too long? Too short? Something is missing?
Please let me know with a comment! 🙏
Your feedback is truly precious to me 😊
Attributions:
Icons from https://www.freepik.com/
Music by Sergii Pavkin from Pixabay