I've been experimenting with various settings for publishing a site with AWS WAF 🎉
Advance Preparation
- Publishing with Amazon CloudFront and Amazon S3
Publishing with Amazon CloudFront
This is a method of publishing using a combination of AWS WAF and Amazon CloudFront.
AWS Console → Click “WAF & Shield.”
Enter an arbitrary name, select CloudFront as the resource type, and select the target CloudFront distribution. Leave the other settings at their defaults this time.
Confirm the settings → Click “Create web ACL.”
Click on the Web ACL that has been created.
You can check the details of the Web ACL.
Publishing only the specified IP
This is a method for publishing only the specified IP in AWS WAF.
As preliminary preparation, configure the Web ACL.
Enter an arbitrary name, select CloudFront as the region, select IPv4, and enter the target IP address. → Click "Create IP set."
Click on the IP set that has been created.
You can check the details of the IP set.
Click "Web ACLs" → Click the target Web ACL.
Click "Rules" → Click "Add rules" → Click "Add my own rules and rule groups."
Select "IP set." Enter an arbitrary name, select the IP set you created, select "Source IP address," set "Allow" as the Action, and click "Add rule."
Click "Save," and you will see that the rule is set. Next, click "Edit" for the default action.
Select "Block" as the Default action, set 403 as the Response code, and click "Save."
Confirm that the settings have been made.
If you access the URL from the IP address you set, the website will be displayed. From any other IP address, the website will not be displayed.
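To make the allow-by-IP-set configuration above concrete, here is an added example (my own code, not from the article) that writes the same rule in the JSON shape the WAFv2 console and API use, and evaluates sample client addresses locally the way the Web ACL would: the IP-set allow rule first, then the Block/403 default action. The CIDRs, the IP set ARN and the rule name are constructed placeholders.

```python
import ipaddress

# Constructed sample values (not from the original article). The CIDRs use the
# RFC 5737 documentation ranges; the IP set ARN is a placeholder.
ALLOWED_CIDRS = ["203.0.113.0/24", "198.51.100.7/32"]
IP_SET_ARN = "arn:aws:wafv2:us-east-1:123456789012:global/ipset/allow-list/PLACEHOLDER-ID"

# Rule definition in the shape the WAFv2 console/API use for an "IP set" rule whose
# action is Allow. Without IPSetForwardedIPConfig the match is made on the
# connection's source address, not on X-Forwarded-For, so a client cannot add a
# header to impersonate an allowed address.
ALLOW_RULE = {
    "Name": "allow-listed-ips",
    "Priority": 0,
    "Statement": {"IPSetReferenceStatement": {"ARN": IP_SET_ARN}},
    "Action": {"Allow": {}},
    "VisibilityConfig": {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": "allow-listed-ips",
    },
}

# Default action applied when no rule matches: Block with a custom 403 response,
# as configured in the article.
DEFAULT_ACTION = {"Block": {"CustomResponse": {"ResponseCode": 403}}}

_NETWORKS = [ipaddress.ip_network(cidr) for cidr in ALLOWED_CIDRS]


def ip_in_set(client_ip: str) -> bool:
    """True if client_ip falls inside any CIDR of the IP set; malformed input never matches."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    # An IPv6 address is never contained in an IPv4 network, so mixed versions simply miss.
    return any(addr in net for net in _NETWORKS)


def evaluate(client_ip: str) -> dict:
    """Local model of the Web ACL: rules in priority order, then the default action."""
    if ip_in_set(client_ip):
        return {"action": "ALLOW", "rule": ALLOW_RULE["Name"]}
    status = DEFAULT_ACTION["Block"]["CustomResponse"]["ResponseCode"]
    return {"action": "BLOCK", "status": status}


if __name__ == "__main__":
    for ip in ["203.0.113.10", "198.51.100.7", "192.0.2.1", "2001:db8::1", "not-an-ip"]:
        print(ip, evaluate(ip))
```

Because the IP set has no forwarded-IP configuration, the decision depends only on the address CloudFront actually sees; if you later put another proxy in front of CloudFront, every request would arrive from the proxy's address and the allow list would have to be reconsidered.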
Publishing with Basic authentication
This is the method to publish with Basic authentication in AWS WAF.
As preliminary preparation, configure the Web ACL.
Click "Web ACLs" → Click the target Web ACL.
Click "Rules" → Click "Add rules" → Click "Add my own rules and rule groups."
Select "Rule builder." Enter an arbitrary name. Select "Regular rule" as the type, configure "Statement" as shown in the screenshot, enter the user name and password encoded in Base64 in "String to match," set "Block" as the Action, configure "Custom response" as shown in the screenshot, and click "Add rule."
You can see the details of the rule.
When you access the URL, a dialog for entering the user name and password will appear.
When you enter the configured user name and password, the website will be displayed.
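The following is an added example (my own code, not from the article) showing what the Basic-authentication rule amounts to: the header value a browser sends is `Basic` followed by Base64 of `user:password`, the rule blocks every request whose Authorization header is not exactly that value, and the custom response carries 401 with a `WWW-Authenticate` header so the browser opens the credential dialog. The credentials and realm are constructed, and the 401 + `WWW-Authenticate` custom response is my assumption about what the article's screenshots contain.

```python
import base64
import hmac

# Constructed credentials, not the article's. Base64 is an encoding, not
# encryption: in transit the header is protected only by TLS, and anyone who can
# read the Web ACL can decode the expected value back to user:password.
USERNAME = "demo"
PASSWORD = "correct-horse"


def expected_authorization(user: str, password: str) -> str:
    """Header value a browser sends for Basic auth: 'Basic ' + base64('user:password')."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


EXPECTED = expected_authorization(USERNAME, PASSWORD)
REALM = 'Basic realm="restricted"'  # constructed realm string

# Rule definition in WAFv2 shape: NOT(Authorization header EXACTLY equals the
# expected value) -> Block with a 401 custom response. The WWW-Authenticate
# header is what makes the browser prompt for a user name and password.
BASIC_AUTH_RULE = {
    "Name": "basic-auth-gate",
    "Priority": 0,
    "Statement": {
        "NotStatement": {
            "Statement": {
                "ByteMatchStatement": {
                    "FieldToMatch": {"SingleHeader": {"Name": "authorization"}},
                    "PositionalConstraint": "EXACTLY",
                    "SearchString": EXPECTED,
                    "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
                }
            }
        }
    },
    "Action": {
        "Block": {
            "CustomResponse": {
                "ResponseCode": 401,
                "ResponseHeaders": [{"Name": "WWW-Authenticate", "Value": REALM}],
            }
        }
    },
    "VisibilityConfig": {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": "basic-auth-gate",
    },
}


def evaluate(headers: dict) -> dict:
    """Local model of the rule: header names are case-insensitive, the value must match exactly."""
    presented = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    # Constant-time comparison for the local check; WAF's EXACTLY match does the same job.
    if hmac.compare_digest(presented.encode("utf-8"), EXPECTED.encode("utf-8")):
        return {"action": "ALLOW"}
    return {"action": "BLOCK", "status": 401, "headers": {"WWW-Authenticate": REALM}}


if __name__ == "__main__":
    print("expected header:", EXPECTED)
    print("no header      :", evaluate({}))
    print("wrong password :", evaluate({"Authorization": expected_authorization("demo", "wrong")}))
    print("right password :", evaluate({"authorization": EXPECTED}))
```

Because the match is an exact byte comparison, a single user name and password pair is all this rule can express; a second account means a second rule or an OR statement. Rotating the password means editing the Web ACL.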
Request Restriction
This is how to restrict the rate of requests with AWS WAF.
As preliminary preparation, configure the Web ACL.
Click "Web ACLs" → Click the target Web ACL.
Click "Rules" → Click "Add rules" → Click "Add my own rules and rule groups."
Select "Rule builder." Enter an arbitrary name. Select "Rate-based rule" as the type, set the rate limit to 100 in "Request rate details," set "Block" as the Action, and click "Add rule."
Click on the rule that has been created.
Try accessing the site repeatedly, at least 100 times within 5 minutes.
If the number of requests in 5 minutes exceeds the configured limit, they are blocked. While the count stays below the limit, access is allowed.
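As an added example (my own code, not from the article), the rate-based rule above in WAFv2 JSON shape next to a small sliding-window counter that reproduces its decision locally: requests are counted per source IP over a trailing 5-minute window, and a request is blocked once the count exceeds the limit of 100. The client addresses and traffic pattern are constructed.

```python
from collections import defaultdict, deque

RATE_LIMIT = 100       # the article's setting
WINDOW_SECONDS = 300   # AWS WAF rate-based rules count requests over a 5-minute window

# Rule definition in WAFv2 shape: aggregate by source IP, block above the limit.
RATE_RULE = {
    "Name": "rate-limit-100-per-5min",
    "Priority": 0,
    "Statement": {"RateBasedStatement": {"Limit": RATE_LIMIT, "AggregateKeyType": "IP"}},
    "Action": {"Block": {}},
    "VisibilityConfig": {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": "rate-limit-100-per-5min",
    },
}


class RateLimiter:
    """Sliding-window request counter keyed by source IP (AggregateKeyType = IP)."""

    def __init__(self, limit: int = RATE_LIMIT, window: int = WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.history = defaultdict(deque)  # ip -> timestamps of requests still in the window

    def check(self, ip: str, ts: float) -> str:
        q = self.history[ip]
        # Drop requests that have fallen out of the trailing window.
        while q and ts - q[0] >= self.window:
            q.popleft()
        q.append(ts)
        # The first `limit` requests pass; everything beyond them is blocked.
        return "BLOCK" if len(q) > self.limit else "ALLOW"


def simulate():
    """Constructed traffic: one client sends 120 requests one second apart, another sends 5.

    Returns the per-client ALLOW/BLOCK counts and the decision for the noisy
    client once the full window has elapsed.
    """
    limiter = RateLimiter()
    results = defaultdict(lambda: {"ALLOW": 0, "BLOCK": 0})
    noisy, quiet = "198.51.100.5", "203.0.113.9"
    for i in range(120):
        results[noisy][limiter.check(noisy, i)] += 1
    for i in range(5):
        results[quiet][limiter.check(quiet, i)] += 1
    # Once the last of its requests is older than the window, the noisy client is allowed again.
    after_window = limiter.check(noisy, 120 + WINDOW_SECONDS)
    return dict(results), after_window


if __name__ == "__main__":
    counts, later = simulate()
    for ip, c in counts.items():
        print(ip, c)
    print("noisy client after the window:", later)
```

The local counter is exact, which the real service is not: AWS WAF samples request counts periodically rather than on every request, so the 101st request is not guaranteed to be the first one blocked, and the block lasts until the client's rate drops back under the limit. That is why the article's test asks for well over 100 requests rather than exactly 101.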
With AWS WAF, you can publish a site in combination with Amazon CloudFront and configure many settings beyond the IP restriction, Basic authentication, and request restriction we tried this time 💡
In my next article, I would like to introduce the method combined with Amazon Route 53.
Top comments (3)
Hi @dayjournal ,
It almost feels like a series now, if you can make use of Series under the post options.
Give the series a unique name (the series becomes visible once it has multiple posts); that would be great.
I would also recommend posting a video series for these articles since they contain a lot of pictures.
Thank you!
This is useful when you want to confirm you are not blocking valid requests inadvertently.