DEV Community

selvakumar palanisamy

WAF - Web Application Firewall

WAFs are frequently used to protect web applications and APIs from common security attacks such as SQL injection, cross-site scripting, cross-site request forgery, and others.
They can add a valuable layer of defence and give your team more time to patch vulnerabilities in your application.
They can also slow down and raise the cost of exploiting known vulnerabilities, as well as serve as an early warning system for suspicious user activity.

AWS WAF can be deployed by attaching it to your:

CloudFront distributions
API Gateways
ALBs
AppSync GraphQL API

To configure your WAF, you'll need to provision a WebACL and then associate it with your API. At a minimum, the resources required are:

AWS::WAFv2::WebACL
AWS::WAFv2::WebACLAssociation

WebACL:
  Type: "AWS::WAFv2::WebACL"
  Properties:
    Name: WebACLSQLi
    Scope: REGIONAL
    Description: Web ACL to block SQL injection
    DefaultAction:
      Allow: {}
    VisibilityConfig:
      SampledRequestsEnabled: true
      CloudWatchMetricsEnabled: true
      MetricName: MyMetricName
    Rules:
      - Name: SQLInject-RuleSet
        Priority: 0
        Statement:
          ManagedRuleGroupStatement:
            VendorName: AWS
            Name: AWSManagedRulesSQLiRuleSet
        OverrideAction:
          None: {}
        VisibilityConfig:
          SampledRequestsEnabled: true
          CloudWatchMetricsEnabled: true
          MetricName: SQLInjection-ruleset-metric

WebACLAssociation:
  Type: "AWS::WAFv2::WebACLAssociation"
  Properties:
    WebACLArn: !GetAtt WebACL.Arn
    ResourceArn: !Ref ApiARN

CloudFormation stack to deploy WebACL resources for the ALB:

AWSTemplateFormatVersion: '2010-09-09'
Description: CloudFormation template defines Web ACL resources
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
    - Label:
        default: Resources
      Parameters:
      - albARN
    - Label:
        default: Names
      Parameters:
      - tagName
      - tagNamePrefix
    ParameterLabels:
      albARN:
        default: ALB ARN
      tagName:
        default: Name Tag
      tagNamePrefix:
        default: Name Prefix
Parameters:
  albARN:
    Description: ARN for the Application Load Balancer
    Type: String
    MinLength: '30'
    MaxLength: '180'
    ConstraintDescription: must be a valid ARN of Application Load Balancer.
  tagName:
    Type: String
    Description: Name tag value
    MinLength: '5'
    MaxLength: '25'
    Default: Default
  tagNamePrefix:
    Description: The prefix for use in Name tag values
    Type: String
    MinLength: '5'
    MaxLength: '25'
    Default: default
Resources:
  webAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Description: Web ACL for Application Load Balancer of Elastic Beanstalk
      Name:
        Fn::Sub: "${tagNamePrefix}-web-owasp"
      DefaultAction:
        Allow: {}
      Rules:
      - Name: AWS-CRS
        Priority: 0
        Statement:
          ManagedRuleGroupStatement:
            VendorName: AWS
            Name: AWSManagedRulesCommonRuleSet
            ExcludedRules: []
        OverrideAction:
          None: {}
        VisibilityConfig:
          SampledRequestsEnabled: true
          CloudWatchMetricsEnabled: true
          MetricName:
            Fn::Sub: "${tagNamePrefix}-aws-crs-metric"
      - Name: Bad-Inputs
        Priority: 1
        Statement:
          ManagedRuleGroupStatement:
            VendorName: AWS
            Name: AWSManagedRulesKnownBadInputsRuleSet
            ExcludedRules: []
        OverrideAction:
          None: {}
        VisibilityConfig:
          SampledRequestsEnabled: true
          CloudWatchMetricsEnabled: true
          MetricName:
            Fn::Sub: "${tagNamePrefix}-bad-inputs-metric"
      - Name: Anonymous-IpList
        Priority: 2
        Statement:
          ManagedRuleGroupStatement:
            VendorName: AWS
            Name: AWSManagedRulesAnonymousIpList
            ExcludedRules: []
        OverrideAction:
          None: {}
        VisibilityConfig:
          SampledRequestsEnabled: true
          CloudWatchMetricsEnabled: true
          MetricName:
            Fn::Sub: "${tagNamePrefix}-anonymous-iplist-metric"
      - Name: Windows-RuleSet
        Priority: 3
        Statement:
          ManagedRuleGroupStatement:
            VendorName: AWS
            Name: AWSManagedRulesWindowsRuleSet
        OverrideAction:
          None: {}
        VisibilityConfig:
          SampledRequestsEnabled: true
          CloudWatchMetricsEnabled: true
          MetricName:
            Fn::Sub: "${tagNamePrefix}-windows-ruleset-metric"
      - Name: SQLInject-RuleSet
        Priority: 4
        Statement:
          ManagedRuleGroupStatement:
            VendorName: AWS
            Name: AWSManagedRulesSQLiRuleSet
        OverrideAction:
          None: {}
        VisibilityConfig:
          SampledRequestsEnabled: true
          CloudWatchMetricsEnabled: true
          MetricName:
            Fn::Sub: "${tagNamePrefix}-SQLinjection-ruleset-metric"
      Scope: REGIONAL
      Tags:
      - Key: Name
        Value:
          Fn::Sub: "${tagName} OWASP Web ACL"
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName:
          Fn::Sub: "${tagNamePrefix}-web-owasp-metric"
  cloudwatchLogsGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName:
        Fn::Sub: aws-waf-logs-${tagNamePrefix}-web-owasp
      RetentionInDays: 180
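  webAcllogging:
    Type: AWS::WAFv2::LoggingConfiguration
    # The destination ARN below is built with Fn::Sub, which creates no implicit
    # dependency, so make sure the log group exists before logging is configured.
    DependsOn: cloudwatchLogsGroup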
    Properties:
      ResourceArn:
        Fn::GetAtt:
        - webAcl
        - Arn
      LogDestinationConfigs:
      - Fn::Sub: arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:aws-waf-logs-${tagNamePrefix}-web-owasp
      LoggingFilter:
        DefaultBehavior: KEEP
        Filters:
        - Behavior: KEEP
          Conditions:
          - ActionCondition:
              Action: BLOCK
          Requirement: MEETS_ANY
      RedactedFields:
      - SingleHeader:
          Name: password
  albWebACLAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn:
        Ref: albARN
      WebACLArn:
        Fn::GetAtt:
        - webAcl
        - Arn
Outputs:
  OWASPWebAclARN:
    Description: ARN of WebACL
    Value:
      Fn::GetAtt:
      - webAcl
      - Arn
  CloudwatchLogsGroupARN:
    Description: ARN of CloudWatch Logs Group
    Value:
      Fn::GetAtt:
      - cloudwatchLogsGroup
      - Arn
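
An added example, not part of the original post: a Python triage of the WAF log records that the logging configuration above delivers to CloudWatch Logs, counting blocks per web ACL rule and flagging clients with repeated blocks. The records are constructed samples using a subset of the AWS WAF log fields (`action`, `terminatingRuleId`, `httpRequest.clientIp`); `make_record`, `triage` and the threshold are illustrative names and values.

```python
import json
from collections import Counter


def make_record(action, rule_id, client_ip, uri):
    """Build a constructed record with the subset of WAF log fields used here."""
    return json.dumps({
        "timestamp": 1700000000000,
        "action": action,
        "terminatingRuleId": rule_id,
        "httpRequest": {"clientIp": client_ip, "uri": uri, "httpMethod": "GET"},
    })


# Constructed sample input: rule names match the template's rule entries,
# client IPs come from documentation address ranges.
SAMPLE_LINES = [
    make_record("BLOCK", "SQLInject-RuleSet", "203.0.113.7", "/api/items"),
    make_record("BLOCK", "SQLInject-RuleSet", "203.0.113.7", "/api/users"),
    make_record("BLOCK", "AWS-CRS", "203.0.113.7", "/login"),
    make_record("BLOCK", "Anonymous-IpList", "198.51.100.20", "/"),
    make_record("ALLOW", "Default_Action", "192.0.2.10", "/health"),
    "not-json: truncated line",  # malformed input must not stop the triage
]


def triage(lines, ip_threshold=3):
    """Count BLOCKs per web ACL rule; flag clients at or above ip_threshold blocks."""
    by_rule, by_ip, skipped = Counter(), Counter(), 0
    for line in lines:
        try:
            rec = json.loads(line)
            action = rec["action"]
            rule = rec["terminatingRuleId"]
            ip = rec["httpRequest"]["clientIp"]
        except (ValueError, KeyError, TypeError):
            skipped += 1  # unparseable or incomplete record
            continue
        if action == "BLOCK":
            by_rule[rule] += 1
            by_ip[ip] += 1
    noisy = sorted(ip for ip, n in by_ip.items() if n >= ip_threshold)
    return {"blocks_by_rule": dict(by_rule), "noisy_clients": noisy, "skipped": skipped}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LINES), indent=2))
```

A sudden rise in one rule's count, or a client appearing in `noisy_clients`, is the kind of early-warning signal worth turning into a CloudWatch alarm on the per-rule metrics the template already enables.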