WAFs are frequently used to protect web applications and APIs from common security attacks such as SQL injection, cross-site scripting, cross-site request forgery, and others.
They can add a valuable layer of defence and give your team more time to patch vulnerabilities in your application.
They can also slow down attackers and raise the cost of exploiting known vulnerabilities, as well as serve as an early warning system for suspicious user activity.
Its deployment options include attaching AWS WAF to your:

- CloudFront distributions
- API Gateways
- ALBs
- AppSync GraphQL APIs
To configure your WAF you'll need to provision a WebACL and then associate it with your API. At a minimum the resources required are:

- AWS::WAFv2::WebACL
- AWS::WAFv2::WebACLAssociation
```yaml
WebACL:
  Type: "AWS::WAFv2::WebACL"
  Properties:
    Name: WebACLSQLi
    Scope: REGIONAL
    Description: Web ACL to block SQL injection
    DefaultAction:
      Allow: {}
    VisibilityConfig:
      SampledRequestsEnabled: true
      CloudWatchMetricsEnabled: true
      MetricName: MyMetricName
    Rules:
      - Name: SQLInject-RuleSet
        Priority: 0
        Statement:
          ManagedRuleGroupStatement:
            VendorName: AWS
            Name: AWSManagedRulesSQLiRuleSet
        OverrideAction:
          None: {}
        VisibilityConfig:
          SampledRequestsEnabled: true
          CloudWatchMetricsEnabled: true
          MetricName: SQLInjection-ruleset-metric
WebACLAssociation:
  Type: "AWS::WAFv2::WebACLAssociation"
  Properties:
    WebACLArn: !GetAtt WebACL.Arn
    ResourceArn: !Ref ApiARN
```
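Several WebACL mistakes (a priority used twice, `Action` on a managed rule group, a scope that does not match the protected resource) are only reported by CloudFormation at stack-creation time. The Python below is an added example, not code from the original post: it runs those checks over the `Properties` block of a WebACL, covering ALB, API Gateway, AppSync and CloudFront scopes rather than just the API case above. The `SCOPE_FOR_SERVICE` mapping, the check wording and the constructed `SQLI_WEB_ACL` dictionary (a copy of the minimal template's properties) are my own.

```python
from typing import Dict, List

# WebACL scope required by the service field of the protected resource's ARN
SCOPE_FOR_SERVICE = {"elasticloadbalancing": "REGIONAL", "apigateway": "REGIONAL",
                     "appsync": "REGIONAL", "cloudfront": "CLOUDFRONT"}


def check_web_acl(props: Dict, resource_arn: str, region: str) -> List[str]:
    """Return problems in a WebACL Properties block (empty list = OK): Scope vs.
    protected resource, CLOUDFRONT scope only in us-east-1, unique priorities,
    OverrideAction (not Action) on rule groups, VisibilityConfig everywhere."""
    problems = []
    wanted = SCOPE_FOR_SERVICE.get(resource_arn.split(":")[2], "REGIONAL")
    if props.get("Scope") != wanted:
        problems.append(f"Scope must be {wanted} for {resource_arn}")
    if props.get("Scope") == "CLOUDFRONT" and region != "us-east-1":
        problems.append("CLOUDFRONT-scoped WebACLs must be created in us-east-1")
    if "VisibilityConfig" not in props:
        problems.append("WebACL is missing VisibilityConfig")
    seen = set()
    for rule in props.get("Rules", []):
        name, prio = rule.get("Name"), rule.get("Priority")
        if prio in seen:
            problems.append(f"rule {name}: duplicate Priority {prio}")
        seen.add(prio)
        stmt = rule.get("Statement", {})
        grouped = "ManagedRuleGroupStatement" in stmt or "RuleGroupReferenceStatement" in stmt
        if grouped and "Action" in rule:
            problems.append(f"rule {name}: rule groups take OverrideAction, not Action")
        if not grouped and "Action" not in rule:
            problems.append(f"rule {name}: missing Action")
        if "VisibilityConfig" not in rule:
            problems.append(f"rule {name}: missing VisibilityConfig")
    return problems


# Constructed copy of the minimal SQLi WebACL Properties from the template above
VIS = {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True}
SQLI_WEB_ACL = {
    "Name": "WebACLSQLi", "Scope": "REGIONAL", "DefaultAction": {"Allow": {}},
    "VisibilityConfig": {**VIS, "MetricName": "MyMetricName"},
    "Rules": [{
        "Name": "SQLInject-RuleSet", "Priority": 0,
        "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": "AWSManagedRulesSQLiRuleSet"}},
        "OverrideAction": {"None": {}},
        "VisibilityConfig": {**VIS, "MetricName": "SQLInjection-ruleset-metric"},
    }],
}
```

Run `check_web_acl(SQLI_WEB_ACL, "<your API Gateway stage ARN>", "<region>")` before `aws cloudformation deploy`; an empty list means the template passes these checks.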
The following CloudFormation stack deploys the WebACL, its logging configuration and the association for an ALB:
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: CloudFormation template defines Web ACL resources
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Resources
        Parameters:
          - albARN
      - Label:
          default: Names
        Parameters:
          - tagName
          - tagNamePrefix
    ParameterLabels:
      albARN:
        default: ALB ARN
      tagName:
        default: Name Tag
      tagNamePrefix:
        default: Name Prefix
Parameters:
  albARN:
    Description: ARN for the Application Load Balancer
    Type: String
    MinLength: '30'
    MaxLength: '180'
    ConstraintDescription: must be a valid ARN of Application Load Balancer.
  tagName:
    Type: String
    Description: Name tag value
    MinLength: '5'
    MaxLength: '25'
    Default: Default
  tagNamePrefix:
    Description: The prefix for use in Name tag values
    Type: String
    MinLength: '5'
    MaxLength: '25'
    Default: default
Resources:
  webAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Description: Web ACL for Application Load Balancer of Elastic Beanstalk
      Name:
        Fn::Sub: "${tagNamePrefix}-web-owasp"
      DefaultAction:
        Allow: {}
      # Rules are evaluated in Priority order; the first terminating match wins
      Rules:
        - Name: AWS-CRS
          Priority: 0
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesCommonRuleSet
              ExcludedRules: []
          OverrideAction:
            None: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName:
              Fn::Sub: "${tagNamePrefix}-aws-crs-metric"
        - Name: Bad-Inputs
          Priority: 1
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesKnownBadInputsRuleSet
              ExcludedRules: []
          OverrideAction:
            None: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName:
              Fn::Sub: "${tagNamePrefix}-bad-inputs-metric"
        - Name: Anonymous-IpList
          Priority: 2
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesAnonymousIpList
              ExcludedRules: []
          OverrideAction:
            None: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName:
              Fn::Sub: "${tagNamePrefix}-anonymous-iplist-metric"
        - Name: Windows-RuleSet
          Priority: 3
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesWindowsRuleSet
          OverrideAction:
            None: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName:
              Fn::Sub: "${tagNamePrefix}-windows-ruleset-metric"
        - Name: SQLInject-RuleSet
          Priority: 4
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesSQLiRuleSet
          OverrideAction:
            None: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName:
              Fn::Sub: "${tagNamePrefix}-SQLinjection-ruleset-metric"
      Scope: REGIONAL
      Tags:
        - Key: Name
          Value:
            Fn::Sub: "${tagName} OWASP Web ACL"
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName:
          Fn::Sub: "${tagNamePrefix}-web-owasp-metric"
  cloudwatchLogsGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      # WAF only accepts log groups whose name starts with aws-waf-logs-
      LogGroupName:
        Fn::Sub: aws-waf-logs-${tagNamePrefix}-web-owasp
      RetentionInDays: 180
  webAcllogging:
    Type: AWS::WAFv2::LoggingConfiguration
    # The destination ARN below is built with Fn::Sub rather than referenced, so
    # CloudFormation needs an explicit dependency to create the log group first
    DependsOn: cloudwatchLogsGroup
    Properties:
      ResourceArn:
        Fn::GetAtt:
          - webAcl
          - Arn
      LogDestinationConfigs:
        - Fn::Sub: arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:aws-waf-logs-${tagNamePrefix}-web-owasp
      # With DefaultBehavior KEEP every request is logged; change it to DROP to
      # retain only the BLOCK records matched by the filter below
      LoggingFilter:
        DefaultBehavior: KEEP
        Filters:
          - Behavior: KEEP
            Conditions:
              - ActionCondition:
                  Action: BLOCK
            Requirement: MEETS_ANY
      # Redacted fields are written to the log as the literal value REDACTED
      RedactedFields:
        - SingleHeader:
            Name: password
  albWebACLAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn:
        Ref: albARN
      WebACLArn:
        Fn::GetAtt:
          - webAcl
          - Arn
Outputs:
  OWASPWebAclARN:
    Description: ARN of WebACL
    Value:
      Fn::GetAtt:
        - webAcl
        - Arn
  CloudwatchLogsGroupARN:
    Description: ARN of CloudWatch Logs Group
    Value:
      Fn::GetAtt:
        - cloudwatchLogsGroup
        - Arn
```
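Once the logging configuration above is in place, the log group receives one JSON record per request, which is what makes the WAF useful as an early warning system. The Python below is an added example, not part of the original post: it turns a batch of those records into a short report of which managed rules are blocking, which client IPs are blocked repeatedly, and whether the `password` header redaction is actually taking effect. The record layout follows the AWS WAF log format as I understand it (`action`, `terminatingRuleId`, `ruleGroupList`, `httpRequest`); the `_rec` helper, `SAMPLE_LOG` and the `ip_threshold` value are constructed assumptions.

```python
import json
from collections import Counter
from typing import Dict, Iterable

def summarize_waf_logs(lines: Iterable[str], ip_threshold: int = 3) -> Dict:
    """Aggregate WAF log records (one JSON object per line): blocked counts per
    (WebACL rule, managed-group rule) and per client IP, IPs at or above
    ip_threshold blocks, and requests whose 'password' header was not redacted."""
    by_rule, by_ip, unredacted = Counter(), Counter(), []
    for line in lines:
        rec = json.loads(line)
        req = rec["httpRequest"]
        # A header listed under RedactedFields must be logged as REDACTED
        for h in req.get("headers", []):
            if h["name"].lower() == "password" and h["value"] != "REDACTED":
                unredacted.append(req["requestId"])
        if rec["action"] != "BLOCK":
            continue
        # For managed rule groups the specific rule that fired is in ruleGroupList
        inner = next((g["terminatingRule"]["ruleId"] for g in rec.get("ruleGroupList", [])
                      if g.get("terminatingRule")), None)
        by_rule[(rec["terminatingRuleId"], inner)] += 1
        by_ip[req["clientIp"]] += 1
    return {"blocked_by_rule": dict(by_rule), "blocked_by_ip": dict(by_ip),
            "noisy_ips": sorted(ip for ip, n in by_ip.items() if n >= ip_threshold),
            "unredacted_password": unredacted}


def _rec(action, rule, group, inner, ip, rid, pwd="REDACTED"):
    """Constructed WAF log record with only the fields the summary reads."""
    groups = [{"ruleGroupId": f"AWS#{group}",
               "terminatingRule": {"ruleId": inner, "action": "BLOCK"}}] if inner else []
    return json.dumps({"action": action, "terminatingRuleId": rule,
                       "terminatingRuleType": "MANAGED_RULE_GROUP" if inner else "REGULAR",
                       "ruleGroupList": groups,
                       "httpRequest": {"clientIp": ip, "uri": "/login", "requestId": rid,
                                       "headers": [{"name": "Host", "value": "api.example.com"},
                                                   {"name": "password", "value": pwd}]}})

# Constructed sample: three SQLi blocks from one IP, one allowed request, and one
# bad-inputs block whose password header was not redacted (to exercise that check)
SAMPLE_LOG = [
    _rec("BLOCK", "SQLInject-RuleSet", "AWSManagedRulesSQLiRuleSet", "SQLi_QUERYARGUMENTS", "198.51.100.7", "r1"),
    _rec("BLOCK", "SQLInject-RuleSet", "AWSManagedRulesSQLiRuleSet", "SQLi_BODY", "198.51.100.7", "r2"),
    _rec("BLOCK", "SQLInject-RuleSet", "AWSManagedRulesSQLiRuleSet", "SQLi_QUERYARGUMENTS", "198.51.100.7", "r3"),
    _rec("ALLOW", "Default_Action", None, None, "203.0.113.5", "r4"),
    _rec("BLOCK", "Bad-Inputs", "AWSManagedRulesKnownBadInputsRuleSet", "Log4JRCE", "203.0.113.5", "r5", pwd="hunter2"),
]
```

On real data, feed it the lines pulled from the `aws-waf-logs-` group (for example via `aws logs filter-log-events`) instead of `SAMPLE_LOG`; a non-empty `unredacted_password` list means the `RedactedFields` setting is not doing what you expect.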