Using AWS Web Application Firewall as a Response to Attacks – Understanding Attacks on Cloud Environments – SCS-C02 Study Guide

Using AWS Web Application Firewall as a Response to Attacks

One of the primary purposes of a denial-of-service attack is to make the system being attacked unresponsive. Placing your applications and web services, together with their load balancers and Content Delivery Networks (CDNs) such as CloudFront, behind a Web Application Firewall (WAF) helps protect those assets against application-layer (HTTP) floods and other web-based attacks. Note that a WAF inspects HTTP(S) requests only; volumetric attacks at the network and transport layers are handled by AWS Shield, not by the WAF.

AWS WAF protects traffic by applying custom and managed rules that allow, block, or monitor (count) web requests, based on the conditions you define.

Figure 3.4: An AWS WAF-fronting web application

The primary function of the AWS WAF service is to protect your web applications from a wide variety of malicious request patterns, many of which correspond to the OWASP Top 10. AWS WAF is attached to an Amazon CloudFront distribution, an Application Load Balancer, or an Amazon API Gateway stage, where it inspects HTTP and HTTPS requests to distinguish harmful requests from legitimate ones before they reach your application and site. A request that matches a blocking rule is rejected (by default with an HTTP 403 response), whereas a request that matches a rule set to count is only logged and metered, which is how you validate a new rule before enforcing it.

The previous paragraph mentioned OWASP; for those unfamiliar with what or who that is, the following presents a brief explanation.

Most applications carry security vulnerabilities, so it is crucial to identify them, assess the risk of exposure, and resolve the weak points promptly. The Open Worldwide Application Security Project (OWASP, formerly the Open Web Application Security Project) (https://www.owasp.org/) is a not-for-profit organization that helps the information security industry improve software security to benefit everyone.

OWASP publishes a Top 10 list, revised every few years, of the most critical web application security risks that enterprises face worldwide. The 2021 edition, current at the time of writing, contains the following ten categories:

  • A01: Broken access control
  • A02: Cryptographic failures
  • A03: Injection
  • A04: Insecure design
  • A05: Security misconfiguration
  • A06: Vulnerable and outdated components
  • A07: Identification and authentication failures
  • A08: Software and data integrity failures
  • A09: Security logging and monitoring failures
  • A10: Server-side request forgery

Going back to AWS WAF, to understand how it offers protection against these security risks, you need to look at the three primary components involved in its design:

  • Web ACL: The top-level container that you associate with a resource such as a CloudFront distribution, Application Load Balancer, or API Gateway stage. It holds the rules and rule groups that define what should be inspected within each request, plus a default action (allow or block) that applies to requests matching no rule.
  • Rules: Each rule is essentially an if/then statement. The "if" part is a statement describing what to inspect (source IP, headers, URI, query string, body, request rate, and so on); the "then" part is the action to take on a match: allow, block, or count. Rules are evaluated in priority order, and the first allow or block match ends evaluation, whereas a count match is recorded and evaluation continues.
  • Rule groups: A reusable, named collection of rules that you can add to one or more web ACLs. You can write your own rule groups, use AWS Managed Rules (for example, the Core rule set, AWSManagedRulesCommonRuleSet, which covers much of the OWASP Top 10), or subscribe to groups from the AWS Marketplace. A rule group's actions can be overridden to count so you can evaluate its matches before enforcing them.

Security Automations for AWS WAF, an AWS-published solution, deploys a set of preconfigured AWS WAF rules to filter common web-based attacks, such as the following:

  • SQL injection
  • Cross-site scripting
  • HTTP floods
  • Scanners and probes
  • Known attacker origins (IP reputation lists)
  • Bots and scrapers
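To make the web ACL, rule, and rule group model concrete, and to show how several of the attack classes above (known attacker origins, HTTP floods, SQL injection, cross-site scripting) map onto rules, here is an added example that is not from the study guide or from AWS: a small Python model that interprets a simplified subset of the wafv2 JSON shape and evaluates constructed requests in priority order. The `IPSet`, `RateBased`, `RegexMatch`, and `RuleGroupReference` statement keys, the rule names, the addresses, and the rate-limit behaviour are all simplifications assumed for the illustration. In the real service you reference an IP set by ARN, use `SqliMatchStatement`, `XssMatchStatement`, or a managed rule group instead of hand-written regexes, and a rate-based rule counts over a sliding time window.

```python
"""Local model of how an AWS WAF web ACL evaluates rules (added example).

NOT the AWS engine: it interprets a simplified subset of the wafv2 JSON shape
(Name, Priority, Statement, Action, OverrideAction, DefaultAction) so the
evaluation order can be traced. All names, addresses and requests are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed stand-in for a managed rule group (in AWS you only reference it by name).
RULE_GROUPS = {
    "sqli-group-stand-in": [
        {"Name": "sqli-query", "Priority": 0,
         "Statement": {"RegexMatch": {"Field": "query",
                                      "Pattern": r"(?i)(\bunion\b.*\bselect\b|'\s*or\s+1=1)"}},
         "Action": {"Block": {}}},
    ],
}

WEB_ACL = {
    "Name": "demo-web-acl",                 # hypothetical
    "DefaultAction": {"Allow": {}},         # applies when no rule terminates evaluation
    "Rules": [
        {"Name": "block-ip-reputation-list", "Priority": 0,
         "Statement": {"IPSet": {"Addresses": ["198.51.100.0/24"]}},  # inline; AWS uses an IP set ARN
         "Action": {"Block": {}}},
        {"Name": "http-flood-rate-limit", "Priority": 1,
         "Statement": {"RateBased": {"Limit": 100, "AggregateKeyType": "IP"}},
         "Action": {"Block": {}}},
        {"Name": "sqli-managed-group", "Priority": 2,
         "Statement": {"RuleGroupReference": {"Name": "sqli-group-stand-in"}},
         "OverrideAction": {"None": {}}},   # keep the group's own actions; {"Count": {}} = monitor only
        {"Name": "xss-probe", "Priority": 3,
         "Statement": {"RegexMatch": {"Field": "query", "Pattern": r"(?i)<script\b"}},
         "Action": {"Count": {}}},           # monitor first; switch to Block once tuned
    ],
}


class WebAclEvaluator:
    def __init__(self, web_acl, rule_groups):
        self.acl = web_acl
        self.groups = rule_groups
        self.hits = defaultdict(int)   # requests seen per source IP (for RateBased)
        self.counted = []              # (rule label, path) pairs recorded by Count

    def _matches(self, statement, req):
        kind, body = next(iter(statement.items()))
        if kind == "IPSet":
            ip = ipaddress.ip_address(req["ip"])
            return any(ip in ipaddress.ip_network(cidr) for cidr in body["Addresses"])
        if kind == "RateBased":
            # Simplification: counts over the whole run, not AWS's sliding window.
            return self.hits[req["ip"]] > body["Limit"]
        if kind == "RegexMatch":
            return re.search(body["Pattern"], req.get(body["Field"], "")) is not None
        raise ValueError(f"unsupported statement type: {kind}")

    def evaluate(self, req):
        """Return (action, rule label) for one request, e.g. ("Block", "xss-probe")."""
        self.hits[req["ip"]] += 1
        for rule in sorted(self.acl["Rules"], key=lambda r: r["Priority"]):
            stmt = rule["Statement"]
            if "RuleGroupReference" in stmt:
                override = next(iter(rule["OverrideAction"]))
                group = self.groups[stmt["RuleGroupReference"]["Name"]]
                for sub in sorted(group, key=lambda r: r["Priority"]):
                    if not self._matches(sub["Statement"], req):
                        continue
                    action = next(iter(sub["Action"]))
                    label = f"{rule['Name']}/{sub['Name']}"
                    if override == "Count" or action == "Count":
                        self.counted.append((label, req["path"]))   # counted, keep evaluating
                    else:
                        return action, label                         # Allow/Block terminates
                continue
            if self._matches(stmt, req):
                action = next(iter(rule["Action"]))
                if action == "Count":
                    self.counted.append((rule["Name"], req["path"]))
                    continue
                return action, rule["Name"]
        return next(iter(self.acl["DefaultAction"])), "default"


def run_demo():
    """Evaluate constructed sample traffic; returns (decisions, counted hits)."""
    ev = WebAclEvaluator(WEB_ACL, RULE_GROUPS)
    sample = [
        {"ip": "203.0.113.7", "path": "/", "query": ""},                          # ordinary request
        {"ip": "198.51.100.9", "path": "/", "query": ""},                         # on the IP list
        {"ip": "203.0.113.7", "path": "/login", "query": "user=' or 1=1--"},      # SQLi probe
        {"ip": "203.0.113.7", "path": "/search", "query": "q=<script>alert(1)</script>"},  # XSS, count only
    ]
    decisions = [ev.evaluate(r) for r in sample]
    # HTTP flood: 101 requests from one client; only the 101st exceeds Limit=100.
    flood = [ev.evaluate({"ip": "192.0.2.50", "path": "/", "query": ""}) for _ in range(101)]
    decisions.append(flood[-1])
    return decisions, ev.counted
```

Calling `run_demo()` returns the per-request decisions: the listed IP is blocked by the highest-priority rule, the SQLi probe is blocked by the group's own action because the override is `None`, the XSS probe is only counted and falls through to the default `Allow`, and the 101st request from one client trips the rate-based rule while the 100th does not. Changing the group's `OverrideAction` to `{"Count": {}}` is the usual way to deploy a managed rule group in monitoring mode and review its counted matches before switching it to enforcement.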