« Back to News

Web Application Security Using AWS WAF and AWS Shield

As a modern enterprise, only one defense is not the only defense you need today. Hackers are constantly reinventing to break through cyber defenses that you put up to protect our business applications, portals, and API’s. Instances like a record data breach at Equifax, attacks on cryptocurrency owners, elections being hacked or the nervy rise of armed AI bots, discussions on cybersecurity has now made its way into the boardroom. It affects us all. In this three-part series, let’s take a closer look at how companies are safeguarding their assets from these attacks.

DDoS attack is the most commonly used weapon of choice by intruders. Attacks like the ones on DNS provider Dyn, back in 2016 using a botnet or the one on GitHub – that took down the entire service for around 10 minutes, are occurring more often. Downtime costs business tens-of-thousands of dollars, drop in customer loyalty (8% of customers stopped using Dyn after the attack) and not to mention the lawsuits that follow (Equifax).

Today, there are different types of threats simple and sophisticated, which are very difficult to detect with traditional security tools like network layer firewalls. Many options are now available for securing and preventing different types of attacks, but it is difficult to analyze which tool is apt to your advantage.

To guard against some known and some unknown web attacks, Amazon has introduced advanced security tool like AWS Web Application Firewall (WAF) and AWS Shield.

AWS WAF is a web application firewall service that lets you monitor web (HTTP/HTTPS) requests for Amazon CloudFront distributions and Application Load balancer to manage your traffic. It lets you filter web traffic with custom Rules, it can block malicious requests and can also monitor and tune your web applications.

For additional protection against Distributed Denial of Service (DDoS) attacks, AWS also offers AWS Shield Advanced. AWS Shield Advanced provides expanded DDoS attack protection for your CloudFront distributions, Amazon Route 53 hosted zones, and Elastic Load Balancers.

AWS WAF is better for its ease in AWS integration, affordability, and flexibility amongst others benefits.

AWS WAF and Shield provides a list of vulnerabilities i.e Rules. Rules are a set of conditions with predefined access control list actions (Block/Allow/Count). You create a Rule to specify the conditions that you want AWS WAF to search for in the incoming web requests.


Image courtesy: Amazon AWS

If you add more than one condition to a Rule, the web request must match all the conditions in the Rule for AWS WAF to allow or block requests based on that ACL.

For instance, AWS WAF can watch for the IP addresses from where the requests originate or the strings that the requests contain and where the strings appear, or whether the requests appear to contain malicious SQL code, etc.

AWS WAF works with Amazon CloudFront and Amazon ELB i.e. Elastic Load Balancer. Essentially, to avoid web attacks, you need to monitor the HTTP and HTTPS request. By using CloudFront or ELB, it helps us analyze the traffic of distributed networks and makes it much easier to analyze and understand.


Image courtesy: Amazon AWS

The Open Web Application Security Projects (OWASP) provides a list of standard vulnerabilities (threats) such as Cross-site scripting, IP blocks, DDoS, Geolocation specification etc.

Top vulnerabilities include;

  • Cross-Site Scripting (XSS)

XSS occurs when the attacker uses a web application to send malicious code in the form of browser-side scripts like the HTML tags: BODY, URL, Query String, or the HEADER of a Cookie to a different end user.

  • Geolocation or Geographic Match Condition

Cybercriminals use Geolocation before expanding their attacks into a targeted region.

  • Bad-Bot Rule

Bad Bot can take data from websites without permission and allow misuse, high-speed abuse and attacks on the websites and the APIs. Using available online user information, most account thefts and frauds happen.

  • SQL Injection

SQL injection is injection attacks (malicious SQL queries) which the attackers execute to harm web applications’ database server.

  • Scans Probes Rule

Port scanning is one of the predominantly used technique that attackers use to exploit and break into systems. With the help of this technique, they can find information about running services, which user owns those services and anonymous login details.

If your application is not able to handle these vulnerabilities, there are high chances of data loss and theft resulting in a massive damage to the business.

AWS WAF and AWS Shield Architecture

For you to be able to distribute traffic of the web application, you must see the architecture of AWS WAF and use AWS ELB. You can use the same configuration for AWS Shield Advance for protection against DDoS attacks.

As in the diagram shown below, the WAF is always kept behind a load balancer and works as per configured Rules and Access Control Lists (ACL) in the WAF. With this, it is easy to allow or block the request of APIs which will be decided by access control list (ACL) in WAF.

AWS WAF with Load Balancer

The architecture diagram of AWS WAF in conjunction with ELB

Implementation of AWS WAF with CloudFront or ELB :

The process is as follows:

  • Create ELB or Cloudfront for handling HTTP or HTTPS requests for network firewalls.
    • If user distributes traffic using ELB, then you need to select Application Load Balancer with S3 buckets.
    • If you want to use CloudFront, then you need to select Web and Originate from S3 bucket.
  • Create WAF Rules which could be a list of probable attacks, from web attackers, using automation solutions for AWS WAF template of CloudFormation. You can download the following templates:
    • AWS WAF security automation solution template for Cloudformation using CloudFront
    • AWS WAF security automation solution template for Cloudformation using ELB.
    • Once this template is downloaded, you can use it in Cloudformation. It will take approximately 10-15 minutes to create all the resources for use in WAF.
    • The AWS default security template Rule list can configure nine Rules. Rules are nothing but a predefined configuration for standard vulnerabilities for securing your web applications.  You can further customize these Rules as per requirements.

Configure each Rule as per requirement. For example, Geo-location

  • List of Rules and predicting theft attacks on the website also helps in deciding the choice of service to be used.
    • Adding an ACL is dependent on whether you take action to allow or block the request. On the basis of this configuration, the load balancer either allows request or blocks them with the message ‘HTTP 403 Status Code (Forbidden)’.
  • Testing customizes Rules and manages Alerts for theft occurring on the websites.
    • You can test these Rules using JMeter or Postman
    • Using Cloudwatch you can configure an Alert for WAF metric so the user is made aware of attacks.

As part of the next stage of this journey, we will talk about the newly launched AWS Firewall Manager which helps us to centrally configure and manage AWS WAF rules across multiple accounts and applications and later, we will cover testing for these vulnerabilities and ensure that our WAF works as intended. Stay tuned.

Leave a Reply

About the Writer

  • Farida Pathan

    Farida Pathan is a DevOps engineer with a diversified background in DevOps, automation, scripting, etc. She has a deep interest in helping customers using Cloud, Containers, Orchestration which motivates her to solve a complex problem using simpler and effective solutions.

How can Synerzip Help You?

By partnering with Synerzip, clients rapidly scale their engineering team, decrease time to market and save at least 50 percent with our Agile development teams in India.