Web Application Firewall (WAF)
AWS WAF is a web application firewall service that helps protect your web applications from common web exploits and bots that could affect availability, compromise security, or consume excessive resources.
The AWS Free Tier covers 10 million common Bot Control requests per month; AWS WAF itself (web ACLs, rules and request volume) is billed separately.
Firewall
A firewall can be software installed on your machine, or hardware that sits between the devices on your network and the uplink to the internet. It inspects the traffic and allows or restricts the flow of traffic to your device or devices according to pre-defined configuration rules written for the firewall.
WAF Conditions
A condition defines a basic characteristic that AWS WAF analyzes within a web request. (Conditions are the AWS WAF Classic term; in the current AWS WAF the same checks are written as match statements inside rules.)
The six conditions of WAF are as follows:
- Cross-Site scripting activities
- GEO Match
- IP address
- Size Constraints
- SQL Injection attacks
- Strings that appear within the requests
Cross-Site scripting activities: a cross-site scripting match condition specifies the parts of a web request (such as a User-Agent header, the query string, or the body) that you want AWS WAF to inspect for cross-site scripting threats.
Geographical location that requests originate from (GEO Match): a geo match condition lets you allow, block, or count web requests based on the country the request originates from. It does not block international requests by itself; you choose which countries to match and which action to take (for example, allow only your home country, or block a list of countries).
IP address or address ranges that requests originate from: an IP match condition specifies the IP addresses and/or CIDR ranges that you want to use to control access to your content. Put IP addresses that you want to allow and IP addresses that you want to block into separate IP match conditions. If a proxy sits in front of WAF, the matched address is the connection's source IP unless you configure WAF to read a forwarded IP header such as X-Forwarded-For.
Length of specified parts of the request (Size Constraints): a size constraint condition specifies the parts of a web request (such as a User-Agent header, the query string, or the body) that you want AWS WAF to compare against a set size, using a comparison operator (equals, not equals, less than, greater than, and so on). This is a cheap way to reject oversized bodies or headers before more expensive inspection.
SQL Injection attacks: a SQL injection match condition specifies the parts of a web request (such as a User-Agent header, the query string, or the body) that you want AWS WAF to inspect for malicious SQL code. Create separate conditions for the parts in which you want to allow SQL-like content and the parts in which you don't.
Strings that appear within the requests: a string match condition, or a regex match condition, specifies the part of a web request (such as a User-Agent header) and the text (the value of the header) that you want to use to control access to your content. Create separate conditions for the strings or regex patterns that you want to allow and those that you want to block. Text transformations (URL decode, lowercase, compress whitespace, and so on) can be applied before matching so that simple encoding tricks do not bypass the pattern.
WAF Rules
You can combine multiple conditions into rules to precisely target requests. A web ACL has a default capacity of 1,500 web ACL capacity units (WCUs); this is an adjustable service quota. You can add hundreds of rules and rule groups to a web ACL; the total number you can add depends on the complexity and capacity cost of each rule.
WAF provides two types of rule:
- Regular Rule
- Rate-Based Rule
Let's look at a sample Regular Rule:
- If the request comes from 172.30.0.50
- and it contains SQL-like code
When a rule has multiple conditions, they are combined with AND: every condition must match for the rule to match.
Rate-Based rule
A Rate-Based rule = Regular Rule + rate limiting:
- If the request comes from 172.30.0.50
- and it contains SQL-like code
- and that source IP exceeds 1,000 such requests in a 10-minute window
Rate-based rules count matching requests per aggregation key (usually the source IP) over a sliding window; the rule's action applies only while the count is above the limit, and the regular conditions act as a scope-down so that only matching requests are counted.
Web ACL
A Web ACL (web access control list) defines the action taken when a rule matches, plus a default action for requests that match no rule.
Regular Rule:
- If the request comes from 172.30.0.50
- and it contains SQL-like code
What action do you want to take now?
You apply these actions to the rules in your web ACL.
Types of actions: Allow, Block, and Count. Count records the match without affecting the request, which is the usual way to test a new rule before enforcing it; newer AWS WAF also offers CAPTCHA and Challenge actions.
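The following block is an added example, not code from the original notes. It writes the two sample rules above (the regular rule combining the IP and SQL injection conditions, and its rate-based variant) as AWS WAFv2 rule statements, and then simulates the matching semantics locally on constructed requests to show the AND behaviour and the sliding rate window. The IP set ARN, metric names and sample requests are hypothetical, and the local SQLi regex is a deliberately simplified stand-in for AWS WAF's own detector, not its real engine.

```python
"""Added example, not from the original notes: builds the AWS WAFv2 rule
statements for the two sample rules and simulates their matching locally.
The IP set ARN, metric names and requests are hypothetical; the SQLi regex
is a simplified stand-in for AWS WAF's detector, not its real engine."""
import ipaddress
import json
import re
from collections import defaultdict, deque
from urllib.parse import unquote

# Hypothetical ARN of an IP set that contains 172.30.0.50/32.
IP_SET_ARN = ("arn:aws:wafv2:us-east-1:123456789012:regional/ipset/"
              "suspect-ips/0123abcd-0000-0000-0000-000000000000")


def visibility(name):
    # Every WAFv2 rule must carry a VisibilityConfig for metrics/sampling.
    return {"SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True, "MetricName": name}


def regular_rule():
    """'From 172.30.0.50 AND contains SQL-like code' -> Block."""
    return {
        "Name": "block-sqli-from-suspect-ip", "Priority": 0,
        "Statement": {"AndStatement": {"Statements": [
            {"IPSetReferenceStatement": {"ARN": IP_SET_ARN}},
            {"SqliMatchStatement": {
                "FieldToMatch": {"Body": {}},
                # URL-decode before inspecting so %27 is seen as a quote.
                "TextTransformations": [{"Priority": 0, "Type": "URL_DECODE"}]}},
        ]}},
        "Action": {"Block": {}},
        "VisibilityConfig": visibility("block-sqli-from-suspect-ip"),
    }


def rate_based_rule(limit=1000, window_sec=600):
    """Same conditions, wrapped as a scope-down statement so that only
    matching requests count towards the per-IP limit."""
    return {
        "Name": "rate-limit-sqli-from-suspect-ip", "Priority": 1,
        "Statement": {"RateBasedStatement": {
            "Limit": limit,
            "EvaluationWindowSec": window_sec,   # allowed: 60, 120, 300, 600
            "AggregateKeyType": "IP",
            "ScopeDownStatement": regular_rule()["Statement"]}},
        "Action": {"Block": {}},
        "VisibilityConfig": visibility("rate-limit-sqli-from-suspect-ip"),
    }


def rules_json():
    # Usable as: aws wafv2 create-web-acl ... --rules file://rules.json
    return json.dumps([regular_rule(), rate_based_rule()], indent=2)


# ---- local simulation of the matching semantics ---------------------------
IP_SET = [ipaddress.ip_network("172.30.0.50/32")]
# Toy SQLi detector: a few classic signatures, checked after URL decoding.
SQLI = re.compile(r"(?i)(\bunion\s+select\b|'\s*or\s*'|;\s*drop\s+table\b|--)")


def matches_regular_rule(src_ip, body):
    """AND semantics: the IP condition and the SQLi condition must both hit."""
    in_set = any(ipaddress.ip_address(src_ip) in net for net in IP_SET)
    return in_set and SQLI.search(unquote(body)) is not None


class RateBasedRule:
    """Sliding-window counter keyed by source IP, counting only requests
    that match the scope-down (regular) rule."""

    def __init__(self, limit, window_sec):
        self.limit, self.window = limit, window_sec
        self.hits = defaultdict(deque)   # src_ip -> timestamps of matches

    def action(self, src_ip, ts, body):
        """'BLOCK' once src_ip exceeds the limit inside the window, else
        'ALLOW' (the web ACL's default action in this example)."""
        if not matches_regular_rule(src_ip, body):
            return "ALLOW"
        window = self.hits[src_ip]
        window.append(ts)
        while window and ts - window[0] >= self.window:
            window.popleft()             # drop hits older than the window
        return "BLOCK" if len(window) > self.limit else "ALLOW"


def simulate(limit=3, window_sec=600):
    """Constructed traffic: three SQLi-laden requests from the suspect IP are
    tolerated, the fourth is blocked, the same payload from another IP never
    counts (AND semantics), and a request after the window has slid is allowed."""
    rule = RateBasedRule(limit, window_sec)
    payload = "id=1%27%20OR%20%271%27%3D%271"   # id=1' OR '1'='1, URL-encoded
    traffic = [("172.30.0.50", t, payload) for t in (0, 10, 20, 30)]
    traffic.append(("10.0.0.8", 40, payload))
    traffic.append(("172.30.0.50", 700, payload))  # hits at 0-30 have expired
    return [rule.action(*req) for req in traffic]


if __name__ == "__main__":
    print(rules_json())
    print(simulate())
```

The simulation uses a small limit (3) so the window behaviour is visible in a handful of requests; the JSON keeps the 1,000-requests-per-10-minutes figure from the notes. Deploying the regular rule with a Count action first, and switching to Block only after reviewing the sampled requests, avoids blocking legitimate traffic that happens to contain quote characters.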
Association
Association defines which entity the WAF is attached to. A WAF cannot be associated with an EC2 instance directly.
A WAF can be associated only with these AWS services: CloudFront, Application Load Balancer (ALB), Amazon API Gateway, and AWS AppSync (Amazon Cognito user pools, AWS App Runner and AWS Verified Access were added later). A resource can have only one web ACL, but one web ACL can protect many resources. A web ACL for CloudFront must be created with the CLOUDFRONT scope in us-east-1, while web ACLs for the regional services are created in the same region as the resource they protect.