Web Application Firewall
Learn how to protect your web application from common web exploits using a web application firewall.
AWS WAF is a web application firewall that helps protect our web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF helps protect web applications from attacks by allowing us to configure rules that allow, block, or monitor (count) web requests based on conditions that we define. These conditions include IP addresses, HTTP headers, HTTP body, URI strings, SQL injection, and cross-site scripting. New rules can be deployed within minutes, letting us respond quickly to changing traffic patterns.
How AWS WAF works
When AWS services receive requests for websites, the requests are forwarded to AWS WAF for inspection against defined rules. Once a request meets a condition defined in the rules, AWS WAF instructs the underlying service to either block or allow the request based on the action we define.
Here’s the step-by-step workflow of AWS WAF:
Traffic inspection: AWS WAF examines the incoming requests to our web applications, inspecting both the content and the characteristics of each request.
Rules evaluation: It then evaluates these requests against predefined rules or custom rules that we set up. These rules define what kind of traffic is allowed, blocked, or monitored. AWS WAF also provides managed rule sets developed by AWS or third-party security experts, which offer protection against common threats such as SQL injection, cross-site scripting (XSS), and more. These managed rule sets can be customized to suit our specific application needs.
Web ACLs: AWS WAF is typically used in conjunction with Web ACLs (Web Access Control Lists), which are collections of rules organized to control access to our web applications. A Web ACL can be associated with a CloudFront distribution, an Application Load Balancer, or an Amazon API Gateway API.
Logging and monitoring: AWS WAF logs all web requests that match the rules we’ve configured, allowing us to monitor traffic patterns, detect potential threats, and investigate security incidents.
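The logging step above is where tuning happens in practice: rules are usually deployed in count mode first, and the log is reviewed before switching them to block. The following is an added example, not code from the page or from AWS, that parses a handful of constructed lines in the documented AWS WAF log format (fields such as `action`, `terminatingRuleId`, `nonTerminatingMatchingRules`, and `httpRequest.clientIp` are real log fields; every value, ARN, IP address, and rule name below is made up or a labelled placeholder) and summarizes which rules blocked traffic, which clients were blocked, and which count-mode rules matched without blocking.

```python
import json
from collections import Counter

# Constructed sample log lines in the AWS WAF log format (one JSON record per line).
# Field names follow the published log schema; all values are invented for this example.
# ZZ is a user-assigned ISO code used here as a placeholder, not a real country.
_WEBACL_ARN = "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/example/PLACEHOLDER"


def _record(action, rule_id, rule_type, ip, country, uri, args="", counted=()):
    """Build one constructed log record with the shape AWS WAF emits."""
    return json.dumps({
        "timestamp": 1700000000000,
        "formatVersion": 1,
        "webaclId": _WEBACL_ARN,
        "terminatingRuleId": rule_id,
        "terminatingRuleType": rule_type,
        "action": action,
        "httpSourceName": "ALB",
        "httpSourceId": "app/example-alb/PLACEHOLDER",
        "ruleGroupList": [],
        "rateBasedRuleList": (
            [{"rateBasedRuleId": rule_id, "limitKey": "IP", "maxRateAllowed": 2000}]
            if rule_type == "RATE_BASED" else []
        ),
        "nonTerminatingMatchingRules": [{"ruleId": r, "action": "COUNT"} for r in counted],
        "httpRequest": {
            "clientIp": ip, "country": country, "uri": uri, "args": args,
            "httpVersion": "HTTP/1.1", "httpMethod": "GET", "requestId": "PLACEHOLDER",
            "headers": [{"name": "Host", "value": "example.com"}],
        },
    })


SAMPLE_LOG_LINES = [
    _record("ALLOW", "Default_Action", "REGULAR", "198.51.100.10", "US", "/"),
    _record("BLOCK", "RateLimitPerIP", "RATE_BASED", "203.0.113.7", "US", "/api/items"),
    _record("BLOCK", "RateLimitPerIP", "RATE_BASED", "203.0.113.7", "US", "/api/items"),
    # Matched a rule still in count mode; the request was allowed but the match is logged.
    _record("ALLOW", "Default_Action", "REGULAR", "198.51.100.22", "US", "/search",
            args="q=%27%20OR%201%3D1", counted=("SQLiCountOnly",)),
    _record("BLOCK", "GeoBlock", "REGULAR", "192.0.2.55", "ZZ", "/"),
    "not json at all",  # a corrupt line, to show that parsing tolerates it
]


def summarize_waf_logs(lines):
    """Aggregate WAF log lines into the counters an analyst looks at first."""
    actions = Counter()
    blocked_by_rule = Counter()
    blocked_clients = Counter()
    count_only_hits = Counter()
    malformed = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        action = rec.get("action")
        actions[action] += 1
        req = rec.get("httpRequest", {})
        if action == "BLOCK":
            blocked_by_rule[rec.get("terminatingRuleId")] += 1
            blocked_clients[req.get("clientIp")] += 1
        # Count-mode matches are non-terminating; they show what a rule *would* block.
        for match in rec.get("nonTerminatingMatchingRules", []):
            if match.get("action") == "COUNT":
                count_only_hits[match.get("ruleId")] += 1
    return {
        "actions": dict(actions),
        "blocked_by_rule": dict(blocked_by_rule),
        "top_blocked_clients": blocked_clients.most_common(5),
        "count_only_hits": dict(count_only_hits),
        "malformed_lines": malformed,
    }


if __name__ == "__main__":
    print(json.dumps(summarize_waf_logs(SAMPLE_LOG_LINES), indent=2))
```

In a real deployment the lines would come from the Kinesis Data Firehose, S3, or CloudWatch Logs destination configured for the Web ACL rather than from an in-memory list; the `count_only_hits` counter is the one to watch before promoting a rule from count to block, because it reveals false positives on legitimate traffic.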
What resources are protected using WAF
WAF is a regional service. However, we can protect global resources with WAF by attaching a Web ACL to a CloudFront distribution. For regional resources, a Web ACL can be attached only to the following:
Amazon API Gateway REST API
Application Load Balancer
AWS AppSync GraphQL API
Amazon Cognito user pool
AWS App Runner service
AWS Verified Access instance
Note: WAF operates on the application layer (layer 7), so we cannot attach it to a network load balancer (NLB).
Attacks protected by AWS WAF
AWS WAF (Web Application Firewall) helps protect web applications from various types of cyber attacks, including, but not limited to, SQL injection (SQLi), cross-site scripting (XSS), cross-site request forgery (CSRF), XML external entity (XXE) attacks, and API abuse.
Best practices
Here are some best practices for using AWS WAF effectively:
CAPTCHA puzzles: Consider implementing CAPTCHA challenges to help prevent spam and ensure that users interacting with the application are human.
Geo-restriction: If possible, implement geo-restriction to restrict access to the web application from certain countries.
Implement rate limiting: Set up rate-based rules to limit the request rate from any single IP address, preventing DDoS attacks and brute-force attempts.
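To tie the workflow section (priority-ordered rule evaluation, allow/block/count actions, managed rule groups) to the three best practices above, here is an added example that is not code from the page or from AWS. It builds a WAFv2 Web ACL definition in the JSON shape accepted by `aws wafv2 create-web-acl --cli-input-json` (the statement types `GeoMatchStatement`, `RateBasedStatement`, `ByteMatchStatement`, and `ManagedRuleGroupStatement`, and the `Captcha` and `Count` actions, are real WAFv2 constructs) and then runs a small local simulation of how such an ACL is evaluated. The simulation is an assumption-laden stand-in for the AWS engine: the rate-based rule is approximated as a simple per-IP counter over the sample batch rather than AWS's rolling five-minute window, the managed rule group is kept in the definition but never matched locally, and the country code `ZZ`, the rule names, and the IP addresses are placeholders constructed for the example.

```python
import json
from collections import Counter

# Placeholder country code (user-assigned ISO range, not a real country).
BLOCKED_COUNTRIES = ["ZZ"]
RATE_LIMIT = 100  # requests per IP before the rate-based rule blocks (illustrative value)


def _visibility(name):
    # Every rule and the ACL itself require a VisibilityConfig in WAFv2.
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": name}


def build_web_acl():
    """Web ACL definition in the JSON shape used by `aws wafv2 create-web-acl`."""
    return {
        "Name": "example-web-acl",
        "Scope": "REGIONAL",                      # "CLOUDFRONT" for a distribution
        "DefaultAction": {"Allow": {}},           # anything no rule terminates on is allowed
        "VisibilityConfig": _visibility("exampleWebAcl"),
        "Rules": [
            {   # Best practice: geo-restriction. Lowest priority number runs first.
                "Name": "GeoBlock", "Priority": 0,
                "Statement": {"GeoMatchStatement": {"CountryCodes": BLOCKED_COUNTRIES}},
                "Action": {"Block": {}}, "VisibilityConfig": _visibility("GeoBlock"),
            },
            {   # Best practice: rate limiting per source IP.
                "Name": "RateLimitPerIP", "Priority": 1,
                "Statement": {"RateBasedStatement": {"Limit": RATE_LIMIT, "AggregateKeyType": "IP"}},
                "Action": {"Block": {}}, "VisibilityConfig": _visibility("RateLimitPerIP"),
            },
            {   # Best practice: CAPTCHA on a login path that attracts credential stuffing.
                "Name": "LoginCaptcha", "Priority": 2,
                "Statement": {"ByteMatchStatement": {
                    "SearchString": "/login", "FieldToMatch": {"UriPath": {}},
                    "PositionalConstraint": "STARTS_WITH",
                    "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}},
                "Action": {"Captcha": {}}, "VisibilityConfig": _visibility("LoginCaptcha"),
            },
            {   # Managed rule group in count mode: rule-group rules use OverrideAction, not Action.
                "Name": "CommonRuleSetCountMode", "Priority": 3,
                "Statement": {"ManagedRuleGroupStatement": {
                    "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}},
                "OverrideAction": {"Count": {}}, "VisibilityConfig": _visibility("CommonRuleSet"),
            },
        ],
    }


def _matches(statement, req, per_ip):
    """Local approximation of statement matching; only the statement types above are handled."""
    if "GeoMatchStatement" in statement:
        return req["country"] in statement["GeoMatchStatement"]["CountryCodes"]
    if "RateBasedStatement" in statement:
        # Simplified: AWS uses a rolling window and evaluates asynchronously.
        return per_ip[req["ip"]] > statement["RateBasedStatement"]["Limit"]
    if "ByteMatchStatement" in statement:
        bm = statement["ByteMatchStatement"]   # only STARTS_WITH on UriPath is simulated
        return req["uri"].startswith(bm["SearchString"])
    return False  # ManagedRuleGroupStatement is evaluated by AWS, not reproduced here


def evaluate(web_acl, requests):
    """Simulate priority-ordered evaluation: Count continues, every other action terminates."""
    per_ip = Counter()
    decisions = []
    for req in requests:
        per_ip[req["ip"]] += 1
        decision = None
        for rule in sorted(web_acl["Rules"], key=lambda r: r["Priority"]):
            if not _matches(rule["Statement"], req, per_ip):
                continue
            action = next(iter(rule.get("Action") or rule["OverrideAction"]))
            if action == "Count":
                continue  # non-terminating: logged, evaluation moves on
            decision = action.upper()  # BLOCK, ALLOW, CAPTCHA, or CHALLENGE
            break
        if decision is None:
            decision = next(iter(web_acl["DefaultAction"])).upper()
        decisions.append(decision)
    return decisions


# Constructed traffic: three ordinary requests, one from the blocked country, one login
# attempt, and a flood of RATE_LIMIT + 1 requests from a single IP.
SAMPLE_REQUESTS = (
    [{"ip": "198.51.100.10", "country": "US", "uri": "/"}] * 3
    + [{"ip": "192.0.2.55", "country": "ZZ", "uri": "/"}]
    + [{"ip": "198.51.100.10", "country": "US", "uri": "/login"}]
    + [{"ip": "203.0.113.7", "country": "US", "uri": "/api/items"}] * (RATE_LIMIT + 1)
)

if __name__ == "__main__":
    print(json.dumps(build_web_acl(), indent=2))
    print(Counter(evaluate(build_web_acl(), SAMPLE_REQUESTS)))
```

The ordering matters: because `GeoBlock` has priority 0, a request from a blocked country is never counted against the rate limit or shown a CAPTCHA, and because the managed rule group is in count mode its matches are only logged, which is the usual way to stage it before flipping the override to `None` and letting its own block actions take effect.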