Improve and secure web applications using AWS WAF

What is AWS WAF?

AWS (Amazon Web Services) is a very popular cloud platform used by many enterprise software companies to manage, deploy and release their applications in the cloud. In fact, I also use AWS daily at my work.

AWS has a service named AWS WAF (Web Application Firewall) that helps you protect against common web exploits and bots that can affect availability, compromise security, or consume excessive resources. It also lets you monitor the HTTP(S) requests that are forwarded to your protected web application resources.

How does AWS WAF work?

AWS WAF controls how your protected resources respond to HTTP(S) web requests. You do this by defining a web access control list (ACL) and associating it with one or more web application resources that you want to protect. The associated resources forward incoming requests to AWS WAF for inspection by the web ACL.

In your web ACL, you create rules that define the traffic patterns to look for in requests and specify the action to take on matching requests. AWS WAF provides the following action choices:

  • Allow the requests to go to the protected resource for processing and response.

  • Block the requests.

  • Count the requests.

  • Run CAPTCHA or challenge checks against requests to verify human users and standard browser use.

Components of AWS WAF:

The following are the central components of AWS WAF:

  • Web ACLs – You use a web access control list (ACL) to protect a set of AWS resources. You create a web ACL and define its protection strategy by adding rules. Rules define criteria for inspecting web requests and they specify the action to take on requests that match their criteria. You also set a default action for the web ACL that indicates whether to block or allow through any requests that the rules haven't already blocked or allowed. For more information about web ACLs, see WAF Web access control lists (web ACLs).

    A web ACL is an AWS WAF resource.

  • Rules – Each rule contains a statement that defines the inspection criteria, and an action to take if a web request meets the criteria. When a web request meets the criteria, that's a match. You can configure rules to block matching requests, allow them through, count them, or run bot controls against them that use CAPTCHA puzzles or silent client browser challenges. For more information about rules, see AWS WAF rules.

    A rule is not an AWS WAF resource. It only exists in the context of a web ACL or rule group.

  • Rule groups – You can define rules directly inside a web ACL or in reusable rule groups. AWS Managed Rules and AWS Marketplace sellers provide managed rule groups for your use. You can also define your own rule groups. For more information about rule groups, see AWS WAF Rule groups.

    A rule group is an AWS WAF resource.

AWS WAF Bot Control:

Bot Control lets you monitor, block, or rate limit many types of bots, including scrapers, scanners, crawlers, status monitors, and search engines. At the rule group's targeted inspection level, you can also challenge bots that do not self-identify, which raises the difficulty and cost for malicious bots attempting to abuse your website. You can use the Bot Control managed rule group on its own or together with other AWS Managed Rules rule groups and your own AWS WAF rules.

For more information about the Bot Control managed rule group, see AWS WAF Bot Control rule group.

AWS WAF Fraud Control account creation fraud prevention (ACFP):

Account creation fraud is an online illegal activity in which an attacker tries to create one or more fake accounts. Attackers use fake accounts for fraudulent activities such as abusing promotional and sign-up bonuses, impersonating someone, and cyberattacks like phishing. The presence of fake accounts can negatively impact your business by damaging your reputation with customers and exposing you to financial fraud. AWS WAF offers this feature in the AWS Managed Rules rule group AWSManagedRulesACFPRuleSet with companion application integration SDKs.

ACFP protects your account sign-up pages by monitoring account sign-up requests for anomalous activity and by automatically blocking suspicious requests. The rule group uses request identifiers, behavioral analysis, and machine learning to detect fraudulent requests.

  • Request inspection – ACFP gives you visibility and control over anomalous account creation attempts and attempts that use stolen credentials, to prevent the creation of fraudulent accounts.

  • Response inspection – For CloudFront distributions, in addition to inspecting incoming account creation requests, the ACFP rule group inspects your application's responses to account creation attempts, to track success and failure rates.

AWS WAF Fraud Control account takeover prevention (ATP):

Account takeover is an online illegal activity in which an attacker gains unauthorized access to a person's account. The attacker might do this in a number of ways, such as using stolen credentials or guessing the victim's password through a series of attempts. When the attacker gains access, they might steal money, information, or services from the victim. AWS WAF offers this feature in the AWS Managed Rules rule group AWSManagedRulesATPRuleSet and companion application integration SDKs.

The ATP managed rule group labels and manages requests that might be part of malicious account takeover attempts. The rule group does this by inspecting login attempts that clients send to your application's login endpoint.

  • Request inspection – ATP gives you visibility and control over anomalous login attempts and login attempts that use stolen credentials, to prevent account takeovers that might lead to fraudulent activity.

  • Response inspection – For CloudFront distributions, in addition to inspecting incoming login requests, the ATP rule group inspects your application's responses to login attempts, to track success and failure rates.
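To make the components above concrete, here is an added example (not code from the article or from AWS) that assembles a web ACL in the keyword shape boto3's wafv2 CreateWebACL call expects: a default Allow action, a rate-based Block rule, and the ACFP and ATP managed rule groups with their request inspection settings. The rule names, paths and JSON field identifiers are assumed for illustration, and a small lint function checks the constraints every rule in a web ACL must satisfy.

```python
"""Assemble the request body for the wafv2 CreateWebACL API (boto3 keyword
shape) from the components described above. Rule names, paths and JSON field
identifiers are constructed for this example; nothing is sent to AWS."""

def visibility(name):
    # Required on the web ACL and every rule; it drives the metrics and sampled requests you inspect later.
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": name}

def rate_limit_rule(name, priority, limit):
    # A rule defined directly in the web ACL: a statement plus an action.
    return {"Name": name, "Priority": priority, "Action": {"Block": {}},
            "Statement": {"RateBasedStatement": {"Limit": limit,
                                                 "AggregateKeyType": "IP"}},
            "VisibilityConfig": visibility(name)}

def managed_rule(name, priority, group, config):
    # A managed rule group reference takes OverrideAction instead of Action,
    # because the actions are defined on the rules inside the group.
    return {"Name": name, "Priority": priority, "OverrideAction": {"None": {}},
            "Statement": {"ManagedRuleGroupStatement": {
                "VendorName": "AWS", "Name": group,
                "ManagedRuleGroupConfigs": [config]}},
            "VisibilityConfig": visibility(name)}

def build_web_acl(name, scope):
    # Where ACFP/ATP find the credentials in a JSON body (hypothetical paths).
    fields = {"PayloadType": "JSON", "UsernameField": {"Identifier": "/email"},
              "PasswordField": {"Identifier": "/password"}}
    acfp = {"AWSManagedRulesACFPRuleSet": {
        "CreationPath": "/api/signup", "RegistrationPagePath": "/signup",
        "RequestInspection": {**fields, "EmailField": {"Identifier": "/email"}}}}
    atp = {"AWSManagedRulesATPRuleSet": {
        "LoginPath": "/api/login", "RequestInspection": fields}}
    return {"Name": name, "Scope": scope, "DefaultAction": {"Allow": {}},
            "Rules": [rate_limit_rule("rate-limit-per-ip", 0, 2000),
                      managed_rule("acfp", 10, "AWSManagedRulesACFPRuleSet", acfp),
                      managed_rule("atp", 20, "AWSManagedRulesATPRuleSet", atp)],
            "VisibilityConfig": visibility(name)}

def lint_web_acl(acl):
    """Problems the API would reject: duplicate priorities; both or neither of Action/OverrideAction."""
    problems, seen = [], set()
    for rule in acl["Rules"]:
        if rule["Priority"] in seen:
            problems.append(f"{rule['Name']}: duplicate priority {rule['Priority']}")
        seen.add(rule["Priority"])
        if ("Action" in rule) == ("OverrideAction" in rule):
            problems.append(f"{rule['Name']}: needs exactly one of Action/OverrideAction")
    return problems
```

Passing the returned dictionary as `client.create_web_acl(**build_web_acl("demo", "REGIONAL"))` is the only step this example leaves out.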

AWS WAF can protect these resources:

  • Amazon CloudFront distributions:

An AWS WAF web ACL can be associated with a CloudFront distribution using the AWS WAF console or APIs. You can also associate a web ACL with a CloudFront distribution when you create or update the distribution itself. To configure an association in AWS CloudFormation, you must use the CloudFront distribution configuration.

  • Regional resources:

    You can protect regional resources in all Regions where AWS WAF is available. You can use AWS WAF to protect the following regional resource types:

    • Amazon API Gateway REST API

    • Application Load Balancer

    • AWS AppSync GraphQL API

    • Amazon Cognito user pool

    • AWS App Runner service

    • AWS Verified Access instance

  • Restrictions on multiple resource associations:

A single web ACL can be associated with one or more AWS resources, with the following restrictions:

• You can associate each AWS resource with only one web ACL. The relationship between a web ACL and AWS resources is one-to-many.

    • You can associate a web ACL with one or more CloudFront distributions. You cannot associate a web ACL that you have associated with a CloudFront distribution with any other AWS resource type.
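An added example (not from the article) of a pre-flight check that applies the association restrictions above before any AssociateWebACL call is made: a resource holds at most one web ACL, a CloudFront-scoped web ACL only goes on CloudFront distributions, and a regional web ACL only on the regional resource types listed. The ARN prefixes are my assumption based on each service's standard ARN layout, and the sample ARNs in the test are constructed.

```python
"""Pre-flight check for web ACL associations. A resource takes exactly one web
ACL, a CLOUDFRONT-scope web ACL only protects CloudFront distributions, and a
REGIONAL web ACL only protects the regional resource types AWS WAF supports.
The (service, resource prefix) pairs are assumed from each service's ARN layout."""

# (ARN service field, resource-part prefix, web ACL scope the resource requires)
PROTECTABLE = [
    ("cloudfront", "distribution/", "CLOUDFRONT"),
    ("elasticloadbalancing", "loadbalancer/app/", "REGIONAL"),  # ALB only
    ("apigateway", "/restapis/", "REGIONAL"),                   # REST API stage
    ("appsync", "apis/", "REGIONAL"),                           # GraphQL API
    ("cognito-idp", "userpool/", "REGIONAL"),
    ("apprunner", "service/", "REGIONAL"),
    ("ec2", "verified-access-instance/", "REGIONAL"),
]

def required_scope(resource_arn):
    # arn:partition:service:region:account:resource (resource may contain ':').
    parts = resource_arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {resource_arn}")
    service, resource = parts[2], parts[5]
    for svc, prefix, scope in PROTECTABLE:
        if service == svc and resource.startswith(prefix):
            return scope
    raise ValueError(f"AWS WAF does not protect {resource_arn}")

def plan_association(acl_name, acl_scope, resource_arn, current):
    """Return the association map with the new link added, or raise ValueError.
    `current` maps resource ARN -> name of the web ACL already protecting it."""
    needed = required_scope(resource_arn)
    if needed != acl_scope:
        raise ValueError(f"{acl_name} is {acl_scope}-scoped; {resource_arn} needs {needed}")
    holder = current.get(resource_arn)
    if holder is not None and holder != acl_name:
        raise ValueError(f"{resource_arn} is already protected by {holder}; "
                         "a resource takes exactly one web ACL")
    return {**current, resource_arn: acl_name}
```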

References: