
WAF on AWS: A Practical Guide


What Is AWS WAF? 

Amazon Web Services Web Application Firewall (AWS WAF) is a cloud-based security service that helps protect web applications from common web exploits and bots that could affect application availability, compromise security, or consume excessive resources. By defining customizable web security rules, AWS WAF can block common attack patterns, such as SQL injection or cross-site scripting.

The service integrates with other AWS services like Amazon CloudFront and Application Load Balancer, allowing organizations to implement security at the edge of their network or directly on their applications. This integration makes it easier to deploy and manage security rules across large and complex deployments.


AWS WAF Components 

AWS WAF includes the following components:

  • Web Access Control Lists (ACLs): These allow users to set rules that permit or block traffic based on conditions such as IP addresses, HTTP headers, HTTP body, or URI strings. ACLs can be applied to multiple resources, from CloudFront distributions to API Gateways, enhancing security.
  • Rules: These define conditions under which web traffic is inspected and acted upon. They can be crafted to target specific behaviors such as the presence of malicious SQL code in requests or attempts to execute scripts in web forms. By using a combination of AND/OR logic and numerous match conditions, users have granular control over traffic.
  • Rule groups: These are collections of predefined rules that address particular common threats, such as OWASP Top 10 security risks. Users can include groups in their Web ACLs either as-is or with custom modifications. This feature enables streamlined updates and uniform rule implementation across multiple applications.


What Are AWS Shield Advanced and AWS Firewall Manager?

AWS Shield Advanced and Firewall Manager are two complementary security solutions provided by AWS, which can work together with AWS WAF.

AWS Shield Advanced provides enhanced protections for web applications against more sophisticated attacks such as Distributed Denial of Service (DDoS) attacks. It offers additional detection and mitigation capabilities, combined with detailed attack diagnostics, allowing users to better understand and prepare against such threats.

AWS Firewall Manager simplifies the administration of firewall rules across multiple AWS accounts and resources. It centralizes the management of security settings, ensuring consistent application of firewall protection according to organizational policies. This is particularly useful for enterprises managing complex environments with multiple operational requirements.

What Resources Can You Protect with AWS WAF?

AWS WAF can be used to protect a variety of Amazon resources.

Amazon CloudFront 

By integrating AWS WAF with Amazon CloudFront, users can inspect and filter content delivery network (CDN) traffic at the edge locations. This reduces latency by preventing attacks from reaching the application server. It’s especially effective against large-scale DDoS attacks and SQL injection attempts, while also helping to enforce geographic restrictions by blocking requests from unwanted regions.

Amazon API Gateway REST APIs

Amazon API Gateway REST APIs can be directly protected with AWS WAF, allowing only legitimate requests to pass through to backend services. This includes protection against content-based attacks and rate-based attacks, which helps maintain API availability and performance. API developers can define the criteria for acceptable requests, protecting backend systems from exploitative traffic.

Application Load Balancer

AWS WAF can be associated with an Application Load Balancer to inspect incoming traffic and conditionally route it. This setup is particularly useful in microservices architectures where different services require differing levels of protection. It also aids in achieving high availability and fault tolerance by distributing traffic while enforcing security rules.

AWS AppSync GraphQL APIs

Integrating AWS WAF with AWS AppSync GraphQL APIs enables security features such as rate limiting and webhook verification. This protects APIs from over-fetching and malicious data manipulation attempts, which are common in poorly secured GraphQL implementations. By tailoring rules to the requirements of GraphQL, users can mitigate potential risks.

Amazon Cognito User Pools

Amazon Cognito user pools are useful for managing user identities and access in AWS environments. AWS WAF can protect their sensitive user data and prevent unauthorized access attempts. Security rules can be set up to monitor and control sign-in and sign-up activities, offering an additional layer of security against brute force attacks and credential stuffing.

AWS App Runner

AWS App Runner is a service designed to make web application deployments easier in AWS. Securing this service with AWS WAF ensures that applications run smoothly without being compromised by common web vulnerabilities or speed-based web attacks. It also simplifies security for developers, allowing them to focus on functional development.

AWS Verified Access Instances

AWS Verified Access is a new service designed to ensure secure and direct connectivity for remote users to internal applications without VPNs. When integrated with AWS WAF, security rules can be configured to ensure that only authenticated and authorized sessions are allowed access, enhancing both usability and security.

Getting Started with AWS WAF 

Set Up Your Account to Use the WAF Service

To set up an AWS account to use the WAF: 

  1. Sign up for an AWS account or log in to an existing account.
  2. Go to the AWS sign-up page and follow the online instructions, which include receiving a phone call for verification. 
  3. After signing up, an AWS account root user is created with access to all AWS services and resources. 
  4. Once the sign-up process is complete, you will receive a confirmation email.
  5. Next, create a user with administrative access by enabling AWS IAM Identity Center and granting administrative permissions to the user. It is a best practice not to use the root user for any task that can be done with administrative access.
  6. Turn on multi-factor authentication (MFA) for added security. 
  7. Sign in using the IAM Identity Center user, and if needed, assign access to additional users by creating permission sets that adhere to the least-privilege principle.
  8. Download and set up the necessary tools for managing AWS WAF programmatically, such as the AWS SDKs and the AWS Command Line Interface (CLI). These tools facilitate API calls and automation of your tasks. 

Create a Web Access Control List

To create a Web ACL:

  1. Open the AWS Management Console and navigate to the AWS WAF section.
  2. Select Create web ACL and enter a name for the Web ACL. 
  3. Optionally, add a description and modify the CloudWatch metric name if needed. 
  4. Select the resource type, such as CloudFront distributions, and associate any AWS resources if applicable. 

Add a String Match Rule

Creating a string match rule involves specifying the criteria for inspecting web requests: 

  1. Start by adding a new rule and using the Rule visual editor.
  2. Name the rule and select Regular rule as the type. 
  3. For the Statement, choose the request component to inspect, such as the header, and specify the header to inspect, like User-Agent. 
  4. Define the match type and string to match, for example, MyAgent. 
  5. Set the action for matching requests to Count to generate metrics without affecting request handling. 
  6. Finally, click on Add rule to add the rule to your Web ACL.

Add a Rule Group with AWS Managed Rules 

AWS Managed Rules offer predefined rule groups that address common threats. To add these to your Web ACL:

  1. Navigate to Add rules and rule groups and select Add rules, then Add managed rule groups.
  2. On the next page, expand the AWS managed rule groups list and select the desired rule group. 
  3. Enable it by turning on the Add to web ACL toggle and set the action to Count to observe its behavior before enforcing it. 
  4. Save the rule group and return to the main configuration page.

Complete the Web ACL Configuration

To finalize the configuration for your ACL:

  1. Select Next on the Add rules and rule groups page. 
  2. Arrange the rule priority to ensure the proper processing order. You can view and modify this order on the rule priority settings page; then click Next.
  3. Review metrics and logging settings on the Configure metrics page, making adjustments as necessary. 
  4. Finally, review your configurations and select Create Web ACL.

Once created, your Web ACL will be active and listed in the AWS WAF console, ready to protect your resources.
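The same Web ACL the console steps above produce can be defined programmatically, which is what the SDK and CLI tools from the setup section are for. The following is an added example, not code from the original article or from AWS: it builds the two rules (a User-Agent string match in Count mode and a managed rule group with its actions overridden to Count) as the wafv2 API rule structures, checks that rule priorities are unique, and writes them to a rules.json for `aws wafv2 create-web-acl`. The rule names, metric names and the choice of AWSManagedRulesCommonRuleSet as the managed group are assumptions.

```python
import base64
import json

def visibility_rule(name, priority, metric):
    """Skeleton of a wafv2 rule: every rule carries its own CloudWatch metric settings."""
    return {
        "Name": name,
        "Priority": priority,
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": metric,
        },
    }

def user_agent_count_rule(agent, priority=0):
    """Regular rule: inspect the User-Agent header for a substring; action Count."""
    rule = visibility_rule("count-user-agent", priority, "countUserAgent")  # assumed names
    rule["Statement"] = {
        "ByteMatchStatement": {
            # AWS CLI v2 reads blob fields such as SearchString from JSON as base64.
            "SearchString": base64.b64encode(agent.encode()).decode(),
            "FieldToMatch": {"SingleHeader": {"Name": "user-agent"}},
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
            "PositionalConstraint": "CONTAINS",
        }
    }
    rule["Action"] = {"Count": {}}
    return rule

def managed_group_count_rule(group, priority=1):
    """Managed rule group: the group's own block actions are overridden to Count."""
    rule = visibility_rule(f"AWS-{group}", priority, group)
    rule["Statement"] = {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": group}}
    rule["OverrideAction"] = {"Count": {}}
    return rule

def web_acl_rules(agent, group):
    """Assemble the rules list in priority order and reject duplicate priorities."""
    rules = [user_agent_count_rule(agent, 0), managed_group_count_rule(group, 1)]
    priorities = [r["Priority"] for r in rules]
    if len(set(priorities)) != len(priorities):
        raise ValueError(f"duplicate rule priorities: {priorities}")
    return sorted(rules, key=lambda r: r["Priority"])

if __name__ == "__main__":
    # Assumed usage: aws wafv2 create-web-acl --name my-web-acl --scope CLOUDFRONT \
    #   --region us-east-1 --default-action Allow={} --rules file://rules.json \
    #   --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=myWebAcl
    with open("rules.json", "w") as fh:
        json.dump(web_acl_rules("MyAgent", "AWSManagedRulesCommonRuleSet"), fh, indent=2)
```

Leaving both rules in Count mode, as the article recommends, lets you watch the rule metrics in CloudWatch before switching the string match to Block or removing the managed group's override.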

WAF and CDN with Coralogix

Coralogix sets itself apart in observability with its modern architecture, enabling real-time insights into WAF and CDN logs along with RUM data, all with built-in cost optimization. Coralogix’s straightforward pricing covers all its platform offerings including APM, RUM, SIEM, infrastructure monitoring and much more. With unparalleled support that features less than 1 minute response times and 1 hour resolution times, Coralogix is a leading choice for thousands of organizations across the globe.

Enjoy lightning fast and highly accurate alerting and monitoring for your WAF and CDN data with Coralogix.
