What Is AWS WAF? How Does It Work?

While regular firewall products protect entire networks, a WAF is built to solely monitor your web applications and services. AWS WAF allows you to create custom rules to protect yourself from specific attacks, as well as use pre-configured rulesets designed by the AWS security team.

For example, you can configure a ruleset that only allows traffic originating from a whitelisted set of IP addresses over specific ports to reach a part of your application. As you can imagine, the more granular your rulesets, the tighter the operational security you can implement. Another common WAF feature is rate limiting: you create a rule that automatically blocks an IP address when it generates more than a specified number of requests within a certain window of time. This is useful for detecting and stopping brute-force login attacks as well as packet flood attacks.

Every AWS WAF deployment comes with AWS Shield Standard as an added layer of protection. AWS Shield works at the transport layer and stops threats as they are detected, in real time. It does this using anomaly detection, traffic signatures, and comparison against a threat database, all without impacting the uptime of your application. Shield Standard also provides extensive built-in DDoS protection for your WAF-protected services. AWS Shield Standard is completely free and integrates easily with AWS WAF.

AWS WAF lives entirely in the AWS cloud and can be controlled and configured through AWS Firewall Manager. In the manager, you set rules, monitor events, and even manage multiple deployments of the WAF. Through an extensive API, you have the option to define app-specific rules as your dev team builds applications.

Flexible pricing allows a dev team of virtually any size to implement this web-based firewall solution. Cost is tied solely to the amount of data processed and the number of rules you implement. While this might seem like the perfect solution, there are a number of features and details you should consider first.

Let’s take a look at AWS WAF’s core features and review some pitfalls you may run into on the platform.

Setting Up AWS WAF

One of the main reasons AWS WAF has rapidly grown in popularity is its easy implementation. The only prerequisite to get started is an AWS account, which makes setup significantly easier than with other cloud-based application firewalls.

Once signed in, you’ll run through a wizard that guides you through creating and configuring your web ACL (Access Control List). The web ACL is the first line of defense against unauthorized access and attacks on your web services. This is where you allow or block web requests, set rules based on IP addresses, and configure the policies that dictate whether traffic is allowed to reach your web applications.

When configuring your rules, you can add them to a rule group or keep them independent. Creating rule groups helps you cut down on clutter and organize your security policies more effectively. Rules match data found in the request against the conditions you configure.

While setting up string-match rules can be a bit complicated, AWS WAF provides a visual editor that guides you through rule creation. Depending on your rule sets, there may be times when you can only use the Rule JSON Editor. The JSON editor isn’t as intuitive as the visual editor, but it gives you more freedom to create customized, in-depth rulesets. The JSON editor can also be used to copy configurations across multiple web ACLs if needed.
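As an added illustration (not from the original article), this is what the rate-limiting rule described earlier looks like when entered in the Rule JSON Editor: it blocks any source IP that sends more than 500 requests to paths starting with /login within AWS WAF’s trailing five-minute evaluation window. The rule name, limit, path, and metric name are constructed values; adjust them to your application.

```json
{
  "Name": "login-rate-limit",
  "Priority": 1,
  "Statement": {
    "RateBasedStatement": {
      "Limit": 500,
      "AggregateKeyType": "IP",
      "ScopeDownStatement": {
        "ByteMatchStatement": {
          "SearchString": "/login",
          "FieldToMatch": { "UriPath": {} },
          "TextTransformations": [
            { "Priority": 0, "Type": "LOWERCASE" }
          ],
          "PositionalConstraint": "STARTS_WITH"
        }
      }
    }
  },
  "Action": { "Block": {} },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "LoginRateLimit"
  }
}
```

The rule goes into the Rules array of a web ACL; an IP stays blocked only while its request rate exceeds the limit, and the CloudWatch metric named above lets you alert on how often the rule fires.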

If you’re looking for more out-of-the-box options, AWS Marketplace has a number of managed rules for purchase. Companies such as Cyber Security Cloud, F5, and Fortinet offer their own managed rule sets that help block everything from botnet-driven attacks to cross-site scripting attacks.

This combination of flexible configuration and prepackaged rulesets makes AWS WAF simpler to set up than most alternatives.

Features & Integrations

In addition to the ACL, there are a number of additional features and integrations that give AWS WAF extended capability and protection.

Building rules through the API requires deeper knowledge of the platform, but it allows a dev team to build a security ruleset as part of the deployment process. In theory, this could cut down on complicated handoffs between teams and shorten the development cycle. Developers could also script against this API to build out custom security rules, groups, and policies based on whatever their template or internal policy requires.

Automation can also be applied to deploy AWS WAF automatically with AWS CloudFormation. Here you create a master template that dictates the security settings, rulesets, and configuration the firewall needs. This makes spinning up new environments quick and ensures consistency across all of your products.

One of the most useful integrations for your WAF is alerting, which you can fully customize through thresholds and alert templates. CloudWatch can keep your security team alerted to configuration changes and events, and it provides AI-powered services such as anomaly detection.

Challenges With AWS WAF

While AWS WAF proves to be a versatile cloud-based security solution, it doesn’t come without some challenges.

You’ll need dedicated security personnel. AWS WAF can be complicated when building custom rulesets and policies, and a misconfigured WAF could spell disaster by allowing access to more vulnerable areas of your applications. There are many instances of data breaches caused by misconfigured AWS settings; one notable incident occurred when Capital One failed to secure its WAF.

An attacker used a common attack called Server-Side Request Forgery (SSRF) to trick AWS WAF into sending information to the attacker. This resulted in the theft of over 100 million credit card application records and was a direct result of a misconfigured WAF.

Without a highly trained IT security professional in place, an organization can fall victim to an attacker taking advantage of weaknesses in poor configurations. Alternatively, your IT staff can mitigate risk by using a tool such as Access Advisor, which helps scope AWS roles and identify permission issues.

If you want to manage logging for your web ACL, you’ll need to enable and configure Kinesis Data Firehose, which has its own learning curve and limitations. When a WAF has too many add-ons and features, it becomes difficult not only to manage them all but also to gain a deep understanding of every system in place.

It’s this same lack of understanding and confusion that can cause misconfigurations, and ultimately data breaches. Once again, having a security professional in place can mitigate this risk, but having a WAF that incorporates a built-in solution would eliminate it.

Rulesets will need to be managed, updated, and audited. WAF rules may seem static, but as the threat landscape changes, your rules will need to follow suit. Managed Rules are a streamlined alternative to creating your own; however, they come with two drawbacks. Managed Rules cost your company money and must be purchased on the AWS Marketplace. While this is still considerably less expensive than hiring a consultant, it’s still an additional cost.

Managed Rules also do not allow rule modification, so your ability to alter or customize a ruleset deployed from AWS Marketplace is limited. This boxes you in when it comes to security and flexibility. If you build your own rulesets, they will periodically need updating to reflect new and evolving threats. Permissions to your AWS environment should also be audited regularly, at a cadence that depends on the size of your organization.

Pricing

Pricing for AWS WAF is linked to the number of Access Control Lists you use, the volume of requests you process, and the number of rules you have added to each ACL. This pricing model can be a bit complicated, but with proper planning, you can estimate your costs based on current usage and future needs.

Why choose AWS WAF?

AWS WAF Alternatives

If you’re looking to move away from the AWS platform, check out our shortlist of competitive AWS WAF alternatives. Be sure to check out our updated post on the best WAFs.

  • AppTrana Managed Web Application Firewall: This WAF solution comes with its own fully managed security team and features customized security policies, contractual SLAs, and 24×7 support.

  • Cloudflare WAF: Leverages its large cloud-based infrastructure to build powerful rulesets and policies with relative ease through intuitive dashboards and wizards.

  • Barracuda Web Application Firewall: Barracuda has three WAF offerings that provide adequate protection from threats and a host of automated remediation. Solutions include on-premises, cloud-based, and as a managed service.

  • F5 Advanced Web Application Firewall: Utilizes proactive botnet defenses, behavioral analytics, and application-layer encryption to defend your services against threats and secure communications between your ancillary systems.

  • StackPath Web Application Firewall: A cloud-based firewall product that includes competitive usage-based pricing in conjunction with a suite of protection and edge services.

AWS WAF rules can match requests on:

  • IP addresses

  • HTTP headers

  • HTTP message body

  • Custom URIs

AWS WAF pricing depends on:

  • The number of incoming requests that WAF has to process

  • The number of Web ACLs that you have

  • The number of Rules within each of the Web ACLs