
WAF & Shield


Use cases
  • Web application firewall that lets you monitor the HTTP/HTTPS requests forwarded to CloudFront, an Application Load Balancer or API Gateway
  • Also lets you control access to your content
  • You can configure conditions such as:
    • Which IP addresses are allowed to make requests
    • Which query string parameters must be present for a request to be allowed
    • CloudFront / the load balancer then either forwards the request to the origin or returns an HTTP 403 (Forbidden) status code (the block response is customisable in WAFv2)
  • Supports 3 different strategies:
    • ALLOW all requests except the ones the rules match (default action allow + block rules, i.e. a blocklist)
    • BLOCK all requests except the ones the rules match (default action block + allow rules, i.e. an allowlist)
    • COUNT the requests that match (no effect on traffic; used to test a rule before enforcing it)
  • Additional protection against web attacks by defining conditions on characteristics of web requests:
    • Source IP address
    • Source country (geo match on the source IP)
    • Values in request headers
    • Strings in the request (exact or regex match) and request size (size constraints, e.g. on the body or URI length)
    • Presence of likely malicious SQL code (SQL injection) or scripts (XSS)
  • Application Load Balancers (ALB) integrate with WAF at a regional level
    • Localization:
      • CloudFront is global (web ACL scope CLOUDFRONT, created in us-east-1)
      • WAF for ALB / API Gateway is regional (web ACL scope REGIONAL, same region as the protected resource)
    • You can use AWS WAF to protect web apps not hosted in AWS via CloudFront (which supports custom origins outside of AWS)
  • Inspect: IP addresses (+ country mapping), HTTP headers, HTTP body, URI path, query string
  • Match against: SQL injection, cross-site scripting, regex, strings, IP ranges (IP sets), countries, sizes
  • A rule combines several conditions with AND (WAFv2 also supports OR and NOT statements)
  • Rate-based rule: counts requests per source IP over a trailing 5-minute window and blocks IPs that exceed the limit (until their rate drops again), e.g. to mitigate layer 7 DDoS or login brute forcing
  • Normal rules need conditions; for rate-based rules the scope-down condition is optional (no condition = every request counts towards the limit)
  • Managed rules: AWS Managed Rules rule groups (e.g. the Core rule set) or rule groups from Marketplace sellers
Web ACLs
  • Collection of rules evaluated in priority order (lowest number first); in effect OR: the first rule that matches with a terminating action (allow/block) decides, count matches are only recorded and evaluation continues
  • Actions per rule: allow, block, or count (for testing)
  • Default action (allow or block) applies if no rule matches
  • Associate a web ACL with CloudFront distributions, ALBs and API Gateway stages; the service then evaluates every request against the web ACL and acts on the result
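The rule types and web ACL behaviour described above, put together as an added example (not code from the original notes or from AWS): a Python function that builds a WAFv2 web ACL definition in the JSON shape that `aws wafv2 create-web-acl --cli-input-json file://acl.json` accepts, plus a small validator for the mistakes that usually get a definition rejected. The ACL name, the rate limit (300 requests per 5 minutes on /login), the blocked country codes, the 8 KiB body limit and the metric names are illustrative choices, not values from the page; `AWSManagedRulesCommonRuleSet` is the real name of the AWS Core rule set.

```python
"""Added example: build and sanity-check a WAFv2 web ACL definition.
Illustrative values (ACL name, limit 300, country codes, body size, metric names)
are assumptions, not taken from the notes."""
import json


def visibility(metric_name):
    """Every rule and the web ACL itself need a VisibilityConfig block."""
    return {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": metric_name,
    }


def build_web_acl(name="notes-example-acl", scope="REGIONAL"):
    """Default action ALLOW plus block rules = the 'ALLOW all except' strategy.
    scope is REGIONAL for ALB/API Gateway, CLOUDFRONT (created in us-east-1)
    for a CloudFront distribution."""
    rules = [
        {   # Rate-based rule: more than 300 requests per 5 minutes from one IP to
            # /login gets that IP blocked. ScopeDownStatement is optional; without
            # it every request counts towards the limit.
            "Name": "login-rate-limit",
            "Priority": 0,
            "Statement": {"RateBasedStatement": {
                "Limit": 300,
                "AggregateKeyType": "IP",
                "ScopeDownStatement": {"ByteMatchStatement": {
                    "SearchString": "/login",
                    "FieldToMatch": {"UriPath": {}},
                    "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
                    "PositionalConstraint": "STARTS_WITH",
                }},
            }},
            "Action": {"Block": {}},
            "VisibilityConfig": visibility("login-rate-limit"),
        },
        {   # Geo match on the source IP's country (illustrative country list).
            "Name": "block-countries",
            "Priority": 1,
            "Statement": {"GeoMatchStatement": {"CountryCodes": ["KP", "IR"]}},
            "Action": {"Block": {}},
            "VisibilityConfig": visibility("block-countries"),
        },
        {   # Size constraint: reject bodies above 8 KiB before deeper inspection.
            "Name": "body-too-large",
            "Priority": 2,
            "Statement": {"SizeConstraintStatement": {
                "FieldToMatch": {"Body": {}},
                "ComparisonOperator": "GT",
                "Size": 8192,
                "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
            }},
            "Action": {"Block": {}},
            "VisibilityConfig": visibility("body-too-large"),
        },
        {   # AWS managed rule group (SQLi, XSS, ...) in COUNT mode. Rule groups
            # take OverrideAction, not Action; Count records matches in CloudWatch
            # so the group can be watched before switching to {"None": {}}, which
            # lets the group's own block actions take effect.
            "Name": "aws-common-rules",
            "Priority": 3,
            "Statement": {"ManagedRuleGroupStatement": {
                "VendorName": "AWS",
                "Name": "AWSManagedRulesCommonRuleSet",
            }},
            "OverrideAction": {"Count": {}},
            "VisibilityConfig": visibility("aws-common-rules"),
        },
    ]
    return {
        "Name": name,
        "Scope": scope,
        "DefaultAction": {"Allow": {}},
        "Rules": rules,
        "VisibilityConfig": visibility(name),
    }


def validate_web_acl(acl):
    """Return a list of problems the API would reject; empty list = passed."""
    problems = []
    if acl.get("Scope") not in ("REGIONAL", "CLOUDFRONT"):
        problems.append("Scope must be REGIONAL or CLOUDFRONT")
    priorities = [r["Priority"] for r in acl["Rules"]]
    if len(set(priorities)) != len(priorities):
        problems.append("rule priorities must be unique")
    for r in acl["Rules"]:
        stmt = r["Statement"]
        is_group = "ManagedRuleGroupStatement" in stmt or "RuleGroupReferenceStatement" in stmt
        if (is_group and "Action" in r) or (not is_group and "OverrideAction" in r):
            problems.append(f"{r['Name']}: rule groups take OverrideAction, plain rules take Action")
        rate = stmt.get("RateBasedStatement")
        if rate and rate["Limit"] < 100:
            problems.append(f"{r['Name']}: rate-based Limit below the API minimum of 100")
    return problems


if __name__ == "__main__":
    acl = build_web_acl()
    assert validate_web_acl(acl) == []
    print(json.dumps(acl, indent=2))  # save as acl.json for create-web-acl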


Use cases
DDoS mitigation (AWS Shield)
  • Integrated into existing services (CloudFront, Route 53, ELB), not a stand-alone service
  • Shield Standard:
    • Enabled for all AWS accounts (turned on by default)
    • No additional cost (you only pay for the services it protects, e.g. CloudFront, ALB, WAF)
    • Network flow monitoring & protection against common layer 3/4 attacks (SYN/UDP floods, reflection attacks)
  • Shield Advanced:
    • Extra cost ($3,000/month per organisation, 1-year commitment)
    • Advanced DDoS protection + 24/7 access to the DDoS Response Team (SRT)
    • Automated layer 7 traffic monitoring (application-layer attack detection)
    • Visibility and reporting
    • Cost protection (reimburse DDoS-related scaling charges on Route 53, CloudFront and ELB)
    • CloudFront integration (can protect non-AWS origins)
    • CloudWatch metrics notifications of attacks
    • No additional AWS WAF charges for resources protected by Shield Advanced