What Is AWS WAF, and How Does It Work?
AWS Web Application Firewall is a WAF that monitors and controls HTTP(S) requests that are sent to your web application resources. This WAF will allow, deny, count, or run CAPTCHA and other challenge checks on incoming requests depending on the rules configured.
AWS WAF lets you control access to your web applications based on conditions that you specify in the pre-configured or managed rulesets from AWS and AWS Marketplace.
Here are some of the features of AWS WAF.
AWS Web Application Firewall Advanced Features
Another notable feature of AWS WAF is Bot Control, which allows for visibility and control over bot activity that can consume excessive resources, distort data, or create disruption. It offers managed rule groups that can block or prevent common bots from operating on a web app.
AWS WAF can be administered via APIs, allowing platform admins the ability to manage rules and web ACLs. This can allow admins the flexibility of automating parts of the administration of the WAF.
Real-time logging and visibility is another powerful feature of AWS WAF; it enables real-time data collection of raw requests, including information about IP addresses and geographical areas, URIs, User-Agents, and referrers. It can also be linked with Amazon CloudWatch, allowing you to create custom alarms for when limits are exceeded or specific attacks occur.
AWS WAF also mitigates account takeover attacks by employing its Fraud Control Account Takeover Prevention (ATP) feature, which forms part of the AWS Managed Rules rule group. The ATP Managed Rules group identifies and manages potentially malicious requests that target your app’s login page and provides a robust shield against account takeover attempts.
Furthermore, AWS WAF uses tokens, or "fingerprints," that encapsulate information about individual client sessions, allowing it to distinguish between malicious and legitimate sessions, even if they stem from the same IP address.
These tokens are created, updated, and encrypted for clients that successfully respond to silent challenges and CAPTCHA puzzles; they are then included in every web request, allowing AWS WAF to decrypt and verify the token's contents for session authenticity.
AWS WAF Best Practices That You Should Know
1. Migrate from AWS WAF Classic to AWS WAF
AWS WAF Classic and AWS WAF are web application firewall services provided by Amazon Web Services (AWS). However, AWS WAF Classic is the older version of the service and is being phased out in favor of the newer AWS WAF service. AWS WAF Classic has a more basic feature designed to control how API Gateway, Amazon CloudFront, or Application Load Balancer responds to web requests using custom rules and web ACLs.
On the other hand, AWS WAF is a cloud-native web application firewall designed to work with AWS services, such as Amazon CloudFront and Application Load Balancer. It can be integrated with AWS Shield, which provides DDoS protection, and AWS Firewall Manager, which allows for centralized management of multiple AWS accounts.
It would be best if you migrated to AWS WAF because it provides more advanced features like:
Bot control
Real-time traffic visibility
AWS Managed Rules
Web ACLs in JSON format
More rules per web ACL
Improved console experience
A new AWS WAF API that allows you to configure all your WAF resources via a single set of APIs, etc.
The migration process is largely automated, but there are a few things you have to do manually.
First, the automated tool reads all your existing web ACL and related resources. It then generates new ACLs compatible with AWS WAF alongside an AWS CloudFormation template to store it in an Amazon S3 bucket.
Next, deploy the template to recreate the web ACL and its resources in AWS WAF. Review the new web ACL and manually switch your protected resources over to the new web ACL.
2. Test AWS WAF
AWS WAF offers a rule deployment mode called “count mode,” which reports the number of web requests your rules would block without actually blocking them. This option is useful to evaluate the impact of your rules before enabling them.
This approach helps to ensure legitimate traffic is not blocked when deploying the AWS WAF rules for the first time.
However, note that your web application might remain vulnerable to attacks that the “count mode” rule would otherwise block. Therefore, switching to “block mode” is essential to ensure real protection once you’re confident in the rule's efficacy.
3. Deploy Rate-Based Rules
Rate-based rules can effectively protect your applications from large floods of requests within a small period of time. This can, in turn, improve your application’s security stance and reduce the chances of it being taken down by a denial-of-service attack.
It’s best to deploy a blanket rate-based rule to protect your web application from denial-of-service attacks. You can also create additional rules to protect specific URLs and use AWS WAF Security Automations solution to create more restrictive rates and rules to block known malicious IPs.
To find the most appropriate rate for your web app environment, you can use Amazon Athena to query your AWS WAF logs stored in Amazon S3. This will, in turn, create visualizations and tables that can show the top requesting IPs within any five-minute period.
4. Use AWS WAF Managed Rule Groups to Protect Against Common Web App Attacks
You can use AWS Managed Rule Groups and other vendor-managed rulesets from AWS Marketplace to safeguard your web application against common attacks. Some of the benefits of using a managed rule set are its automatic updates and easy administration.
Before enabling these managed rule groups in “block mode,” we advise you to enable them in “count mode” and monitor them to ensure that the rule groups don't mistakenly flag legitimate traffic.
Note: You can enable a specific rule in “count mode” even if the rest of the rule set is in “block mode” by setting the rule action to "COUNT."
5. Tune AWS WAF
Tuning the AWS WAF helps avoid inaccurate blocking of legitimate requests (false positives) and granting access to potentially harmful traffic (false negatives).
Tuning AWS WAF involves customizing its rules according to your web app's workload and creating rule exclusions to reduce false positive detections. During the tuning process, we advise that you enable rules in “count mode” to prompt the WAF to log requests without blocking any traffic.
Test for False Negatives
Typically, you’ll discover false negatives when you conduct security testing (pentesting) on your web applications.
Note that a penetration tester may be able to bypass your managed and custom rules to exploit your web applications. Therefore, it’s important to consider whether or not denial-of-service attacks should be allowed in a penetration testing engagement.
Test for False Positives
To test for false positives in your AWS WAF, you need to deeply understand how your application works to differentiate between legitimate requests and malicious ones. This can be accomplished using various methods, some of which include Web ACL logging, monitoring CloudWatch metrics, and also sampling the web requests that your ACLs are evaluating.
Additionally, you can modify your application interface so that genuine users can notify you if they are blocked from accessing your web app. You can do this by implementing a custom error page that displays user-friendly messages, soliciting feedback from the user regarding the issue they encountered.
6. Conduct Post-Deployment Evaluations
After deploying AWS WAF, it is important to conduct periodic evaluations to monitor and review the WAF. This can be done by regularly reviewing its dashboards to establish a baseline of normal application traffic, or you can use AWS WAF logs with tools like Athena, OpenSearch Service, and external SIEM solutions to analyze traffic patterns, understand anomalies, detect new threats, or recognize false alarms.
Regular penetration testing can also help keep up with emerging threats and address zero-day vulnerabilities.
Additionally, it is essential to keep WAF rules current and up to date to ensure that they protect your web application against the latest threats. Use managed rules too, because they can reduce the technical effort required to keep the AWS WAF up to date.
Challenges with AWS WAF
Several challenges come with using AWS WAF. Firstly, it may be unable to identify malicious payloads less than 8 KB in size unless you create a custom size constraint rule.
Secondly, its service is exclusive to people who use Amazon Web Services.
Finally, the cost of using AWS WAF is based on the features, the number of rules, and the volume of requests you receive, so it can become expensive if you have a complex deployment with all additional Intelligent Threat Mitigation features enabled and a high number of web ACLs and rules.
open-appsec as an Alternative to AWS WAF
If you want an alternative to AWS WAF, consider using open-appsec WAF. It uses machine learning to ensure faster and more efficient maintenance, making it a great option if you want to ensure the security of your web applications without spending a lot of time and resources on maintenance.
While open-appsec has a smaller community than AWS WAF, it can still provide the necessary technical support to users and is open-source. open-appsec does not use rules, policies, or exception handling to tailor web application security; instead, it preemptively uses its offline and online machine-learning models to protect web applications from zero-day attacks like Text4Shell, Log4Shell, and Spring4Shell
Here’s a more detailed comparison of AWS WAF and open-appsec WAF, or you can try open-appsec in the Playground today.
