Eyal Katz

How to Configure AWS WAF Rules Correctly

Rules make the world go round, as any school teacher will agree. Most of us remember being told to: “Tuck your shirt in,” “Walk slowly in the hallways,” or “Turn up at 8 am sharp.”


The list goes on. While our former teenage selves undoubtedly found the endless list of regulations frustrating, nowadays, we can collectively agree that a strict order is often a great thing. 


Similarly, WAF rules are in place for a very good reason, considering web application attacks grew by a staggering 500% in 2023. AWS WAF rules are designed to ensure maximum and effective protection against threat actors and attacks like server-side request forgery (SSRF) and broken authentication. 


What are AWS WAF Rules?

AWS WAF (Web Application Firewall) is a security firewall that helps protect web applications and APIs from various attacks by filtering and monitoring HTTP(S) requests. It is a cloud WAF solution designed to secure AWS services like Amazon CloudFront, API Gateway, Application Load Balancer, and AppSync GraphQL APIs. AWS WAF protects against common web exploits and vulnerabilities, ensuring that malicious traffic is blocked before it can reach your applications.


AWS WAF rules are the core components that define how the firewall operates. Each rule specifies the patterns to look for in incoming requests and the action to take when a pattern matches. Rules can be written manually to fit your application's specific needs or sourced from AWS Managed Rules. Each rule within AWS WAF is designed to match specific attack patterns, such as SQL injection attempts or cross-site scripting (XSS) attacks.


AWS Managed Rules

How AWS WAF Rules Work

Each WAF rule operates by checking incoming requests against predefined criteria. The rules can be configured to:

  • Allow: Permit the matching request and stop evaluating further rules (a terminating action).

  • Block: Deny the matching request and stop evaluating further rules (a terminating action).

  • Count: Record that the request matched the rule criteria, then continue evaluating subsequent rules without taking other action.

  • CAPTCHA: Require the client to solve a CAPTCHA puzzle to verify that the request comes from a human and not an automated bot.

  • Challenge: Send a client-side JavaScript challenge to the requester and block the request if the challenge fails.


Web ACLs (Access Control Lists) group these rules and apply them to your AWS resources. A Web ACL can contain multiple rules, and AWS WAF processes them according to their priority. The system evaluates requests against each rule in order, stopping once a terminating action (allow or block) is triggered. If a rule is set to count, it records the request and continues evaluating subsequent rules.


How to Choose the Right AWS WAF Rules for You

Choosing the right AWS WAF rules is crucial for effective web application security. Here are some tips for selecting the most appropriate rules for your needs.


1. Understand Your Application's Threats

Every application has a unique threat profile based on its functionality, user base, and exposure. Start by identifying the most common and significant threats your application faces. For example:

  • E-commerce platforms: Often targeted by SQL injection and cross-site scripting (XSS) attacks.

  • APIs: Vulnerable to command injection and parameter tampering.


2. Analyze Traffic Patterns

Analyze your application's typical traffic patterns to clearly distinguish legitimate from malicious traffic. This step will help you apply the exact rules required to address those threats.

  • Baseline traffic: Establish a baseline of normal traffic patterns to identify anomalies.

  • User behavior: Analyze user behavior to set appropriate thresholds for rate limiting and other protections.


3. Utilize Managed Rule Groups

AWS offers Managed Rule Groups, which are sets of predefined rules maintained by AWS or third-party vendors. These groups cover many common threats, including the OWASP Top 10. Managed Rule Groups are a good starting point because they:

  • Stay current: They are regularly updated to address the latest threats.

  • Offer comprehensive coverage: They protect against a wide array of common attack vectors.


4. Consider Scalability and Performance

When selecting WAF rules, consider your application's scalability and performance to ensure that security measures do not hinder user experience.

  • Performance impact: Choose rules that minimize performance degradation.

  • Scalable solutions: Implement rules that can scale with your application's growth and increased traffic.


Additional Considerations

  • Use rule groups wisely: Combine AWS Managed Rule Groups with custom rules tailored to your application's specific needs.

  • Stay updated: Regularly review and update your WAF rules to address new vulnerabilities and threat vectors.

  • Document your configuration: Keep detailed records of your WAF rule configurations, including the rationale for each rule, to facilitate future reviews and audits.


How to Configure AWS WAF Rules Correctly

Configuring AWS WAF rules correctly is essential for maximizing the security of your web applications and APIs. 


1. Leverage Managed Rule Groups

Managed Rule Groups are predefined sets of rules maintained by AWS or third-party vendors. They are designed to protect against common threats and are regularly updated to respond to new vulnerabilities.


How to implement:

In the AWS WAF console, navigate to the web ACL and choose "Add rules." Then, select "Add managed rule group" and choose the appropriate group.


Add Managed AWS Rule Groups

Extra tips:

  • Select Appropriate Rule Groups: Choose rule groups that align with your application's threat profile, such as the OWASP Top 10, Common Vulnerabilities and Exposures (CVE), SQL injection, or cross-site scripting. For example, the AWSManagedRulesCommonRuleSet covers the OWASP Top 10 vulnerabilities.

  • Control Automatic Updates: Use version management to test new versions of rule groups before applying them to your production environment. This tip ensures stability and allows you to revert to a previous version if necessary.


2. Customize Rule Actions

AWS WAF rules can have different actions, such as allow, block, count, CAPTCHA, or challenge. Customizing these actions lets you adjust your WAF's response based on the threat level. This flexibility ensures your WAF protects your applications effectively without unnecessarily blocking legitimate traffic.


How to implement:

When you add or edit a rule in the AWS WAF console, select the action (allow, block, count, CAPTCHA, or challenge) under the "Action" section.


AWS WAF console Actions

Extra tips:

  • Default Action: Set the default action for your web ACL to either allow or block traffic that does not match any rules.

  • Granular Actions: For each rule, decide whether you want to allow, block, or count the requests. Counting can help you understand traffic patterns without immediately blocking potential false positives.


3. Implement Scope-down Statements

Scope-down statements allow you to narrow the focus of rule groups to specific requests, reducing the likelihood of blocking legitimate traffic. This means you can target rules to particular conditions, such as specific IP ranges, geographic locations, or certain parts of your application.


How to implement:

To implement a scope-down statement, add a new rule or edit an existing one, and specify the conditions under the "Statement" section.


AWS New Rule

Extra tips:

  • Use IP Sets: Create IP sets to define trusted IP addresses or ranges that should be exempt from certain rules.

  • Fine-Tune Conditions: To avoid over-blocking, apply conditions focusing on specific parts of the request, such as headers or query strings.


4. Monitor and Analyze Traffic

Continuously monitor and analyze web traffic to identify trends, potential attacks, and areas for improvement in your WAF configuration. You can use this data to understand the types and frequencies of requests hitting your application and fine-tune the WAF rules.


How to implement:

Select the web ACL, navigate to the "Logging and metrics" tab, and configure the logging destination to enable logging.


AWS WAF Logging Destination

Extra tips:

  • Enable Logging: Set up AWS WAF logging to capture detailed information about web requests. Use Amazon Kinesis Data Firehose to stream logs to Amazon S3 or another storage service for analysis.

  • Use Metrics: Utilize AWS CloudWatch metrics to monitor the performance and effectiveness of your WAF rules. Set up alarms to notify you of any anomalies or spikes in traffic that may indicate an attack.
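As an added example (not code from the original post), the following Python script summarizes a few constructed AWS WAF log records in the three ways a tuning pass needs: which terminating rule decided each allow or block, which rules inside a count-mode managed group fired, and each client IP's busiest minute. The record fields and rule identifiers follow the AWS WAF log format, trimmed to the fields used; the sample records are constructed, not captured from a real web ACL.

```python
import json
from collections import Counter

def record(ts_ms, action, rule, ip, uri, counted=()):
    """Build one AWS WAF log record trimmed to the fields used below (constructed sample).
    Count-mode matches inside a managed group appear under ruleGroupList[].nonTerminatingMatchingRules."""
    groups = []
    if counted:
        groups.append({"ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",
                       "nonTerminatingMatchingRules": [{"ruleId": r, "action": "COUNT"} for r in counted]})
    return {"timestamp": ts_ms, "action": action, "terminatingRuleId": rule,
            "httpRequest": {"clientIp": ip, "uri": uri}, "ruleGroupList": groups}

# Constructed sample: one JSON object per line, as WAF delivers them to S3, Firehose or CloudWatch Logs.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    record(1700000000000, "ALLOW", "Default_Action", "203.0.113.5", "/"),
    record(1700000001000, "ALLOW", "Default_Action", "198.51.100.7", "/search", ["SizeRestrictions_QUERYSTRING"]),
    record(1700000002000, "BLOCK", "block-known-bad-ips", "192.0.2.9", "/admin"),
    record(1700000003000, "ALLOW", "Default_Action", "198.51.100.7", "/search", ["SizeRestrictions_QUERYSTRING"]),
    record(1700000070000, "BLOCK", "rate-limit-per-ip", "192.0.2.9", "/login"),
])

def summarize(log_text):
    """Three views a rule-tuning pass needs:
    - by_action: (action, terminating rule) -> requests, i.e. what actually decided each request
    - counted: (rule group, rule) -> matches in count mode, the candidates to promote to block
      after checking them for false positives, or to exclude from the group
    - peak_per_minute: client IP -> requests in its busiest minute, to choose a rate-based threshold"""
    by_action, counted, per_ip_minute = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        by_action[(r["action"], r["terminatingRuleId"])] += 1
        for g in r.get("ruleGroupList", []):
            for m in g.get("nonTerminatingMatchingRules", []):
                if m.get("action") == "COUNT":
                    counted[(g["ruleGroupId"], m["ruleId"])] += 1
        per_ip_minute[(r["httpRequest"]["clientIp"], r["timestamp"] // 60000)] += 1
    peak = {}
    for (ip, _minute), n in per_ip_minute.items():
        peak[ip] = max(peak.get(ip, 0), n)
    return {"by_action": dict(by_action), "counted": dict(counted), "peak_per_minute": peak}

if __name__ == "__main__":
    for section, data in summarize(SAMPLE_LOG).items():
        print(section)
        for key, n in sorted(data.items(), key=lambda kv: -kv[1]):
            print(f"  {key}: {n}")
```

Point `summarize` at the concatenated log files from your delivery destination to run it over real traffic.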


5. Prioritize Rule Evaluation

The order in which WAF rules are evaluated significantly affects the effectiveness of your security setup, since AWS WAF processes rules according to their priority settings. Place the most important and most specific rules at the top of the list so they are applied first; this reduces the work left for the rules that follow and makes evaluation more efficient.


How to implement:

In the AWS WAF console, drag and drop rules to reorder them under your web ACL's "Rules" section.


Extra tips:

  • Order Rules Logically: Place the most critical security rules at the top of the list. For instance, rules blocking known malicious IP addresses should be evaluated before more complex rules.

  • Review Regularly: Periodically review and adjust the priority of your rules based on changing threat landscapes and traffic patterns.


6. Use Rate-Based Rules

Rate-based rules effectively mitigate denial-of-service (DoS) attacks by limiting the number of requests from a single IP address within a specified time frame.


How to implement:

To create a rate-based rule, go to the AWS WAF console, add a new rule, select "Rate-based rule," and configure the request threshold and action.


AWS WAF Console Add Rule

Extra tips:

  • Set Thresholds: Define thresholds based on your application's normal traffic patterns. For example, you can set a rule to block an IP address if it makes more than 100 requests per minute.

  • Monitor and Adjust: Monitor the impact of rate-based rules and adjust thresholds to balance security and usability.
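Pulling the six steps together, here is an added Python example (not code from the post or from AWS) that builds the rules list for a web ACL in the shape `aws wafv2 create-web-acl --rules file://rules.json` accepts: a cheap IP blocklist rule first, the AWSManagedRulesCommonRuleSet in count mode with a scope-down statement that exempts a trusted IP set, and a rate-based rule last. The two IP set ARNs are placeholders you must replace with your own; the validation helper catches duplicate priorities and the Action versus OverrideAction mix-up that rule group references commonly trip on.

```python
# Placeholders (assumption): ARNs of two IP sets you create first, one with trusted ranges, one with known-bad ranges.
TRUSTED_IP_SET_ARN = "arn:aws:wafv2:REGION:ACCOUNT:regional/ipset/trusted/PLACEHOLDER"
BLOCKLIST_IP_SET_ARN = "arn:aws:wafv2:REGION:ACCOUNT:regional/ipset/blocklist/PLACEHOLDER"

def visibility(metric_name):
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": metric_name}

def build_rules(rate_limit=1000, managed_in_count_mode=True):
    """Rules list in the shape `aws wafv2 create-web-acl --rules file://rules.json` expects."""
    # Lower Priority runs first; allow/block terminate evaluation, count continues.
    trusted = {"IPSetReferenceStatement": {"ARN": TRUSTED_IP_SET_ARN}}
    return [
        {   # Cheap, specific rule first: known-bad sources never reach the costlier rules.
            "Name": "block-known-bad-ips", "Priority": 0,
            "Statement": {"IPSetReferenceStatement": {"ARN": BLOCKLIST_IP_SET_ARN}},
            "Action": {"Block": {}}, "VisibilityConfig": visibility("BlockKnownBadIps"),
        },
        {   # Managed group scoped down so trusted ranges are exempt. Count mode lets you watch
            # its matches in the logs before switching the override to None (enforce).
            "Name": "managed-common", "Priority": 1,
            "Statement": {"ManagedRuleGroupStatement": {
                "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet",
                "ScopeDownStatement": {"NotStatement": {"Statement": trusted}}}},
            "OverrideAction": {"Count": {}} if managed_in_count_mode else {"None": {}},
            "VisibilityConfig": visibility("ManagedCommon"),
        },
        {   # Rate-based rule keyed on the client IP; pick the limit from observed traffic.
            "Name": "rate-limit-per-ip", "Priority": 2,
            "Statement": {"RateBasedStatement": {"Limit": rate_limit, "AggregateKeyType": "IP"}},
            "Action": {"Block": {}}, "VisibilityConfig": visibility("RateLimitPerIp"),
        },
    ]

def validate_rules(rules):
    """Catch two mistakes the API rejects: duplicate priorities, and Action on a rule group reference."""
    errors = []
    priorities = [r["Priority"] for r in rules]
    if len(set(priorities)) != len(priorities):
        errors.append("duplicate priorities")
    for r in rules:
        is_group = "ManagedRuleGroupStatement" in r["Statement"] or "RuleGroupReferenceStatement" in r["Statement"]
        if is_group and "Action" in r:
            errors.append(f"{r['Name']}: rule groups take OverrideAction, not Action")
        if not is_group and "OverrideAction" in r:
            errors.append(f"{r['Name']}: plain rules take Action, not OverrideAction")
    return errors
```

After `validate_rules(build_rules())` returns an empty list, `json.dumps(build_rules(), indent=2)` written to rules.json is what the CLI call in the lead-in consumes; flip `managed_in_count_mode` to False once the count-mode matches in your logs look clean.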


open-appsec is an open-source project that builds on machine learning to provide pre-emptive web app & API threat protection against OWASP-Top-10 and zero-day attacks. It simplifies maintenance because there is no threat signature upkeep or exception handling, as is common in many WAF solutions. open-appsec can be deployed on-premise as well as in public cloud environments like AWS.


To learn more about how open-appsec works, see this White Paper and the in-depth Video Tutorial. You can also experiment with deployment in the free Playground.


Experiment with open-appsec for Linux, Kubernetes or Kong using a free virtual lab
