AWS WAF, an AWS Security Best Practice
- March 06, 2018
One of the key business drivers of cloud based DevOps is greater scalability, especially for eCommerce and digital business. So, as more and more organizations move to AWS for its scalability, availability, and reliability, it makes sense we’d get more and more questions about moving to solutions like AWS Web Application Firewall (WAF). In today’s blog, we will address why such a move is a good choice for companies migrating their digital business to the cloud. Let’s kick-off the discussion with a little background on AWS WAF.
AWS WAF is a web application firewall that helps protect web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF can be used to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that are designed for specific applications. AWS WAF is so straightforward to use that we’ve found new rules can be deployed within minutes.
With AWS WAF we can use an API to automate the creation, deployment, and maintenance of web security rules. And, you can deploy AWS WAF on either Amazon CloudFront as part of your CDN solution; the Application Load Balancer (ALB) that fronts web servers; or origin servers running on EC2. A last note: AWS WAF pricing is based on how many rules you deploy and how many web requests your web application receives. There are no upfront commitments.
If your organization is considering an AWS migration, moving to AWS WAF is a sound decision as it supports AWS security best practices by offering the ability to:
- Proactively build security in. WAF allows developers to embed security in the dev chain as they write code, ensuring that security is integrated into cloud-native apps. As firm believers in Security by Design, AWS WAF allows us to effectively balance the need for security with agility.
- Centrally define rules that are then easily deployed across all the apps you want protected. Thus, offering consistency in tooling as AWS services work seamlessly together for greater security and compliance to security standards.
- Watch web traffic in real-time, easily writing new rules in Amazon CloudWatch as needed.
As we all know, application layer attacks are an increasingly common threat to web security. They use a variety of means to cripple and penetrate websites; to weaken site performance; execute data breaches; and expose infrastructure. To prevent such attacks, we deploy web application firewalls as a security measure. Deployed between a web client and a web server, the WAF performs a deep inspection of every request and response in every common form of web traffic.
These inspections are carried out through a variety of rules that can analyze traffic based on a spectrum of criteria, such as IP addresses, the strings that requests contain, and if the request appears to contain malicious code such as a SQL injection. The output of a rule is a decision to allow or deny the request. However, between the request and output lies the analysis, which is often done through cascading rules. E.g. a request is inspected against Rule A. If it passes, it is then sent for inspection against Rule B, and so forth through each Rule set until the request is either denied or it passes each of the Rule tests.
Moving to WAF
Having done the work to set up rules is naturally important for security. So, being able to migrate rules to AWS WAF is a natural request. Many organizations are metric-driven and want to convert the metrics from their previous firewall into WAF metrics. Although AWS WAF does not provide metrics out of the box, a similar mechanism can easily be created.
In addition to creating rules, AWS WAF recently launched the ability to address the top application security flaws as named by the Open Web Application Security Project (OWASP) through an AWS CloudFormation template. The template contains the web ACL and the condition types and rules recommended in their how-to document. Note that the template is designed as a starting point.
Helping you get started with AWS WAF, AWS has added Managed Rules for AWS WAF. Written by security experts, Managed Rules are a set of rules written, curated and managed by AWS Marketplace Sellers that can be easily deployed in front of your web applications running on AWS Application Load Balancers or Amazon CloudFront. These rules help you get up and started quickly — in a matter of a few clicks — and they are even updated as new vulnerabilities and/or bad actors emerge.
We strongly recommend AWS WAF to our customers. It offers advanced features, is a Payment Card Industry (PCI) Data Security Standard (DSS) 3.2 compliant service, and has been an integral part of several mission-critical deployments where PCI Tier-1 and HIPAA standard compliance was required.
*This was originally written by Flux7 Inc., which has become Flux7, an NTT DATA Services Company as of December 30, 2019