The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. OWASP Top 10 risks can be addressed with AWS provided tools and guidance. For example, the security pillar of the Well Architected Framework help companies build Secure Designs. AWS WAF is an important tool, used as a first layer of defense against some of the risks listed in the OWASP Top 10.

Threat modeling and pen testing

The first step for addressing OWASP Top 10 risks, is to model the threats faced by your application. For example, you need to identify the threats that are relevant to your application. SQLi threats are mostly relevant for applications with an SQL database. Then for each threat, consider how you will mitigate them (e.g. using which tool, to what level, etc...). OWASP Top 10 include threats that are addressable in your application such as CORS configuration and other security headers, authentication and permission management, data integrity in CI/CD pipelines, etc.. It also includes threats that can be addressed using AWS WAF.

Pen testing your application on a regular basis helps you to assess your security posture, and uncover new opportunities to improve. You can use automated pen testing, or work with AWS partners that can conduct pen testing activities on your application. You can find such tools and services on the AWS Marketplace.


AWS WAF can help you address some of the risks identified in your threat modeling exercise. For example, in Broken Access Control, it is recommended to deny requests by default except for public resources. This can implemented in AWS WAF, by setting the default action to Block, and explicitly allow URLs that correspond to your public resources.

In addition to the custom rules that you configure in AWS WAF, it's recommended to use Amazon Managed Rules (AMR). (AMRs) is a set of rules inspired by OWASP top 10 and maintained by the AWS Threat Research Team. It's designed to to protect applications from the most common and high-severity threats while keeping a very low false positive rate across all customers. The AWS Threat Research Team conducts routine testing of AMR rules to ensure that they are effective and kept up to date, and works with customers directly to enhance AMRs. AMR has baseline rule groups and use-case specific rule groups (e.g. for SQL, Linux, etc..). AMRs help you enhance your coverage of OWASP Top 10 risks, but are not a replacement for the threat modeling exercise.

You can also consider Managed rules that are also inspired by OWASP Top 10 from the AWS Marketplace. It includes HighSecurity OWASP Set by CSC, Web exploits OWASP rules by F5 and Complete OWASP top 10 rulegroup by Fortinet.


Was this page helpful?