Overview
You can use AWS WAF to create custom, application-specific rules that block attack patterns to ensure application availability, secure resources, and prevent excessive resource consumption.
The Security Automations for AWS WAF solution supports the latest version of AWS WAF (AWS WAFV2) service API.
Benefits
The AWS CloudFormation template automatically launches and configures the AWS WAF settings and protective features that you choose to include during initial deployment.
When activated, AWS CloudFormation provisions an Amazon Athena query and a scheduled AWS Lambda function responsible for orchestrating Athena executing, processing result output, and updating AWS WAF.
This solution emits CloudWatch metrics such as allowed requests and blocked requests. You can build a customized dashboard to visualize these metrics and gain insights into the pattern of attacks and protection provided by AWS WAF.
Technical details
The Security Automations for AWS WAF solution provides fine-grained control over the requests attempting to access your web application. The following diagram presents the architecture that you can build using the solution's implementation guide and accompanying AWS CloudFormation template.
At the core of the design is an AWS WAF web ACL that acts as central inspection and decision point for all incoming requests. The protective functions that you choose to activate determine the WAF rules that are added to your web ACL. The labels of the WAF rules in the architecture diagram don’t reflect the priority level of the rules.
A. AWS managed rules
This set of AWS Managed Rules provides protection against exploitation of a wide range of common application vulnerabilities or other unwanted traffic.
B. & C. Manual IP lists
This component creates two specific AWS WAF rules that allow you to manually insert IP addresses that you want to allow or deny. You can also configure IP retention and remove expired IP addresses from these IP lists.
D. & E. SQL injection and XSS
The solution configures two AWS WAF rules that are designed to protect against common SQL injection or XSS patterns in the URI, query string, or body of a request.
F. HTTP flood
This component helps protect against attacks that consist of a large number of requests from a particular IP address, such as a web-layer distributed denial-of-service (DDoS) attacks or a brute-force login attempt. You can set a quota that defines the maximum number of incoming requests allowed from a single IP address within a default five-minute period.
G. Scanners and probes
This component parses application access logs searching for suspicious behavior, such as an abnormal amount of errors generated by an origin. It then blocks those suspicious source IP addresses for a customer-defined period of time.
H. IP reputation lists
This component is the IP Lists Parser AWS Lambda function, which checks third-party IP reputation lists hourly for new ranges to block.
I. Bad bot
This component automatically sets up a honeypot, which is a security mechanism intended to lure and deflect an attempted attack.
A. AWS managed rules
This set of AWS Managed Rules provides protection against exploitation of a wide range of common application vulnerabilities or other unwanted traffic.
B. & C. Manual IP lists
This component creates two specific AWS WAF rules that allow you to manually insert IP addresses that you want to allow or deny. You can also configure IP retention and remove expired IP addresses from these IP lists.
D. & E. SQL injection and XSS
The solution configures two AWS WAF rules that are designed to protect against common SQL injection or XSS patterns in the URI, query string, or body of a request.
F. HTTP flood
This component helps protect against attacks that consist of a large number of requests from a particular IP address, such as a web-layer distributed denial-of-service (DDoS) attacks or a brute-force login attempt. You can set a quota that defines the maximum number of incoming requests allowed from a single IP address within a default five-minute period.
G. Scanners and probes
This component parses application access logs searching for suspicious behavior, such as an abnormal amount of errors generated by an origin. It then blocks those suspicious source IP addresses for a customer-defined period of time.
H. IP reputation lists
This component is the IP Lists Parser AWS Lambda function, which checks third-party IP reputation lists hourly for new ranges to block.
I. Bad bot
This component automatically sets up a honeypot, which is a security mechanism intended to lure and deflect an attempted attack.
Related content
This course provides an overview of AWS security technology, use cases, benefits, and services. The infrastructure protection section covers AWS WAF for traffic filtering.
Amazon Macie is a security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS. In this course, you will be introduced to Amazon Macie, how the service works, and the underlying concepts driving the service.
This exam tests your technical expertise in securing the AWS platform. This is for anyone in an experienced security role.
So Peach turned to AWS for a solution, and now Peach not only blocks cyberattacks but also deters them—reducing needless service slowdowns and boosting customer confidence.