How do I protect my Elastic Beanstalk environment against attacks from known unwanted hosts?
Last updated: 2020-05-28
My AWS Elastic Beanstalk instances are getting requests from an unwanted hostname. How can I protect my Elastic Beanstalk instances from getting requests from this hostname?
Short description
In an Elastic Beanstalk environment with an Application Load Balancer, you can use AWS WAF as a custom resource to protect your instances against attacks from unwanted hostnames.
To block your Elastic Beanstalk environment from unwanted hostnames, complete the steps from either of the following sections:
- Block one hostname
- Block multiple hostnames
Resolution
Block one hostname
1. Create a waf.config configuration file in your .ebextensions directory.
2. Update your waf.config file based on the following example. Be sure to replace BlockedHost1 with the hostname that you want to block from your Elastic Beanstalk environment.
option_settings:
  aws:elasticbeanstalk:environment:
    LoadBalancerType: application
  aws:elasticbeanstalk:customoption:
    BlockedHost1: 'exampletoblock.com'
Resources:
  BlockedHostnames:
    Type: "AWS::WAFv2::RegexPatternSet"
    Properties:
      Description: 'List of Hostnames to be block by WebACL'
      Name: BlockedHostsSet
      RegularExpressionList:
        - { "Fn::GetOptionSetting" : {"OptionName" : "BlockedHost1" }}
      Scope: REGIONAL
  WafAcl:
    Type: "AWS::WAFv2::WebACL"
    Properties:
      Description: "Web ACL to Block requests from unknown hosts on AWSEBV2LoadBalancer"
      Name: "BlockHostACL"
      Scope: REGIONAL
      DefaultAction:
        Allow: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: BlockHostACLMetric
      Rules:
        - Name: BlockedHostsRule
          Priority: 1
          Action:
            Block: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: UnknownHostRule1
          Statement:
            RegexPatternSetReferenceStatement:
              Arn: '`{ "Fn::GetAtt" : ["BlockedHostnames", "Arn" ]}`'
              FieldToMatch:
                SingleHeader:
                  Name: Host
              TextTransformations:
                - Priority: 0
                  Type: NONE
  WebACLAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: '`{ "Ref" : "AWSEBV2LoadBalancer" }`'
      WebACLArn: '`{ "Fn::GetAtt" : ["WafAcl", "Arn" ]}`'
3. Create or update your Elastic Beanstalk environment with your waf.config file from step 2.
Important: If you run your waf.config file on an existing Elastic Beanstalk environment that doesn't have an Application Load Balancer, you get an error. You receive the error because the load balancer type can be defined only during environment creation. For more information, see Configuring an Application Load Balancer. You can change your Load Balancer type with a blue/green deployment.
4. To confirm that BlockedHost1 is blocked from sending requests to your Elastic Beanstalk environment, open a terminal and then run the following command to simulate a request originating from exampletoblock.com.
$ curl -I -H 'host: exampletoblock.com' http://YOUR-ENV-NAME.YOUR-ENV-ID.AWS-REGION.elasticbeanstalk.com
Note: Replace exampletoblock.com with the hostname configured in waf.config that you want to block. Replace the URL in the command with your Elastic Beanstalk environment URL.
If the hostname is blocked, then you receive output similar to the following:
> HTTP/1.1 403 Forbidden
Server: awselb/2.0
Date: Mon, 20 Apr 2020 17:31:14 GMT
Content-Type: text/html
Content-Length: 134
Connection: keep-alive
5. To simulate a normal request, run the following command:
$ curl -I http://ENV-NAME.ENV-ID.eu-west-1.elasticbeanstalk.com
If the request is successful, then you see a successful 200 status code and receive output similar to the following:
> HTTP/1.1 200 OK
Date: Mon, 20 Apr 2020 17:38:04 GMT
Content-Type: text/html
Content-Length: 3352
Connection: keep-alive
Server: nginx/1.16.1
Block multiple hostnames
You can block multiple hostnames by adding the hostnames to a Web Access Control List (Web ACL) that uses the RegexPatternSet.
In your waf.config file, add additional hostnames as custom options in the RegularExpressionList. See the following example:
option_settings:
  aws:elasticbeanstalk:environment:
    LoadBalancerType: application
  aws:elasticbeanstalk:customoption:
    BlockedHost1: 'exampletoblock.com'
    BlockedHost2: 'anothertoblock.com'
Resources:
  BlockedHostnames:
    Type: "AWS::WAFv2::RegexPatternSet"
    Properties:
      Description: 'List of Hostnames to be block by WebACL'
      Name: BlockedHostsSet
      RegularExpressionList:
        - { "Fn::GetOptionSetting" : {"OptionName" : "BlockedHost1" }}
        - { "Fn::GetOptionSetting" : {"OptionName" : "BlockedHost2" }}
      Scope: REGIONAL
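Each BlockedHost value becomes a regular expression in the RegexPatternSet, and the rule matches it anywhere in the Host header value with no text transformation. The following Python check is an added example, not part of this article or of Elastic Beanstalk: it pulls the BlockedHost options out of a constructed copy of the option_settings block above, emulates the Host header match, and shows an anchored, escaped form (a suggestion, not something the article uses) that matches only the exact host, with an optional port suffix as a client may send for a non-default port.

```python
import re

# Constructed excerpt of the waf.config option_settings block shown in this article.
WAF_CONFIG = """
option_settings:
  aws:elasticbeanstalk:environment:
    LoadBalancerType: application
  aws:elasticbeanstalk:customoption:
    BlockedHost1: 'exampletoblock.com'
    BlockedHost2: 'anothertoblock.com'
"""


def blocked_patterns(config_text):
    """Return the regex strings that Fn::GetOptionSetting will feed into the
    RegexPatternSet, in BlockedHostN option order."""
    return re.findall(r"^\s*BlockedHost\d+:\s*'([^']*)'", config_text, re.M)


def waf_would_block(patterns, host_header):
    """Emulate the RegexPatternSetReferenceStatement on the Host header:
    TextTransformation NONE, and a hit if any pattern matches anywhere in
    the value (unanchored search, like the WAF regex match)."""
    return any(re.search(p, host_header) for p in patterns)


def tighten(hostname):
    """Turn a bare hostname into an anchored, dot-escaped pattern so that it
    matches only that exact host, optionally followed by ':port'.
    Suggested form; the article itself uses the bare hostname."""
    return r"^" + re.escape(hostname) + r"(:\d+)?$"


if __name__ == "__main__":
    bare = blocked_patterns(WAF_CONFIG)
    tight = [tighten(h) for h in bare]
    for host in ["exampletoblock.com", "www.exampletoblock.com",
                 "exampletoblock.com:443", "my-env.eu-west-1.elasticbeanstalk.com"]:
        print(f"{host:45} bare={waf_would_block(bare, host)} "
              f"anchored={waf_would_block(tight, host)}")
```

Run against a live environment, the curl checks in steps 4 and 5 above remain the authoritative test; this script only previews what the configured patterns will match.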