WAF & Shield
- AWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests.
- AWS also provides AWS Shield Standard and AWS Shield Advanced to help minimize the effects of a distributed denial of service (DDoS) attack.
- You use AWS WAF to control how Amazon CloudFront or an Application Load Balancer responds to web requests.
- You start by creating conditions, rules, and web access control lists (web ACLs).
- Conditions define the basic characteristics that you want AWS WAF to watch for in web requests.
- The following illustration shows how AWS WAF checks the rules and performs the actions based on those rules.
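As an added illustration of the evaluation flow these notes describe (conditions combine into rules, rules in a web ACL allow, block, or count a request in priority order, and the default action applies when nothing matches), here is a small Python model; it is not AWS code, and the condition types, rule names, country code and sample addresses are simplified constructions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ALLOW, BLOCK, COUNT = "ALLOW", "BLOCK", "COUNT"

@dataclass
class Request:
    ip: str
    country: str
    headers: dict = field(default_factory=dict)

# Conditions are predicates over a request; simplified IP, geo and string match types.
def ip_match(cidrs):
    nets = [ip_network(c) for c in cidrs]
    return lambda r: any(ip_address(r.ip) in n for n in nets)

def geo_match(codes):
    return lambda r: r.country in codes

def string_match(header, needle):
    return lambda r: needle.lower() in r.headers.get(header, "").lower()

@dataclass
class Rule:
    name: str
    action: str
    conditions: list  # a rule matches only if every condition matches

@dataclass
class WebACL:
    rules: list       # evaluated in priority order
    default_action: str
    counts: dict = field(default_factory=dict)

    def evaluate(self, r):
        """Return (action, rule name); BLOCK is what CloudFront turns into a 403."""
        for rule in self.rules:
            if all(c(r) for c in rule.conditions):
                if rule.action == COUNT:  # count the match and keep evaluating
                    self.counts[rule.name] = self.counts.get(rule.name, 0) + 1
                    continue
                return rule.action, rule.name  # first ALLOW/BLOCK decides
        return self.default_action, "Default_Action"

# Constructed sample web ACL: block a scanner User-Agent and an IP range,
# and only count requests from country "XX" while a new geo rule is tuned.
ACL = WebACL(rules=[
    Rule("BlockBadBots", BLOCK, [string_match("User-Agent", "badbot")]),
    Rule("CountGeo", COUNT, [geo_match(["XX"])]),
    Rule("BlockIPs", BLOCK, [ip_match(["198.51.100.0/24"])]),
], default_action=ALLOW)
```

Running a few constructed requests through `ACL.evaluate` shows a COUNT rule incrementing `ACL.counts` without stopping evaluation, which is how a rule is trialled before it is switched to BLOCK.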
AWS WAF with Amazon CloudFront Features
- When you create a web ACL, you can specify one or more CloudFront distributions that you want AWS WAF to inspect.
- AWS WAF starts to allow, block, or count web requests for those distributions based on the conditions that you identify in the web ACL.
- CloudFront provides some features that enhance the AWS WAF functionality.
- Using AWS WAF with CloudFront Custom Error Pages
○When AWS WAF blocks a web request based on the conditions that you specify, it returns HTTP status code 403 (Forbidden) to CloudFront.
○CloudFront returns that status code to the viewer.
○The viewer then displays a brief and sparsely formatted default message, unless you configure a CloudFront custom error page for the 403 status code.
- Using AWS WAF with CloudFront Geo Restriction
○If you want to block web requests from specific countries and also block requests based on other conditions, you can use CloudFront geo restriction in conjunction with AWS WAF.
- Choosing the HTTP Methods That CloudFront Responds To
○GET, HEAD
■You can use CloudFront only to get objects from your origin or to get object headers.
○GET, HEAD, OPTIONS
■You can use CloudFront only to get objects from your origin, get object headers, or retrieve a list of the options that your origin server supports.
Authentication and Access Control for AWS WAF
- AWS WAF integrates with AWS Identity and Access Management (IAM), a service that lets your organization do the following:
○Create users and groups under your organization’s AWS account
○Share your AWS account resources with users in the account
○Assign unique security credentials to each user
○Control user access to services and resources
- In AWS WAF, the resources are web ACLs and rules.
- For each AWS WAF resource, the service defines a set of API operations.
- To grant permissions for these API operations, AWS WAF defines a set of actions that you can specify in a policy.
- When you grant permissions, you can use the IAM policy language to specify the conditions when a policy should take effect.
- A DDoS attack can prevent legitimate users from accessing a service and can cause the system to crash due to the overwhelming traffic volume.
- Baseline DDoS protection, known as AWS Shield Standard, is included with AWS WAF.
- AWS Shield Advanced provides expanded DDoS attack protection.
- AWS Shield Advanced includes intelligent DDoS attack detection and mitigation not only for network layer (layer 3) and transport layer (layer 4) attacks, but also for application layer (layer 7) attacks.
- Types of DDoS Attacks
○User Datagram Protocol (UDP) reflection attacks
○DNS query flood
○HTTP flood/cache-busting (layer 7) attacks
- For layer 7 DDoS attacks, AWS attempts to detect and notify AWS Shield Advanced customers through CloudWatch alarms, but does not apply mitigations proactively.
Monitoring AWS WAF and AWS Shield Advanced
- Monitoring is an important part of maintaining the reliability, availability, and performance of AWS WAF, and of identifying possible DDoS attacks with AWS Shield.
- As you start, you should create a monitoring plan.
- The next step is to establish a baseline for normal performance in your environment.
- Automated Monitoring Tools
○Amazon CloudWatch Alarms
○Amazon CloudWatch Logs
○Amazon CloudWatch Events
○AWS CloudTrail Log Monitoring
- Manual Monitoring Tools
○This involves manually monitoring those items that the CloudWatch alarms don’t cover.
Monitoring with Amazon CloudWatch
- You can monitor web requests and web ACLs and rules using CloudWatch, which collects and processes raw data from AWS WAF into readable, near real-time metrics.
- You can create a CloudWatch alarm that sends an Amazon SNS message when the alarm changes state.
- The alarm action can publish a notification to an Amazon SNS topic or invoke an Auto Scaling policy.
- Alarms invoke actions for sustained state changes only.
Responding to DDoS Attacks
- Layer 3 and layer 4 attacks are addressed automatically by AWS.
- However, if DDoS alarms in CloudWatch indicate a possible layer 7 attack, you have two options:
○Investigate and mitigate the attack on your own
○If you are an AWS Shield Advanced customer, you also have the option of contacting the AWS Support Center