How do I configure AWS WAF to protect my resources from common attacks?

I want to use AWS WAF on my resources to protect against common attacks.

Short description

To use AWS WAF on your resources to protect against common attacks, take one or more of the following actions:

  • Migrate from AWS WAF Classic to AWS WAF.
  • Associate your resource to a web access control list (web ACL) in AWS WAF.
  • Review incoming requests to optimize your rules.
  • Use AWS Managed Rules to help protect against common attacks.
  • Use the rate of legitimate requests to baseline AWS WAF.
  • Use Security Automations for AWS WAF to prevent common attacks.
  • Use SQL injection and cross-site scripting (XSS) attack rule statements.
  • Restrict access from Amazon CloudFront.
  • Protect against distributed denial of service (DDoS) attacks.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Migrate from AWS WAF Classic to AWS WAF

If you use AWS WAF Classic, then it's a best practice to migrate to AWS WAF. For more information, see Why migrate to AWS WAF?

Associate your resource to a web ACL

First, create your web ACL in AWS WAF. Then, associate your resource to that web ACL to allow AWS WAF to monitor incoming requests. If you can't directly integrate your resource with AWS WAF, then review the following alternatives. For more information, see Resources that you can protect with AWS WAF.

Resources that can integrate with AWS WAF

For resources that can integrate with AWS WAF, use one of the following options to integrate your resources:

Resources that can't integrate with AWS WAF

For resources that can't directly integrate with AWS WAF, use one of the following options to integrate your resources:

Review incoming requests to optimize your rules

To protect your resources, use application logs, such as Application Load Balancer or CloudFront access logs, to determine common request patterns.

Note: It's a best practice to use AWS WAF logs to store, query, and analyze HTTP request logs.

After you determine common request patterns, store your logs on Amazon Simple Storage Service (Amazon S3) or Amazon CloudWatch. To query the logs and identify patterns, use Amazon Athena or CloudWatch Logs Insights.

Finally, create an AWS WAF rule in Count mode that verifies incoming requests, and then set the rule to Block:

  1. Create a NOT rule statement on the host header for example.com.
    Note: Replace example.com with your host header.
  2. Set Action to Block. AWS WAF blocks requests that don't have the host header that you specify.

Note: This rule also blocks requests to the AWS provided fully qualified domain name (FQDN).

The following examples are common request patterns that you might encounter.

Requests for URIs that don't exist

To recognize this pattern, you must know every supported URI in your environment. The following is an example Athena query on AWS WAF logs that counts requests for each URI:

SELECT COUNT("httprequest"."uri") AS URIcount, "httprequest"."uri"
  FROM waf_logs
 GROUP BY "httprequest"."uri"
 ORDER BY URIcount DESC

The following is an example CloudWatch query on AWS WAF logs that counts requests for each URI:

fields httpRequest.uri
| stats count(*) as requestCount by httpRequest.uri
| sort requestCount desc

Requests that contain different host header values

This pattern includes requests with an HTTP host header that your web server doesn't support. This pattern also includes requests that contain an IP address instead of your website's domain name.

The following is an example Athena query on AWS WAF logs that counts requests with different host header values:

SELECT header.value AS HostHeader, count(*) AS "count"
  FROM waf_logs, UNNEST(httprequest.headers) AS x(header)
 WHERE lower(header.name) = 'host'
 GROUP BY header.value
 ORDER BY "count" DESC

The following is an example CloudWatch query on AWS WAF logs that counts requests with different host header values:

fields @timestamp, @message
| parse @message '{"name":"Host","value":"*"}' as host
| stats count(*) as requestCount by host
| sort requestCount desc

Use AWS Managed Rules to help protect against common attacks

To use AWS Managed Rules, identify common request patterns and attacks that you want to protect against. Then, add the relevant AWS Managed Rules rule groups. To protect against specialized tasks, you can use the following rule groups at an additional charge:

Add the relevant rule groups to your web ACL in Count mode. Then, review the AWS WAF logs and CloudWatch metrics to determine whether the managed rules match legitimate traffic. If they don't match legitimate traffic, then clear Enable Count mode for the rule group so that it blocks the traffic. To turn off a specific rule in an AWS Managed Rules rule group, choose Override rules action for that rule.

Note: Legitimate requests to your environment might trigger the AWS Managed Rules. For more information, see How to customize behavior of AWS Managed Rules for AWS WAF.

Use the rate of legitimate requests to baseline your AWS WAF

To protect against volumetric attacks, analyze your traffic to identify the number of requests made by legitimate client IP addresses. To analyze your traffic, use CloudWatch Logs Insights, Athena queries, or Amazon QuickSight on AWS WAF logs. Use the information from the analysis to baseline your AWS WAF. Then, configure a rate-based rule statement to set a request threshold.

The following is an example Athena query on AWS WAF logs that counts requests from a single IP address within a specific time frame:

SELECT "httprequest"."clientip", count(*) AS "count", "httprequest"."country"
  FROM waf_logs
 WHERE "httprequest"."clientip" = '10.0.0.0'
   AND date_format(from_unixtime("timestamp"/1000), '%Y-%m-%d %H:%i:%s') BETWEEN '2020-11-16 09:00:00' AND '2020-11-16 10:00:00'
 GROUP BY "httprequest"."clientip", "httprequest"."country"

Note: Replace 10.0.0.0 with your IP address, and 2020-11-16 09:00:00 and 2020-11-16 10:00:00 with your time frame.

The following is an example CloudWatch Insights query on AWS WAF logs that counts requests from a single IP address:

fields httpRequest.clientIp, httpRequest.country
| filter httpRequest.clientIp = "10.0.0.0"
| stats count(*) as requestCount by httpRequest.clientIp, httpRequest.country

Note: Replace 10.0.0.0 with your IP address.

The following is an example Athena query on AWS WAF logs that counts all requests from IP addresses within a specific time frame:

SELECT "httprequest"."clientip", count(*) AS "count", "httprequest"."country"
  FROM waf_logs
 WHERE date_format(from_unixtime("timestamp"/1000), '%Y-%m-%d %H:%i:%s') BETWEEN '2020-11-16 09:00:00' AND '2020-11-16 10:00:00'
 GROUP BY "httprequest"."clientip", "httprequest"."country"
 ORDER BY "count" DESC

Note: Replace 2020-11-16 09:00:00 and 2020-11-16 10:00:00 with your time frame.

The following is an example CloudWatch Logs Insights query on AWS WAF logs that counts requests from each IP address. Set the time frame with the query's time range:

fields httpRequest.clientIp, httpRequest.country
| stats count(*) as requestCount by httpRequest.clientIp, httpRequest.country
| sort requestCount desc
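The Athena and CloudWatch Logs Insights queries in this section and in the "Review incoming requests" section above are aggregations over AWS WAF log records. The following Python script, added here as an example and not taken from the AWS documentation, performs the same four aggregations offline over a constructed sample of WAF log lines (per-URI counts, per-Host-header counts, per-IP counts within a time window, and the per-IP peak within a 5-minute window) and turns the result into a starting point for a rate-based rule threshold. The sample records, the list of supported URIs, the IP addresses, and the headroom factor of 2 are all assumptions for this example; the 5-minute window is the default evaluation window of a rate-based rule.

```python
import json
from collections import Counter
from datetime import datetime, timezone


def _ms(y, mo, d, h, mi, s=0):
    """UTC wall-clock time to epoch milliseconds, the unit of the WAF log 'timestamp' field."""
    return int(datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc).timestamp() * 1000)


def _record(ts_ms, ip, country, uri, host):
    """One constructed WAF log line carrying only the fields the queries above use."""
    return json.dumps({
        "timestamp": ts_ms,
        "action": "ALLOW",
        "httpRequest": {
            "clientIp": ip, "country": country, "httpMethod": "GET", "uri": uri,
            "headers": [{"name": "Host", "value": host},
                        {"name": "User-Agent", "value": "constructed-client/1.0"}],
        },
    })


def build_sample_log():
    """Constructed sample: two legitimate clients, one scanner, one out-of-window request."""
    t0 = _ms(2020, 11, 16, 9, 0)
    lines = []
    for i in range(30):   # 203.0.113.10 browses supported pages, one request every 20 s
        lines.append(_record(t0 + i * 20_000, "203.0.113.10", "US",
                             ["/", "/login", "/api/items"][i % 3], "example.com"))
    for i in range(12):   # 198.51.100.7 polls the API every 50 s
        lines.append(_record(t0 + i * 50_000, "198.51.100.7", "DE", "/api/items", "example.com"))
    for i in range(120):  # 192.0.2.99 sends 120 requests in 2 minutes for paths that do not
                          # exist, with an IP literal instead of the site name as Host header
        lines.append(_record(t0 + i * 1_000, "192.0.2.99", "XX",
                             ["/wp-login.php", "/.env"][i % 2], "192.0.2.55"))
    # One request at 10:30, outside the 09:00-10:00 analysis window used below
    lines.append(_record(_ms(2020, 11, 16, 10, 30), "203.0.113.10", "US", "/", "example.com"))
    return lines


def parse(lines):
    return [json.loads(line) for line in lines]


def count_by_uri(records):
    """Same aggregation as the per-URI Athena / Logs Insights queries."""
    return Counter(r["httpRequest"]["uri"] for r in records)


def unsupported_uris(records, supported):
    """URIs seen in the logs that the application does not serve."""
    return set(count_by_uri(records)) - set(supported)


def count_by_host(records):
    """Equivalent of the UNNEST over httprequest.headers; header names are matched
    case-insensitively because clients are not consistent about casing."""
    counts = Counter()
    for r in records:
        for h in r["httpRequest"]["headers"]:
            if h["name"].lower() == "host":
                counts[h["value"]] += 1
    return counts


def count_by_ip(records, start_ms, end_ms):
    """Requests per (client IP, country) inside an inclusive time window, like the
    BETWEEN clause of the Athena query."""
    counts = Counter()
    for r in records:
        if start_ms <= r["timestamp"] <= end_ms:
            hr = r["httpRequest"]
            counts[(hr["clientIp"], hr["country"])] += 1
    return counts


def peak_requests_per_window(records, window_ms=300_000):
    """Highest request count any single IP reached inside one fixed 5-minute bucket."""
    buckets = Counter()
    for r in records:
        buckets[(r["httpRequest"]["clientIp"], r["timestamp"] // window_ms)] += 1
    peaks = Counter()
    for (ip, _), n in buckets.items():
        peaks[ip] = max(peaks[ip], n)
    return peaks


def suggest_rate_limit(peaks, legitimate_ips, headroom=2.0):
    """Baseline only from clients you know are legitimate, with headroom for normal
    bursts; anything above the result is a candidate for a rate-based rule limit."""
    return int(max(peaks[ip] for ip in legitimate_ips) * headroom)


if __name__ == "__main__":
    recs = parse(build_sample_log())
    print("URIs:", count_by_uri(recs).most_common(3))
    print("Unsupported URIs:", unsupported_uris(recs, {"/", "/login", "/api/items"}))
    print("Host headers:", count_by_host(recs))
    print("Per IP 09:00-10:00:", count_by_ip(recs, _ms(2020, 11, 16, 9, 0), _ms(2020, 11, 16, 10, 0)))
    peaks = peak_requests_per_window(recs)
    print("Peak per 5 min:", peaks, "suggested limit:", suggest_rate_limit(peaks, ["203.0.113.10", "198.51.100.7"]))
```

On the sample data the two legitimate clients peak at 15 and 6 requests per 5-minute window, so the suggested limit is 30, and the scanner's 120 requests in the same window sit well above it. Run the same computations over your real logs before choosing a threshold, and exclude known scanners from the baseline as this script does.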

Use Security Automations for AWS WAF to prevent common attacks

To provide additional protection from common attacks, you can use Security Automations for AWS WAF.

Note: This solution uses other AWS services that might incur costs.

Use SQL injection and XSS attack rule statements

To protect your applications against SQL injection and XSS attacks, use built-in attack rule statements for SQL injection and XSS. Attacks can occur on different parts of the HTTP request, such as the HTTP header, query string, or URI. Configure your AWS WAF rules to inspect different parts of the HTTP request against the attack rule statements.

Note: Legitimate requests to your environment might trigger the attack rule statements. For more information, see How can I detect false positives caused by AWS Managed Rules?

Restrict access from CloudFront

You can restrict access at the origin to the CloudFront IP address ranges. Then, add a custom header with a secret value that CloudFront attaches to origin requests, and configure the origin to allow access only if that custom header and value are present. If the origin is an Application Load Balancer or API Gateway, then use AWS WAF on the origin with a rule that allows only requests that contain the custom header and value.
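The host-header rule from the "Review incoming requests" section and the custom-header rule described here have the same shape: a NotStatement around a ByteMatchStatement on a single header, first in Count mode and then in Block mode. The following Python script, added as an example and not code from the AWS documentation, builds both rules as wafv2 rule JSON (the key names follow the wafv2 rule format; the rule names, the `x-origin-verify` header name and the placeholder secret are assumptions) and evaluates them locally with a small, simplified matcher so that you can see which requests each rule would count or block, including requests that arrive with the AWS-provided FQDN or with no Host header at all. The matcher is an illustration of the rule logic, not AWS WAF's engine.

```python
import copy
import json


def not_header_equals_rule(name, header, expected, action, priority, case_insensitive=False):
    """Rule that applies `action` to every request whose `header` is NOT exactly `expected`.
    Key names follow the wafv2 rule JSON as shown in the console JSON editor (assumption:
    when you submit through the AWS CLI, SearchString is a blob and may need base64)."""
    transform = "LOWERCASE" if case_insensitive else "NONE"
    return {
        "Name": name,
        "Priority": priority,
        "Action": {action: {}},  # {"Count": {}} while tuning, {"Block": {}} once trusted
        "Statement": {
            "NotStatement": {
                "Statement": {
                    "ByteMatchStatement": {
                        "FieldToMatch": {"SingleHeader": {"Name": header.lower()}},
                        "PositionalConstraint": "EXACTLY",
                        "SearchString": expected.lower() if case_insensitive else expected,
                        "TextTransformations": [{"Priority": 0, "Type": transform}],
                    }
                }
            }
        },
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def evaluate(rule, request_headers):
    """Simplified local evaluation of this rule shape. Returns the action name ("Count" or
    "Block") when the rule matches the request, or None when it does not."""
    bm = rule["Statement"]["NotStatement"]["Statement"]["ByteMatchStatement"]
    wanted = bm["FieldToMatch"]["SingleHeader"]["Name"]
    transforms = {t["Type"] for t in bm["TextTransformations"]}
    # SingleHeader selects the header by name case-insensitively; a missing header
    # simply yields no value, so the inner ByteMatch fails and the NOT matches.
    values = [v for k, v in request_headers.items() if k.lower() == wanted]
    if "LOWERCASE" in transforms:
        values = [v.lower() for v in values]
    inner_match = any(v == bm["SearchString"] for v in values)
    return None if inner_match else next(iter(rule["Action"]))


def promote_to_block(rule):
    """After Count-mode review shows no legitimate matches, switch the same rule to Block."""
    blocked = copy.deepcopy(rule)
    blocked["Action"] = {"Block": {}}
    return blocked


# Rule 1: requests whose Host header is not example.com (step list above), in Count mode
HOST_RULE = not_header_equals_rule("RequireExpectedHost", "host", "example.com",
                                   "Count", 0, case_insensitive=True)

# Rule 2: origin web ACL that only lets through requests carrying the CloudFront custom
# header; header name and value are placeholders chosen for this example
ORIGIN_RULE = not_header_equals_rule("RequireCloudFrontHeader", "x-origin-verify",
                                     "PLACEHOLDER-SHARED-SECRET", "Block", 1)


if __name__ == "__main__":
    print(json.dumps(HOST_RULE, indent=2))
    for headers in ({"Host": "Example.com"},
                    {"host": "my-alb-123.us-east-1.elb.amazonaws.com"},  # AWS-provided FQDN
                    {"User-Agent": "no-host-header"}):
        print(headers, "->", evaluate(HOST_RULE, headers), "/", evaluate(promote_to_block(HOST_RULE), headers))
    for headers in ({"Host": "example.com", "X-Origin-Verify": "PLACEHOLDER-SHARED-SECRET"},
                    {"Host": "example.com"}):
        print(headers, "->", evaluate(ORIGIN_RULE, headers))
```

The host rule uses the LOWERCASE text transformation so that `Example.com` and `example.com` are treated alike, while the origin rule compares the shared secret exactly. Both rules match requests that lack the header entirely, which is why a request to the load balancer's own DNS name is blocked once the host rule moves from Count to Block.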

Protect against DDoS attacks

To protect against DDoS attacks, see AWS best practices for DDoS resiliency and AWS Shield features.

Related information

Shared responsibility model

Managing false positives in AWS WAF