How do I configure AWS WAF to protect my resources from common attacks?
I want to use AWS WAF on my resources to mitigate against common attacks.
Short description
To use AWS WAF on your resources to mitigate against common attacks, take one or more of the following actions:
- Migrate from AWS WAF Classic to AWS WAF
- Associate your resource to a web access control list (web ACL) in AWS WAF
- Review incoming requests to optimize your rules
- Use AWS Managed Rules to help protect against common attacks
- Use the rate of legitimate requests to baseline your AWS WAF
- Use Security Automations for AWS WAF to prevent common attacks
- Use SQL injection and cross-site scripting (XSS) attack rule statements
- Restrict access from Amazon CloudFront
- Protect against distributed denial-of-service (DDoS) attacks
Resolution
Migrate from AWS WAF Classic to AWS WAF
If you use AWS WAF Classic, then it's a best practice to migrate to AWS WAF. For more information, see Why migrate to AWS WAF?
Associate your resource to a web ACL
First, create your web ACL in AWS WAF. Then, associate your resource to that web ACL to allow AWS WAF to monitor incoming requests. Check if your resource integrates with AWS WAF.
If your resource can integrate with AWS WAF
From the AWS WAF console: Open the AWS WAF console, choose your web ACL, and then select the resource in Associated AWS resources.
From AWS CLI: Run the associate-web-acl command with the web ACL ARN and the resource ARN, in the Region of the resource. For CloudFront distributions, don't use associate-web-acl; instead, set the web ACL ARN in the distribution configuration (for example, with update-distribution).
Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
From AWS Firewall Manager: Set up a Firewall Manager policy for AWS WAF to auto-remediate and automatically associate web ACLs to non-compliant resources.
If your resource can't integrate with AWS WAF
For Amazon Elastic Compute Cloud (Amazon EC2) instances: Front your Amazon EC2 instance with an Application Load Balancer or CloudFront distribution. Then, associate the load balancer or distribution with a web ACL.
For Amazon Elastic Kubernetes Service (Amazon EKS) clusters: Front your Amazon EKS cluster with an Application Load Balancer. Then, associate the Application Load Balancer with a web ACL. For a detailed implementation, see Protecting your Amazon EKS web apps with AWS WAF.
For Network Load Balancers: Front your Network Load Balancer with an Application Load Balancer. Set the Application Load Balancer as the target for the Network Load Balancer, and then associate the Application Load Balancer with a web ACL. Or, front your Network Load Balancer with a CloudFront distribution. Then, associate the distribution with a web ACL.
For AWS Amplify applications: Front your Amplify application with a CloudFront distribution. Then, associate the distribution with a web ACL. For a detailed implementation, see Turn on AWS WAF for web applications hosted by AWS Amplify.
Review incoming requests to optimize your rules
First, use application logs, such as Application Load Balancer or CloudFront access logs, to determine common request patterns. It's a best practice to turn on AWS WAF logging for the web ACL so that you can store, query, and analyze the HTTP requests that AWS WAF evaluates, including which rule matched each request.
Then, send your logs to Amazon Simple Storage Service (Amazon S3) or Amazon CloudWatch Logs. Use Amazon Athena (for Amazon S3) or CloudWatch Logs Insights (for CloudWatch Logs) to query the logs and identify patterns.
Finally, create an AWS WAF rule in Count mode that checks incoming requests, review what it matches in the logs, and then set the rule to Block. For example, to allow only requests for your own host name:
- Create a NOT rule statement on the Host header for example.com, that is, a rule that matches when the Host header isn't exactly example.com.
Note: Replace example.com with the host name that your application serves. If you serve several host names, OR the match statements together inside the NOT statement.
- Set the Action to Count, confirm that only unwanted requests match, and then set the Action to Block. AWS WAF then blocks requests that don't have that host header, including requests with no Host header or with an IP address in it.
Note: This rule also blocks requests to the AWS provided fully qualified domain name (FQDN), such as the default DNS name of the load balancer or distribution. If external monitoring uses that FQDN, add it as an allowed value.
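The host header rule above, expressed as the JSON that aws wafv2 update-web-acl expects, with a small local evaluator to check the rule's logic against sample requests before you deploy it. This is an added example, not code from the AWS article: the rule name, the metric name, and the sample Host values are assumptions, and the evaluator is a local approximation of the ByteMatch, NOT and OR semantics, not the AWS WAF engine. The builder takes the header name as a parameter, so the same code produces the custom origin header check described later under "Restrict access from CloudFront".

```python
import json


def header_allowlist_rule(header, allowed, action="COUNT", priority=0,
                          name="EnforceExpectedHost"):
    """Build a wafv2 rule (the JSON shape used by `aws wafv2 update-web-acl
    --rules file://rules.json`) that matches requests whose `header` is NOT
    exactly one of `allowed`. Deploy with action="COUNT" first, review the WAF
    logs, then redeploy with action="BLOCK".

    AWS WAF semantics relied on here: FieldToMatch.SingleHeader is matched
    case-insensitively by name, the LOWERCASE transformation is applied to the
    header value before comparison, and PositionalConstraint EXACTLY requires
    the whole value to equal SearchString."""
    if action not in ("COUNT", "BLOCK"):
        raise ValueError("action must be COUNT or BLOCK")
    if not allowed:
        raise ValueError("at least one allowed value is required")
    matches = [{
        "ByteMatchStatement": {
            "SearchString": value.lower(),           # compared after LOWERCASE
            "FieldToMatch": {"SingleHeader": {"Name": header.lower()}},
            "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
            "PositionalConstraint": "EXACTLY",
        }
    } for value in allowed]
    # A single value needs no OrStatement; several values are OR-ed together.
    inner = matches[0] if len(matches) == 1 else {"OrStatement": {"Statements": matches}}
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"NotStatement": {"Statement": inner}},
        "Action": {action.capitalize(): {}},          # {"Count": {}} or {"Block": {}}
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def _evaluate(statement, headers):
    """Local approximation of how AWS WAF evaluates the statement tree above
    against a request's headers (dict, names in any case). Not the WAF engine."""
    if "NotStatement" in statement:
        return not _evaluate(statement["NotStatement"]["Statement"], headers)
    if "OrStatement" in statement:
        return any(_evaluate(s, headers) for s in statement["OrStatement"]["Statements"])
    bm = statement["ByteMatchStatement"]
    wanted = bm["FieldToMatch"]["SingleHeader"]["Name"]
    # A missing header never satisfies a ByteMatch, so the NOT around it matches.
    value = next((v for k, v in headers.items() if k.lower() == wanted), "")
    for t in bm["TextTransformations"]:
        if t["Type"] == "LOWERCASE":
            value = value.lower()
    if bm["PositionalConstraint"] != "EXACTLY":
        raise NotImplementedError("only EXACTLY is modelled here")
    return value == bm["SearchString"]


def rule_matches(rule, headers):
    """True when the rule would match (and therefore Count or Block) the request."""
    return _evaluate(rule["Statement"], headers)


def rules_file(*rules):
    """Serialise rules for `--rules file://rules.json`."""
    return json.dumps(list(rules), indent=2)


if __name__ == "__main__":
    # Constructed sample requests: the expected host, its mixed-case form, the
    # AWS-provided ALB FQDN (which the Note above warns is blocked), an IP
    # address as Host, and a request with no Host header at all.
    host_rule = header_allowlist_rule("Host", ["example.com", "www.example.com"], "BLOCK")
    for hdrs in ({"Host": "example.com"}, {"host": "WWW.Example.COM"},
                 {"Host": "alb-123.us-east-1.elb.amazonaws.com"},
                 {"Host": "203.0.113.200"}, {}):
        print(hdrs, "->", "BLOCK" if rule_matches(host_rule, hdrs) else "pass")
    # Same builder for the CloudFront custom origin header (placeholder secret):
    origin_rule = header_allowlist_rule("X-Origin-Verify", ["<random-secret>"], "BLOCK",
                                        priority=1, name="RequireCloudFrontSecret")
    print(rules_file(host_rule, origin_rule)[:80], "...")
```

Run the evaluator against the host names you actually serve before switching the action from Count to Block; a request with no Host header, an IP address as Host, or the load balancer's own FQDN all match the NOT statement and are blocked.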
The following examples are common request patterns that you might encounter.
Requests for URIs that don't exist
To recognize this pattern, you must know every supported URI in your environment.
The following is an example Athena query on AWS WAF logs that counts requests for each URI:
SELECT count("httprequest"."uri") as URIcount, "httprequest"."uri" FROM waf_logs GROUP BY "httprequest"."uri" ORDER BY URIcount DESC
The following is an example CloudWatch query on AWS WAF logs that counts requests for each URI:
fields httpRequest.uri | stats count(*) as requestCount by httpRequest.uri | sort requestCount desc
Requests that contain different host header values
This pattern includes requests with an HTTP host header that's unsupported by your web server. It also includes requests that contain an IP address instead of your website's domain name.
The following is an example Athena query on AWS WAF logs that counts requests with different host header values:
SELECT header.value as HostHeader, count(header) as count FROM waf_logs, UNNEST(httprequest.headers) AS x(header) WHERE "header"."name" = 'Host' GROUP BY header ORDER BY count DESC
The following is an example CloudWatch query on AWS WAF logs that counts requests with different host header values:
fields @timestamp, @message | parse @message '{"name":"Host","value":"*"}' as host | stats count(*) as requestCount by host | sort requestCount desc
Use AWS Managed Rules to help protect against common attacks
First, identify the common request patterns and attacks that you want to mitigate. Then, add the relevant AWS Managed Rules rule groups to help prevent common attacks. Different rule groups serve different functions, so choose the ones that match your application (for example, the Core rule set for general web attacks and the Known bad inputs rule group for request patterns associated with known exploits).
You can also use the following rule groups, at an additional charge, to mitigate specialized attacks:
- AWS WAF Fraud Control account creation fraud prevention (ACFP) rule group
- AWS WAF Fraud Control account takeover prevention (ATP) rule group
- AWS WAF Bot Control rule group
Add the relevant rule groups to your web ACL with their actions overridden to Count. Then, review the AWS WAF logs and CloudWatch metrics to determine whether the managed rules match legitimate traffic. If they don't, remove the Count override from the rule group so that its rules use their own configured actions and block the traffic.
To keep a specific rule in an AWS Managed Rules rule group from blocking traffic, override that rule's action to Count instead of overriding the whole rule group.
Note: Legitimate requests to your environment might trigger AWS Managed Rules. For more information, see How to customize behavior of AWS Managed Rules for AWS WAF.
Use the rate of legitimate requests to baseline your AWS WAF
To mitigate against volumetric attacks, analyze your traffic to identify the number of requests made by legitimate client IP addresses. To do this, use CloudWatch Logs Insights, Athena queries, or Amazon QuickSight on the AWS WAF logs. Use the information from the analysis to baseline your AWS WAF. Then, configure a rate-based rule statement to set a request threshold.
The following is an example Athena query on AWS WAF logs that counts requests from a single IP address within a specific time frame. The WAF timestamp is in epoch milliseconds, and the time frame is interpreted in UTC:
SELECT "httprequest"."clientip", "count"(*) "count", "httprequest"."country" FROM waf_logs WHERE "httprequest"."clientip" = '10.0.0.0' AND date_format(from_unixtime("timestamp"/1000), '%Y-%m-%d %H:%i:%s') BETWEEN '2020-11-16 09:00:00' AND '2020-11-16 10:00:00' GROUP BY "httprequest"."clientip", "httprequest"."country"
Note: Replace 10.0.0.0 with the IP address and 2020-11-16 09:00:00 and 2020-11-16 10:00:00 with your time frame. The format string uses %H for a 24-hour clock; %h is a 12-hour clock and makes afternoon requests compare incorrectly.
The following is an example CloudWatch Insights query on AWS WAF logs that counts requests from a single IP address:
fields httpRequest.clientIp, httpRequest.country | filter httpRequest.clientIp = "10.0.0.0" | stats count(*) as requestCount by httpRequest.clientIp, httpRequest.country
Note: Replace 10.0.0.0 with your IP address. To set your time frame, choose the calendar icon.
The following is an example Athena query on AWS WAF logs that counts all requests by IP address within a specific time frame:
SELECT "httprequest"."clientip", "count"(*) "count", "httprequest"."country" FROM waf_logs WHERE date_format(from_unixtime("timestamp"/1000), '%Y-%m-%d %H:%i:%s') BETWEEN '2020-11-16 09:00:00' AND '2020-11-16 10:00:00' GROUP BY "httprequest"."clientip", "httprequest"."country" ORDER BY "count" DESC
Note: Replace 2020-11-16 09:00:00 and 2020-11-16 10:00:00 with your time frame (UTC).
The following is an example CloudWatch Insights query on AWS WAF logs that counts requests by IP address within a specific time frame:
fields httpRequest.clientIp, httpRequest.country | stats count(*) as requestCount by httpRequest.clientIp, httpRequest.country | sort requestCount desc
Note: To set your time frame, choose the calendar icon.
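The Athena and CloudWatch Logs Insights queries above, run as the same analysis over a constructed sample of AWS WAF log records so that the logic can be checked offline. This is an added example, not code from the AWS article: the IP addresses, host names, URIs and timestamps are constructed, and the "known good" client list and the headroom factor are assumptions that you replace with your own baseline. It covers both the request-pattern review (URIs and Host headers) and the per-IP rate baseline, and it approximates the rate-based rule's default 5-minute window with tumbling buckets.

```python
import json
import math
from collections import Counter


def _record(ts_ms, client_ip, host, uri, action="ALLOW", country="US"):
    """One AWS WAF log record (only the fields used below), as one JSON line."""
    return json.dumps({
        "timestamp": ts_ms,               # epoch milliseconds, as WAF logs it
        "action": action,
        "httpRequest": {
            "clientIp": client_ip, "country": country,
            "uri": uri, "httpMethod": "GET",
            "headers": [{"name": "Host", "value": host},
                        {"name": "User-Agent", "value": "curl/8.0"}],
        },
    })


T0 = 1605517200000  # 2020-11-16 09:00:00 UTC
# Constructed sample: two legitimate clients, one scanner hitting a WordPress
# login path with an IP address as Host, and one probe of the ALB's own FQDN.
SAMPLE_LOG = "\n".join(
    [_record(T0 + i * 20_000, "198.51.100.7", "example.com", "/") for i in range(6)]
    + [_record(T0 + i * 30_000, "198.51.100.8", "example.com", "/login") for i in range(4)]
    + [_record(T0 + i * 1_000, "203.0.113.9", "203.0.113.200", "/wp-login.php", "BLOCK")
       for i in range(40)]
    + [_record(T0 + 5_000, "203.0.113.10", "alb-123.us-east-1.elb.amazonaws.com", "/.env")]
    + ["", "{not json"]                    # blank and garbled lines also occur
)


def parse_waf_logs(text):
    """Parse newline-delimited WAF log JSON; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def header_value(record, name):
    """Header names in WAF logs keep the client's casing; compare case-insensitively."""
    for h in record["httpRequest"].get("headers", []):
        if h["name"].lower() == name.lower():
            return h["value"]
    return None


def count_by_uri(records):
    """Same result as the URI queries: (uri, count) sorted by count descending."""
    return Counter(r["httpRequest"]["uri"] for r in records).most_common()


def count_by_host(records):
    """Same result as the Host header queries."""
    return Counter(header_value(r, "Host") for r in records).most_common()


def requests_per_ip(records, start_ms, end_ms):
    """Per (clientIp, country) counts in [start_ms, end_ms): the rate queries."""
    counts = Counter()
    for r in records:
        if start_ms <= r["timestamp"] < end_ms:
            counts[(r["httpRequest"]["clientIp"], r["httpRequest"]["country"])] += 1
    return counts.most_common()


def peak_per_ip(records, window_ms=5 * 60 * 1000):
    """Highest number of requests one IP made inside a tumbling window.
    Rate-based rules use a trailing window (5 minutes by default), so this
    is a lower bound on what the rule would count; it is fine for a baseline."""
    buckets = Counter()
    for r in records:
        buckets[(r["httpRequest"]["clientIp"], r["timestamp"] // window_ms)] += 1
    return max(buckets.values(), default=0)


def suggest_rate_limit(records, known_good_ips, headroom=2.0):
    """Baseline on clients you know are legitimate, then add headroom so the
    rate-based rule never throttles them. Scanner traffic is excluded on purpose."""
    good = [r for r in records if r["httpRequest"]["clientIp"] in known_good_ips]
    return math.ceil(peak_per_ip(good) * headroom)


if __name__ == "__main__":
    recs = parse_waf_logs(SAMPLE_LOG)
    print("URIs:", count_by_uri(recs)[:3])
    print("Hosts:", count_by_host(recs)[:3])
    print("Per IP 09:00-10:00:", requests_per_ip(recs, T0, T0 + 3_600_000)[:3])
    print("Suggested rate limit:", suggest_rate_limit(recs, {"198.51.100.7", "198.51.100.8"}))
```

Baseline only on traffic you have confirmed is legitimate (the known-good set here), otherwise a scanner's burst inflates the suggested limit and the rate-based rule never fires; run the suggested limit as a Count rule first, exactly as with the managed rule groups.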
Use Security Automations for AWS WAF to prevent common attacks
Use Security Automations for AWS WAF to provide additional protection from common attacks.
Note: This solution uses other AWS services that might incur costs.
Use SQL injection and XSS attack rule statements
To protect your applications against SQL injection and XSS attacks, use the built-in SQL injection and XSS attack rule statements. Attack payloads can appear in different parts of the HTTP request, such as headers, the query string, the URI path, or the body, so configure your AWS WAF rules to inspect each part where your application reads input. Note that AWS WAF inspects only the first part of a request body, up to a size limit that depends on the resource type; choose how to treat oversize bodies (for example, inspect what's available, or treat the request as a match) in the statement's oversize handling setting.
Note: Legitimate requests to your environment might trigger the attack rule statements, for example, form fields that legitimately contain SQL keywords or markup. For more information, see How can I detect false positives caused by AWS Managed Rules?
Restrict access from CloudFront
Take the following actions:
- Restrict access based on CloudFront IP addresses. For an Application Load Balancer origin, reference the AWS-managed prefix list for CloudFront origin-facing IP addresses (com.amazonaws.global.cloudfront.origin-facing) in the security group so that the allowed ranges stay current.
- Add a custom header in CloudFront for origin requests. On the origin, allow access only if the custom header and value are present. If the origin is an Application Load Balancer or API Gateway, then use AWS WAF on the origin with a rule that blocks requests that don't carry the header and value. Use a long random value for the header, keep it out of client-visible responses and logs, and rotate it periodically, because anyone who learns it can bypass CloudFront and the web ACL attached to the distribution.
Protect against DDoS attacks
For more information on protection from DDoS attacks, see AWS best practices for DDoS resiliency and AWS Shield features.