How do I configure AWS WAF to protect my resources from common attacks?
I want to use AWS WAF on my resources to protect against common attacks.
Short description
To use AWS WAF on your resources to protect against common attacks, take one or more of the following actions:
- Migrate from AWS WAF Classic to AWS WAF.
- Associate your resource to a web access control list (web ACL) in AWS WAF.
- Review incoming requests to optimize your rules.
- Use AWS Managed Rules to help protect against common attacks.
- Use the rate of legitimate requests to baseline AWS WAF.
- Use Security Automations for AWS WAF to prevent common attacks.
- Use SQL injection and cross-site scripting (XSS) attack rule statements.
- Restrict access from Amazon CloudFront.
- Protect against distributed denial of service (DDoS) attacks.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
Migrate from AWS WAF Classic to AWS WAF
If you use AWS WAF Classic, then it's a best practice to migrate to AWS WAF. For more information, see Why migrate to AWS WAF?
Associate your resource to a web ACL
First, create your web ACL in AWS WAF. Then, associate your resource to that web ACL to allow AWS WAF to monitor incoming requests. If you can't directly integrate your resource with AWS WAF, then review the following alternatives. For more information, see Resources that you can protect with AWS WAF.
Resources that can integrate with AWS WAF
For resources that can integrate with AWS WAF, use one of the following options to integrate your resources:
- For the AWS WAF console, use the Associated AWS resources option. For more information, see Create a Web ACL.
- For the AWS CLI, use the associate-web-acl command.
- For CloudFront, use the update-distribution command.
- For AWS Firewall Manager, use the Firewall Manager AWS WAF policy.
- For AWS Amplify applications, directly associate the app in the Amplify or AWS WAF console.
Resources that can't integrate with AWS WAF
For resources that can't directly integrate with AWS WAF, use one of the following options to integrate your resources:
- For Amazon Elastic Compute Cloud (Amazon EC2) instances, create an Application Load Balancer or CloudFront distribution. Then, associate the distribution with a web ACL.
- For Amazon Elastic Kubernetes Service (Amazon EKS) clusters, create an Application Load Balancer. Then, associate the Application Load Balancer with a web ACL. For more information, see Protecting your Amazon EKS web apps with AWS WAF.
- For Network Load Balancers, create an Application Load Balancer. Then, set the Application Load Balancer as the target for the Network Load Balancer, and associate the Application Load Balancer with a web ACL. For more information, see Use Application Load Balancers as targets of a Network Load Balancer.
Review incoming requests to optimize your rules
To protect your resources, use application logs, such as Application Load Balancer or CloudFront access logs, to determine common request patterns.
Note: It's a best practice to use AWS WAF logs to store, query, and analyze HTTP request logs.
After you determine common request patterns, store your logs on Amazon Simple Storage Service (Amazon S3) or Amazon CloudWatch. To query the logs and identify patterns, use Amazon Athena or CloudWatch Logs Insights.
Finally, create an AWS WAF rule in Count mode that verifies incoming requests, and then set the rule to Block:
- Create a NOT rule statement on the host header for example.com.
Note: Replace example.com with your host header.
- Set Action to Block. AWS WAF blocks requests that don't have the host header that you specify.
Note: This rule also blocks requests to the AWS provided fully qualified domain name (FQDN).
The following examples are common request patterns that you might encounter.
Requests for URIs that don't exist
To recognize this pattern, you must know every supported URI in your environment. The following is an example Athena query on AWS WAF logs that counts requests for each URI:
SELECT COUNT("httprequest"."uri") AS URIcount, "httprequest"."uri" FROM waf_logs GROUP BY "httprequest"."uri" ORDER BY URIcount DESC
The following is an example CloudWatch query on AWS WAF logs that counts requests for each URI:
fields httpRequest.uri | stats count(*) as requestCount by httpRequest.uri | sort requestCount desc
Requests that contain different host header values
This pattern includes requests with an HTTP host header that your web server doesn't support. This pattern also includes requests that contain an IP address instead of your website's domain name.
The following is an example Athena query on AWS WAF logs that counts requests with different host header values:
SELECT header.value AS HostHeader, count(*) AS "count" FROM waf_logs, UNNEST(httprequest.headers) AS x(header) WHERE lower(header.name) = 'host' GROUP BY header.value ORDER BY "count" DESC
The following is an example CloudWatch query on AWS WAF logs that counts requests with different host header values:
fields @timestamp, @message | parse @message '{"name":"Host","value":"*"}' as host | stats count(*) as requestCount by host | sort requestCount desc
Use AWS Managed Rules to help protect against common attacks
To use AWS Managed Rules, identify common request patterns and attacks that you want to protect against. Then, add the relevant AWS Managed Rules rule groups. To protect against specialized tasks, you can use the following rule groups at an additional charge:
- AWS WAF Fraud Control account creation fraud prevention (ACFP) rule group
- AWS WAF Fraud Control account takeover prevention (ATP) rule group
- AWS WAF Bot Control rule group
Add the relevant rule groups to your web ACL in Count mode. Then, review the AWS WAF logs and CloudWatch metrics to determine whether the managed rules match legitimate traffic. If the rules don't match legitimate traffic, then clear Enable Count mode for the rule group so that it blocks the traffic. To turn off a specific rule in the AWS Managed Rules rule group, choose Override rules action for that rule.
Note: Legitimate requests to your environment might trigger AWS Managed Rules. For more information, see How to customize behavior of AWS Managed Rules for AWS WAF.
Use the rate of legitimate requests to baseline your AWS WAF
To protect against volumetric attacks, analyze your traffic to identify the number of requests made by legitimate client IP addresses. To analyze your traffic, use CloudWatch Logs Insights, Athena queries, or Amazon QuickSight on AWS WAF logs. Use the information from the analysis to baseline your AWS WAF. Then, configure a rate-based rule statement to set a request threshold.
The following is an example Athena query on AWS WAF logs that counts requests from a single IP address within a specific time frame:
SELECT "httprequest"."clientip", count(*) AS "count", "httprequest"."country" FROM waf_logs WHERE "httprequest"."clientip" = '10.0.0.0' AND date_format(from_unixtime("timestamp"/1000), '%Y-%m-%d %H:%i:%s') BETWEEN '2020-11-16 09:00:00' AND '2020-11-16 10:00:00' GROUP BY "httprequest"."clientip", "httprequest"."country"
Note: Replace 10.0.0.0 with your IP address, and 2020-11-16 09:00:00 and 2020-11-16 10:00:00 with your time frame.
The following is an example CloudWatch Insights query on AWS WAF logs that counts requests from a single IP address:
fields httpRequest.clientIp, httpRequest.country | filter httpRequest.clientIp = "10.0.0.0" | stats count(*) as requestCount by httpRequest.clientIp, httpRequest.country
Note: Replace 10.0.0.0 with your IP address.
The following is an example Athena query on AWS WAF logs that counts all requests from IP addresses within a specific time frame:
SELECT "httprequest"."clientip", count(*) AS "count", "httprequest"."country" FROM waf_logs WHERE date_format(from_unixtime("timestamp"/1000), '%Y-%m-%d %H:%i:%s') BETWEEN '2020-11-16 09:00:00' AND '2020-11-16 10:00:00' GROUP BY "httprequest"."clientip", "httprequest"."country" ORDER BY "count" DESC
Note: Replace 2020-11-16 09:00:00 and 2020-11-16 10:00:00 with your time frame.
The following is an example CloudWatch Insights query on AWS WAF logs that counts requests from each IP address within a specific time frame:
fields httpRequest.clientIp, httpRequest.country | stats count(*) as requestCount by httpRequest.clientIp, httpRequest.country | sort requestCount desc
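Added example, not part of the AWS article: a Python script that performs the same aggregations as the Athena and CloudWatch queries in the previous two sections over a few constructed AWS WAF log records, flags host header values that the NOT host-header rule would count or block, and derives a starting limit for a rate-based rule statement from the peak per-IP request count. The log lines, IP addresses, host names, the 5-minute window and the headroom factor are assumptions.

```python
import json
import math
from collections import Counter

# Constructed AWS WAF log records (one JSON object per line, trimmed to the
# fields the queries above use); not real traffic. Timestamps are epoch ms.
WAF_LOG_LINES = [
    '{"timestamp":1605517200000,"httpRequest":{"clientIp":"192.0.2.10","country":"US","uri":"/login","headers":[{"name":"Host","value":"example.com"}]}}',
    '{"timestamp":1605517260000,"httpRequest":{"clientIp":"192.0.2.10","country":"US","uri":"/api/items","headers":[{"name":"Host","value":"example.com"}]}}',
    '{"timestamp":1605517320000,"httpRequest":{"clientIp":"192.0.2.10","country":"US","uri":"/api/items","headers":[{"name":"host","value":"example.com"}]}}',
    '{"timestamp":1605517380000,"httpRequest":{"clientIp":"198.51.100.7","country":"DE","uri":"/wp-admin","headers":[{"name":"Host","value":"203.0.113.5"}]}}',
    '{"timestamp":1605517440000,"httpRequest":{"clientIp":"198.51.100.7","country":"DE","uri":"/.env","headers":[{"name":"Host","value":"d123.cloudfront.net"}]}}',
    '{"timestamp":1605520860000,"httpRequest":{"clientIp":"192.0.2.10","country":"US","uri":"/login","headers":[{"name":"Host","value":"example.com"}]}}',
]

def parse_waf_logs(lines):
    """Parse newline-delimited AWS WAF log JSON into dicts."""
    return [json.loads(line) for line in lines]

def host_header(record):
    """Return the Host header value; HTTP/2 requests log the name in lowercase."""
    for header in record["httpRequest"]["headers"]:
        if header["name"].lower() == "host":
            return header["value"]
    return None

def count_by_uri(records):
    """Same aggregation as the per-URI Athena/CloudWatch queries."""
    return Counter(r["httpRequest"]["uri"] for r in records)

def count_by_host(records):
    """Same aggregation as the host-header queries."""
    return Counter(host_header(r) for r in records)

def count_by_ip_in_window(records, start_ms, end_ms):
    """Requests per (clientIp, country) with timestamp in [start_ms, end_ms]."""
    return Counter((r["httpRequest"]["clientIp"], r["httpRequest"]["country"])
                   for r in records if start_ms <= r["timestamp"] <= end_ms)

def suggest_rate_limit(records, window_ms=300_000, headroom=2.0):
    """Peak per-IP count in any tumbling window times a headroom factor: a starting
    limit for a rate-based rule (assumption: tumbling windows approximate the rule's window)."""
    per_bucket = Counter((r["httpRequest"]["clientIp"], r["timestamp"] // window_ms)
                         for r in records)
    return math.ceil(max(per_bucket.values(), default=0) * headroom)

def unexpected_hosts(records, allowed_hosts):
    """Host values that the NOT host-header rule above would count or block."""
    return {h for h in count_by_host(records) if h not in allowed_hosts}
```

Run the functions over real logs exported from Amazon S3 by replacing WAF_LOG_LINES with the file's lines; the suggested limit is a starting point to validate in Count mode, not a final threshold.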
Use Security Automations for AWS WAF to prevent common attacks
To provide additional protection from common attacks, you can use Security Automations for AWS WAF.
Note: This solution uses other AWS services that might incur costs.
Use SQL injection and XSS attack rule statements
To protect your applications against SQL injection and XSS attacks, use built-in attack rule statements for SQL injection and XSS. Attacks can occur on different parts of the HTTP request, such as the HTTP header, query string, or URI. Configure your AWS WAF rules to inspect different parts of the HTTP request against the attack rule statements.
Note: Legitimate requests to your environment might match the attack rule statements. For more information, see How can I detect false positives caused by AWS Managed Rules?
Restrict access from CloudFront
You can restrict access based on CloudFront IP addresses. Then, add a custom header in CloudFront for origin requests. On the origin, allow access only if the custom header and value are present. If the origin is an Application Load Balancer or API Gateway, then use AWS WAF on the origin. This action allows requests that contain the custom header and value.
Protect against DDoS attacks
To protect against DDoS attacks, see AWS best practices for DDoS resiliency and AWS Shield features.