Concepts
AWS WAF is a web application firewall that inspects the HTTP and HTTPS requests forwarded to your web applications or APIs and helps protect them against common web exploits and bots that may affect availability, compromise security, or consume excessive resources. You control which traffic to allow, block, count or rate-limit by defining rules in a web ACL.
Getting Started with AWS WAF
- Create a Web ACL:
A web access control list (web ACL) is a container for rules that you associate with one or more AWS resources, such as an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, or an AWS AppSync GraphQL API. Every request to an associated resource is evaluated against the web ACL before it reaches your application.
- Open the AWS WAF & Shield console at https://console.aws.amazon.com/waf/
- Choose “Web ACLs” in the navigation pane.
- Click “Create web ACL.”
- Enter a name and choose the scope: Regional (created in the resource’s region) for ALB, API Gateway and AppSync, or CloudFront (global, managed from us-east-1) for distributions. Optionally pick the resources to associate now.
- Add Rules:
Each rule has a statement describing the requests to match (source IP or IP set, country, HTTP headers, body, URI path, query string, or request size, alone or combined with AND/OR/NOT) and an action telling AWS WAF to allow, block, or count those requests.
- Inside the Web ACL, choose “Add rules” or “Add rule group.”
- Select “Create rule” and define the rule’s components (filters by IP, size constraints, SQL injection, etc.)
- Assign an action to each rule (allow, block, or count) and a unique priority. Rules are evaluated lowest priority number first; an allow or block match ends evaluation, while count records the match and continues, which makes count the safe starting mode for a new rule.
- Deploy the Web ACL:
After creating rules, you need to add the Web ACL to the resource.
- Review the rule order and actions under the “Rules” tab; the web ACL’s default action (allow or block) applies to requests that no rule matched.
- Under “Associated AWS resources,” attach the web ACL to the resource. A regional web ACL can be attached to several resources in its region.
- Save your changes.
AWS WAF Rule Example
Here is an example of an AWS WAF (wafv2) rule that blocks requests whose source IP is in an IP set. A wafv2 rule has no “RuleId” field; it is identified by its Name within the web ACL, and the IP set is referenced by ARN (arn:aws:wafv2:<region>:<account-id>:regional/ipset/<name>/<id> for regional resources, arn:aws:wafv2:us-east-1:<account-id>:global/ipset/<name>/<id> for CloudFront):
{
  "Name": "BlockSpecificIP",
  "Priority": 1,
  "Action": {
    "Block": {}
  },
  "Statement": {
    "IPSetReferenceStatement": {
      "ARN": "arn:aws:wafv2:<region>:<account-id>:regional/ipset/<ip-set-name>/<ip-set-id>"
    }
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "BlockSpecificIPMetric"
  }
}
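The console procedure above and the rule JSON, scripted end to end with boto3 against the WAFv2 API. This is an added example, not code from the original post: the web ACL and IP set names, the TEST-NET block-list CIDRs and the ALB ARN are placeholders, and validate_rules() is a local pre-flight check, not an AWS API. It builds the IP-set block rule from the JSON above, adds a rate-based rule and the AWS managed Core rule set in count mode, creates the IP set and web ACL, and associates the ACL with an Application Load Balancer.

```python
"""Added example (not from the original post): script the "create web ACL,
add rules, associate" procedure with boto3 against the WAFv2 API.
All names, CIDRs and ARNs below are placeholders chosen for illustration."""
import ipaddress

try:
    import boto3  # only needed for the live deploy() call under __main__
except ImportError:  # the request builders and checks below do not need it
    boto3 = None

SCOPE = "REGIONAL"                 # "CLOUDFRONT" (client in us-east-1) for a distribution
WEB_ACL_NAME = "example-web-acl"   # assumed name
IP_SET_NAME = "blocked-sources"    # assumed name
# Constructed sample block list (RFC 5737 TEST-NET ranges)
BLOCKED_CIDRS = ["203.0.113.0/24", "198.51.100.7/32"]
# Placeholder ALB to protect
ALB_ARN = ("arn:aws:elasticloadbalancing:us-east-1:123456789012:"
           "loadbalancer/app/example/0123456789abcdef")

RULE_GROUP_STATEMENTS = {"ManagedRuleGroupStatement", "RuleGroupReferenceStatement"}


def visibility(metric_name):
    return {"SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}


def ip_block_rule(ip_set_arn, priority=0):
    """Block every request whose source IP is in the referenced IP set."""
    return {"Name": "BlockListedSources", "Priority": priority,
            "Action": {"Block": {}},
            "Statement": {"IPSetReferenceStatement": {"ARN": ip_set_arn}},
            "VisibilityConfig": visibility("BlockListedSources")}


def rate_limit_rule(limit=2000, priority=1):
    """Block a source IP once it exceeds `limit` requests in WAF's 5-minute window."""
    return {"Name": "RateLimitPerIP", "Priority": priority,
            "Action": {"Block": {}},
            "Statement": {"RateBasedStatement": {"Limit": limit,
                                                 "AggregateKeyType": "IP"}},
            "VisibilityConfig": visibility("RateLimitPerIP")}


def managed_core_rule(priority=2):
    """AWS managed Core rule set (SQLi, XSS, bad inputs), deployed in count mode
    first so its matches can be reviewed before switching to {"None": {}}."""
    return {"Name": "AWSManagedRulesCommonRuleSet", "Priority": priority,
            "OverrideAction": {"Count": {}},
            "Statement": {"ManagedRuleGroupStatement": {
                "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}},
            "VisibilityConfig": visibility("AWSManagedRulesCommonRuleSet")}


def validate_rules(rules):
    """Local pre-flight check for mistakes the API rejects: duplicate names or
    priorities, and Action/OverrideAction mismatched with the statement type."""
    names = [r["Name"] for r in rules]
    priorities = [r["Priority"] for r in rules]
    if len(set(names)) != len(names):
        raise ValueError("rule names must be unique within a web ACL")
    if len(set(priorities)) != len(priorities):
        raise ValueError("rule priorities must be unique within a web ACL")
    for r in rules:
        is_group = bool(RULE_GROUP_STATEMENTS & set(r["Statement"]))
        if is_group != ("OverrideAction" in r) or is_group == ("Action" in r):
            raise ValueError(f"{r['Name']}: rule groups take OverrideAction, "
                             "plain rules take Action")
    return sorted(rules, key=lambda r: r["Priority"])  # evaluation order


def validate_cidrs(cidrs):
    """WAF IP sets require CIDR notation with a clean network address."""
    for c in cidrs:
        if "/" not in c:
            raise ValueError(f"{c}: IP set entries must be in CIDR notation")
        ipaddress.ip_network(c, strict=True)
    return cidrs


def web_acl_request(ip_set_arn):
    """Full CreateWebACL request body: allow by default, block by exception."""
    return {"Name": WEB_ACL_NAME, "Scope": SCOPE,
            "DefaultAction": {"Allow": {}},
            "Rules": validate_rules([ip_block_rule(ip_set_arn),
                                     rate_limit_rule(),
                                     managed_core_rule()]),
            "VisibilityConfig": visibility(WEB_ACL_NAME)}


def deploy(wafv2):
    """Create the IP set and web ACL, then associate the ACL with the ALB."""
    ip_set = wafv2.create_ip_set(Name=IP_SET_NAME, Scope=SCOPE,
                                 IPAddressVersion="IPV4",
                                 Addresses=validate_cidrs(BLOCKED_CIDRS))
    acl = wafv2.create_web_acl(**web_acl_request(ip_set["Summary"]["ARN"]))
    wafv2.associate_web_acl(WebACLArn=acl["Summary"]["ARN"], ResourceArn=ALB_ARN)
    return acl["Summary"]["ARN"]


if __name__ == "__main__":
    print(deploy(boto3.client("wafv2", region_name="us-east-1")))
```

Run it with credentials that allow wafv2:CreateIPSet, wafv2:CreateWebACL and wafv2:AssociateWebACL; for a CloudFront distribution set SCOPE to "CLOUDFRONT" and create the client in us-east-1. The managed rule group starts in count mode so its matches show up in sampled requests and CloudWatch metrics before it blocks anything; change its OverrideAction to {"None": {}} once the false-positive review is done.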
AWS Shield
AWS Shield is a managed DDoS protection service that safeguards applications running on AWS. AWS Shield provides automatic inline mitigation that minimizes application downtime and latency. There are two tiers of AWS Shield – Standard and Advanced.
AWS Shield Standard
AWS Shield Standard is automatically enabled for every AWS account at no additional charge. It defends against the most common, frequently occurring network and transport layer (layer 3 and 4) DDoS attacks, such as SYN/UDP floods and reflection attacks.
- No configuration is required; it applies to all AWS resources automatically.
- The most complete protection is documented for Elastic Load Balancing (ELB), Amazon CloudFront, and Amazon Route 53; used with CloudFront and Route 53 it provides availability protection against known infrastructure attacks.
AWS Shield Advanced
- Enroll in AWS Shield Advanced:
- Confirm the prerequisites: a Business or Enterprise Support plan, and acceptance of the subscription’s 12-month commitment.
- Open the AWS WAF & Shield console and navigate to AWS Shield.
- Choose “Get started” with AWS Shield Advanced.
- Select the resources to protect. Shield Advanced accepts CloudFront distributions, Route 53 hosted zones, Global Accelerator accelerators, Application and Classic Load Balancers, and EC2 Elastic IP addresses.
- Configure AWS Shield Advanced:
- Create Route 53 health checks for the protected resources and associate them with the protections; Shield uses health status to detect attacks sooner and reduce false positives.
- Associate an AWS WAF web ACL with rate-based rules with each protected CloudFront distribution or load balancer, or enable automatic application layer DDoS mitigation so Shield places rules for you.
- Set up CloudWatch alarms on the DDoSDetected metric (namespace AWS/DDoSProtection, dimension ResourceArn), which Shield Advanced publishes per protected resource.
- Use AWS WAF with AWS Shield Advanced:
Shield Advanced covers layers 3 and 4; application-layer (layer 7) mitigation comes from AWS WAF, so for refined control keep the web ACL rules and the Shield protections under the same change process. Shield Advanced also includes AWS WAF and Shield usage for the protected resources in its subscription.
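The Shield Advanced steps above (enroll, protect resources, attach Route 53 health checks, alarm on DDoS detection) as a boto3 script, with an audit that reports which intended resources are not yet protected. This is an added example, not from the original post: the CloudFront distribution, ALB, health check and SNS topic ARNs are placeholders, and the Route 53 health checks are assumed to already exist.

```python
"""Added example (not from the original post): script the Shield Advanced
steps with boto3 and audit that every intended resource is protected.
All ARNs and names below are placeholders."""
try:
    import boto3  # only needed for the live calls under __main__
except ImportError:
    boto3 = None

# Placeholder resources to protect, mapped to pre-existing Route 53 health checks.
PROTECTED = {
    "arn:aws:cloudfront::123456789012:distribution/EDFDVBD6EXAMPLE":
        "arn:aws:route53:::healthcheck/11111111-2222-3333-4444-555555555555",
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:"
    "loadbalancer/app/example/0123456789abcdef":
        "arn:aws:route53:::healthcheck/66666666-7777-8888-9999-000000000000",
}
ALARM_TOPIC = "arn:aws:sns:us-east-1:123456789012:ddos-alerts"  # placeholder SNS topic


def unprotected(desired_arns, protections):
    """Resources in `desired_arns` with no Shield protection. `protections` is
    the 'Protections' list as returned by shield.list_protections()."""
    covered = {p["ResourceArn"] for p in protections}
    return [arn for arn in desired_arns if arn not in covered]


def ddos_alarm(resource_arn):
    """CloudWatch alarm on Shield's DDoSDetected metric (namespace
    AWS/DDoSProtection, dimension ResourceArn). Shield reports the metric only
    while an attack is in progress, so missing data is treated as OK."""
    short = resource_arn.rsplit("/", 1)[-1]
    return {"AlarmName": f"ddos-detected-{short}",
            "Namespace": "AWS/DDoSProtection", "MetricName": "DDoSDetected",
            "Dimensions": [{"Name": "ResourceArn", "Value": resource_arn}],
            "Statistic": "Sum", "Period": 60, "EvaluationPeriods": 1,
            "Threshold": 0, "ComparisonOperator": "GreaterThanThreshold",
            "TreatMissingData": "notBreaching",
            "AlarmActions": [ALARM_TOPIC]}


def all_protections(shield):
    """Page through list_protections; the API returns one page per call."""
    out, token = [], None
    while True:
        resp = shield.list_protections(**({"NextToken": token} if token else {}))
        out.extend(resp.get("Protections", []))
        token = resp.get("NextToken")
        if not token:
            return out


def enroll(shield):
    """Subscribe the account to Shield Advanced if it is not already subscribed.
    Returns True when a new subscription was created."""
    try:
        shield.describe_subscription()
        return False
    except shield.exceptions.ResourceNotFoundException:
        shield.create_subscription()  # commits the account to a 1-year term
        return True


def configure(shield, cloudwatch, resources=PROTECTED):
    """Enroll, protect each missing resource with its health check, and put a
    DDoSDetected alarm on every resource. Returns the ARNs newly protected."""
    enroll(shield)
    missing = unprotected(list(resources), all_protections(shield))
    for arn in missing:
        pid = shield.create_protection(Name=arn.rsplit("/", 1)[-1],
                                       ResourceArn=arn)["ProtectionId"]
        if resources[arn]:
            shield.associate_health_check(ProtectionId=pid,
                                          HealthCheckArn=resources[arn])
    for arn in resources:
        cloudwatch.put_metric_alarm(**ddos_alarm(arn))
    return missing


if __name__ == "__main__":
    # Shield's API endpoint is global and served from us-east-1.
    print(configure(boto3.client("shield", region_name="us-east-1"),
                    boto3.client("cloudwatch", region_name="us-east-1")))
```

describe_subscription raises ResourceNotFoundException when the account is not enrolled and create_subscription commits it to a one-year term, so treat enroll() as a deliberate one-time step rather than something every run may trigger. The unprotected() check is worth scheduling on its own: new load balancers and distributions are not protected until someone creates a protection for them.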
Comparison of AWS WAF and AWS Shield Features
Feature | AWS WAF | AWS Shield Standard | AWS Shield Advanced |
---|---|---|---|
Protection scope | HTTP(S) requests to CloudFront, ALB, API Gateway and AppSync | Layer 3/4 protection applied automatically to AWS resources; most complete with CloudFront, Route 53 and ELB | CloudFront, Route 53, Global Accelerator, ELB and EC2 Elastic IPs, with detailed attack diagnostics |
Rule customization | Fully customizable rules, rule groups and managed rule groups | Automatic, no configuration | Automatic, plus application-layer mitigation through AWS WAF rules |
DDoS protection | Layer 7 only: rate-based rules and managed rule groups can absorb HTTP floods, but it is not a DDoS service | Mitigates common layer 3/4 attacks (SYN/UDP floods, reflection) | Enhanced layer 3/4 and layer 7 mitigation, plus cost protection for scaling during an attack |
Pricing | Per web ACL, per rule, and per million requests | Free | Monthly subscription with a 12-month commitment, plus data transfer usage fees |
Visibility | Request-level sampling, logging and CloudWatch metrics | Aggregate attack visibility | Near-real-time attack visibility, reports and the DDoSDetected CloudWatch metric |
Support | Standard AWS Support | Standard AWS Support | 24×7 access to the AWS Shield Response Team (SRT), formerly the DDoS Response Team (DRT) |
In conclusion, configuring and managing AWS WAF and AWS Shield are crucial tasks in protecting your AWS environment from web attacks and DDoS threats. Understanding how to effectively implement these services is a key aspect of the AWS Certified SysOps Administrator – Associate exam and is vital for maintaining a secure and resilient AWS infrastructure.
Answer the Questions in Comment Section
True or False: AWS WAF can only be applied to protect Amazon CloudFront distributions.
- A) True
- B) False
Answer: B) False
Explanation: AWS WAF can be applied to protect Amazon CloudFront distributions, but it can also be used with Application Load Balancers (ALB), Amazon API Gateway, and AWS AppSync.
AWS Shield provides protection against which of the following types of attacks?
- A) SQL injection
- B) DDoS attacks
- C) Cross-site scripting
- D) Malware uploads
Answer: B) DDoS attacks
Explanation: AWS Shield is a managed service specifically designed to protect against Distributed Denial of Service (DDoS) attacks.
True or False: AWS Shield Advanced provides additional DDoS protection for services such as Elastic Load Balancing (ELB), Amazon EC2, and Amazon Route 53, along with detailed attack diagnostics.
- A) True
- B) False
Answer: A) True
Explanation: AWS Shield Advanced offers expanded DDoS protection for AWS services, including ELB, EC2, and Amazon Route 53, as well as detailed attack diagnostics to understand the nature and impact of the attack.
Which of the following AWS services integrates directly with AWS WAF?
- A) Amazon S3
- B) Amazon RDS
- C) Amazon VPC
- D) Amazon CloudFront
Answer: D) Amazon CloudFront
Explanation: AWS WAF directly integrates with Amazon CloudFront, allowing you to create custom web ACLs to filter incoming traffic.
True or False: AWS WAF rules can be reused across multiple web applications.
- A) True
- B) False
Answer: A) True
Explanation: A single web ACL can be associated with several resources, and rule groups (your own or AWS managed) and IP sets can be referenced from many web ACLs, so rules are written once and reused.
How does AWS Shield Standard differ from AWS Shield Advanced?
- A) Shield Standard offers unlimited DDoS protection.
- B) Shield Advanced provides access to the AWS DDoS Response Team (DRT).
- C) Shield Standard requires additional charges for every protected resource.
- D) Shield Advanced only protects Amazon CloudFront distributions.
Answer: B) Shield Advanced provides access to the AWS DDoS Response Team (DRT).
Explanation: AWS Shield Advanced offers additional features compared to Shield Standard, including 24/7 access to the AWS DDoS Response Team (DRT).
True or False: You can combine AWS WAF with AWS Shield for layered security.
- A) True
- B) False
Answer: A) True
Explanation: AWS WAF and AWS Shield can be used together for a layered approach to security, providing both application-level and infrastructure-level protection.
Which of the following is a benefit of using AWS WAF?
- A) Automatic encryption of data at rest and in transit.
- B) Real-time control of the traffic reaching your applications.
- C) Automatic patching of web application vulnerabilities.
- D) Backup and recovery of web application data.
Answer: B) Real-time control of the traffic reaching your applications.
Explanation: AWS WAF provides real-time control and monitoring of the HTTP/HTTPS traffic reaching your applications, allowing you to block or allow traffic based on conditions you specify.
AWS Shield is available in which of the following forms?
- A) Only as AWS Shield Advanced
- B) Only as AWS Shield Standard
- C) As both AWS Shield Standard and AWS Shield Advanced
- D) AWS Shield is not a standalone service but a feature of AWS WAF
Answer: C) As both AWS Shield Standard and AWS Shield Advanced
Explanation: AWS Shield is available in two levels: AWS Shield Standard, which is automatically included with AWS, and AWS Shield Advanced, which provides enhanced protection and service levels for a fee.
True or False: AWS WAF can inspect both HTTP and HTTPS traffic for potentially malicious content.
- A) True
- B) False
Answer: A) True
Explanation: AWS WAF inspects both HTTP and HTTPS traffic. TLS is terminated by the associated CloudFront distribution, load balancer or API Gateway before the request is handed to AWS WAF, so the rules see the decrypted headers, URI and body.
For which of the following services does AWS Shield Standard NOT provide DDoS protection?
- A) Amazon EC2
- B) Amazon RDS
- C) Amazon CloudFront
- D) Amazon Route 53
Answer: B) Amazon RDS
Explanation: AWS Shield Standard provides DDoS protection for several services including Amazon EC2, Amazon CloudFront, and Amazon Route 53, but not for Amazon RDS.
Great post! Can anyone explain the difference between AWS WAF and AWS Shield?
Thanks for the detailed explanation. It clarifies things a lot!
I appreciate this blog post. Very informative.
Could someone elaborate on how to set up AWS WAF for a CloudFront distribution?
Thank you! This is exactly what I needed.
Very helpful post. Keep it up!
I tried using AWS Shield Advanced but found it a bit confusing. Any tips?
Appreciate the insights. Will try setting those up.