Securing EC2 Applications with AWS WAF: Balancing Protection and Performance


Your company has developed a web application, and it is hosted on a group of Amazon EC2 instances behind an Application Load Balancer. You want to improve the security posture of the application and plan to use AWS WAF web ACLs. This change should not affect legitimate traffic to the application.
This is an important scenario to get right: you need to be careful not to adversely impact the application's traffic.
To enhance the security of the web application using AWS WAF web ACLs without adversely affecting legitimate traffic, the solutions architect should follow these steps:
1. Configure the Web ACL
A web ACL (Web Access Control List) contains rules that define how AWS WAF filters HTTP and HTTPS requests. Configure it as follows:
Step 1.1: Add Managed Rule Groups
Use AWS Managed Rules:
AWS provides pre-configured rule groups that address common security threats such as SQL injection, cross-site scripting (XSS), and bot traffic.
Recommended rule groups:
- AWSManagedRulesCommonRuleSet: Protects against common web exploits.
- AWSManagedRulesSQLiRuleSet: Protects against SQL injection attacks.
- AWSManagedRulesKnownBadInputsRuleSet: Blocks requests with known malicious payloads.
Step 1.2: Create Custom Rules (Optional)
Define additional custom rules tailored to the application's needs:
- IP Match Conditions: Block or allow traffic from specific IP addresses or CIDR ranges (e.g., block known malicious IPs).
- Rate-Based Rules: Limit the rate of requests from individual IPs to protect against DDoS or brute-force attacks.
- String Match Conditions: Detect and block specific patterns in request headers, URIs, or query strings.
Step 1.3: Configure Default Action
Set the default action for the web ACL to Allow:
- This ensures that requests not explicitly blocked by rules are allowed through, minimizing the risk of blocking legitimate traffic.
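The rule list assembled in Step 1 can be written out as the JSON that `aws wafv2 create-web-acl --rules file://rules.json` accepts. The following is an added example, not code from the article: it builds the three managed rule groups, an IP-set block rule and a rate-based rule, starts everything in count mode, and validates the two mistakes the WAF API rejects (duplicate priorities, and using Action on a managed rule group instead of OverrideAction). The IP set ARN is an assumed placeholder, and the rule names, priorities and the limit of 2000 requests per five minutes are choices made for this example.

```python
"""Build the rule list for an AWS WAF (wafv2) web ACL.

Added example, not the article's own code. Output is the JSON that
`aws wafv2 create-web-acl --rules file://rules.json` expects.
"""
import json

# Placeholder only (assumption): replace with the ARN of an IP set you
# created with `aws wafv2 create-ip-set`.
IP_SET_ARN_PLACEHOLDER = "arn:aws:wafv2:REGION:ACCOUNT:regional/ipset/NAME/ID"

MANAGED_RULE_GROUPS = [
    "AWSManagedRulesCommonRuleSet",
    "AWSManagedRulesSQLiRuleSet",
    "AWSManagedRulesKnownBadInputsRuleSet",
]


def _visibility(name):
    # Every rule needs a VisibilityConfig; the metrics feed the CloudWatch
    # graphs you watch while the ACL is in count mode.
    return {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": name,
    }


def managed_rule(name, priority, count_mode):
    # Managed rule groups take OverrideAction, never Action. "None" keeps
    # each rule's own action; "Count" turns the whole group into count mode.
    return {
        "Name": f"AWS-{name}",
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": name}},
        "OverrideAction": {"Count": {}} if count_mode else {"None": {}},
        "VisibilityConfig": _visibility(f"AWS-{name}"),
    }


def custom_rule(name, priority, statement, count_mode):
    # Custom rules take Action; in count mode the action itself is Count.
    return {
        "Name": name,
        "Priority": priority,
        "Statement": statement,
        "Action": {"Count": {}} if count_mode else {"Block": {}},
        "VisibilityConfig": _visibility(name),
    }


def build_rules(ip_set_arn=IP_SET_ARN_PLACEHOLDER, rate_limit=2000, count_mode=True):
    """Return the web ACL rule list. Lower priority numbers are evaluated first."""
    rules = [managed_rule(n, i, count_mode) for i, n in enumerate(MANAGED_RULE_GROUPS)]
    rules.append(custom_rule(
        "BlockListedIPs", 10,
        {"IPSetReferenceStatement": {"ARN": ip_set_arn}}, count_mode))
    rules.append(custom_rule(
        "RateLimitPerIP", 20,
        {"RateBasedStatement": {"Limit": rate_limit, "AggregateKeyType": "IP"}},
        count_mode))
    return rules


def default_action():
    # Default Allow: anything no rule blocks is forwarded to the ALB.
    return {"Allow": {}}


def validate_rules(rules):
    """Return a list of problems the WAF API would reject (empty means OK)."""
    problems = []
    priorities = [r["Priority"] for r in rules]
    if len(set(priorities)) != len(priorities):
        problems.append("duplicate priorities")
    for r in rules:
        is_managed = "ManagedRuleGroupStatement" in r["Statement"]
        if is_managed and "OverrideAction" not in r:
            problems.append(f"{r['Name']}: managed group needs OverrideAction")
        if not is_managed and "Action" not in r:
            problems.append(f"{r['Name']}: custom rule needs Action")
        if "Action" in r and "OverrideAction" in r:
            problems.append(f"{r['Name']}: Action and OverrideAction are exclusive")
    return problems


def is_count_only(rules):
    """True when no rule can block, i.e. the ACL only observes traffic."""
    for r in rules:
        if r.get("Action") == {"Block": {}} or r.get("OverrideAction") == {"None": {}}:
            return False
    return True


if __name__ == "__main__":
    print(json.dumps(build_rules(), indent=2))
```

Run it to produce `rules.json`, then create the ACL with `--scope REGIONAL` (ALBs are regional resources) and `--default-action Allow={}`, and attach it with `aws wafv2 associate-web-acl` using the ALB's ARN. Calling `build_rules(count_mode=False)` later yields the same rules with their blocking actions for the switch to Block mode.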
2. Deploy the Web ACL
Associate the web ACL with the Application Load Balancer (ALB):
- Navigate to the Web ACL settings in the AWS Management Console.
- Select the ALB as the associated resource.
3. Enable Logging and Monitoring
Enable AWS WAF Logging:
- Configure logging to capture request details for analysis.
- Send logs to Amazon S3, Amazon CloudWatch Logs, or an Amazon Kinesis Data Firehose delivery stream.
Use logging to:
- Monitor rule effectiveness.
- Identify and fine-tune rules to minimize false positives and negatives.
4. Test Rules in Count Mode
Use Count mode for initial rule testing:
- Set each rule's action (or a managed rule group's override action) to Count, so matches are recorded in the logs and metrics without any request being blocked. This shows how each rule would affect traffic.
- Analyze the logs to identify false positives: legitimate traffic that the rules would have blocked.
- Transition to Block mode once you are confident in the rule configuration.
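Steps 3 and 4 come together when you read the WAF logs: while a rule is in count mode its matches appear under nonTerminatingMatchingRules with action COUNT, so a few lines of analysis tell you which rules would start blocking real users once switched to Block. The following added example (not code from the article) parses WAF-style JSON log records and aggregates the count-mode hits per rule with the paths and distinct clients involved. The log records are constructed for this example and only carry the fields the analysis reads; the rule ids, paths and IP addresses in them are invented.

```python
"""Find count-mode hits in AWS WAF logs before switching rules to Block.

Added example, not the article's own code. The log records below are
constructed to mirror the layout of WAF JSON logs (one record per line).
"""
import json
from collections import Counter


def _record(action, client_ip, method, uri, terminating=None,
            group_counts=(), custom_counts=()):
    # Builds one constructed log line in the WAF log layout.
    return json.dumps({
        "action": action,
        "terminatingRuleId": terminating or "Default_Action",
        "ruleGroupList": [
            {"ruleGroupId": f"AWS#{group}",
             "terminatingRule": None,
             "nonTerminatingMatchingRules": [
                 {"ruleId": rule, "action": "COUNT"} for rule in rules],
             "excludedRules": None}
            for group, rules in group_counts],
        "nonTerminatingMatchingRules": [
            {"ruleId": r, "action": "COUNT"} for r in custom_counts],
        "httpRequest": {"clientIp": client_ip, "httpMethod": method, "uri": uri},
    })


# Constructed sample (invented values): a legitimate upload endpoint trips
# a managed rule from two different clients, one client probes /admin and
# gets rate-limited, and one request is entirely clean.
SAMPLE_LOG_LINES = [
    _record("ALLOW", "198.51.100.10", "POST", "/api/upload",
            group_counts=[("AWSManagedRulesCommonRuleSet", ["SizeRestrictions_BODY"])]),
    _record("ALLOW", "198.51.100.11", "POST", "/api/upload",
            group_counts=[("AWSManagedRulesCommonRuleSet", ["SizeRestrictions_BODY"])]),
    _record("ALLOW", "203.0.113.5", "GET", "/search",
            group_counts=[("AWSManagedRulesSQLiRuleSet", ["SQLi_QUERYARGUMENTS"])],
            custom_counts=["RateLimitPerIP"]),
    _record("BLOCK", "203.0.113.5", "GET", "/admin", terminating="RateLimitPerIP"),
    _record("ALLOW", "198.51.100.12", "GET", "/"),
]


def count_hits(record):
    """Return (source, ruleId) pairs that matched in count mode for one record."""
    hits = []
    for group in record.get("ruleGroupList", []):
        for rule in group.get("nonTerminatingMatchingRules") or []:
            if rule.get("action") == "COUNT":
                hits.append((group["ruleGroupId"], rule["ruleId"]))
    for rule in record.get("nonTerminatingMatchingRules") or []:
        if rule.get("action") == "COUNT":
            hits.append(("custom", rule["ruleId"]))
    return hits


def summarize(lines):
    """Aggregate count-mode hits per rule: how often, which paths, how many clients.

    A rule that keeps firing on one application path from many distinct
    clients is the classic false-positive signature and needs a rule
    exclusion or a scope-down statement; a rule that fires from a single
    client on probing paths is doing its job.
    """
    summary = {}
    for line in lines:
        rec = json.loads(line)
        req = rec["httpRequest"]
        entry_template = {"hits": 0, "uris": Counter(), "clients": set()}
        for source, rule_id in count_hits(rec):
            entry = summary.setdefault(rule_id, {"source": source, **entry_template})
            entry["hits"] += 1
            entry["uris"][req["uri"]] += 1
            entry["clients"].add(req["clientIp"])
    return summary


def actions(lines):
    """Count terminating actions so the ALLOW/BLOCK ratio can be tracked over time."""
    return Counter(json.loads(line)["action"] for line in lines)


if __name__ == "__main__":
    for rule_id, e in summarize(SAMPLE_LOG_LINES).items():
        print(f"{rule_id} ({e['source']}): {e['hits']} hits from "
              f"{len(e['clients'])} clients on {dict(e['uris'])}")
    print(dict(actions(SAMPLE_LOG_LINES)))
```

On real logs, feed the lines from the S3 objects or the CloudWatch log group into `summarize` instead of `SAMPLE_LOG_LINES`; the output for the sample shows SizeRestrictions_BODY hitting /api/upload from two clients, which is the kind of finding that would justify excluding that rule for that path before moving the group to Block.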
5. Optimize Rules Based on Application Traffic
Analyze legitimate traffic patterns:
- Use logs and metrics to understand typical application usage and fine-tune rules.
Adjust custom rules to minimize disruptions:
- Modify IP or rate-based rules based on observed traffic behavior.
6. Use Additional Security Layers
Implement these additional AWS services to enhance security:
- AWS Shield Standard: Provides DDoS protection (included with AWS WAF at no extra cost).
- AWS Certificate Manager (ACM): Provides the SSL/TLS certificates that secure communication with the application.
- Amazon CloudFront: Distributes traffic globally and adds another layer of WAF protection with edge-based filtering.
Summary of Configuration
- Add AWS Managed Rules to the web ACL.
- Create custom rules (if needed) to address application-specific needs.
- Set the default action of the web ACL to Allow.
- Test rules in Count mode to minimize disruptions to legitimate traffic.
- Enable logging and monitoring to refine rules.
- Transition to Block mode after testing.
By following this approach, you can improve the application's security posture while ensuring minimal impact on legitimate traffic.
Written by vikram chaudhary