Learning More About AWS WAF
Learning more about Amazon's Web Application Firewall. I was having trouble earlier today when CloudFront and Application Load Balancer Web Application Firewalls were blocking some POST requests - I think due to the fact that the POST request had a query parameter (Actually, I think it was due to the body size limit). While I was able to find out why the request was blocked due to the logs, I want to find out more about this service and about what the various rules mean.
Resources
- AWS WAF
- AWS WAF ACL
- Web ACL Rule and Rule Group Evaluation
- The Web ACL Default Action
- Managing Body Inspection Size Limits
Introduction
AWS WAF helps you protect against common web exploits and bots that can affect availability, compromise security, or consume excessive resources.
- AWS WAF is a web application firewall service that lets you monitor web requests that are forwarded to an Amazon API Gateway API, an Amazon CloudFront distribution, or an Application Load Balancer. You can protect those resources based on conditions that you specify, such as the IP addresses that the requests originate from.
- AWS WAF rule propagation and updates take just under a minute.
- AWS WAF gives near real-time visibility into your web traffic, which you can use to create new rules or alerts in Amazon CloudWatch. It offers comprehensive logging, allowing you to capture each inspected web request's full header data.
- Use Cases
- Filter Web Traffic
- Create rules to filter web requests based on conditions such as IP addresses, HTTP headers, and body, or custom URIs.
- Prevent Account Takeover Fraud
- Monitor your application's login page for unauthorized access to user accounts using compromised credentials.
- Administer AWS WAF with APIs
- Create and maintain rules automatically and incorporate them into the development and design process.
AWS WAF Access Control Lists
- A web access control list (web ACL) gives you fine-grained control over all of the HTTP(S) web requests that your protected resources respond to.
- You can use the following criteria to allow or block requests:
- IP address origin of the request
- Country of origin of the request
- String match or regular expression (regex) match in a part of the request
- Size of a particular part of the request
- Detection of malicious SQL code or scripting
- Any combination of the above
- You can also implement some kind of rate limit. You can also run CAPTCHA puzzles and silent client session challenges against requests.
- You provide your matching criteria and the action to take on matches in AWS WAF rule statements. You can define rule statements directly inside your web ACL and in reusable rule groups that you use in your web ACL.
- To specify your web application inspection and handling criteria, perform the following tasks:
- Choose the web ACL default action, either allow or block, for web requests that don't match any of the rules that you specify.
- Add any rule groups that you want to use in your web ACL. Managed rule groups usually contain rules that block web requests.
- Specify additional matching criteria and handling instructions in one or more rules. To combine more than one rule statement, start with AND or OR rule statements and nest the rules that you want to combine under those. If you negate a rule option, nest the rule in a NOT statement. You can optionally use a rate-based rule instead of a regular rule to limit the number of requests from any single IP address that meets the conditions.
- If you add more than one rule to a web ACL, AWS WAF evaluates the rules in the order that they're listed for the web ACL.
Web ACL Rule and Group Evaluation
- The way a web ACL handles a web request depends on the following:
- The numeric priority settings of the rules in the web ACL and inside rule groups
- The evaluation order of the rules is determined using numeric priority settings. Each rule in a web ACL must have a unique priority setting within that web ACL. Rules with the lowest numeric priority are checked first.
- The action settings on the rules and web ACL
- The rule action tells WAF what to do with a web request when it matches the criteria defined in the rule.
- Here are the rule action options:
- Allow - AWS WAF allows the request to be forwarded to the protected AWS resource for processing and response. This is a terminating action.
- Block - AWS WAF blocks the request. This is a terminating action. By default, your AWS resource responds with an HTTP 403 Forbidden status code.
- Count - AWS WAF counts the request but does not determine whether to allow it or block it. This is a non-terminating action. In rules that you define, you can insert custom headers into the request and you can add labels that other rules can match against.
- CAPTCHA and Challenge - AWS WAF uses CAPTCHA puzzles and silent challenges to verify that the request is not coming from a bot, and uses tokens to track recent successful client responses. CAPTCHA puzzles and silent challenges can only run when browsers are accessing HTTPS endpoints. This comes with additional fees. These rule actions can be terminating or non-terminating, depending on the state of the token in the request.
- Non-terminating for valid, unexpired token - If the token is valid and unexpired according to the configured CAPTCHA or challenge immunity time, AWS WAF handles the request similar to the Count action.
- Terminating with blocked request for invalid or expired token - If the token is invalid or the indicated timestamp is expired, AWS WAF terminates the inspection of the web request and blocks the request, similar to the Block action. AWS WAF then responds to the client with a custom response code. For CAPTCHA, if the request contents indicate that the client browser can handle it, AWS WAF sends a CAPTCHA puzzle in a JavaScript interstitial, which is designed to distinguish human clients from bots. For the Challenge action, AWS WAF sends a JavaScript interstitial with a silent challenge that is designed to distinguish normal browsers from sessions that are being run by bots.
- Any overrides that you place in the rule groups that you add
- You can customize request and response handling in your rule action settings and default web ACL action settings.
A terminating action stops the web ACL evaluation of the request and either lets it continue to the protected application or blocks it.
The Web ACL Default Action
- When you create and configure a web ACL, you must set the web ACL default action. AWS WAF applies this action to any request that makes it through all of the web ACL's rule evaluations without having a terminating action applied to it.
- The web ACL default action must determine the final disposition of the web request, so it's a terminating action:
- Allow - If you want to allow most users to access your application, then choose Allow for the default action. Then, you can apply rules to block specific users from your application.
- Block - If you want to prevent most users from accessing your website, then choose Block for the default action. Then, you can apply rules to allow specific users to access your application. By default, the Block action responds with an HTTP 403 (Forbidden) status code.
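To make the priority order, terminating versus non-terminating actions, label matching, CAPTCHA token handling and the default action concrete, here is a small simulator of the evaluation described in the two sections above. It is an added example, not AWS code and not the WAF API: the request dictionary, the rule names, the AND/OR/NOT helpers and the captcha_token/solved_at fields are assumptions made for illustration. The evaluation follows what the notes state: lowest numeric priority first, Allow and Block terminate, Count continues and adds labels that later rules can match, CAPTCHA behaves like Count for a token within the immunity time and like Block otherwise, and the default action decides whatever remains.

```python
"""Toy model of web ACL evaluation (added example, not AWS code).

Rules are checked in ascending numeric priority; Allow and Block terminate;
Count is non-terminating and attaches labels that later rules can match;
CAPTCHA counts when the token is fresh and blocks otherwise; the web ACL
default action decides requests that no terminating rule caught.
Nested AND / OR / NOT statements are modelled as plain Python callables.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

Predicate = Callable[[dict], bool]


# Nesting statements, as in a web ACL: AND / OR combine, NOT negates.
def AND(*parts: Predicate) -> Predicate:
    return lambda req: all(p(req) for p in parts)


def OR(*parts: Predicate) -> Predicate:
    return lambda req: any(p(req) for p in parts)


def NOT(part: Predicate) -> Predicate:
    return lambda req: not part(req)


# Match statements mirroring the criteria listed in the notes (assumed request keys).
def ip_in(*addresses): return lambda req: req["client_ip"] in addresses
def country_is(*codes): return lambda req: req["country"] in codes
def uri_starts(prefix): return lambda req: req["uri"].startswith(prefix)
def body_larger_than(limit): return lambda req: req["body_size"] > limit
def has_label(name): return lambda req: name in req["labels"]


@dataclass
class Rule:
    name: str
    priority: int            # unique within the web ACL; lowest checked first
    statement: Predicate
    action: str              # "ALLOW", "BLOCK", "COUNT" or "CAPTCHA"
    labels: list = field(default_factory=list)
    immunity_time: int = 300  # seconds a solved CAPTCHA token stays valid (assumed)


@dataclass
class Decision:
    action: str
    terminating_rule: Optional[str]   # None when the default action decided
    counted_rules: list
    labels: list


def evaluate(rules, request, default_action, now=0):
    """Return the web ACL's decision for one request (constructed request dict)."""
    req = dict(request, labels=[])   # labels accumulate during evaluation
    counted = []
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule.statement(req):
            continue
        req["labels"].extend(rule.labels)     # labels are added on any match
        action = rule.action
        if action == "CAPTCHA":
            token = req.get("captcha_token")
            fresh = token is not None and now - token["solved_at"] <= rule.immunity_time
            action = "COUNT" if fresh else "BLOCK"
        if action == "COUNT":                 # non-terminating: keep going
            counted.append(rule.name)
            continue
        return Decision(action, rule.name, counted, req["labels"])   # terminating
    return Decision(default_action, None, counted, req["labels"])


# Constructed rule set: the admin path from abroad is labelled, the label is
# then challenged, and oversized bodies are blocked outright.
RULES = [
    Rule("block-bad-ip", 0, ip_in("198.51.100.7"), "BLOCK"),
    Rule("tag-admin", 10, AND(uri_starts("/admin"), NOT(country_is("US"))), "COUNT",
         labels=["example:admin-from-abroad"]),
    Rule("challenge-admin", 20, has_label("example:admin-from-abroad"), "CAPTCHA"),
    Rule("oversize-body", 30, body_larger_than(8192), "BLOCK"),
]

if __name__ == "__main__":
    sample = {"client_ip": "203.0.113.5", "country": "DE", "uri": "/admin/x", "body_size": 10}
    print(evaluate(RULES, sample, "ALLOW", now=200))
    print(evaluate(RULES, dict(sample, captcha_token={"solved_at": 100}), "ALLOW", now=200))
```

The second run in the usage block shows why CAPTCHA is listed as "terminating or non-terminating": the same request is blocked without a token and falls through to the default action with a fresh one, and the Count rule that fired earlier is still recorded in both cases.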
Managing Body Inspection Size Limits
- The body inspection size limit is the maximum request body size that AWS WAF can inspect. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.
- For Application Load Balancer and AWS AppSync, the limit is fixed at 8KB.
- For other services, the default limit is 16KB, but it can be raised to 64KB.
- If your web traffic includes bodies that are larger than the limit, your configured oversize handling will apply.
- You can be charged extra for bodies that are of a larger size.
Configurations for CAPTCHA, challenge, and tokens
- You can configure options in your web ACL for the rules that use the CAPTCHA or Challenge rule actions and for the application integration SDKs that manage silent client challenges for AWS WAF managed protections.
- These features mitigate bot activity by challenging end users with CAPTCHA puzzles and by presenting client sessions with silent challenges. When the client responds successfully, AWS WAF provides a token for them to use in their web requests, timestamped with the last successful puzzle and challenge responses.
- In your web ACL configuration, you can configure how AWS WAF manages these tokens:
- CAPTCHA and challenge immunity times - These specify how long a CAPTCHA or challenge timestamp remains valid. The web ACL settings are inherited by all rules that don't have their own immunity time settings configured and also by application integration SDKs.
- Token domains - You can configure AWS WAF to accept tokens from multiple domains.
Working with web ACLs
- For any web ACL that you're using, you can access summaries of the web traffic metrics on the web ACL's page in the AWS WAF console, under the Traffic overview tab.
- When you create or change a web ACL or other AWS WAF resources, the changes can take a small amount of time to propagate to all areas where the resources are stored. The propagation time can be from a few seconds to a number of minutes.
Viewing WAF Blocked Requests in AWS CloudWatch
- If you turn on request logging for your WAF, a log group should be created in AWS CloudWatch, which you can access by going to CloudWatch > Log Groups > [Created Log Group Name].
- The log should contain blocked events that look similar to the JSON object below. To see why a request was blocked, look at the ruleGroupList attribute and see which rule has an action of BLOCK. In this case, the rule ID is SizeRestrictions_BODY. You can investigate this rule in the AWS WAF console.
// "REMOVED" means that I removed the value for size restraints or for privacy
{
  "timestamp": 1717683815062,
  "formatVersion": 1,
  "webaclId": "REMOVED", // arn for web acl
  "terminatingRuleId": "AWS-AWSManagedRulesCommonRuleSet",
  "terminatingRuleType": "MANAGED_RULE_GROUP",
  "action": "BLOCK",
  "terminatingRuleMatchDetails": [],
  "httpSourceName": "CF",
  "httpSourceId": "REMOVED",
  "ruleGroupList": [
    {
      "ruleGroupId": "AWS#AWSManagedRulesAmazonIpReputationList",
      "terminatingRule": null,
      "nonTerminatingMatchingRules": [],
      "excludedRules": null,
      "customerConfig": null
    },
    {
      "ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",
      "terminatingRule": {
        "ruleId": "SizeRestrictions_BODY",
        "action": "BLOCK",
        "ruleMatchDetails": null
      },
      "nonTerminatingMatchingRules": [],
      "excludedRules": null,
      "customerConfig": null
    }
  ],
  "rateBasedRuleList": [],
  "nonTerminatingMatchingRules": [],
  "requestHeadersInserted": null,
  "responseCodeSent": null,
  "httpRequest": {
    "clientIp": "REMOVED",
    "country": "US",
    "headers": [
      // REMOVED list of {name: string, value: string } headers
    ],
    "uri": "/admin/note/edit/111/systemd",
    "args": "active_v=1", // query parameters
    "httpVersion": "HTTP/2.0",
    "httpMethod": "POST",
    "requestId": "REMOVED"
  },
  "labels": [
    {
      "name": "awswaf:managed:aws:core-rule-set:SizeRestrictions_Body"
    }
  ],
  "requestBodySize": 9107,
  "requestBodySizeInspectedByWAF": 9107,
  "ja3Fingerprint": "b89ee5bf178305b000716ccbe59f087d"
}
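Here is an added example (not code from this page or from AWS) that reads CloudWatch log lines in the shape shown above, pulls out the rule that blocked each request, and compares the logged body size with the inspection limits from the body-size section. The records are constructed from the entry above with placeholder IDs. Two things are assumptions from the AWS documentation rather than from these notes: the httpSourceName codes other than CF (ALB, APPSYNC, APIGW) and the 8 KB threshold at which the Common Rule Set's SizeRestrictions_BODY rule matches.

```python
"""Find the rule that blocked a request in AWS WAF logs (added example).

The records below are constructed from the shape of the log entry in these
notes; "REMOVED" values are placeholders and the ARN is not real.
"""
import copy
import json
from collections import Counter

# Host inspection limits from the notes: ALB and AppSync are fixed at 8 KB,
# other services default to 16 KB (raisable to 64 KB). The httpSourceName
# codes other than "CF" are taken from the AWS WAF log field reference.
HOST_INSPECTION_LIMIT = {"ALB": 8192, "APPSYNC": 8192, "CF": 16384, "APIGW": 16384}
# Assumption from the AWS managed Common Rule Set documentation, not from the
# notes: SizeRestrictions_BODY matches request bodies larger than 8 KB.
COMMON_RULE_SET_BODY_LIMIT = 8192

BASE_RECORD = {  # constructed from the logged block above
    "timestamp": 1717683815062,
    "formatVersion": 1,
    "webaclId": "arn:aws:wafv2:REMOVED",  # placeholder
    "terminatingRuleId": "AWS-AWSManagedRulesCommonRuleSet",
    "terminatingRuleType": "MANAGED_RULE_GROUP",
    "action": "BLOCK",
    "httpSourceName": "CF",
    "ruleGroupList": [
        {"ruleGroupId": "AWS#AWSManagedRulesAmazonIpReputationList",
         "terminatingRule": None, "nonTerminatingMatchingRules": []},
        {"ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",
         "terminatingRule": {"ruleId": "SizeRestrictions_BODY", "action": "BLOCK",
                             "ruleMatchDetails": None},
         "nonTerminatingMatchingRules": []},
    ],
    "httpRequest": {"clientIp": "REMOVED", "country": "US",
                    "uri": "/admin/note/edit/111/systemd", "args": "active_v=1",
                    "httpMethod": "POST"},
    "labels": [{"name": "awswaf:managed:aws:core-rule-set:SizeRestrictions_Body"}],
    "requestBodySize": 9107,
    "requestBodySizeInspectedByWAF": 9107,
}


def blocking_rule(record):
    """Return (ruleGroupId, ruleId) for the rule that blocked, or None if not blocked.

    Rule groups report their own terminating rule; a rule defined directly in
    the web ACL only shows up as the top-level terminatingRuleId (group None).
    """
    if record.get("action") != "BLOCK":
        return None
    for group in record.get("ruleGroupList", []):
        term = group.get("terminatingRule")
        if term and term.get("action") == "BLOCK":
            return group["ruleGroupId"], term["ruleId"]
    return None, record.get("terminatingRuleId")


def body_inspection(record):
    """Compare the logged body size with the limits that apply to this request."""
    size = record["requestBodySize"]
    inspected = record["requestBodySizeInspectedByWAF"]
    host_limit = HOST_INSPECTION_LIMIT.get(record["httpSourceName"])
    return {
        "body_bytes": size,
        "fully_inspected": inspected == size,  # False means oversize handling applied
        "over_host_limit": host_limit is not None and size > host_limit,
        "over_common_rule_set_limit": size > COMMON_RULE_SET_BODY_LIMIT,
    }


def tally_blocks(log_lines):
    """Count BLOCK decisions per 'group/rule' across JSON log lines."""
    counts = Counter()
    for line in log_lines:
        hit = blocking_rule(json.loads(line))
        if hit:
            group, rule = hit
            counts[f"{group or 'web-acl'}/{rule}"] += 1
    return counts


def sample_log_lines():
    """Three constructed log lines: the block above, an allowed request, the block again."""
    allowed = copy.deepcopy(BASE_RECORD)
    allowed.update(action="ALLOW", terminatingRuleId="Default_Action",
                   terminatingRuleType="DEFAULT_ACTION",
                   requestBodySize=120, requestBodySizeInspectedByWAF=120)
    allowed["ruleGroupList"][1]["terminatingRule"] = None
    allowed["labels"] = []
    return [json.dumps(BASE_RECORD), json.dumps(allowed), json.dumps(BASE_RECORD)]


if __name__ == "__main__":
    print(blocking_rule(BASE_RECORD))
    print(body_inspection(BASE_RECORD))
    print(tally_blocks(sample_log_lines()))
```

For the request logged above, requestBodySize equals requestBodySizeInspectedByWAF, so the whole 9107-byte body reached AWS WAF and the block came from the managed rule's own size restriction, not from the host's oversize handling. Raising the CloudFront inspection limit would therefore not change the outcome; the options are to keep the body under the rule's threshold or to apply a rule-group override (for example Count) to that rule for the affected path.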