Use Case: How to Implement AWS WAF Security Automations on a Project
We would like to share our experience with implementing AWS WAF security automations on a project. We will explore the solution itself and introduce a custom additional component: AWS Lambda, which simplifies monitoring of multiple AWS WAF instances and keeps us up to date with the latest threats.
What is AWS WAF (Web Application Firewall)
As a managed service, AWS WAF protects web applications at the application layer from common web exploits that can compromise security or consume excessive resources.
Structure
The core component of a typical AWS WAF instance is the web ACL (Access Control List). It contains rule groups or individual rules that are used to recognize some malicious patterns in the captured traffic.
Another essential part is IP sets. They help to block malicious IP addresses. If you want to add AWS managed protection, you can add managed rule groups. These AWS managed rules cover general malicious inputs or are designed for specific use cases, such as WordPress application protection.
Where can you apply this?
You can apply AWS WAF to protect global or regional resources, such as Application Load Balancers, Amazon API Gateway REST APIs, Amazon CloudFront distributions, etc.
Simplified Deployment with AWS WAF Security Automation
Deploying AWS WAF from scratch can be complex. In most cases, it is essential to have a baseline template from which you can start and later extend it with your own custom rules, modify existing rules, and adapt them to your needs.
Here, Security Automations for AWS WAF comes into the picture. It simplifies deployment by providing a baseline template with existing sets of rules and the required components.
This solution is easy to integrate, and it can be deployed quickly using a CloudFormation template. Moreover, you can easily integrate it with CloudFront, Application Load Balancer, or AWS API Gateway.
The web ACL intercepts and analyzes web traffic, automatically blocking malicious requests and providing comprehensive logging and monitoring capabilities for continuous improvement. You can easily track your changes to the deployed AWS WAF rules and learn from detected attack patterns in order to enhance your protection.
Solution Architecture
The solution's core includes the AWS WAF instance and web ACL, with default rules deployed via the provided template. Application logs are stored in Amazon S3 and analyzed using Lambda functions to detect and block malicious IPs based on predefined criteria. Additional components like IP reputation lists use external threat intelligence sources to block known malicious IPs, ensuring up-to-date protection.
Why We Chose Security Automations for AWS WAF
We chose the Security Automations for AWS WAF solution for its simplicity and ease of deployment. This solution includes essential AWS WAF rules that can be easily extended and customized to fit our specific infrastructure needs.
Moreover, its architecture comprises various components that not only block malicious traffic but also analyze it and take actions based on the analysis. It helps us prevent common attacks like XSS and SQL injection, analyze logs for repeated 400 response codes from a single IP, and use threat intelligence to block known malicious IPs.
A CloudFormation template streamlines the setup, which minimizes deployment time. Once set up, you can integrate it with Amazon CloudFront, Application Load Balancer, or Amazon API Gateway among other supported AWS services.
Let’s take a look at some other key benefits of implementing Security Automations for AWS WAF.
- This solution highlights the presence of real attacks, reinforcing the need for robust security measures.
- We gain useful insights into potential malicious actors and their methods, which gives us an opportunity to continuously improve our defenses.
- By analyzing patterns and behaviors, we can better understand and block more sophisticated attacks.
The core of our solution involves Security Automations for AWS WAF lambda functions and AWS WAF instances. Developing custom Lambda functions to further analyze the detected requests using modern AI tools simplifies the process. You can enable AWS WAF logging and analyze these logs to identify important characteristics such as rule names, detected URLs, and payloads.
For example, if multiple XSS attacks from the same IP address are detected, a Lambda function can analyze them and later block the offending IP for 48 hours. Additionally, it can send a notification about the blocked activity to the application team.
Using a custom Lambda function also allows you to integrate your detection algorithms with services like AbuseIPDB and VirusTotal for enhanced threat intelligence. One more important feature of such a Lambda function is daily analytics that provides comprehensive insights into traffic patterns and potential threats, enabling a single security engineer to effectively monitor multiple AWS WAF instances.
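The per-IP analysis described above, as an added example in Node.js (it is not TechMagic's Lambda): it parses AWS WAF JSON log records, counts XSS rule matches per client IP, including rules still in Count mode, and plans 48-hour blocklist entries. The threshold, rule names and sample records are constructed assumptions.

```javascript
const BLOCK_TTL_MS = 48 * 60 * 60 * 1000; // 48-hour block, as described above
const XSS_THRESHOLD = 3;                   // XSS hits per IP before blocking (assumed)

// Parse newline-delimited AWS WAF log records, skipping corrupt lines.
function parseWafLog(text) {
  return text.split('\n').flatMap((line) => {
    try { return line.trim() ? [JSON.parse(line)] : []; } catch (_) { return []; }
  });
}
// Rules that matched one record: the terminating rule when the request was blocked,
// plus rules still in Count mode, which WAF reports as non-terminating matches.
function matchedRules(rec) {
  const counted = (rec.nonTerminatingMatchingRules || []).filter((m) => m.action === 'COUNT');
  return (rec.action === 'BLOCK' ? [rec.terminatingRuleId] : []).concat(counted.map((m) => m.ruleId));
}
// Count XSS matches per client IP and remember the URIs each one targeted.
function xssHitsByIp(records) {
  const byIp = new Map();
  for (const rec of records) {
    if (!matchedRules(rec).some((name) => /xss/i.test(name))) continue;
    const ip = rec.httpRequest.clientIp;
    const entry = byIp.get(ip) || { hits: 0, uris: new Set() };
    entry.hits += 1;
    entry.uris.add(rec.httpRequest.uri);
    byIp.set(ip, entry);
  }
  return byIp;
}
// Entries to add to the blocklist IP set, each with its expiry timestamp.
function planBlocks(records, nowMs) {
  return [...xssHitsByIp(records)]
    .filter(([, e]) => e.hits >= XSS_THRESHOLD)
    .map(([ip, e]) => ({ ip, hits: e.hits, uris: [...e.uris], expiresAt: nowMs + BLOCK_TTL_MS }));
}

// Constructed sample records in the AWS WAF log shape (only the fields used here).
function sampleRecord(ip, uri, action, rule, countedRule) {
  return JSON.stringify({ action, terminatingRuleId: rule, httpRequest: { clientIp: ip, uri },
    nonTerminatingMatchingRules: countedRule ? [{ ruleId: countedRule, action: 'COUNT' }] : [] });
}
const SAMPLE_LOG = [
  sampleRecord('198.51.100.7', '/search', 'BLOCK', 'XssRule'),
  sampleRecord('198.51.100.7', '/login', 'BLOCK', 'XssRule'),
  sampleRecord('198.51.100.7', '/comment', 'ALLOW', 'Default_Action', 'CustomXssRule'),
  sampleRecord('203.0.113.9', '/search', 'BLOCK', 'XssRule'),
  sampleRecord('203.0.113.9', '/', 'BLOCK', 'SqlInjectionRule'),
  'not json at all',
].join('\n');
```

Running `planBlocks(parseWafLog(SAMPLE_LOG), Date.now())` yields a single entry for 198.51.100.7 with three hits; the resulting list is what the Lambda would write to the blocklist IP set and post to the team channel.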
One notable experience involved blocking over 220,000 requests from various scanners within 16 hours. The implemented solution effectively managed and analyzed this traffic, preventing most threats. In cases where certain traffic could not be blocked by existing AWS WAF rules, we introduced custom rules in the Lambda itself to analyze and block or blacklist specific IP addresses, such as those behaving like the WPScan tool.
Implementation Steps for AWS WAF Security Automations
Implementing Security Automations for AWS WAF involves several key steps, which help to ensure effective deployment and continuous protection for your web applications.
Real Use Case: AWS WAF Optimization Tips
In our work with Security Automations for AWS WAF, we learned several valuable tips and tricks from real projects. One particularly illustrative use case is our implementation for Elements Cloud, a B2B solution for visualizing and organizing business processes and Salesforce orgs.
The solution also provides useful analytics about Salesforce orgs, helps manage them effectively, and tracks all changes so that teams can use their Salesforce orgs as efficiently as possible.
Here are some key takeaways:
- Use rule labels. They extend standard filter options to monitor only the traffic and rules that matter most to you.
- Focus on one rule at a time. When you change several rules at once, it is hard to identify the root cause of an issue, and the update slows down instead of speeding up. So, avoid working on multiple rules simultaneously; it makes issues easier to identify and address.
- Test before blocking. Change the action to 'Block' only after running the rule in 'Count' mode for a few days or a week. That lets you concentrate on adjusting this exact rule instead of checking all the other rules to find out which one actually blocked the web requests.
- Automate AWS WAF logs processing. Use automation to extract the most useful data and be more effective in terms of how fast you adapt to the changes.
- Set low sensitivity for SQLi and XSS rules. Prevent false positives by adjusting sensitivity levels to avoid blocking valid traffic.
For example, when looking for injection, you can match on a single quote, but a single quote can also be part of a valid payload. With the sensitivity level set to High, the rule can be triggered even though the payload is valid and poses no risk to the application. That is why, in this particular case, you should set the sensitivity level to Low.
Changing the sensitivity level helps you avoid a large number of false-positive requests blocked by WAF and makes your AWS WAF more effective at detecting malicious traffic.
- Use nested statements. Create more complex rules with necessary exceptions to reduce false positives.
By default, the statements in a rule are not nested. However, at some point you will need more complex rules, and for this purpose you should use scope-down statements. They allow you to add the required exceptions and cover more use cases, reducing the number of possible false positives.
- Leverage regular expressions. Simplify rule management, reduce the length of search terms, and enhance effectiveness by using regular expressions for similar patterns.
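As an added example (not the template's code and not TechMagic's), here is one SQLi rule in the AWS WAFv2 rule JSON shape, built in JavaScript, first in its flat, high-sensitivity blocking form and then tuned as the tips describe: Low sensitivity, a nested exception, a rule label, and Count before Block with a custom response body. The excluded path, label and metric name are assumed.

```javascript
// Builds one SQLi rule in the AWS WAFv2 rule JSON shape (as used with UpdateWebACL).
// excludePath adds the nested exception; label tags matches for log filtering.
function sqliRule({ sensitivity, action, excludePath, label }) {
  const sqli = { SqliMatchStatement: {
    FieldToMatch: { Body: {} },
    TextTransformations: [{ Priority: 0, Type: 'URL_DECODE' }, { Priority: 1, Type: 'HTML_ENTITY_DECODE' }],
    SensitivityLevel: sensitivity } };
  // Nested statement: SQLi match AND NOT a request to the excluded path (the exception).
  const statement = excludePath ? { AndStatement: { Statements: [sqli, { NotStatement: { Statement: {
    ByteMatchStatement: { FieldToMatch: { UriPath: {} }, PositionalConstraint: 'STARTS_WITH',
      SearchString: excludePath, TextTransformations: [{ Priority: 0, Type: 'LOWERCASE' }] } } } }] } } : sqli;
  return {
    Name: 'BodySqli', Priority: 10, Statement: statement,
    Action: action === 'BLOCK' ? { Block: {} } : { Count: {} },
    RuleLabels: label ? [{ Name: label }] : [],
    VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: 'BodySqli' },
  };
}

// Walk nested And/Or/Not statements and return every SQLi sensitivity level found.
function sqliSensitivities(statement) {
  if (statement.SqliMatchStatement) return [statement.SqliMatchStatement.SensitivityLevel];
  if (statement.NotStatement) return sqliSensitivities(statement.NotStatement.Statement);
  const group = statement.AndStatement || statement.OrStatement;
  return group ? group.Statements.flatMap(sqliSensitivities) : [];
}

// After the Count period, switch to Block with a custom response body so that blocked
// requests are recognisable as WAF blocks (bodyKey must be defined on the web ACL).
function promoteToBlock(rule, bodyKey) {
  if (!rule.Action.Count) throw new Error(`${rule.Name} is not in Count mode`);
  return { ...rule, Action: { Block: { CustomResponse: { ResponseCode: 403, CustomResponseBodyKey: bodyKey } } } };
}

// The flat, high-sensitivity rule that blocks immediately, and the tuned one.
const WEAK_RULE = sqliRule({ sensitivity: 'HIGH', action: 'BLOCK' });
const TUNED_RULE = sqliRule({ sensitivity: 'LOW', action: 'COUNT', excludePath: '/api/export', label: 'app:sqli:body' });
```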
Implementation of AWS WAF Logs Parser Lambda
AWS WAF logs parser or monitoring lambda helps you effectively monitor multiple AWS WAF instances. It extracts crucial information to keep you up to date with ongoing attacks. Additionally, it implements automated responses to the detected malicious traffic.
Not all rules require blocking traffic from the start. Often, further processing and analysis are necessary. Based on this analysis, you can decide whether to block a particular IP address and traffic. For this purpose, we have developed a custom AWS Lambda.
How does it work and what are its main functions?
Lambda analyzes AWS WAF logs and produces early analytics. You can adjust the update rate to meet your needs.
- Log analysis
You can receive updates on an hourly basis or even more frequently, depending on your preference. The AWS WAF log parser also produces daily analytics reports, summarizing the previous day's activities. These reports detail the number of requests blocked by various rules and list the malicious blacklisted IPs.
Tracking changes over the long term is particularly useful when you lack a dedicated SOC center or cannot monitor your AWS WAF around the clock. For example, receiving analytics on Monday can help you understand weekend activities and stay updated on possible attacks during that period.
- Slack integration
The AWS WAF log parser sends analytics to Slack, a widely used communication tool, making it easier for teams to stay effective. It leverages parallel processing using Node.js worker threads, which accelerates the processing of retrieved AWS logs. This efficiency allows you to spend less time running AWS log reviews and to process more malicious requests.
- Parallel processing
Utilizing Node.js worker threads, the lambda function processes AWS logs in parallel, significantly reducing the time required to review logs.
As a result, you can cover more threats than if you were using a single thread for analysis. Overall, the AWS WAF log parser significantly reduces the time required to review and monitor AWS logs. It also helps detect ongoing attacks and react to them promptly, even when no mitigation measure is in place yet.
Essential Web ACL Components
Let’s dive into the Web ACL and its components. The Web ACL is attached to Amazon CloudFront, and we have deployed our Security Automations for AWS WAF Web ACL from a CloudFormation template. This template provides several out-of-the-box rules, which can be adjusted according to your needs.
Important points to consider
Capacity units
The first key point to mention is the capacity units. It is important to constantly track them because once you reach more than 1,500 units, you will incur additional charges for your AWS WAF implementation. The maximum limit is 5,000 capacity units, beyond which you will need to contact the AWS team.
Ensuring your rules are efficient can help avoid unnecessary costs. Each statement can add capacity units, so understanding which statements cost more, such as geographical or specific pattern rules, is essential.
You can refer to AWS WAF documentation to understand the cost of different statements in terms of capacity units. For example, regular expression match statements typically cost more than byte match statements.
So please make sure your rules are as efficient as possible and that you do not reach this limit, because it will increase your monthly cost. In fact, staying under it can be one of the requirements, so keep a constant eye on it.
Custom response bodies
It is also essential to define custom response bodies to identify blocked requests by AWS WAF. This helps in taking necessary measures and involving your team in the response process.
Every time we receive a custom response body from our AWS WAF rules, it tells us that this request was indeed blocked by our AWS WAF, so we can take the required measures and involve the team in the process. This way, they are also able to take it into account and react appropriately.
Lambda integration
Ensure your AWS WAF Lambda function has permissions to access AWS WAF logs, manage IP sets, and create log groups, streams, and log events in Amazon CloudWatch. It also needs to have appropriate permissions to access S3 buckets for storing processing results.
Depending on your specific requirements, you might need to adjust configurations related to memory and ephemeral storage to handle the volume of requests effectively. Our setup includes a Slack channel where we receive logs from the Lambda function, so it is required to configure a Slack webhook URL and provide it in the lambda environment variables. This enables the team to review details and monitor multiple AWS WAF instances efficiently, ensuring robust protection against attackers.
Wrapping Up
Security Automations for AWS WAF is definitely an advancement in web application security management. Integrating AWS WAF with AWS Lambda and other AWS services will help you effectively monitor, analyze, and respond to security threats.
To start, you can use the CloudFormation template that streamlines the deployment process. It includes predefined rules and components, allowing you to set up and start protecting your web applications quickly.
The solution's architecture is designed to be flexible and scalable. It leverages AWS WAF for traffic filtering, AWS Lambda for log analysis and automated responses, and Amazon S3 for log storage. This combination ensures that you can scale your security measures as your application grows.
The Security Automations for AWS WAF solution provides comprehensive threat detection and response capabilities. By analyzing traffic patterns and using additional threat intelligence sources like VirusTotal and AbuseIPDB in the custom WAF logs parser Lambda, the solution can identify and block malicious traffic. Automated IP blocking and customizable rule sets ensure that your defenses are always up to date.
It is important to remember that security is an ongoing process. You can fine-tune rules, monitor performance, and adjust settings based on real-time analytics. This iterative approach helps you stay ahead of threats and maintain a strong security posture.
As you can see, this solution has been tested and proven effective in real-world scenarios, such as managing and analyzing large volumes of requests, blocking sophisticated attacks, and providing detailed threat intelligence. So, by implementing Security Automations for AWS WAF together with a custom AWS Lambda for extended monitoring, you gain a powerful and flexible toolset to protect your web applications from a wide range of threats.