Overview
Over the past decade, security has become one of the core concerns for most enterprises. With the steady growth in disclosed vulnerabilities and in attacks against internet-facing applications, organizations need to re-evaluate how they protect applications that can be readily exploited. Application-layer threats such as cross-site scripting (XSS), SQL injection and distributed denial of service (DDoS) are expanding rapidly and can disrupt the normal functioning of enterprise applications. AWS provides several services, such as AWS WAF, AWS Shield and Amazon CloudFront, that improve the overall security of an AWS environment. AWS WAF (Web Application Firewall) is the AWS service that inspects web requests and protects web applications against a range of these external threats.
AWS WAF helps to protect applications from a wide variety of application-layer (layer 7) attacks such as cross-site scripting, SQL injection, cookie poisoning and HTTP floods (layer 7 DDoS), among others. A web ACL can be associated with an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer or an AWS AppSync GraphQL API, and AWS WAF then monitors and filters the requests those resources receive before they reach the application.
Key Learnings and Best Practices
Use WAF automation
Configuring AWS WAF rules from scratch can be challenging, especially for an organization without a dedicated security team. The Security Automations for AWS WAF solution (formerly AWS WAF Security Automations) automates the deployment of a set of AWS WAF rules as a single web access control list (web ACL) that filters common web-based attacks. The preconfigured protections (for example the bad-bot, scanner and probe, IP reputation list and HTTP flood rules) can be selected at deployment time, and the resulting web ACL can then be associated with a CloudFront distribution or an Application Load Balancer to inspect their web requests.
Enable Web ACL traffic logging
Web ACL logging records every request the web ACL evaluates: the time the request was received, the web ACL and protected resource, the request details (source IP, country, URI, query string and headers), the action taken, the rule that terminated the evaluation and any rules that matched in Count mode. The logs can be delivered to Amazon CloudWatch Logs, to an Amazon S3 bucket for long-term retention, or to an Amazon Kinesis Data Firehose delivery stream. Whichever destination is used, AWS WAF requires its name to begin with the prefix aws-waf-logs-, so the log group, bucket or delivery stream has to be created with that naming in mind.
Test WAF on a non-production environment
As a best practice, web ACL rules must first be tested in a non-production environment such as staging, initially in Count mode, and fine-tuned against the observed traffic pattern before they are switched to Block. Deploy the WAF implementation to production on a selected date when the lowest user traffic is expected. Always have the rollback plan and mitigation steps well documented (for example, switching the offending rule back to Count or disassociating the web ACL) in case the WAF implementation has to be rolled back.
Post-deployment traffic analysis
Once the WAF is implemented in the production environment, it is important to regularly monitor the application and its traffic pattern. Although the AWS WAF dashboard provides basic metrics and sampled requests, the logs can be streamed to Amazon OpenSearch Service or stored in S3 and queried with Amazon Athena to analyze the traffic in detail, identify past trends in application traffic and spot changes in behavior.
Use rate-based rules for specific IP Addresses or URLs
It is common to receive a high volume of requests at a specific time of day or during particular periods. Rate-based rules count the requests coming from each source IP address over a rolling evaluation window (five minutes by default) and apply the rule action to an address only while it exceeds the configured limit; a scope-down statement restricts the count to particular URLs, such as a login endpoint, so that normal traffic to the rest of the application is unaffected. Instead of permanently blocking a source that is suspected of malicious traffic, it is better to rate limit it at a threshold that does not interrupt the normal volume of requests, run the rule in Count mode first to validate the threshold against real traffic, and switch it to Block only once the pattern is confirmed.
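The following is an added example (not part of the original article or any AWS or LTIMindtree code) that shows how the threshold for a rate-based rule can be chosen from web ACL logs before the rule is enabled. It replays constructed log records through the same per-IP sliding window that a rate-based rule uses, reports which sources a candidate limit would act on with and without a scope-down to /login, and emits the rule in AWS WAF rule JSON form in Count mode. The IP addresses, paths, rule name and traffic volumes are all made up for the illustration.

```python
"""Rate-based rule tuning for AWS WAF: replay web ACL log records through
the per-IP sliding window a rate-based rule uses, see which sources a
candidate limit would catch, then emit the rule as AWS WAF rule JSON in
Count mode. Added example; the log records below are constructed, not real."""
import json
from collections import defaultdict, deque


def construct_logs():
    """Constructed WAF log records (real field names, made-up traffic)."""
    base_ms = 1_700_000_000_000  # arbitrary epoch start; WAF logs use milliseconds
    records = []

    def add(ip, uri, offset_ms):
        records.append({"timestamp": base_ms + offset_ms, "action": "ALLOW",
                        "httpRequest": {"clientIp": ip, "country": "US",
                                        "uri": uri, "httpMethod": "POST"}})

    for i in range(120):            # credential stuffing: 120 POSTs to /login in 60 s
        add("198.51.100.7", "/login", i * 500)
    for i in range(40):             # busy but legitimate user: 40 logins over 10 min
        add("203.0.113.5", "/login", i * 15_000)
    for i in range(500):            # integration partner polling /api/sync: 500 in 5 min
        add("192.0.2.10", "/api/sync", i * 600)
    return records


def peak_rate_per_ip(records, window_s=300, uri_prefix=None):
    """Highest number of requests any single IP made within any rolling
    window of window_s seconds. uri_prefix plays the role of a scope-down
    statement: requests outside it are not counted at all."""
    times = defaultdict(list)
    for r in records:
        req = r["httpRequest"]
        if uri_prefix and not req["uri"].startswith(uri_prefix):
            continue
        times[req["clientIp"]].append(r["timestamp"] / 1000.0)
    peaks = {}
    for ip, stamps in times.items():
        window, peak = deque(), 0
        for t in sorted(stamps):
            window.append(t)
            while window[0] <= t - window_s:   # drop requests older than the window
                window.popleft()
            peak = max(peak, len(window))
        peaks[ip] = peak
    return peaks


def offending_ips(records, limit, window_s=300, uri_prefix=None):
    """IPs (with their peak count) that a rate-based rule with this limit
    would act on: WAF applies the action while the rate exceeds the limit."""
    return {ip: p for ip, p in peak_rate_per_ip(records, window_s, uri_prefix).items()
            if p > limit}


def rate_rule(name, limit, priority, uri_prefix=None, action="Count", window_s=300):
    """AWS WAF rule JSON (the shape used by the console's JSON rule editor and
    the wafv2 API). Start with action="Count"; switch to "Block" once the
    limit has been validated against production logs."""
    statement = {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP",
                                        "EvaluationWindowSec": window_s}}
    if uri_prefix:
        statement["RateBasedStatement"]["ScopeDownStatement"] = {
            "ByteMatchStatement": {
                # boto3 expects SearchString as bytes; the console JSON editor takes a string
                "SearchString": uri_prefix,
                "FieldToMatch": {"UriPath": {}},
                "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
                "PositionalConstraint": "STARTS_WITH",
            }
        }
    return {"Name": name, "Priority": priority, "Statement": statement,
            "Action": {action: {}},
            "VisibilityConfig": {"SampledRequestsEnabled": True,
                                 "CloudWatchMetricsEnabled": True,
                                 "MetricName": name}}


if __name__ == "__main__":
    logs = construct_logs()
    print("peak per IP, all paths:", peak_rate_per_ip(logs))
    print("limit 100 on /login only:", offending_ips(logs, 100, uri_prefix="/login"))
    print("limit 100 without scope-down:", offending_ips(logs, 100))
    print(json.dumps(rate_rule("login-rate-limit", 100, 10, uri_prefix="/login"), indent=2))
```

The point of the two calls to offending_ips is the scope-down: with the count limited to /login, a limit of 100 catches only the credential-stuffing source and leaves the legitimate user (peak of 20) alone, whereas the same limit applied to all paths would also throttle the integration partner that legitimately polls /api/sync 500 times in five minutes. The same replay can be rerun with a different window_s if the rule's EvaluationWindowSec is changed from the 300-second default.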
Regular testing of application security
It is good practice to schedule regular penetration testing of the application secured with AWS WAF. It ensures that the application traffic is analyzed regularly and that the latest threats are addressed, and it gives feedback on the current security measures and their effectiveness against future attacks. After the initial implementation of WAF rules there is normally scope for tuning to mitigate false positives and false negatives. False positives are legitimate requests that the WAF wrongly treated as attacks and blocked; they are usually handled by narrowing the specific rule that fired (a scope-down statement or a rule action override to Count for the affected path) rather than by disabling a whole managed rule group. False negatives are attacks that the WAF rules did not catch and require new or updated rules.
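The following is an added example (not code from the original article, AWS or LTIMindtree) that covers the web ACL logging, post-deployment traffic analysis and false-positive tuning points above. It parses constructed web ACL log lines in the JSON shape AWS WAF delivers, summarizes which rule decided each request (resolving the individual rule inside a managed rule group, and surfacing rules that matched in Count mode), and lists blocked requests that came from a trusted integration range, which are the first false-positive candidates to review. The addresses, paths, rule names and the 10.20.0.0/16 trusted range are assumptions made for the illustration.

```python
"""Triage of AWS WAF web ACL logs: which rules are blocking or counting, and
which blocks hit requests from trusted integration ranges (likely false
positives). Added example; the log records are constructed with the field
names WAF emits but made-up values."""
import ipaddress
import json
from collections import Counter


def _rec(ts, action, rule_id, rule_type, ip, uri, args="", groups=None):
    """Build one constructed log record in the WAF log layout."""
    return {"timestamp": ts, "action": action, "terminatingRuleId": rule_id,
            "terminatingRuleType": rule_type, "ruleGroupList": groups or [],
            "httpRequest": {"clientIp": ip, "country": "-" if ip.startswith("10.") else "US",
                            "uri": uri, "args": args, "httpMethod": "GET"}}


def _group(group_id, terminating=None, counted=()):
    """ruleGroupList entry: the rule that blocked, plus rules that only counted."""
    return {"ruleGroupId": group_id,
            "terminatingRule": {"ruleId": terminating, "action": "BLOCK"} if terminating else None,
            "nonTerminatingMatchingRules": [{"ruleId": r, "action": "COUNT"} for r in counted]}


# One JSON object per line, as delivered to S3, CloudWatch Logs or Firehose (constructed).
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    _rec(1700000000100, "ALLOW", "Default_Action", "REGULAR", "203.0.113.5", "/home"),
    _rec(1700000000200, "BLOCK", "AWS-AWSManagedRulesSQLiRuleSet", "MANAGED_RULE_GROUP",
         "198.51.100.7", "/search", args="q=1'%20OR%201=1--",
         groups=[_group("AWS#AWSManagedRulesSQLiRuleSet", terminating="SQLi_QUERYARGUMENTS")]),
    _rec(1700000000300, "BLOCK", "AWS-AWSManagedRulesCommonRuleSet", "MANAGED_RULE_GROUP",
         "10.20.4.15", "/api/report/upload",
         groups=[_group("AWS#AWSManagedRulesCommonRuleSet", terminating="SizeRestrictions_BODY")]),
    _rec(1700000000400, "ALLOW", "Default_Action", "REGULAR", "203.0.113.9", "/comments",
         groups=[_group("AWS#AWSManagedRulesCommonRuleSet", counted=("CrossSiteScripting_BODY",))]),
    _rec(1700000000500, "BLOCK", "login-rate-limit", "RATE_BASED", "198.51.100.7", "/login"),
])


def parse_waf_log(text):
    """One JSON record per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def terminating_rule(record):
    """Name of the rule that decided the request. For a managed rule group the
    log names the group in terminatingRuleId and the specific rule only under
    ruleGroupList, so the result is qualified as group:rule."""
    for group in record.get("ruleGroupList", []):
        rule = group.get("terminatingRule")
        if rule:
            return f'{group["ruleGroupId"]}:{rule["ruleId"]}'
    return record["terminatingRuleId"]


def rule_action_summary(records):
    """Counter of (action, rule). Rules that matched in Count mode are included
    as COUNT so that what a rule would block is visible before it is switched
    to Block."""
    summary = Counter()
    for r in records:
        summary[(r["action"], terminating_rule(r))] += 1
        for group in r.get("ruleGroupList", []):
            for m in group.get("nonTerminatingMatchingRules", []):
                summary[(m["action"], f'{group["ruleGroupId"]}:{m["ruleId"]}')] += 1
    return summary


def blocked_from_trusted(records, trusted_cidrs):
    """Blocked requests whose source lies inside a trusted range (here the
    hypothetical integration network 10.20.0.0/16): prime false-positive
    candidates to review before tuning, e.g. with a scope-down statement or a
    rule action override to Count for that path."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for r in records:
        if r["action"] != "BLOCK":
            continue
        req = r["httpRequest"]
        if any(ipaddress.ip_address(req["clientIp"]) in n for n in nets):
            hits.append((req["clientIp"], req["uri"], terminating_rule(r)))
    return hits


if __name__ == "__main__":
    recs = parse_waf_log(SAMPLE_LOG)
    for (action, rule), n in sorted(rule_action_summary(recs).items()):
        print(f"{action:6} {n:4}  {rule}")
    print("blocked from trusted ranges:", blocked_from_trusted(recs, ["10.20.0.0/16"]))
```

Against real logs the same two functions are the first thing to run after a rule change: the summary shows whether a managed rule that was left in Count mode is hitting legitimate paths, and the trusted-range report surfaces blocks such as the SizeRestrictions_BODY hit on an internal upload endpoint, which is the kind of match that should be tuned with a scope-down rather than by switching the rule group off.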
Keep web ACL rules updated
It is important to keep the web ACL rules updated to defend against recently identified threats. Prefer managed rule groups over custom rules wherever they fit, as managed rule groups are maintained by AWS or by AWS Marketplace partners as the threat landscape evolves; note that the default version of a managed rule group updates automatically, whereas a pinned version has to be moved forward deliberately. It is equally important to review and regularly update any custom, application-specific rules. AWS Lambda, Kinesis and Amazon EventBridge can be used to automate changes to custom rules and IP sets based on specific conditions, such as adding a source address to a block list when it trips a detection.
Use AWS WAF with AWS Shield
AWS WAF helps to mitigate layer 7 DDoS attacks such as HTTP floods, and it is strengthened by AWS Shield. Shield Standard is enabled automatically and at no charge and protects against the common layer 3 and layer 4 (network and transport layer) attacks. Shield Advanced additionally baselines the traffic to the protected application so that HTTP floods and DNS query floods can be detected and mitigated, and gives access to the AWS Shield Response Team and DDoS cost protection. Using AWS WAF together with Shield Advanced also reduces the bill: for resources protected by Shield Advanced there are no additional charges for AWS WAF and AWS Firewall Manager usage.
Using AWS WAF with CloudFront geo-restriction
AWS WAF integrates well with Amazon CloudFront and adds security to web applications delivered through it. The CloudFront geo restriction feature, also known as geo-blocking, prevents users in specific geographic locations from accessing content distributed through a CloudFront web distribution. If web requests from specific countries must be blocked and other requests filtered on further criteria, CloudFront geo restriction can be used in conjunction with AWS WAF (AWS WAF also offers its own geographic match statement, which can be combined with other conditions inside a single rule). CloudFront returns the same HTTP status code to viewers, HTTP 403 (Forbidden), whether they try to access the content from a country on the geo restriction deny list or the request is blocked by AWS WAF, so the web ACL logs rather than the client response are what tell the two cases apart.
Our Experience
Securing the HR compensation portal
One of the critical security components of the infrastructure implemented by LTIMindtree was AWS WAF, which works along with CloudFront to protect the Executive Compensation portal (ECS). This portal is heavily used for the compensation details of employees and contains sensitive employee information, which has to be protected while also being available on demand to other external systems such as SAP, Workday and the HR/employee portals. AWS WAF is configured mostly with AWS managed rules to mitigate threats like SQL injection, cross-site scripting and DDoS attacks. Since it is an internal application, the rules allow-list the known portal and integration points by IP address range. In addition, rate-based rules count the expected volume of traffic for any given period and block requests beyond a specific threshold; this threshold is being optimized based on the number of integrations with the portal.
Defense in depth for HR hub portal
The HR hub portal provides a unified platform that serves diverse types of data to external applications and consumes data from them. This portal uses AWS WAF along with AWS Shield to protect the web application (API Gateway and AppSync APIs) from common security vulnerabilities. Managed rule groups such as the Amazon IP reputation list and the Core rule set (CRS) protect against exploitation of a wide range of risks and vulnerabilities described in OWASP publications. Rate-based rules are also used to limit the number of requests that can be received from these external systems within a five-minute window. AWS Shield, along with AWS WAF, provides defense in depth against DDoS attacks, which could hamper the normal functioning of this critical data portal.
LTIMindtree’s Service Offering for WAF
1. Consulting
Our consulting service offering focuses on application assessment using the LTIMindtree Infinity platform and domain-led app transformation to build the right disposition strategy, cloud migration roadmap and target cloud architecture using secured architecture patterns, which include services like AWS WAF, AWS Shield and Amazon CloudFront. We have the expertise in designing secure web applications for our clients using the automation, customized rules and best practices of AWS WAF, which protect your workloads against common attacks and vulnerabilities.
2. Modern web application development and support
LTIMindtree has deep expertise in transforming customer-facing web applications and re-platforming legacy integration platforms into cloud-native or serverless PaaS-based architectures. The application modernization journey to AWS serverless PaaS is accelerated by 25-30% with LTIMindtree's reusable Lambda layers, best practices based on the AWS Well-Architected Framework, observability solution and the Infinity DevOps platform for end-to-end continuous integration and delivery. As security lies at the core of our web applications, AWS WAF, along with AWS Shield, not only provides a cost-effective firewall but also improves the visibility of web traffic in your applications. The modern development approach not only enables fast response and flexibility, but also gives you control over application access behavior.
3. Low code development for simple and medium complexity web applications
The low code development offering covers modern application development using AWS Amplify and LTIMindtree Infinity Studio. AWS WAF provides automated, pre-built web application firewall rules, which enable effective security for your web application without writing any rules and complement the low code development approach for your web applications.
Conclusion
Businesses today are investing heavily in cloud security and controls to protect their data and infrastructure, and AWS WAF helps them to guard quickly against the common attack vectors and vulnerabilities that come with exposing applications on public cloud infrastructure such as AWS. AWS WAF not only serves as an additional layer of security but can also be readily integrated with existing security automation controls. WAF is not just a reactive security measure either: when its rules are managed through the existing CI/CD pipelines it also serves as a proactive control. Security should be a core feature of your infrastructure and applications, something that is continually improved and updated to fit the needs of the organization.