Amazon VGT2 Las Vegas: Implementing Multi-Layered Security with AWS Managed Rules for AWS WAF (Part 1)

In this article, I will delve into the recent advancements in AWS WAF that facilitate the management of a multi-layered security policy for web applications. These enhancements are designed to streamline the deployment and maintenance of web application firewall configurations across various deployment stages and application types.

This discussion is divided into two parts. The first part focuses on AWS Managed Rules for AWS WAF and their role in enhancing security. The second part will elaborate on the application of these AWS Managed Rules.

AWS Managed Rules for AWS WAF is a service that offers groups of rules developed by Amazon Web Services (AWS) or its technology partners. By utilizing AWS Managed Rules, you can significantly reduce the administrative burden associated with configuring AWS WAF rules. However, it remains essential to maintain a thorough strategy for web application policy enforcement to maximize the effectiveness of AWS Managed Rules within your applications.

Employing a layered enforcement strategy enables you to tailor policies to specific parts of your applications. This approach eliminates the need to manage cumbersome, monolithic AWS WAF configurations for each application. By separating policies for the edge network and the application layer, you can replicate specific policies across larger workloads in a modular fashion. This agility enhances your application security, allowing you to protect public-facing web applications without the need to create new rules or include irrelevant ones.

The administrative workload related to policy enforcement is further diminished when employing AWS Firewall Manager, which enforces policies across multiple accounts. This ensures robust policy enforcement across various accounts, enhancing visibility at the application layer.

The updated JSON document-style configuration for AWS WAF allows for a more traditional code review process. You can now effectively manage AWS WAF configurations across multiple layers of your web applications. Additionally, this advancement has empowered partners to create dynamic and robust rules that can be implemented on AWS WAF, assisting customers in managing their web application security policies.

AWS WAF Enhancements

AWS WAF utilizes web ACL capacity units (WCU) to determine and manage the resources required to operate your rules, rule groups, and web ACLs.

The introduction of a JSON key-value pair document-based configuration makes it easier for organizations to integrate AWS WAF into their development practices. As previously mentioned, this document-style configuration eliminates the necessity for multiple API calls to create objects in the correct sequence before deploying a web ACL to protect your applications.

This method allows for firewall changes to be implemented alongside standard development and operational best practices, effectively adopting infrastructure as code. This approach facilitates version control and code reviews prior to deploying updates in your production environment.

Overview of the Solution

The diagram below illustrates the various layers and functions of a defense-in-depth solution, with subsequent text detailing each layer.

Edge Network Layer Policy Enforcement

The edge network serves as the initial layer of policy enforcement, suitable for broad security measures. This is where rules such as the AWS Managed Rules Core rule set (CRS), geo-location blocks, IP reputational lists, anonymous IP lists, and basic rate limits should be implemented. By limiting known malicious traffic at the edge, the CRS minimizes the exposure of the application layer to harmful IP ranges, malicious requests, bad bots, and traffic floods. This broad protection for the inner application layer can be applied universally, regardless of the specific web application involved.

Combining Amazon CloudFront with AWS Shield’s DDoS mitigation capabilities enhances your outer layer of web application security enforcement. A common misconception is that CloudFront serves solely as a content delivery service; however, it also provides robust transparent reverse proxy capabilities. This helps safeguard your environment from various web application risks, ensuring that HTTP requests adhere to standards on the outer layer while delivering content closer to users.

Application Layer Policy Enforcement

The next enforcement level should involve an application load balancer located in a public subnet, equipped with an additional web ACL at the CloudFront origin. This layer is where you can create a regional web ACL for the CloudFront origin and apply application-specific rules. For instance, if your web application is built on a LAMP stack, it would be prudent to utilize AWS Managed Rules for SQL Injection, Linux, and PHP at this enforcement layer.

Note: IP-based enforcement is ineffective at this stage. Consider implementing an origin custom header on the CloudFront distribution, using this custom header to establish a BLOCK rule within the web ACL. This rule should be the first in your web ACL list to deny any request missing the origin custom header. This requirement must be created manually and will not be configured by the provided templates.
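The origin-header BLOCK rule described in the note, written out as an added CloudFormation example (not one of the templates the article provides). The header name `x-origin-verify`, the `OriginVerifySecret` parameter and the resource names are assumptions; the same secret is set as an origin custom header on the CloudFront distribution.

```yaml
# Added example: regional web ACL whose first rule blocks requests lacking the CloudFront origin header.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  OriginVerifySecret:
    Type: String
    NoEcho: true            # keep the shared secret out of console and describe-stacks output
    MinLength: 32
Resources:
  ApplicationLayerWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: application-layer-origin-guard
      Scope: REGIONAL        # associated with the application load balancer at the origin
      DefaultAction:
        Allow: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: ApplicationLayerWebAcl
      Rules:
        # Priority 0 so it is evaluated before any AWS Managed Rules groups added later.
        - Name: BlockMissingOriginHeader
          Priority: 0
          Action:
            Block: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: BlockMissingOriginHeader
          Statement:
            # NOT (x-origin-verify == secret): a missing header and a wrong value
            # both fail the inner match, so both are blocked.
            NotStatement:
              Statement:
                ByteMatchStatement:
                  FieldToMatch:
                    SingleHeader:
                      Name: x-origin-verify
                  PositionalConstraint: EXACTLY
                  SearchString: !Ref OriginVerifySecret
                  TextTransformations:
                    - Priority: 0
                      Type: NONE
# On the CloudFront distribution (edge stack in us-east-1) the origin sends the same value:
#   Origins:
#     - Id: application-load-balancer
#       DomainName: <ALB DNS name>
#       OriginCustomHeaders:
#         - HeaderName: x-origin-verify
#           HeaderValue: !Ref OriginVerifySecret
```

Because the value is shared by both stacks, rotate it by updating the parameter on the edge stack and this one together, and watch the `BlockMissingOriginHeader` metric for a spike that would indicate the two have drifted apart.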

(Optional) Third-Party Web Application Firewall Layer Policy Enforcement

AWS WAF applies policies to inbound requests but lacks capabilities for outbound inspection. If your security needs extend to outbound responses, consider utilizing Amazon Machine Image (AMI)-based web application firewalls available through the AWS Marketplace.

This instance-based firewall is particularly useful because it can handle the computational load that AWS WAF’s enforcement layers manage. The third-party layer is where you can enforce policies that necessitate requests to be stateful, providing access to features like enhanced visibility, threat intelligence, and robust firewall rules, thereby adding another layer of security to your environment.

(Optional) Private Layer Policy Enforcement

In a traditional three-tier web architecture, an additional enforcement layer may be applied to the private layer, which can be utilized for web front ends. At this stage, deploying an application load balancer in a private subnet for your web front ends can be beneficial. This load balancer can manage any computationally intensive regex-based rules that you prefer not to enforce on the instance-based WAF. It also enhances visibility before requests reach the web front ends themselves.

For further insights on similar topics, consider reading this blog post and for authoritative information, check out this resource. Moreover, if you’re interested in understanding the pitfalls that Amazon works to avoid, you might find this resource invaluable.

Conclusion

The AWS CloudFormation templates provided can be deployed modularly. For instance, if the application load balancer is situated in the us-east-1 region, you can deploy a single template named Amazon-CloudFront-Application-Load-Balancer-AMR.yml. If the application load balancer is in a different region, utilize the Amazon-CloudFront-EdgeLayer-AMR.yml template to set up the stack in us-east-1 to support the web ACL on CloudFront, followed by deploying ApplicationLayer-Load-Balancer-AMR.yml in the region where the original application load balancer was deployed for its web ACL.

All CloudFormation templates are readily available on the GitHub project page, and a summary of each can be found in the main readme.md file.
