As more web applications move to the cloud, attacks on those environments are rising with them. Knowing how to protect yourself and choosing the right kind of web application firewall (WAF) is critical. In an AWS environment, the usual answer is to combine AWS WAF with AWS Shield.
A web application firewall (WAF) inspects and filters the HTTP(S) requests sent to the applications it fronts. That lets it block common web application attacks such as cross-site scripting (XSS), SQL injection and file inclusion, and catch requests that probe for common security misconfigurations (exposed admin paths, debug endpoints and the like).
If you already use a WAF and want to strengthen your web app security in AWS, the natural complement to AWS WAF is AWS Shield, which adds protection against distributed denial-of-service (DDoS) attacks.
This article describes the ins and outs of proper web app security and how to achieve this with the help of AWS WAF and AWS Shield.
The Benefits of AWS WAF
Flexibility, meaning the ability to respond quickly to new threats, is key to defending against web attacks. AWS WAF lets you create and update rules on demand, even in the middle of a security incident; a change to a web ACL propagates to all of the resources it protects within about a minute.
AWS WAF offers managed rule groups, both the AWS Managed Rules maintained by AWS and hundreds sold by AWS Marketplace sellers, that can be added to a web ACL in a few clicks. They cover the OWASP Top 10 risk categories, popular content management systems, known CVEs and more, and they inspect any part of the request (source IP address, HTTP headers, body, URI path, query string) without adding noticeable latency. Your own rules can match on the same request components to catch attack vectors such as SQL injection and XSS. Managed rule groups are updated by their vendors automatically, but they are not maintenance-free: you still have to review what they match on your traffic and add scope-down statements, exclusions or count-mode overrides so that legitimate users are not blocked.
AWS WAF also gives near-real-time visibility into the HTTP(S) traffic it inspects. Metrics for every web ACL and rule are published to Amazon CloudWatch, where you can build dashboards and alarms, and full request logging can be enabled per web ACL, producing one record per inspected request (client IP, country, URI, headers, the rule that terminated evaluation and the action taken) delivered to Amazon CloudWatch Logs, Amazon S3 or Amazon Kinesis Data Firehose for later investigation and audit. Note that AWS WAF only sees traffic that reaches it through a supported resource (Amazon CloudFront, an Application Load Balancer, Amazon API Gateway, AWS AppSync and similar), not all inbound network traffic to your account.
Moreover, the service scales with your traffic. Integration with AWS Firewall Manager lets you define security rules centrally and apply the appropriate ones across all your web applications and accounts. There is nothing to install: AWS WAF is configured entirely through the console, API or infrastructure-as-code tooling, and there are no minimum fees; you pay only for the web ACLs, rules and requests you actually use.
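The following is an added example (not code from AWS or from this article) that shows what a web ACL built from the pieces described above looks like: two custom rules evaluated first, then two AWS Managed Rules groups, with one noisy managed rule overridden to COUNT so it can be watched before it blocks anything. The dict has the shape that boto3's `wafv2.create_web_acl()` expects; the web ACL name, the IP set ARN and the paths are placeholders, and the `validate()` checks are this example's own pre-deploy sanity checks, not an AWS API.

```python
"""Build and sanity-check an AWS WAF (wafv2) web ACL definition.

Added example, not AWS code. SearchString is passed as bytes, which is what
boto3 expects; the CLI --cli-input-json form wants it base64-encoded instead.
"""
from __future__ import annotations
from typing import Any


def _visibility(metric: str) -> dict[str, Any]:
    # Every web ACL and rule needs a VisibilityConfig; MetricName is what
    # appears in CloudWatch and in the terminatingRuleId of log records.
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric}


def _uri_starts_with(prefix: bytes) -> dict[str, Any]:
    return {"ByteMatchStatement": {
        "FieldToMatch": {"UriPath": {}},
        "PositionalConstraint": "STARTS_WITH",
        "SearchString": prefix,
        "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}]}}


def managed_group(priority: int, group: str, count_only: tuple[str, ...] = ()) -> dict[str, Any]:
    """Reference an AWS Managed Rules group; rules named in count_only are
    overridden to COUNT so they can be observed before they start blocking."""
    stmt: dict[str, Any] = {"VendorName": "AWS", "Name": group}
    if count_only:
        stmt["RuleActionOverrides"] = [
            {"Name": r, "ActionToUse": {"Count": {}}} for r in count_only]
    return {"Name": group, "Priority": priority,
            "Statement": {"ManagedRuleGroupStatement": stmt},
            "OverrideAction": {"None": {}},           # keep the group's own actions
            "VisibilityConfig": _visibility(group)}


def rate_limit_path(priority: int, path: bytes, limit: int) -> dict[str, Any]:
    """Block an IP that sends more than `limit` requests to `path` within the
    rate-based rule's evaluation window (a cheap brake on credential stuffing)."""
    name = "rate-limit-" + path.strip(b"/").decode()
    return {"Name": name, "Priority": priority,
            "Statement": {"RateBasedStatement": {
                "Limit": limit, "AggregateKeyType": "IP",
                "ScopeDownStatement": _uri_starts_with(path)}},
            "Action": {"Block": {}}, "VisibilityConfig": _visibility(name)}


def restrict_path_to_ip_set(priority: int, path: bytes, ip_set_arn: str) -> dict[str, Any]:
    """Block requests to `path` unless the client IP is in the referenced IP set."""
    name = "restrict-" + path.strip(b"/").decode()
    return {"Name": name, "Priority": priority,
            "Statement": {"AndStatement": {"Statements": [
                _uri_starts_with(path),
                {"NotStatement": {"Statement": {
                    "IPSetReferenceStatement": {"ARN": ip_set_arn}}}}]}},
            "Action": {"Block": {}}, "VisibilityConfig": _visibility(name)}


def build_web_acl(name: str, admin_ip_set_arn: str) -> dict[str, Any]:
    # Lower priority numbers run first and the first allow/block match wins,
    # so the cheap custom rules go ahead of the managed groups.
    return {"Name": name, "Scope": "REGIONAL",        # "CLOUDFRONT" for distributions
            "DefaultAction": {"Allow": {}},
            "Rules": [
                restrict_path_to_ip_set(0, b"/admin", admin_ip_set_arn),
                rate_limit_path(1, b"/login", 300),
                managed_group(2, "AWSManagedRulesCommonRuleSet",
                              count_only=("SizeRestrictions_BODY",)),
                managed_group(3, "AWSManagedRulesSQLiRuleSet")],
            "VisibilityConfig": _visibility(name)}


def validate(web_acl: dict[str, Any]) -> list[str]:
    """Catch mistakes before the API call: duplicate priorities, a managed
    group carrying Action instead of OverrideAction (and vice versa), a
    non-positive rate limit, a missing metric name. Returns the problems found."""
    problems: list[str] = []
    seen: set[int] = set()
    for rule in web_acl["Rules"]:
        if rule["Priority"] in seen:
            problems.append(f"{rule['Name']}: duplicate priority {rule['Priority']}")
        seen.add(rule["Priority"])
        managed = "ManagedRuleGroupStatement" in rule["Statement"]
        has_action, has_override = "Action" in rule, "OverrideAction" in rule
        if managed and (has_action or not has_override):
            problems.append(f"{rule['Name']}: managed groups take OverrideAction, not Action")
        if not managed and (has_override or not has_action):
            problems.append(f"{rule['Name']}: custom rules take Action, not OverrideAction")
        rate = rule["Statement"].get("RateBasedStatement")
        if rate and rate["Limit"] <= 0:
            problems.append(f"{rule['Name']}: rate limit must be positive")
        if not rule["VisibilityConfig"].get("MetricName"):
            problems.append(f"{rule['Name']}: missing MetricName")
    return problems


if __name__ == "__main__":
    import boto3  # only needed to deploy; placeholder ARN and account below
    acl = build_web_acl("demo-web-acl",
                        "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/admin-ips/00000000-0000-0000-0000-000000000000")
    assert not validate(acl), validate(acl)
    summary = boto3.client("wafv2", region_name="us-east-1").create_web_acl(**acl)["Summary"]
    print("created", summary["ARN"])
```

After `create_web_acl`, the web ACL still has to be attached to a resource with `associate_web_acl(WebACLArn=..., ResourceArn=...)`; leaving `SizeRestrictions_BODY` in COUNT for a week and reading the resulting log records is the usual way to decide whether it can safely be switched to BLOCK.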
Following is a summary of the AWS WAF operation process and workflow:
- Creation and deployment of the rules: Creating your own customized set of rules (via the visual rule builder) or using the rules already available and maintained in the AWS Marketplace. The next step is to deploy them in AWS WAF.
- Blocking and filtering: each request is allowed, blocked or merely counted according to the deployed rules (for example, blocking specific IP addresses, rate-limiting a login path, or dropping requests that match an injection signature), which also takes the edge off application-layer floods.
- Monitoring: using Amazon CloudWatch metrics and the web ACL's request logs to see what each rule is matching, and correcting and fine-tuning the rules as needed.
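The monitoring step above is where rule tuning actually happens, so here is an added example (not code from AWS or from this article) of the analysis a practitioner runs over the web ACL's request logs: which rules are blocking, which client IPs are being blocked, and which count-mode rules have matched often enough to deserve a look before they are promoted to BLOCK. The log records are constructed to follow the AWS WAF JSON log layout (one object per request) and are not real traffic; the web ACL ARN and IP addresses are placeholders.

```python
"""Summarise AWS WAF request logs for rule tuning.

Added example, not AWS code. In practice the lines come from the S3 bucket,
CloudWatch Logs group or Kinesis Data Firehose stream the web ACL logs to.
"""
from __future__ import annotations
import json
from collections import Counter
from typing import Any

COMMON = "AWS#AWSManagedRulesCommonRuleSet"
SQLI = "AWS#AWSManagedRulesSQLiRuleSet"


def _group(group_id: str, terminating: dict | None = None, counted: tuple[str, ...] = ()) -> dict[str, Any]:
    # One entry of ruleGroupList: which rule (if any) in the group terminated
    # evaluation, and which rules matched but only counted.
    return {"ruleGroupId": group_id, "terminatingRule": terminating,
            "nonTerminatingMatchingRules": [{"ruleId": r, "action": "COUNT"} for r in counted]}


def _rec(action: str, rule_id: str, rule_type: str, ip: str, uri: str,
         groups: list | None = None, rate: list | None = None) -> dict[str, Any]:
    """Constructed WAF log record carrying the fields this analysis reads."""
    return {"timestamp": 1700000000000, "formatVersion": 1,
            "webaclId": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/demo/1",
            "terminatingRuleId": rule_id, "terminatingRuleType": rule_type,
            "action": action, "ruleGroupList": groups or [],
            "rateBasedRuleList": rate or [], "nonTerminatingMatchingRules": [],
            "httpRequest": {"clientIp": ip, "country": "DE", "uri": uri, "httpMethod": "POST",
                            "headers": [{"name": "Host", "value": "app.example.com"}]}}


SQLI_HIT = {"ruleId": "SQLi_QUERYARGUMENTS", "action": "BLOCK"}
SAMPLE_LOG_LINES = [json.dumps(r) for r in [
    # Two legitimate uploads that trip SizeRestrictions_BODY while it is in COUNT.
    _rec("ALLOW", "Default_Action", "REGULAR", "192.0.2.10", "/upload",
         groups=[_group(COMMON, counted=("SizeRestrictions_BODY",)), _group(SQLI)]),
    _rec("ALLOW", "Default_Action", "REGULAR", "192.0.2.11", "/upload",
         groups=[_group(COMMON, counted=("SizeRestrictions_BODY",)), _group(SQLI)]),
    # Two SQL injection probes from one address, blocked inside the managed group.
    _rec("BLOCK", "AWSManagedRulesSQLiRuleSet", "MANAGED_RULE_GROUP", "198.51.100.7", "/search",
         groups=[_group(COMMON), _group(SQLI, terminating=SQLI_HIT)]),
    _rec("BLOCK", "AWSManagedRulesSQLiRuleSet", "MANAGED_RULE_GROUP", "198.51.100.7", "/search",
         groups=[_group(COMMON), _group(SQLI, terminating=SQLI_HIT)]),
    # A login flood that tripped the custom rate-based rule.
    _rec("BLOCK", "rate-limit-login", "RATE_BASED", "203.0.113.5", "/login",
         rate=[{"rateBasedRuleId": "rate-limit-login", "limitKey": "IP", "maxRateAllowed": 300}]),
]]


def terminating_rule(rec: dict[str, Any]) -> str:
    """Name the rule that decided the request. For a managed group the top-level
    terminatingRuleId is only the group; the specific rule is in ruleGroupList."""
    if rec["terminatingRuleType"] == "MANAGED_RULE_GROUP":
        for grp in rec.get("ruleGroupList") or []:
            if grp.get("terminatingRule"):
                return f"{grp['ruleGroupId']}/{grp['terminatingRule']['ruleId']}"
    return rec["terminatingRuleId"]


def summarize(lines: list[str]) -> dict[str, Any]:
    blocked_by_rule: Counter = Counter()
    counted_by_rule: Counter = Counter()
    blocked_ips: Counter = Counter()
    for line in lines:
        rec = json.loads(line)
        if rec["action"] == "BLOCK":
            blocked_by_rule[terminating_rule(rec)] += 1
            blocked_ips[rec["httpRequest"]["clientIp"]] += 1
        # COUNT matches never stop evaluation, so they only show up in the
        # non-terminating lists, both inside groups and at the top level.
        for grp in rec.get("ruleGroupList") or []:
            for m in grp.get("nonTerminatingMatchingRules") or []:
                counted_by_rule[f"{grp['ruleGroupId']}/{m['ruleId']}"] += 1
        for m in rec.get("nonTerminatingMatchingRules") or []:
            counted_by_rule[m["ruleId"]] += 1
    return {"blocked_by_rule": dict(blocked_by_rule),
            "counted_by_rule": dict(counted_by_rule),
            "top_blocked_ips": blocked_ips.most_common(5)}


def tuning_candidates(summary: dict[str, Any], min_hits: int = 2) -> list[str]:
    """Count-mode rules that fired at least min_hits times. Inspect those
    requests before flipping the rule to BLOCK, or add a scope-down/exclusion."""
    return sorted(r for r, n in summary["counted_by_rule"].items() if n >= min_hits)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG_LINES)
    print(json.dumps(s, indent=2))
    print("review before blocking:", tuning_candidates(s))
```

On the constructed sample this reports two blocks by `SQLi_QUERYARGUMENTS` from 198.51.100.7, one rate-limit block, and flags `SizeRestrictions_BODY` as a rule that is matching legitimate uploads and needs a scope-down statement rather than promotion to BLOCK.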
DDoS Resilience Using AWS Shield
With DDoS attacks so widespread, it pays to be prepared. Every AWS customer already has AWS Shield Standard, which detects and mitigates common network- and transport-layer floods at the AWS network border. AWS WAF itself does not deploy network ACLs; that is a Shield capability, and with AWS Shield Advanced it extends to pushing the network ACLs you attach to protected EC2 resources out to the AWS network border while an attack is underway. For organizations that need more than the baseline, the complement to AWS WAF is AWS Shield Advanced, which provides ongoing automatic detection and mitigation tailored to your application architecture, keeping added latency and downtime to a minimum.
The solution offers two levels of protection: AWS Shield Standard and AWS Shield Advanced. The AWS Shield Standard tier protects web apps and websites against most DDoS attacks in the network and transport layers, covering the most widely known attacks on OSI layers 3 and 4. AWS Shield Standard is available to AWS customers at no extra charge. Amazon CloudFront and Amazon Route 53 customers can therefore benefit from comprehensive protection of these network layers without incurring additional costs.
The AWS Shield Advanced tier is a paid subscription for more demanding users and systems. It provides a broader scope of protection than the Standard tier and lets customers tailor that protection. Protection can be added to:
- Elastic Load Balancing (ELB) load balancers
- Amazon Elastic Compute Cloud (Amazon EC2) Elastic IP addresses
- Amazon CloudFront distributions
- Amazon Route 53 hosted zones
- AWS Global Accelerator standard accelerators
Note that AWS Shield Advanced does not protect resources automatically: you decide what to protect and add each resource (or protection group) explicitly, before an attack rather than during one. Detection and mitigation for a protected resource can then be tuned by associating it with:
- A customized AWS WAF web ACL (for application-layer resources such as CloudFront distributions and Application Load Balancers)
- A rate-based rule in that web ACL
- An Amazon CloudWatch alarm
- An Amazon Route 53 health check, for health-based detection
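Because Shield Advanced protection is opt-in, the practical first step is deciding which of your resource ARNs it will accept and then enrolling them with the API. The following is an added example (not code from AWS or from this article) of that step: it classifies ARNs against the protectable resource types listed above, creates a protection, attaches a Route 53 health check for health-based detection, and turns on the automatic application-layer response in Count mode first. All ARNs, names and IDs are placeholders, an active Shield Advanced subscription is assumed, and the ARN patterns are this example's own approximation of the documented ARN formats.

```python
"""Opt resources into AWS Shield Advanced and attach health-based detection.

Added example, not AWS code. The regexes approximate the documented ARN
formats of the protectable resource types; Network Load Balancers and EC2
instances are protected through their Elastic IP allocations, so their own
ARNs are rejected here on purpose.
"""
from __future__ import annotations
import re

PROTECTABLE_ARNS = [
    re.compile(r"^arn:aws:cloudfront::\d{12}:distribution/[A-Z0-9]+$"),
    re.compile(r"^arn:aws:route53:::hostedzone/[A-Z0-9]+$"),
    re.compile(r"^arn:aws:globalaccelerator::\d{12}:accelerator/[0-9a-f-]+$"),
    # Application (app/) and Classic load balancers; NLBs (net/) go via their EIPs.
    re.compile(r"^arn:aws:elasticloadbalancing:[a-z0-9-]+:\d{12}:loadbalancer/(?:app/)?[A-Za-z0-9-]+(?:/[0-9a-f]+)?$"),
    re.compile(r"^arn:aws:ec2:[a-z0-9-]+:\d{12}:eip-allocation/eipalloc-[0-9a-f]+$"),
]
# Automatic application-layer (layer 7) response is available for CloudFront
# distributions and Application Load Balancers, the resources a web ACL fronts.
APP_LAYER = re.compile(r"^arn:aws:(?:cloudfront::|elasticloadbalancing:[a-z0-9-]+:\d{12}:loadbalancer/app/)")


def is_protectable(arn: str) -> bool:
    return any(p.match(arn) for p in PROTECTABLE_ARNS)


def supports_auto_app_layer(arn: str) -> bool:
    return APP_LAYER.match(arn) is not None


def plan_protections(arns: list[str]) -> dict[str, list[str]]:
    """Split ARNs into those Shield Advanced will accept and those it will not
    (a Lambda function, an NLB that must be enrolled through its EIP, ...)."""
    plan: dict[str, list[str]] = {"protect": [], "skip": []}
    for arn in arns:
        plan["protect" if is_protectable(arn) else "skip"].append(arn)
    return plan


if __name__ == "__main__":
    import boto3
    # The Shield API is global and served from us-east-1.
    shield = boto3.client("shield", region_name="us-east-1")
    alb = "arn:aws:elasticloadbalancing:eu-west-1:123456789012:loadbalancer/app/web/0123456789abcdef"
    nlb = "arn:aws:elasticloadbalancing:eu-west-1:123456789012:loadbalancer/net/ingest/fedcba9876543210"
    health_check = "arn:aws:route53:::healthcheck/11111111-2222-3333-4444-555555555555"
    plan = plan_protections([alb, nlb])
    print("needs an EIP-based protection instead:", plan["skip"])
    for arn in plan["protect"]:
        pid = shield.create_protection(Name="web-alb", ResourceArn=arn)["ProtectionId"]
        # Health-based detection: Shield weighs the health check state when
        # deciding whether a traffic anomaly is really an attack.
        shield.associate_health_check(ProtectionId=pid, HealthCheckArn=health_check)
        if supports_auto_app_layer(arn):
            # Requires a web ACL already associated with the resource. Start in
            # Count so the automatic layer-7 response is visible before it blocks.
            shield.enable_application_layer_automatic_response(
                ResourceArn=arn, Action={"Count": {}})
        print("protected", arn, "as", pid)
```

Once the count-mode matches in the WAF logs look right, the same call with `Action={"Block": {}}` switches the automatic response to blocking.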
AWS Shield Advanced customers can also call on the Shield Response Team (SRT, formerly the DDoS Response Team, DRT) around the clock. This is particularly helpful while a DDoS attack is actually underway.
Another difference between AWS Shield Advanced and the Standard tier is that detection and mitigation also cover layer 7 of the OSI model (the application layer), where the attack traffic looks like ordinary HTTP requests.
For resources protected by AWS Shield Advanced, AWS WAF usage is included in the Shield Advanced subscription, so there is no separate AWS WAF charge for those resources.
AWS WAF combined with AWS Shield serve as a comprehensive solution for improving application security in the AWS environment. With cyberattacks—particularly DDoS attacks—only expected to increase, efficient and quick detection and response are crucial.
Part of the appeal of these two AWS services is the low barrier to entry: AWS Shield Standard is included for every AWS customer, AWS WAF is billed only for what you use, and AWS Shield Advanced is a paid subscription that covers the AWS WAF cost of its protected resources. Both products are highly scalable, allowing you to grow your system without compromising on security.
Deploying AWS WAF and AWS Shield to your AWS environment is easy and will help you stay on top of your ever-increasing business security requirements.