AWS WAF for Risk Mitigation
According to research published by Purplesec in 2018, on average 80,000 cyber attacks are initiated per day, or over 30 million attacks per year. When managing a publicly facing application or API, in any environment, it is not a matter of IF, but WHEN the next cyber attack attempt will occur.
In every layer of infrastructure tied to an application, there are numerous architectural aspects to be considered when creating meaningful controls to mitigate attacks from any known or unknown vectors. These types of controls should be implemented and tested continuously, ideally before production release and before exposing the workload to the world.
AWS Web Application Firewall (WAF) focuses on web-based threats and mitigates attacks against vulnerabilities at the application layer (OSI layer 7), thereby protecting the application or its APIs.
AWS Web Application Firewall should not be confused with AWS Network Firewall, which is focused on traffic between networks and is designed to permit or deny network access at layers 3/4 of the OSI model.
This article will highlight in detail AWS WAF key benefits, best practices and features to consider in order to further enhance an application’s security on AWS.
WAF Key Benefits:
1. API Support - Agile Protection Against Web Attacks
AWS WAF can be completely managed via APIs. This provides organizations with the ability to create and maintain rules and ACLs programmatically and incorporate them into the development and design process. This capability allows developers to incorporate security into their infrastructure or application lifecycle process and centrally manage the configuration while avoiding complex, manual handoffs to other teams.
API-managed capabilities also mean that AWS WAF can be deployed and managed by a variety of Infrastructure as Code (IaC) tools, such as HashiCorp Terraform and AWS CloudFormation, which help to configure and deploy WAF components consistently and reliably.
2. Significant ROI for Highly-Available Service
While there are other third party WAF solutions that provide similar capabilities to AWS WAF, none of them offer the same extensive API support or seamless synergy with other AWS native services (for example, AWS Kinesis and CloudWatch for detailed monitoring and logging).
Moreover, the AWS WAF cost benefits compared to other products are clear. For example, as highlighted in the screenshot below, a single m5.xlarge node license of a well-known third party WAF product could cost $14,000 a year. In order to support high-availability for an application, and prevent the WAF from being a single point of failure, it is recommended to have at least three nodes spread across multiple availability zones. Thus, the licensing fees could easily skyrocket and multiply for each additional node/license.
On the other hand, AWS WAF is a cloud native solution designed to be highly available. In addition, the pricing model is on-demand: the cost is based on the number of requests to the application endpoint plus a charge for each rule associated with the designated WAF ACL.
A quick calculation shows a significant ROI from using AWS WAF, without committing to any contract or licensing and, most importantly, without managing the compute layer.
3. Address Required Regulatory Controls
Third-party auditors assess the security and compliance of AWS WAF as part of multiple AWS compliance programs, including but not limited to SOC, PCI, FedRAMP and HIPAA. AWS WAF holds all accreditations for the highest regulatory standard requirements (e.g. FedRAMP High). Therefore, adopting a WAF solution helps meet specific regulatory control requirements.
One such example is PCI-DSS 6.6, a control which deals with the security of web applications. Using AWS WAF helps meet this requirement by adding a layer that filters out and mitigates common web-based threats for publicly facing applications/APIs intended to process credit card data.
Best Practices & Guidelines:
1. Leverage AWS Native Capabilities Integrated with WAF
AWS consistently releases meaningful enhancements to the AWS WAF service intended to help organizations address specific operational challenges and use-cases.
Below are a few significant features:
AWS Managed Rules for WAF provide protection against common vulnerabilities without having to write your own rules. This feature is especially appealing to developers without a security background, because it lets them close common holes quickly without authoring rules themselves. Third-party managed rules are also available from the AWS Marketplace.
AWS Firewall Manager is a service designed to simplify the management of WAF rules and VPC security groups deployed across the accounts of a single AWS Organization. Firewall Manager enables teams to set predefined rules to ensure compliance and enforce mandatory security policies across AWS accounts. For example, deploying the same WAF Managed Rules to similar workloads across accounts reduces operational overhead. Firewall Manager integrates with AWS WAF to provide an easy way to deploy pre-configured rules for applications.
WAF Automation v2 is a solution which uses AWS CloudFormation to automatically deploy a set of WAF rules that filter common web-based attacks, including those in the OWASP Top 10 Security Risks. It has many configuration parameters and is designed to protect applications hosted behind Amazon CloudFront or an Application Load Balancer. Using WAF Automation, users select from a set of preconfigured protective features that define the rules included in an AWS WAF web access control list (web ACL).
Stream WAF logs to a centralized Amazon Elasticsearch Service domain or SIEM via a Kinesis Data Firehose delivery stream to assess ACL effectiveness and visualize traffic. The WAF service integrates directly with Amazon Kinesis Data Firehose to store and analyze logs in near real time. AWS recently enhanced Kinesis with built-in streaming support for Amazon Elasticsearch Service, which allows organizations to reliably process and stream data from AWS WAF to Elasticsearch using a cloud native process.
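As an added example, not code from the original article, the following script shows the kind of analysis such a log pipeline enables: it parses WAF log records (in the JSON-lines format Firehose delivers), tallies what the web ACL actually blocked, and reports what each Count-mode rule would have blocked, with sample requests for false-positive review. The log records are constructed for illustration and use documentation IP ranges.

```python
import json
from collections import Counter, defaultdict

# Constructed sample records in the AWS WAF log format (one JSON object per line,
# as Kinesis Data Firehose delivers them). All values are made up for illustration.
SAMPLE_WAF_LOGS = r"""
{"timestamp":1610000000000,"action":"ALLOW","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","ruleGroupList":[],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"203.0.113.10","uri":"/index.html","httpMethod":"GET"}}
{"timestamp":1610000001000,"action":"BLOCK","terminatingRuleId":"RateLimitPerIp","terminatingRuleType":"RATE_BASED","ruleGroupList":[],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"198.51.100.7","uri":"/login","httpMethod":"POST"}}
{"timestamp":1610000002000,"action":"ALLOW","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","ruleGroupList":[],"nonTerminatingMatchingRules":[{"ruleId":"SqliInBody","action":"COUNT"}],"httpRequest":{"clientIp":"198.51.100.7","uri":"/search","httpMethod":"POST"}}
{"timestamp":1610000003000,"action":"ALLOW","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","terminatingRule":null,"nonTerminatingMatchingRules":[{"ruleId":"NoUserAgent_HEADER","action":"COUNT"}],"excludedRules":[{"exclusionType":"EXCLUDED_AS_COUNT","ruleId":"NoUserAgent_HEADER"}]}],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"192.0.2.44","uri":"/api/health","httpMethod":"GET"}}
{"timestamp":1610000004000,"action":"ALLOW","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","ruleGroupList":[],"nonTerminatingMatchingRules":[{"ruleId":"SqliInBody","action":"COUNT"}],"httpRequest":{"clientIp":"203.0.113.10","uri":"/search","httpMethod":"POST"}}
"""


def parse_waf_logs(text):
    """Parse newline-delimited WAF log JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def count_mode_matches(record):
    """Yield (rule_id, source) for every rule that matched in COUNT mode, both
    top-level web ACL rules and rules inside managed or custom rule groups."""
    for match in record.get("nonTerminatingMatchingRules", []):
        if match.get("action") == "COUNT":
            yield match["ruleId"], "webacl"
    for group in record.get("ruleGroupList", []):
        for match in group.get("nonTerminatingMatchingRules", []):
            if match.get("action") == "COUNT":
                yield match["ruleId"], group.get("ruleGroupId", "?")


def summarize(records):
    """Aggregate what the web ACL did and what Count-mode rules would have done."""
    actions = Counter(r["action"] for r in records)
    blocked_by = Counter(r["terminatingRuleId"] for r in records if r["action"] == "BLOCK")
    would_block = Counter()        # rule id -> requests it would block if set to Block
    samples = defaultdict(list)    # rule id -> (clientIp, method, uri) for FP review
    for r in records:
        for rule_id, _source in count_mode_matches(r):
            would_block[rule_id] += 1
            req = r["httpRequest"]
            samples[rule_id].append((req["clientIp"], req["httpMethod"], req["uri"]))
    return {"total": len(records), "actions": dict(actions),
            "blocked_by": dict(blocked_by), "count_mode": dict(would_block),
            "samples": dict(samples)}
```

Running summarize(parse_waf_logs(SAMPLE_WAF_LOGS)) over the sample shows one request blocked by the rate-based rule, and two rules that would block traffic if promoted from Count to Block, each with the requests a reviewer should inspect before doing so.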
2. Continuous Monitoring and Vulnerability Scans
Creating a WAF ACL and integrating it with the supported service is a great starting point. However, searching for vulnerable patterns is a continuous process that should be scheduled regularly, using vulnerability scanning tools (such as Nexpose or Nessus) and/or thorough penetration tests to identify existing holes caused by misconfigurations.
3. Test and Monitor ACL Rules
Before enabling an ACL rule in Block mode, where it could block legitimate traffic, run it in Count mode first: the rule records matching requests without blocking them, which lets teams see whether non-malicious requests would be blocked. This step is critical to prevent a negative end-user experience.
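As an added example (not the article's or AWS's own code) that ties the API-driven management described earlier to the Count-then-Block practice, the following Python builds a web ACL definition in the exact shape the WAFv2 API expects (the dictionary can be passed as keyword arguments to boto3's wafv2 create_web_acl), starts every rule in Count mode, and promotes individually reviewed rules to Block. Rule and metric names are assumptions; AWSManagedRulesCommonRuleSet is a real AWS managed rule group.

```python
import copy


def _visibility(metric_name):
    """CloudWatch metrics and sampled requests are what a Count-mode review relies on."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}


def managed_rule_group(name, priority, vendor="AWS"):
    """Reference a managed rule group. Managed groups take OverrideAction, not Action;
    Count here overrides every rule in the group to count instead of block."""
    return {"Name": name, "Priority": priority,
            "Statement": {"ManagedRuleGroupStatement": {"VendorName": vendor, "Name": name}},
            "OverrideAction": {"Count": {}}, "VisibilityConfig": _visibility(name)}


def rate_based_rule(name, priority, limit):
    """Custom rate-based rule: requests per 5-minute window per client IP."""
    return {"Name": name, "Priority": priority,
            "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
            "Action": {"Count": {}}, "VisibilityConfig": _visibility(name)}


def set_mode(rule, mode):
    """Return a copy of rule switched to 'Count' or 'Block'. The field differs by kind:
    managed groups use OverrideAction {Count|None}, other rules use Action {Count|Block}."""
    if mode not in ("Count", "Block"):
        raise ValueError("mode must be 'Count' or 'Block'")
    out = copy.deepcopy(rule)
    if "OverrideAction" in out:
        out["OverrideAction"] = {"Count": {}} if mode == "Count" else {"None": {}}
    else:
        out["Action"] = {mode: {}}
    return out


def promote(rules, names):
    """Flip to Block only the rules whose Count-mode review showed no false positives."""
    return [set_mode(r, "Block") if r["Name"] in names else r for r in rules]


def web_acl_params(name, rules, scope="REGIONAL"):
    """Keyword arguments for wafv2 create_web_acl/update_web_acl. Priorities must be
    unique within the web ACL; lower numbers are evaluated first."""
    priorities = [r["Priority"] for r in rules]
    if len(priorities) != len(set(priorities)):
        raise ValueError("rule priorities must be unique")
    return {"Name": name, "Scope": scope, "DefaultAction": {"Allow": {}},
            "Rules": sorted(rules, key=lambda r: r["Priority"]),
            "VisibilityConfig": _visibility(name)}
```

Use scope "CLOUDFRONT" (in us-east-1) for a CloudFront distribution; "REGIONAL" covers Application Load Balancers and API Gateway.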
A Cloud Native Solution
With rapidly evolving attack patterns, organizations today understand that they should continuously review their architecture and assess new ways to improve the security posture of their publicly facing applications. As demonstrated above, AWS WAF is a cloud native solution which offers critical capabilities and should be considered in common architectures managed on AWS. By integrating AWS WAF into existing and new workloads, businesses not only mitigate operational risks but potentially prevent unrecoverable damage to their business.
The information presented in this article is accurate as of 1/14/2021. Follow the ScaleSec blog for new articles and updates.
ScaleSec is a service-disabled, veteran-owned small business (SDVOSB) for cloud security and compliance that helps innovators meet the requirements of their most scrutinizing customers. We specialize in cloud security engineering and cloud compliance. Our team of experts guides customers through complex cloud security challenges, from foundations to implementation, audit preparation and beyond.