Ref: https://learn.cantrill.io/courses/1820301/lectures/42087577

• Summary:
• Contents:

Web Application Firewall (WAF) Architecture

• 🔧 WAF = AWS implementation of a robust L7 FW (application firewall)
  • Can protect web resources that support WAF (CloudFront, ALBs, APIGW, AppSync…)
  • Main unit of configuration: WEBACL (Web Access Control List)
    • Associated to resources (e.g. CF distribution, ALB…)
    • Has rules and rule groups → control how WAF reacts to incoming traffic
• Some high-level features
  • Filter valid users from bots or attackers
  • Manual (human) or automatic update of WEBACL
    • Automatic updates can leverage event-driven security response architecture (e.g. scheduled rules from EventBridge can regularly pass publicly maintained IP lists)
  • Log outputs: directly to S3 (~5 min delay), CWLogs and/or Data Firehose
    • ❗ Don't use S3 directly for reacting quickly! Instead, use Data Firehose (which can also dump logs to S3 if required)

• Architecture supports feedback loops
  1. Take data (logs)
  2. Identify actionable intelligence (Athena, Lambda…)
  3. Automate changes based on that intelligence (Lambda updates WEBACL)

WAF Components

Web Access Control List (WEBACL)

• 🔧 WAF’s main unit of configuration
  • Controls whether traffic is allowed or blocked
• Resource type:
  1. CloudFront (global)
  2. Regional service → Must pick region
     • ALB, APIGW, AppSync…
  • ❗ Can't assign regional WEBACL to CF, nor CF WEBACL to regional services!
• Default Action: ALLOW or BLOCK non-matching traffic (choose one)
  • Triggers when traffic doesn't match any rule in the WEBACL
  • Choose ALLOW to only allow known good traffic
  • Choose BLOCK to explicitly protect against certain exploits
• Rule Groups and Rules processed in order
  • 💡 A WEBACL doesn't do anything on its own, must add rules and rule groups!
• WEBACL Capacity Units (WCUs) = maximum compute (limit) that WEBACL rules can use
  • Default=1500 (can be increased via support ticket)
• Resource Association
  • 1-to-many relationship
    • 1 WAF can be associated to multiple resources
    • A resource can only have 1 associated WAF
  • Takes time
    • e.g. Associating WAF to CF distribution needs to propagate to all edge locations
    • ❗ Adjusting/Editing a WEBACL takes much less time than associating it
• Currently can't be used with AWS Outposts

WAF Rule Groups