Securing web applications in the cloud using AWS WAF
By Dinesh Kumar
Security is an essential part of enterprise applications, especially when they are hosted in the cloud. Cloud providers like AWS help organizations meet core security and compliance requirements, such as data protection and confidentiality.
This blog describes how a leading e-learning platform secured its web applications with AWS Web Application Firewall (WAF).
The e-learning platform deployed on AWS used serverless services such as Lambda and API Gateway. Though a commercial threat detection product was installed, the version in use did not support serverless applications: it required installing an agent on the workload, which does not fit a serverless deployment. Since upgrading the product was expensive, the e-learning platform was looking for a security solution built from AWS services that worked with serverless applications.
How we addressed the problem
Considering these challenges, we used AWS WAF to provide application-layer protection for the Lambda-backed APIs of the e-learning platform. AWS WAF protects APIs and web applications against common web exploits through security rules that block known attack patterns, controlling which traffic reaches the application. WAF sits in front of the API as a filter: it is associated with a supported resource (here the API Gateway stage that fronts the Lambda functions, since WAF cannot be attached to a Lambda function directly) and inspects each request before it is forwarded, allowing or blocking it according to the rules in a web access control list (web ACL).
Our solution blueprint is detailed below:

Setting up rules in WAF:
WAF deployment depends on the configuration of the web ACL rules. There were two options: writing custom rules or subscribing to managed rules from AWS Marketplace. We opted for a mix of both, using managed rules to address common vulnerabilities and custom rules to address requirements specific to the platform.
1) Implementing managed rules: We subscribed to ‘F5 Rules for AWS WAF — API Security Rules’ from AWS Marketplace to cover common threats against APIs. We recommend using managed rules because they are:
a. Written and curated by security specialists
b. Updated by the vendor as new attack patterns emerge, so the protection improves without the customer having to edit rules
2) Implementing custom rules: Custom rules give flexibility, portability of the security policy across environments, and control over how specific traffic is handled. You can write your own custom rules in AWS WAF. For example, we needed to block specific IP addresses that were sending unusually high volumes of traffic, so we created a custom rule in the web ACL that blocks every request whose source address is in an IP set containing those addresses.
The screenshot below depicts how we implemented managed and customized rules together:


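To make the rule setup concrete, here is an added example (written for this post, not the platform's own deployment code) that builds the same two-part web ACL with boto3 for AWS WAFv2: the Marketplace managed rule group plus a custom rule that blocks an IP set. The vendor name, rule group name, IP set ARN and stage ARN are placeholders; after subscribing, take the real vendor and rule group names from the console. The builder functions run offline; the boto3 calls only run inside deploy().

```python
"""Build an AWS WAFv2 web ACL: Marketplace managed rule group + custom IP block rule.

Added example, not the e-learning platform's own code. Every resource name
below is a placeholder or assumption.
"""
import ipaddress
import json

# Placeholders: replace with the vendor/name shown in the console after subscribing.
VENDOR_NAME = "F5"
MANAGED_RULE_GROUP_NAME = "F5_API_SECURITY_PLACEHOLDER"
IP_SET_ARN_PLACEHOLDER = (
    "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/abusive-ips/placeholder"
)


def normalize_cidrs(addresses):
    """WAF IP sets accept CIDR blocks only: bare IPs become /32 or /128, garbage raises ValueError."""
    return [str(ipaddress.ip_network(a.strip(), strict=False)) for a in addresses]


def visibility(metric_name):
    """Every rule and the web ACL itself need a VisibilityConfig for metrics and sampling."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}


def ip_block_rule(priority, ip_set_arn, name="block-abusive-ips"):
    """Custom rule: terminate with BLOCK when the client IP is in the referenced IP set."""
    return {"Name": name, "Priority": priority,
            "Statement": {"IPSetReferenceStatement": {"ARN": ip_set_arn}},
            "Action": {"Block": {}}, "VisibilityConfig": visibility(name)}


def managed_rule_group(priority, vendor, name):
    """Managed rule group: it carries no Action; OverrideAction None keeps the vendor's verdicts."""
    return {"Name": name, "Priority": priority,
            "Statement": {"ManagedRuleGroupStatement": {"VendorName": vendor, "Name": name}},
            "OverrideAction": {"None": {}}, "VisibilityConfig": visibility(name)}


def check_rules(rules):
    """Catch the two mistakes WAF rejects at create time: duplicate priorities, wrong action kind."""
    priorities = [r["Priority"] for r in rules]
    if len(set(priorities)) != len(priorities):
        raise ValueError("rule priorities must be unique")
    for r in rules:
        stmt = r["Statement"]
        is_group = "ManagedRuleGroupStatement" in stmt or "RuleGroupReferenceStatement" in stmt
        if is_group and ("OverrideAction" not in r or "Action" in r):
            raise ValueError(f"{r['Name']}: rule group references need OverrideAction, not Action")
        if not is_group and ("Action" not in r or "OverrideAction" in r):
            raise ValueError(f"{r['Name']}: regular rules need Action, not OverrideAction")
    return True


def build_rules(ip_set_arn, vendor=VENDOR_NAME, group=MANAGED_RULE_GROUP_NAME):
    """Lower priority runs first: drop known-bad IPs cheaply before the managed group inspects bodies."""
    rules = [ip_block_rule(0, ip_set_arn), managed_rule_group(1, vendor, group)]
    check_rules(rules)
    return rules


def deploy(stage_arn, blocked_ipv4, region="us-east-1"):
    """Create the IP set and web ACL, then associate the ACL with an API Gateway stage.

    Needs AWS credentials. Scope must be REGIONAL for API Gateway; an IPv6 list
    would need a second IP set with IPAddressVersion="IPV6".
    """
    import boto3  # imported here so the builders above stay usable offline
    waf = boto3.client("wafv2", region_name=region)
    ip_set = waf.create_ip_set(Name="abusive-ips", Scope="REGIONAL", IPAddressVersion="IPV4",
                               Addresses=normalize_cidrs(blocked_ipv4))["Summary"]
    acl = waf.create_web_acl(Name="elearning-api", Scope="REGIONAL",
                             DefaultAction={"Allow": {}}, Rules=build_rules(ip_set["ARN"]),
                             VisibilityConfig=visibility("elearning-api"))["Summary"]
    waf.associate_web_acl(WebACLArn=acl["ARN"], ResourceArn=stage_arn)
    return acl["ARN"]


if __name__ == "__main__":
    # Offline: print the rule definitions that would be sent to create_web_acl.
    print(json.dumps(build_rules(IP_SET_ARN_PLACEHOLDER), indent=2))
```

The stage ARN passed to deploy() has the form arn:aws:apigateway:REGION::/restapis/API_ID/stages/STAGE_NAME. Putting the IP block rule at priority 0 is deliberate: requests from addresses already known to be abusive never reach the managed rule group, which is the more expensive evaluation.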
Once security rules are in place, it is crucial to monitor which rules match and how often, so that the rule set can be tuned at regular intervals: false positives relaxed, new abusive sources blocked. Therefore, after deploying AWS WAF, we analyzed its logs with AWS services to keep improving the protection of the web application.
To enable WAF log analysis, we implemented the following steps as detailed in the diagram below:

1) Enabled logging on the AWS WAF web ACL (logging is configured per web ACL, not per rule)
2) Created a Kinesis Data Firehose delivery stream for the AWS WAF logs with an S3 bucket as its destination (the stream name must start with aws-waf-logs- for WAF to accept it as a logging destination)
3) Used Amazon Elasticsearch Service (since renamed Amazon OpenSearch Service) for log analysis and Amazon QuickSight for dashboards and insights
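The analysis step is where the blocked IPs come from. The following is an added example, not the platform's own pipeline, that parses WAF log records in the format Firehose writes to S3 (one JSON object per line), aggregates requests per client IP in one-minute buckets and proposes candidates for the IP set. The log lines are constructed for the example and the rule names in them are placeholders; the field names used (timestamp in epoch milliseconds, action, terminatingRuleId, httpRequest.clientIp, httpRequest.uri) are those of the AWS WAF log format.

```python
"""Find IPs flooding an API from AWS WAF logs delivered to S3 via Kinesis Data Firehose.

Added example, not the e-learning platform's own analysis. SAMPLE_LOG is constructed.
"""
import ipaddress
import json
from collections import Counter, defaultdict

MINUTE_MS = 60_000
BASE_TS = 1_600_000_020_000  # constructed epoch-ms timestamp, aligned to a minute boundary


def _rec(ts_ms, ip, action, rule, uri):
    """One constructed record in the shape AWS WAF logs (one JSON object per line)."""
    return json.dumps({
        "timestamp": ts_ms, "formatVersion": 1,
        "webaclId": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/elearning/placeholder",
        "terminatingRuleId": rule, "action": action, "httpSourceName": "APIGW",
        "httpRequest": {"clientIp": ip, "country": "US", "uri": uri, "httpMethod": "GET"},
    })


# Constructed sample: one client hammering the login API (half of it caught by the managed
# group), two ordinary clients, one IP already stopped by the IP set rule, one truncated line.
SAMPLE_LOG = "\n".join(
    [_rec(BASE_TS + i * 5_000, "203.0.113.7",
          "BLOCK" if i % 2 == 0 else "ALLOW",
          "F5-API-Security-placeholder" if i % 2 == 0 else "Default_Action",
          "/api/login") for i in range(6)]
    + [_rec(BASE_TS + 30_000, "198.51.100.2", "ALLOW", "Default_Action", "/api/courses"),
       _rec(BASE_TS + 90_000, "198.51.100.2", "ALLOW", "Default_Action", "/api/courses/42"),
       _rec(BASE_TS + 40_000, "192.0.2.9", "BLOCK", "block-abusive-ips", "/api/login"),
       "{not valid json"]  # a partial last line, as a cut S3 object can produce
)


def parse_waf_log(text):
    """One JSON object per line; skip blanks and truncated lines instead of aborting the batch."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def summarize_by_ip(records):
    """Per client IP: total requests, blocked count, which rule terminated, peak requests/minute."""
    per_ip = defaultdict(lambda: {"requests": 0, "blocked": 0,
                                  "rules": Counter(), "minutes": Counter()})
    for r in records:
        s = per_ip[r["httpRequest"]["clientIp"]]
        s["requests"] += 1
        s["minutes"][r["timestamp"] // MINUTE_MS] += 1
        if r.get("action") == "BLOCK":
            s["blocked"] += 1
            s["rules"][r.get("terminatingRuleId")] += 1
    for s in per_ip.values():
        s["peak_per_minute"] = max(s["minutes"].values())
    return dict(per_ip)


def flag_flooding_ips(stats, per_minute=5, ip_set_rule="block-abusive-ips"):
    """IPs whose peak rate reaches the threshold and that the IP set rule is not already stopping."""
    flagged = []
    for ip, s in stats.items():
        already_listed = s["rules"].get(ip_set_rule, 0) == s["requests"]
        if s["peak_per_minute"] >= per_minute and not already_listed:
            flagged.append((ip, s["requests"], s["blocked"], s["peak_per_minute"]))
    return sorted(flagged, key=lambda t: (-t[3], -t[1], t[0]))


def to_ip_set_entries(ips):
    """AWS WAF IP sets take CIDRs: /32 for IPv4, /128 for IPv6."""
    return [f"{ip}/{32 if ipaddress.ip_address(ip).version == 4 else 128}" for ip in ips]


if __name__ == "__main__":
    stats = summarize_by_ip(parse_waf_log(SAMPLE_LOG))
    for ip, reqs, blocked, peak in flag_flooding_ips(stats):
        print(f"{ip}: {reqs} requests, {blocked} blocked, peak {peak}/min")
    print("IP set entries:", to_ip_set_entries([f[0] for f in flag_flooding_ips(stats)]))
```

The threshold of five requests per minute is sized for the constructed sample; for a real platform it should come from the observed per-client baseline over a few weeks of logs, and entries added to the IP set should be reviewed periodically so that addresses reassigned to legitimate users do not stay blocked.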
Continuous analysis of the WAF logs and access data let us block roughly 100 IP addresses over six months that were flooding the platform with unusual traffic. AWS WAF thus gave us application-layer protection of the API endpoints using a combination of managed and custom rules.
Impetus is an AWS Advanced Consulting Partner, helping enterprises design, architect, build, migrate, and manage their workloads and applications on AWS. To know more about how we rearchitected the e-learning platform on AWS to support global expansion, read the case study.