In this session, we provide a summary of the basics of AWS's WAF (Web Application Firewall) and cover some of the benefits of using the service. Example scenarios are provided and a walkthrough of pricing is described.

1. AWS WAF
Tom Witman

2. What is a WAF?
• A Web Application Firewall (WAF): WAF is an appliance, server
plugin, or filter that applies a set of rules to HTTP traffic
• WAFs Come in Four Flavors
• Pure Play: stand alone appliance or software
• CDN: bundled with Content Delivery Network
• Load Balancer: bundled with a load balancer
• Universal Threat Manager (UTM): catch-all for misc. security

3. Why use WAF?
• WAFs help protect web sites & applications against attacks that
cause data breaches and downtime.
• General WAF use cases
• Protect from SQL Injection (SQLi) and Cross Site Scripting (XSS)
• Prevent Web Site Scraping, Crawlers, and BOTs
• Mitigate DDoS (HTTP/HTTPS floods)

4. What is AWS WAF?
• AWS WAF is a CDN bundled WAF
• Create rule based web ACL’s to block requests
• Unique aspects of AWS WAF are:
• Customizable rules created by customers to avoid false positives
• Full-feature API: this is a DevOps WAF that can be deployed inline with
new web sites and applications
• Integrated with AWS (CloudFront, CloudWatch with more to come) and
with partners (Alert Logic, TrendMicro, Imperva, more to come)
• Pay as you go pricing

5. CloudFront w/o WAF
CloudFront
Edge
Location
EC2
users
hackers
bad bots
site
scraping
SQL Injection,
XSS, other attacks
legitimate
traffic
ELBS3
AND/OR
Customer On Premises Environment
Origin Server Origin Storage

6. Traditional WAF Deployment
CloudFront
Edge
Location
users
hackers
bad bots
site
scraping
SQL Injection,
XSS, other attacks
legitimate
traffic
EC2ELBWAFELB
ELB Sandwich
Customer On Premises Environment
Origin Origin Storage
WAF on EC2 in ELB sandwich (complexity & latency)

7. CloudFront w/ AWS WAF
CloudFront
Edge
Location
EC2
users
hackers
bad bots
site
scraping
SQL Injection,
XSS, other attacks
legitimate
traffic
ELBS3
AND/OR
Customer On Premises Environment
Origin Server Origin Storage
Malicious traffic is blocked by WAF rules at edge locations
-can be custom origin
-can be static and dynamic content
-show the other on premises + S3

8. Amazon CloudFront, Amazon Route 53, and AWS WAF Locations
54 CloudFront Edge Locations (PoPs), 38 Cities, 5 Continents
CloudFront Amazon
Route 53
AWS WAF

9. North America
Cities: 15
PoPs: 21
Ashburn, VA (3)
Atlanta, GA
Chicago, IL
Dallas/Fort Worth, TX (2)
Hayward, CA
Jacksonville, FL
Los Angeles, CA (2)
Miami, FL
New York, NY (3)
Newark, NJ
Palo Alto, CA
San Jose, CA
Seattle, WA
South Bend, IN
St. Louis, MO
Amazon CloudFront, Amazon Route 53, and AWS WAF Locations
54 CloudFront Edge Locations (PoPs), 38 Cities, 5 Continents
South America
Cities: 2
PoPs: 2
Rio de Janeiro,
Brazil
São Paulo, Brazil
Europe / Middle East /
Africa
Cities: 10
PoPs: 16
Amsterdam, The Netherlands (2)
Dublin, Ireland
Frankfurt, Germany (3)
London, England (3)
Madrid, Spain
Marseille, France
Milan, Italy
Paris, France (2)
Stockholm, Sweden
Warsaw, Poland
Asia Pacific
Cities: 11
PoPs: 15
Chennai, India
Hong Kong, China (2)
Manila, the Philippines
Melbourne, Australia
Mumbai, India
Osaka, Japan
Seoul, Korea (2)
Singapore (2)
Sydney, Australia
Taipei, Taiwan
Tokyo, Japan (2)
CloudFront Amazon
Route 53
AWS WAF
Edge
location
AWS
Region

10. AWS WAF Component Questions
1. What do I want to take action on?
(Conditions – IP / String Match Set / SQL injection match sets)
2. Should I block, allow, count?
(Rules - Precedence / Rule / Action)
3. What sites/distributions need these rules?
(CloudFront Distribution)
4. What should I call the container of these rules?
(Web Access Control Lists – Web ACLs)
5. How do I see if the rules are working?
(Real Time Metrics, Sampled Web Requests)

11. AWS WAF: web ACLs
• Web ACLs contain a set of conditions,
rules, and actions.
• Web ACLs are applied to one or many
CloudFront distributions.
• Web ACLs show you Real-Time Metrics
& Sampled Web Requests for each
rule.

12. AWS WAF: Conditions
• Conditions are lists of criteria that
identify components of web requests.
• Conditions include matching on the
following:
• IP address i.e., /8, /16, /24, /32
• Strings, i.e., URI, query string, header, etc.
• SQL injection, i.e., looks for valid SQL
statements
• Conditions are logically disjoined, i.e.
“OR”.

13. /login?x=test%20Id=10%20AND=1
/login?x=test%27%20UNION%20ALL%20select%20NULL%20--
/login?x=test’ UNION ALL select NULL --
Transform: URL Decode
True
Match: SQL Injection
False
Match Conditions: SQLi

14. AWS WAF: Rules
• Rules are sets of conditions with a
predetermined action.
• Available actions are:
– Block
– Allow
– Count
• Rules can logically join conditions, i.e.,
“AND”.
• Rules can be applied to many
WebACLs.

15. AWS WAF: Resources
• web ACLs: applied to CloudFront distributions today
• Rule R: use one Web ACL for all distributions
• Flexibility: use individual Web ACL for each distribution
• AWS Partners: developing integrations with AWS WAF
– Trend Micro: Deep Security
– Imperva: Threat Radar
– Alert Logic: Web Security Manager

16. AWS WAF: Reporting & Logs
• Real-Time Metrics
(CloudWatch):
– Blocked web requests
– Allowed web requests
– Counted web requests
• Adjustments to rules in
response to real time analysis.
• Time period can be adjusted
by sliding graph end points or
via filters.

17. HTTP/HTTPS
Request made for
content to CloudFront
WAF reviews request;
instructs CF to
allow/deny
CF checks if request
needs WAF
inspection
WAF sends metric to
CW; customer can
update rules via API
Content Delivered via
CloudFront
Error Page Delivered by CloudFront
AWS WAF: Request Process
DENY
REQUEST
ALLOW
REQUEST

18. AWS WAF: End to End Flow
1. Create Web ACL
2. Create Conditions (IP, string match, SQL)
3. Create Rules and Actions (order, rule, action)
4. Associate Web ACL to CloudFront distribution
5. Review and Create

19. AWS WAF: API & Data Types
API Actions
• Create
• Delete
• Get
• List
• Update
Data Types
• ChangeToken
• ChangeTokenStatus
• WebACL
• IPSet
• StringeMatchSet
• SQLinjectionMatchSet
• Rule

20. AWS WAF: APIs
1. Get Change Token – a change token can only be
used once to make a change to WAF resources.
2. Use Token to Make a Change – provide the change
token to the change request
3. Check Status Using Token – use token to determine
the status of your changes. INSYNC means changes
were propagated

21. AWS WAF Example: Blocking Bad Bots

22. AWS WAF Example: Blocking Bad Bots
What We Need…
• IP Set: contains our list of blocked IP addresses
• Rule: blocks requests if requests match IP in our IP Set
• Web ACL: allow requests by default, contains our Rule
and…
• Mechanism to detect bad bots
• Mechanism to add bad bot IP address to IP Set

23. AWS WAF Example: Blocking Bad Bots
• Use robots.txt to specify
which areas of your site or
webapp should not be
scraped
• Place file in your web root
• Ensure there are links
pointing to non-scrapable
content
• Hide a trigger script that
normal users don’t see and
good bots ignore
$ cat
webroot/robots.txt
User-agent: *
Disallow: /honeypot/
<a href="/honeypot/"
class="hidden" aria-
hidden="true">click
me</a>

24. AWS WAF Example: Blocking Bad Bots
• Bad bots (ignoring your
robots.txt) will request the
hidden link
• Trigger script will detect the
source IP of the request
• Trigger script requests change
token
• Trigger script adds source IP to
IP Set blacklist
• Web ACL will block subsequent
request from that source
$ aws --endpoint-url
https://waf.amazon.com/ waf get-change-
token
{
"ChangeToken": "acbc53f2-46db-4fbd-b8d5-
dfb8c466927f”
}
$ aws --endpoint-url
https://waf.amazon.com/ waf update-ip-set
--cli-input-json '{ "IPSetId": ”<<IP SET
ID>>", "ChangeToken": "acbc53f2-46db-4fbd-
b8d5-dfb8c466927f", "Updates": [ {
"Action": "INSERT", "IPSetDescriptor": {
"Type": "IPV4", "Value": ”<<SOURCE
IP>>/32" } } ] }’
{
"ChangeToken": "acbc53f2-46db-4fbd-b8d5-
dfb8c466927f”
}

25. Pricing
Three Pricing Dimensions
• Web ACL monthly charge: $5 / Web ACL
• Rule monthly charge: $1 / rule
• Request Fee charge: $0.60 / million requests
Pricing is available online at: http://aws.amazon.com/waf/pricing/

26. Pricing Example
ACME corporation runs 5 CloudFront distributions, one for each web
site. ACME sets up 1 Web ACLs, with 10 shared rules and apply the
Web ACL to each website. Each website has an average HTTP /
HTTPS request volume of about 5.5 million, or a total of 275 million
requests.
• ACME would be charged: (1 Web ACL @ $5) + (10 Rules @ $1 each)
+ (275 MM requests @ $0.60/MM)
• The total charge is: $5 for Web ACL + $10 for Rules + $165 for requests
= $170/month.
• This is in ADDITION to the CloudFront fees.

27. Which WAF Solution is Right?
1. Do you need basic WAF protection such as IP black
lists or referrer checking? (3)
2. Do you need protection against SQLi and XSS? (3)
3. Do you need rate based protection against attacks like
scrapers, bots, and/or HTTP floods? (1)
4. Do you need configurations that support basic
customizations for your applications? (1,3)
5. Do you need configurations that are highly customized
(e.g. full regex support) to your specific applications? (2)
6. Do you need to customize rules based on behavioral
analysis? (2)
7. Do you need a WAF that offers a large library of rules
and/or updates rules based on current and emerging
threats? (2,4)
8. Do you require a third party (AWS consulting partner) to
manage rules and customize your configurations? (4)

28. AWS WAF: Q&A