AWS WAF: How it helps organizations to secure their web applications from common web exploits.

Today businesses are increasingly moving their workloads to the cloud to cut down on capital investment and to maximize operational efficiency. Hosting the workloads on AWS is one part; ensuring the security of the application is another that must be taken seriously. When it comes to the cloud, there is a common misunderstanding that security is taken care of by default once you move the workloads there. This is not the case: security in the cloud is a shared responsibility, and the customer must make sure that preventive measures are in place to protect against ongoing threats. AWS does offer several services to help protect your web application, and this is where AWS WAF comes into the picture.

What is AWS WAF?

AWS WAF (Web Application Firewall) acts as a barrier between your workloads and the internet, protecting the web applications from common attacks such as SQL injection or cross-site scripting. It also lets you configure rules that allow, block, or monitor web requests based on conditions that you define, such as IP address filtering, HTTP header matching, etc.

How does AWS WAF Work?

Instead of provisioning separate servers to manage the firewall, AWS WAF lets you integrate it with the supported services. It works by inspecting incoming traffic against the preconfigured rule sets. When an underlying service receives a request for your web application, the request is handed to WAF, which checks whether it complies with the preconfigured rule set. If it meets the required conditions, WAF lets the underlying service accept the request; otherwise the request is blocked, as shown in the figure below.

How to deploy AWS WAF?

AWS WAF can currently be deployed along with the following services:

  1. Amazon CloudFront:

When deployed along with CloudFront, it becomes part of the CDN, protecting the content at the origin. It also protects the resources cached at the edge locations.

  2. Application Load Balancer (ALB):

When deployed along with ALB, it will protect the instances that are running behind the load balancer.

  3. Amazon API Gateway:

When deployed along with API Gateway, it protects the REST APIs from web exploits.

How to setup AWS WAF?

To get started with AWS WAF, we need to create a web Access Control List (web ACL) and associate it with one of the supported services. A web ACL must contain at least one rule, and can contain multiple rules, that specify whether to block or allow incoming requests. You have the flexibility to write your own rules or to use managed rule groups offered by AWS and by AWS Marketplace sellers. Some of the AWS managed rules are shown in the figure below.

Additionally, you can set up rate-based rules that let you block a specific IP address or range that sends more than a specified number of requests within a given time. For example, we can block an IP address that sends more than 1000 requests within a 2-minute interval.

Both rate-based rules and regular rules can be added to the same rule set, which gives the user more flexibility.

How is WAF priced?

Like the other services, AWS WAF has a pay-as-you-go pricing model with no upfront commitments. The cost components for AWS WAF are as follows:

  1. $5/Month for each web ACL created
  2. $1/Month for each rule that is added to the web ACL
  3. $0.60/Month per million requests that are processed by WAF.

There are no additional charges for using AWS Managed Rules or rate-based rules, but if you use third-party managed rules from the Marketplace, additional charges apply as described by the seller.

To summarize, it is very important for organizations to ensure that perimeter-level security is in place when they move their workloads into the cloud. Tightly integrated with other AWS services, AWS WAF is a no-brainer in terms of setup and has a very straightforward pricing model, which makes it an easy choice for protecting your workloads on AWS.