WAF

 WAF


  • To simplify centralized management of AWS WAF, AWS Firewall Manager allows you to define security policies that automatically deploy WAF across accounts within your AWS Organization.
  • The central security team uses AWS Firewall Manager with a WAF policy to deploy a central web ACL (based on AWS managed baseline rule groups) to each team’s account without automatic remediation. This policy is configured to deploy a copy of the web ACL but not automatically associate it to application resources (e.g., CloudFront, Application Load Balancer, Amazon API Gateway). Although this approach does not force the protection on the application teams, it provides the central security team with visibility of which applications have WAF attached to their endpoints. 
  • Application teams can choose to apply the central web ACL as it is, or modify it before application.
  • 2nd Option - The central security team creates two AWS Firewall Manager WAF policies with automatic remediation. Firewall manager automatically associates the web ACLs to the appropriate resources as configured by the policy. When this occurs, existing WAF web ACLs associated to those resources are overridden.
  • Firewall Manager allows you to identify if resources have the correct WAF web ACL associated as configured by the Firewall Manager policy. You can also integrate AWS Security Hub with AWS Firewall Manager to detect resources that are not properly protected by WAF rules.
  • By default, logging is not enabled when you create a web ACL.AWS WAF provides near-real-time logs through Amazon Kinesis Data Firehose.
  • Enable rate-based rules to protect yourself against DDoS types of attack.
  • Monitoring - For each rule, CloudWatch emits near-real-time metrics like AllowedRequests, BlockedRequests and PassedRequests which are recorded for a period of two weeks.
  • Cost - For workloads with high volumes of requests, consider evaluating AWS Shield Advanced to reduce the per request charges. When AWS WAF is used with resources protected by AWS Shield Advanced, there is no additional charges for using AWS WAF and AWS Firewall Manager. You simply pay for the charges associated with AWS Shield Advanced. This approach can help optimize cost for request-heavy workloads.
  • You use AWS WAF to control how an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, or an AWS AppSync GraphQL API responds to HTTP(S) web requests.
  • You create a web ACL and define its protection strategy by adding rules. Rules define criteria for inspecting web requests and specify how to handle requests that match the criteria. 
  • Each rule contains a statement that defines the inspection criteria, and an action to take if a web request meets the criteria. 
  • AWS Managed Rules and AWS Marketplace sellers provide managed rule groups for your use. You can also define your own rule groups.

  • You can associate each AWS resource with only one web ACL. 

  • The relationship between web ACL and AWS resources is one-to-many.

  • You can associate a web ACL with one or more CloudFront distributions. Once connected with CF it cannot be connected with other types.

  • An IP set provides a collection of IP addresses and IP address ranges that you want to use together in a rule statement. IP sets are AWS resources.

  • A regex pattern set provides a collection of regular expressions that you want to use together in a rule statement. Regex pattern sets are AWS resources.

  • You can enable logging to get detailed information about traffic that is analyzed by your web ACL.
  • You can send your logs to an Amazon CloudWatch Logs log group, an Amazon Simple Storage Service (Amazon S3) bucket, or an Amazon Kinesis Data Firehose. Using  KDF this can be sent to a third-party auditing application for further evaluation.
  • You can access the list of IP addresses that are currently blocked by a rate-based rule by using the CLI, the API, or any of the SDKs.
  • When you create a web ACL, you can specify one or more CloudFront distributions that you want AWS WAF to inspect. 
  • By default, when AWS WAF blocks a web request based on the conditions that you specify, it returns HTTP status code 403 (Forbidden) to CloudFront, and CloudFront returns that status code to the viewer. 
  • If you want to block web requests from specific countries and also block requests based on other conditions, you can use CloudFront geo restriction in conjunction with AWS WAF. CloudFront returns the same HTTP status code to viewers—HTTP 403 (Forbidden)—whether they try to access your content from a country on a CloudFront geo restriction deny list or whether the request is blocked by AWS WAF.
  • When you use AWS WAF with CloudFront, you can protect your applications running on any HTTP webserver.

Comments

Post a Comment

Popular posts from this blog

Serverless - Lambda functions

 Lambda All operational activities of applying patch, capacity provisioning, monitoring fleet health, code deployment etc is taken care by Lamda. Best suited for use cases which are event based, such as changes to S3 buckets,  serverless processing of streaming data, updates to Dynamo DB table or custom event generated by apps/devices. All code uploaded to Lambda is encrypted. Each Lambda has built-in ephemeral storage of 512 MB. In-bound network connections are blocked by Lambda. Total Metrics, Account and Function level concurrency usage, latency and throttled requests are metrics shared by Lambda through Cloud Watch. Each Lambda function has a log group which can be traced in Cloudwatch logs. We can define the memory to be set for the function. Lambda function max execution time is 15 mins. Lambda can do polling of resources that do not publish events. Or it can be triggered basis events. S3 Integration - The S3 Bucket notifications can be sent to Lambda functions. Lambda c...
Read more

Cloudwatch, CloudTrail, X-Ray

A  namespace  is a container for CloudWatch metrics. Metrics in different namespaces are isolated from each other, so that metrics from different applications are not mistakenly aggregated into the same statistics. There is no default namespace. You must specify a namespace for each data point you publish to CloudWatch. You can specify a namespace name when you create a metric.  Metrics  are the fundamental concept in CloudWatch. A metric represents a time-ordered set of data points that are published to CloudWatch.  Metrics exist only in the Region in which they are created. Metrics cannot be deleted, but they automatically expire after 15 months if no new data is published to them.  A  dimension  is a name/value pair that is part of the identity of a metric. You can assign up to 10 dimensions to a metric. CloudWatch treats each unique combination of dimensions as a separate metric, even if the metrics have the same metric name.  Each metric...
Read more

AWS Storage Services

Storage Gateway Hybrid cloud storage Caches frequently used data for low latency access from on-premises Supports NFS, SMS, iSCSI, iSCSI-VTL  HIPAA and PCI-DSS compatible Use cases Backup and Archiving Disaster recovery Transfer data for cloud workflows Tiered storage Types File - Store in S3 (Object storage) using SMB and NFS protocols. Backing up at object level. Supports POSIX style file metadata on objects. Max file size of 5TB - same as S3. S3 Classes supported - Standard, Standard IA and One Zone IA. Uses multi-part uploads to speed up upload process. Objects managed through the gateway should not be modified outside the gateway. Volume - Uses block storage with iSCSI and stores in S3 as well.  Integrates with AWS Backup S3 Bucket is managed by gateway and we don't have control. Data cannot be accessed through the S3 API unlike File gateway. Supports upto 32 volumes. Cache mode - Primary data is in S3 with a local cache. 32TB per volume and max of 1 PB. Stored mode - Sto...
Read more