2020 0317-SID Slide-Deck

- The document discusses AWS Managed Rules for AWS WAF, which provides a set of pre-configured rules that customers can deploy on their applications to protect against common attacks and threats.
- It explains the differences between the original AWS WAF and the new AWS WAF v2 API, which offers enhancements like simplified service limits, document-based rule writing in JSON, and support for nested logical operations.
- The document demonstrates how to get started with AWS Managed Rules and provides tips for writing custom rules using the new WAF v2 API.


Protecting Your Web Application Using AWS Managed Rules for AWS WAF

Kevin Lee, Sr. Product Manager

March 30, 2020

© 2020, Amazon Web Services, Inc. or its Affiliates.


Learning Objectives

• Learn about AWS Managed Rules for AWS WAF
• Understand the difference between AWS WAF Classic and the new AWS WAF
• Get deeper insight into the new WAFv2 API and how rule writing works using JSON
• Get tips on how you can plan your migration from AWS WAF Classic to the new AWS WAF

Quick Service Overview

What is AWS WAF?

Highly configurable and scalable cloud-native web application firewall, giving you the first line of defense against incoming threats.

How AWS WAF Works

Key Terminology

Web ACL (Web Access Control List)
• Holds the rule statements that are evaluated against each request
• Shareable elements referenced by rules: IP Set, Rule Group, Regex Set

Protected resources: Amazon CloudFront, Application Load Balancer, Amazon API Gateway

Observability: sampled requests, logging (Amazon Kinesis Data Firehose), metrics (Amazon CloudWatch)

What’s New in AWS WAF?

AWS Managed Rules for AWS WAF

Set of pre-configured rules that you can deploy on your application
• Covers common attack vectors and threats
• Curated and maintained by threat research team
• Influenced by OWASP Top 10 Web Application Security Risks

Available to all customers at no extra charge

AWS Managed Rules: Available Rule Groups

• Baseline
• Use-case Specific
• IP Reputation List

AWS Managed Rules: Customer Testimonial

https://www.twitch.tv/videos/529888575

New API (“wafv2”)

Single API for managing global and regional resources
• The separate “waf” (global) and “waf-regional” APIs are replaced by one “wafv2” API
• CloudFormation support for all rule types
• Brand new console experience
• Recreate resources again to use with new API

Simplified service limits
• Removed various limits and increased some limits
• e.g., rules per web ACL, regex pattern set, regex length, etc.

Document-based Rule Writing in JSON

Rules are tied down to your security policy (web ACL)
• Rules can be copied, pasted, and deleted without restriction
• Provide top-down level overview

Shareable elements: IP Set, Rule Group, Regex Set

Enhancements to Rule Expression Schema

Introduction of Web ACL Capacity Unit (WCU)
• Dimension that is used to calculate and control the operating resources that are used to process your rules within a web ACL
• By default, max WCU allowed per web ACL is 1,500

Match Statement                                                  WCU Consumed
Geographic match                                                 1
IP set match (containing up to 10,000 IPs)                       1
Size constraint match                                            1
String match (starts and ends with) / String match (contains)    2 / 10
Regex set match (containing up to 10 patterns)                   25
SQLi detection / XSS detection                                   20 / 40
Managed Rules                                                    Varies

Enhancements to Rule Expression Schema

Support for statement nesting and OR logical operation
• Create rules with nested logical operations
• e.g., [A AND (B OR C)], [(A OR B) AND (C OR D)], etc.

Full CIDR range support
• /1 through /32 for IPv4 and /1 through /128 for IPv6

Chainable text transformations
• Useful for sanitizing a field before inspection

What Remains the Same

Existing features and terminology
• e.g., rate-based rule behavior, performance, etc.
• AWS Marketplace managed rules are still supported

Existing APIs will continue to be supported
• Service has been re-labeled to AWS WAF Classic

Demo: Deploying AWS Managed Rules to your web application

What We Covered So Far

AWS Managed Rules is the quickest and easiest way to get started
• Variety of rules to choose from depending on your use case
• Rules are curated and managed for you
• Access to third-party rules through AWS Marketplace

The new WAFv2 API offers more flexibility
• e.g., fewer limits, rule schema enhancements, new console, etc.

However, what if you have a more intricate security policy?

Rule Writing Deep Dive

Writing Your Own Rules for AWS WAF

Two ways to author rules:
• Console (Rule Builder)
• Code (JSON/YAML)

Example: Web ACL (Creation)
>> cat hello-world.json
{
  "Name": "hello-world",
  "DefaultAction": {
    "Allow": {}
  },
  "Description": "My first web ACL on AWS WAF",
  "Rules": [
    { ... }
  ],
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "hello-world"
  }
}

• DefaultAction: action taken if none of the rules matched (set to Block for a positive security model)
• Rules: list of all rule statements (will explore this later)
• VisibilityConfig: visibility configuration options at web ACL level

You must set the region to us-east-1 when configuring a web ACL for CloudFront!

>> aws wafv2 create-web-acl --scope=CLOUDFRONT --region=us-east-1 --cli-input-json file://hello-world.json
>> aws wafv2 create-web-acl --scope=REGIONAL --region=us-east-1 --cli-input-json file://hello-world.json

Example: Web ACL (Post Creation)
>> aws wafv2 get-web-acl --scope=CLOUDFRONT --region=us-east-1 --name=hello-world --id=f2fe2787-9fc6-4a26-b944
{
  "WebACL": {
    "Name": "hello-world",
    "Id": "f2fe2787-9fc6-4a26-b944",
    "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/hello-world/f2fe2787-9fc6-4a26-b944",
    "DefaultAction": {
      "Allow": {}
    },
    "Description": "My first web ACL on AWS WAF",
    "Rules": [
      { ... }
    ],
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "hello-world"
    },
    "Capacity": 700
  },
  "LockToken": "b806c708-edc1"
}

Call get-web-acl first to get a lock token, then pass it to update-web-acl:

>> aws wafv2 update-web-acl --scope=CLOUDFRONT --region=us-east-1 --name=hello-world --lock-token=b806c708-edc1 --id=f2fe2787-9fc6-4a26-b944 --cli-input-json file://hello-world.json

Example: Simple String Match Rule
{
  "Name": "Fruit",
  "Priority": 1,
  "Action": {
    "Block": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "Fruit"
  },
  "Statement": {
    "ByteMatchStatement": {
      "FieldToMatch": {
        "Body": {}
      },
      "PositionalConstraint": "CONTAINS",
      "SearchString": "watermelon",
      "TextTransformations": [
        {
          "Type": "NONE",
          "Priority": 0
        }
      ]
    }
  }
}

• Priority: sequence in which the rule will execute (lower value represents higher priority)
• Action: action taken by the rule if it matches (can be “Allow”, “Block” or “Count”)
• VisibilityConfig: visibility configuration options at individual rule level
• Statement: rule signature, instructing where and what to inspect (format varies depending on statement type)
• FieldToMatch: a single FieldToMatch per rule statement. Available fields: SingleHeader, SingleQueryArgument, AllQueryArguments, UriPath, QueryString, Body, Method
• TextTransformations: list desired transformations in order. Available transformations: NONE, COMPRESS_WHITE_SPACE, HTML_ENTITY_DECODE, LOWERCASE, CMD_LINE, URL_DECODE

Available Rule Statements

Attack Prevention
• SqliMatchStatement
• XssMatchStatement
• ManagedRuleGroupStatement

Traffic Filtering
• RateBasedStatement
• IPSetReferenceStatement
• GeoMatchStatement

Pattern Matching
• RegexPatternSetReferenceStatement
• ByteMatchStatement
• SizeConstraintStatement

Logical Operation
• AndStatement
• OrStatement
• NotStatement

Please check out the AWS WAFv2 API Reference for full detail

Example: Nesting Rules Using Logical Operators
{
  "Name": "nesting-example",
  "Priority": 0,
  "Action": {
    "Block": {}
  },
  "VisibilityConfig": { ... },
  "Statement": {
    "AndStatement": {
      "Statements": [
        {
          "XssMatchStatement": { ... }
        },
        {
          "OrStatement": {
            "Statements": [
              {
                "NotStatement": {
                  "Statement": {
                    "ByteMatchStatement": { ... }
                  }
                }
              },
              {
                "GeoMatchStatement": { ... }
              }
            ]
          }
        }
      ]
    }
  }
}

Zooming into the "Statement" portion: it expresses {A AND [NOT(B) OR C]}. Block a request that is detected as an XSS attack (A) and that either does not contain a certain string (NOT B) or is from a certain country (C).

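The nested statement above can be reasoned about locally before it is deployed. The following is an added example, not code from the deck or from AWS: a small Python evaluator for the subset of the WAF v2 statement schema used here (ByteMatchStatement, GeoMatchStatement and the And/Or/Not operators) that walks a web ACL's rules in Priority order, applies text transformations in Priority order, and lets Count rules record a hit without terminating. Because the XSS and SQLi engines run inside the service, "A" is a ByteMatchStatement standing in for the deck's XssMatchStatement; the request dict shape, the header name x-fruit-stand, the strings and the country code ZZ are assumptions, SearchString is handled as plain text (the raw API wants Base64), and URL_DECODE is approximated with unquote_plus.

```python
# Added example, not AWS code: a local evaluator for the subset of the WAF v2
# statement schema used in this deck. Rules run in Priority order and nested
# And/Or/Not statements are evaluated recursively. Assumptions: the request dict
# shape is constructed, SearchString is plain text (the raw API wants Base64),
# URL_DECODE is approximated with unquote_plus, and the XSS/SQLi engines are not
# modelled (they run inside the service).
import html
import re
from urllib.parse import unquote_plus

def get_field_values(field_to_match, request):
    """Select the strings named by a FieldToMatch object (one field per statement)."""
    (field, spec), = field_to_match.items()
    simple = {"UriPath": "uri", "QueryString": "query_string", "Body": "body", "Method": "method"}
    if field in simple:
        return [request[simple[field]]]
    if field == "SingleHeader":
        return [request["headers"].get(spec["Name"].lower(), "")]
    raise ValueError(f"FieldToMatch not modelled locally: {field}")

TRANSFORMS = {
    "NONE": lambda v: v,
    "LOWERCASE": str.lower,
    "URL_DECODE": unquote_plus,  # approximation of the service's decoder
    "HTML_ENTITY_DECODE": html.unescape,
    "COMPRESS_WHITE_SPACE": lambda v: re.sub(r"\s+", " ", v),
}
CONSTRAINTS = {
    "EXACTLY": lambda hay, needle: hay == needle,
    "STARTS_WITH": str.startswith,
    "ENDS_WITH": str.endswith,
    "CONTAINS": lambda hay, needle: needle in hay,
}

def apply_transformations(value, transformations):
    """Apply TextTransformations to the inspected field in Priority order (lowest first)."""
    for t in sorted(transformations, key=lambda t: t["Priority"]):
        value = TRANSFORMS[t["Type"]](value)  # CMD_LINE is not modelled here (KeyError)
    return value

def byte_match(body, request):
    """ByteMatchStatement: transform each candidate field value, then compare."""
    test = CONSTRAINTS[body["PositionalConstraint"]]
    transforms = body.get("TextTransformations", [])
    return any(test(apply_transformations(raw, transforms), body["SearchString"])
               for raw in get_field_values(body["FieldToMatch"], request))

def evaluate(statement, request):
    """Evaluate one statement; And/Or/Not recurse, leaves inspect the request."""
    (kind, body), = statement.items()
    if kind == "AndStatement":
        return all(evaluate(s, request) for s in body["Statements"])
    if kind == "OrStatement":
        return any(evaluate(s, request) for s in body["Statements"])
    if kind == "NotStatement":
        return not evaluate(body["Statement"], request)
    if kind == "ByteMatchStatement":
        return byte_match(body, request)
    if kind == "GeoMatchStatement":
        return request["country"] in body["CountryCodes"]
    raise ValueError(f"statement type not modelled locally: {kind}")

def evaluate_web_acl(web_acl, request):
    """Rules run by Priority (lower first); Allow/Block terminate, Count only records a hit.
    Returns (action, terminating rule name or None, names of rules that counted)."""
    counted = []
    for rule in sorted(web_acl["Rules"], key=lambda r: r["Priority"]):
        if evaluate(rule["Statement"], request):
            action = next(iter(rule["Action"]))
            if action == "Count":
                counted.append(rule["Name"])
                continue
            return action, rule["Name"], counted
    return next(iter(web_acl["DefaultAction"])), None, counted

# Constructed rule in the deck's {A AND [NOT(B) OR C]} shape: A is a ByteMatchStatement
# standing in for the XssMatchStatement; header name, strings and country code are placeholders.
NESTING_RULE = {
    "Name": "nesting-example", "Priority": 0, "Action": {"Block": {}},
    "VisibilityConfig": {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
                         "MetricName": "nesting-example"},
    "Statement": {"AndStatement": {"Statements": [
        {"ByteMatchStatement": {"FieldToMatch": {"Body": {}}, "PositionalConstraint": "CONTAINS",
                                "SearchString": "watermelon",
                                "TextTransformations": [{"Type": "URL_DECODE", "Priority": 0},
                                                        {"Type": "LOWERCASE", "Priority": 1}]}},
        {"OrStatement": {"Statements": [
            {"NotStatement": {"Statement": {"ByteMatchStatement": {
                "FieldToMatch": {"SingleHeader": {"Name": "x-fruit-stand"}},
                "PositionalConstraint": "EXACTLY", "SearchString": "approved",
                "TextTransformations": [{"Type": "NONE", "Priority": 0}]}}}},
            {"GeoMatchStatement": {"CountryCodes": ["ZZ"]}}]}}]}},
}
WEB_ACL = {"Name": "hello-world", "DefaultAction": {"Allow": {}}, "Rules": [NESTING_RULE]}

def make_request(body="", headers=None, country="US"):
    """Constructed request in the shape the evaluator expects (header names lower-cased)."""
    return {"uri": "/order", "method": "POST", "query_string": "", "body": body,
            "headers": {k.lower(): v for k, v in (headers or {}).items()}, "country": country}
```

A request whose body contains "watermelon" (after URL decoding and lower-casing) is blocked unless it carries the exact header value and comes from a country outside the list; switching the rule's Action to Count in the same structure shows why Count is the safe first deployment mode, since the default action then decides and the hit is only recorded.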
Example: Nesting Rules Using Logical Operators
"Statement": {
  "AndStatement": {
    "Statements": [
      {
        "XssMatchStatement": { ... } // WCU = 40
      },
      {
        "OrStatement": {
          "Statements": [
            {
              "NotStatement": {
                "Statement": {
                  "ByteMatchStatement": { ... } // WCU = 10
                }
              }
            },
            {
              "GeoMatchStatement": { ... } // WCU = 1
            }
          ]
        }
      }
    ]
  }
}

Logical operators do not consume any WCU. Total WCU = 51.

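To check a web ACL against the 1,500 WCU default before calling create-web-acl, here is an added example (not AWS's capacity calculator, which produces the authoritative Capacity value shown in the get-web-acl output earlier) that sums the per-statement costs from the WCU table above over a statement tree, with logical operators free as the slide states. It reproduces the 51 WCU of the nesting example and also works across a whole web ACL and for managed rule groups, whose varying costs the caller supplies. The deck's table does not list text-transformation costs, so the figure is a lower bound; the elided { ... } bodies are filled with constructed placeholders.

```python
# Added example, not AWS's own capacity calculator: estimates the WCU of a web ACL
# from the per-statement costs quoted in this deck. The service computes the
# authoritative value on create/update and returns it as "Capacity". The deck's
# table omits text-transformation costs, so treat the result as a lower bound.
DEFAULT_MAX_WCU = 1500  # deck: default maximum per web ACL

LEAF_WCU = {
    "GeoMatchStatement": 1,
    "IPSetReferenceStatement": 1,
    "SizeConstraintStatement": 1,
    "RegexPatternSetReferenceStatement": 25,
    "SqliMatchStatement": 20,
    "XssMatchStatement": 40,
}

def byte_match_wcu(body):
    """Deck: starts/ends with = 2, contains = 10; other constraints treated as 10 (assumption)."""
    return 2 if body.get("PositionalConstraint") in ("STARTS_WITH", "ENDS_WITH") else 10

def statement_wcu(statement, managed_costs=None):
    """Sum leaf costs; And/Or/Not themselves are free. Managed rule group costs vary and
    are supplied by the caller as {(VendorName, Name): wcu}."""
    (kind, body), = statement.items()
    if kind in ("AndStatement", "OrStatement"):
        return sum(statement_wcu(s, managed_costs) for s in body["Statements"])
    if kind == "NotStatement":
        return statement_wcu(body["Statement"], managed_costs)
    if kind == "ByteMatchStatement":
        return byte_match_wcu(body)
    if kind == "ManagedRuleGroupStatement":
        return (managed_costs or {})[(body["VendorName"], body["Name"])]
    if kind in LEAF_WCU:
        return LEAF_WCU[kind]
    raise ValueError(f"no WCU figure in the deck for {kind}")

def web_acl_wcu(web_acl, managed_costs=None, max_wcu=DEFAULT_MAX_WCU):
    """Per-rule breakdown, total, and whether the total fits the limit."""
    per_rule = {r["Name"]: statement_wcu(r["Statement"], managed_costs) for r in web_acl["Rules"]}
    total = sum(per_rule.values())
    return {"per_rule": per_rule, "total": total, "fits": total <= max_wcu}

# The deck's nesting example, with the elided "{ ... }" bodies filled with minimal
# constructed placeholders (their values do not affect the WCU arithmetic).
NESTING_STATEMENT = {"AndStatement": {"Statements": [
    {"XssMatchStatement": {"FieldToMatch": {"Body": {}}, "TextTransformations": []}},
    {"OrStatement": {"Statements": [
        {"NotStatement": {"Statement": {"ByteMatchStatement": {
            "FieldToMatch": {"Body": {}}, "PositionalConstraint": "CONTAINS",
            "SearchString": "placeholder", "TextTransformations": []}}}},
        {"GeoMatchStatement": {"CountryCodes": ["ZZ"]}}]}}]}}

WEB_ACL = {"Name": "hello-world", "DefaultAction": {"Allow": {}}, "Rules": [
    {"Name": "nesting-example", "Priority": 0, "Action": {"Block": {}}, "Statement": NESTING_STATEMENT},
    {"Name": "Fruit", "Priority": 1, "Action": {"Block": {}},
     "Statement": {"ByteMatchStatement": {"FieldToMatch": {"Body": {}},
                                          "PositionalConstraint": "CONTAINS",
                                          "SearchString": "watermelon", "TextTransformations": []}}},
]}
```

Sixty regex-set rules at 25 WCU each exactly fill the default budget; the sixty-first pushes the estimate to 1,525 and the ACL would be rejected, which is the kind of arithmetic worth doing before a migration adds many Classic rules to one web ACL.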
Some Caveats to Rule Writing

Leverage console’s built-in JSON editor for schema validation
• Copy and paste the code into the editor to check

For string match, the inspection is done in Base64
• API: encode string in Base64
• CloudFormation: use SearchString or SearchStringBase64
• CLI, SDK, Console: string will be Base64 encoded automatically

For regex match, the inspection is done in UTF-8
• Perl Compatible Regular Expressions (PCRE) with some restrictions

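The console editor check and the Base64 caveat can be approximated locally. The following added example (not the console's validator and not AWS code) performs the schema checks this deck implies on a rule document, one statement type per object, a single FieldToMatch, only the listed transformations and actions, unique rule priorities, and Base64-encodes every SearchString the way the raw API expects. Only the statement types, fields and transformations named in the deck are accepted, which is stricter than the real schema; FRUIT_RULE is the deck's rule as a Python dict and BAD_DOC is a constructed, deliberately broken variant. To check a pasted document, feed json.loads of the text to validate_web_acl.

```python
# Added example, not the console's validator: a local pre-flight check in the
# spirit of the "paste it into the console JSON editor" tip, plus the Base64
# caveat for SearchString on the raw API. Only names from this deck are accepted,
# which is stricter than the real schema; the sample documents are constructed.
import base64
import copy

ACTIONS = {"Allow", "Block", "Count"}
FIELDS = {"SingleHeader", "SingleQueryArgument", "AllQueryArguments", "UriPath",
          "QueryString", "Body", "Method"}
TRANSFORMATIONS = {"NONE", "COMPRESS_WHITE_SPACE", "HTML_ENTITY_DECODE", "LOWERCASE",
                   "CMD_LINE", "URL_DECODE"}
INSPECTING = {"ByteMatchStatement", "SqliMatchStatement", "XssMatchStatement",
              "RegexPatternSetReferenceStatement", "SizeConstraintStatement"}
OTHER = {"ManagedRuleGroupStatement", "RateBasedStatement", "IPSetReferenceStatement",
         "GeoMatchStatement"}

def check_statement(statement, path, problems):
    """Recursively verify one statement object, appending readable problems."""
    if not isinstance(statement, dict) or len(statement) != 1:
        problems.append(f"{path}: must be an object with exactly one statement type")
        return
    (kind, body), = statement.items()
    if kind in ("AndStatement", "OrStatement"):
        subs = body.get("Statements", [])
        if len(subs) < 2:
            problems.append(f"{path}.{kind}: needs at least two nested statements")
        for i, sub in enumerate(subs):
            check_statement(sub, f"{path}.{kind}.Statements[{i}]", problems)
    elif kind == "NotStatement":
        check_statement(body.get("Statement"), f"{path}.NotStatement.Statement", problems)
    elif kind in INSPECTING:
        field = body.get("FieldToMatch", {})
        if len(field) != 1 or next(iter(field)) not in FIELDS:
            problems.append(f"{path}.{kind}: exactly one FieldToMatch is required")
        transforms = body.get("TextTransformations", [])
        if len({t.get("Priority") for t in transforms}) != len(transforms):
            problems.append(f"{path}.{kind}: TextTransformations priorities must be unique")
        for t in transforms:
            if t.get("Type") not in TRANSFORMATIONS:
                problems.append(f"{path}.{kind}: unknown transformation {t.get('Type')}")
        if kind == "ByteMatchStatement" and "SearchString" not in body:
            problems.append(f"{path}.ByteMatchStatement: SearchString is required")
    elif kind not in OTHER:
        problems.append(f"{path}: unknown statement type {kind}")

def validate_web_acl(web_acl):
    """Return the list of problems found (empty means every check here passed)."""
    problems = []
    default = web_acl.get("DefaultAction", {})
    if len(default) != 1 or next(iter(default)) not in ("Allow", "Block"):
        problems.append("DefaultAction: must be exactly one of Allow or Block")
    seen_priority = set()
    for i, rule in enumerate(web_acl.get("Rules", [])):
        path = f"Rules[{i}]"
        for key in ("Name", "Priority", "Action", "VisibilityConfig", "Statement"):
            if key not in rule:
                problems.append(f"{path}: missing {key}")
        if rule.get("Priority") in seen_priority:
            problems.append(f"{path}: duplicate priority {rule['Priority']}")
        seen_priority.add(rule.get("Priority"))
        action = rule.get("Action", {})
        if len(action) != 1 or next(iter(action)) not in ACTIONS:
            problems.append(f"{path}: Action must be exactly one of Allow, Block or Count")
        if "Statement" in rule:
            check_statement(rule["Statement"], f"{path}.Statement", problems)
    return problems

def encode_search_strings(web_acl):
    """Copy of the document with every ByteMatchStatement SearchString Base64-encoded,
    as the raw API expects (the CLI, SDKs and console do this for you)."""
    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key == "ByteMatchStatement" and isinstance(value.get("SearchString"), str):
                    value["SearchString"] = base64.b64encode(value["SearchString"].encode()).decode()
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)
    encoded = copy.deepcopy(web_acl)
    walk(encoded)
    return encoded

# Constructed documents: the deck's "Fruit" rule, and a variant with two mistakes
# (a duplicate priority and a misspelled transformation).
FRUIT_RULE = {"Name": "Fruit", "Priority": 1, "Action": {"Block": {}},
              "VisibilityConfig": {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
                                   "MetricName": "Fruit"},
              "Statement": {"ByteMatchStatement": {"FieldToMatch": {"Body": {}},
                                                   "PositionalConstraint": "CONTAINS", "SearchString": "watermelon",
                                                   "TextTransformations": [{"Type": "NONE", "Priority": 0}]}}}
GOOD_DOC = {"Name": "hello-world", "DefaultAction": {"Allow": {}}, "Rules": [FRUIT_RULE]}
BAD_RULE = copy.deepcopy(FRUIT_RULE)
BAD_RULE["Name"] = "Fruit2"
BAD_RULE["Statement"]["ByteMatchStatement"]["TextTransformations"] = [{"Type": "LOWER", "Priority": 0}]
BAD_DOC = {"Name": "hello-world", "DefaultAction": {"Allow": {}}, "Rules": [FRUIT_RULE, BAD_RULE]}
```

The encoder returns a copy so the readable document you keep in version control still shows "watermelon" while the body sent to the API carries the Base64 form; the priority check catches the most common copy-and-paste mistake when rules are duplicated and edited.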
Demo: Writing your own rules using JSON editor

Tips on Troubleshooting Rules

Test rules by putting them into Count mode first
• Use tools such as Postman or curl to generate test requests

Use CloudWatch metrics and sampled requests for a quick sanity check
• Provides a summary of what WAF has seen over a specific period of time
• Limited header information

Use logging if you require full detail
• First create a Kinesis Firehose with a name starting with “aws-waf-logs-”
• Can also use Elasticsearch and Kibana for dashboards

Migrating from Classic to New AWS WAF

Some Caveats Before Migrating

Start out with AWS Managed Rules in Count mode
• Use logging and metrics to establish a baseline

Plan out your rules
• Content from the OWASP whitepaper (July 2017) is still valid but may overlap
• Create rule groups for reusability across multiple web ACLs

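Both the troubleshooting tips and the migration advice come down to the same workflow: run rules in Count mode, then read the logs to see what they would have blocked. The following added example (not an AWS tool) summarises WAF log records, the JSON lines a Kinesis Firehose named aws-waf-logs-... delivers, into that baseline: actions taken, terminating rules, and per counted rule the URIs and client addresses it matched. Field names follow the WAF log record format (nonTerminatingMatchingRules, ruleGroupList with excludedRules of exclusionType EXCLUDED_AS_COUNT, httpRequest); the five records, addresses, rule names and country codes are constructed samples.

```python
# Added example, not an AWS tool: summarises AWS WAF log records (the JSON lines
# a Kinesis Firehose named "aws-waf-logs-..." delivers) into the baseline the deck
# recommends before switching rules from Count to Block. Field names follow the
# WAF log record format; the five records below are constructed samples with
# placeholder addresses, countries and rule names.
import json
from collections import Counter, defaultdict

def record(action, terminating, uri, ip, country, counted=(), groups=()):
    """Build one constructed log record in the WAF log shape."""
    return {"timestamp": 1585555200000, "formatVersion": 1, "action": action,
            "terminatingRuleId": terminating, "terminatingRuleType": "REGULAR",
            "nonTerminatingMatchingRules": [{"ruleId": r, "action": "COUNT"} for r in counted],
            "ruleGroupList": list(groups),
            "httpRequest": {"clientIp": ip, "country": country, "uri": uri, "httpMethod": "POST",
                            "headers": [{"name": "User-Agent", "value": "sample/1.0"}]}}

# A managed rule group entry in which one rule was excluded (i.e. set to count).
COMMON_COUNTED = {"ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet", "terminatingRule": None,
                  "nonTerminatingMatchingRules": [],
                  "excludedRules": [{"exclusionType": "EXCLUDED_AS_COUNT", "ruleId": "SizeRestrictions_BODY"}]}

SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    record("ALLOW", "Default_Action", "/index.html", "198.51.100.10", "US"),
    record("ALLOW", "Default_Action", "/api/order", "198.51.100.11", "US", counted=["Fruit"]),
    record("BLOCK", "nesting-example", "/api/order", "203.0.113.5", "ZZ"),
    record("ALLOW", "Default_Action", "/upload", "198.51.100.12", "US", groups=[COMMON_COUNTED]),
    record("ALLOW", "Default_Action", "/api/order", "198.51.100.13", "US", counted=["Fruit"]),
])

def parse_log_lines(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def counted_rules(rec):
    """Ids of rules that matched in Count mode: custom rules in nonTerminatingMatchingRules,
    and managed-group rules that were excluded as count."""
    for m in rec.get("nonTerminatingMatchingRules", []):
        if m.get("action") == "COUNT":
            yield m["ruleId"]
    for group in rec.get("ruleGroupList", []):
        for ex in group.get("excludedRules") or []:
            if ex.get("exclusionType") == "EXCLUDED_AS_COUNT":
                yield f"{group['ruleGroupId']}/{ex['ruleId']}"

def summarize(records):
    """Baseline: actions taken, terminating rules, and per counted rule the URIs and
    client IPs it matched, i.e. what would be blocked once the rule is enforced."""
    actions, terminating, count_hits = Counter(), Counter(), Counter()
    counted_uris, counted_ips = defaultdict(Counter), defaultdict(Counter)
    for rec in records:
        actions[rec["action"]] += 1
        terminating[rec["terminatingRuleId"]] += 1
        for rule_id in counted_rules(rec):
            count_hits[rule_id] += 1
            counted_uris[rule_id][rec["httpRequest"]["uri"]] += 1
            counted_ips[rule_id][rec["httpRequest"]["clientIp"]] += 1
    return {"requests": len(records), "actions": dict(actions), "terminating": dict(terminating),
            "count_hits": dict(count_hits),
            "counted_uris": {k: dict(v) for k, v in counted_uris.items()},
            "counted_ips": {k: dict(v) for k, v in counted_ips.items()}}

def baseline(text=SAMPLE_LOG):
    """Parse and summarise; the result is what to review before moving a rule out of Count."""
    return summarize(parse_log_lines(text))
```

On the sample, the Fruit rule would have blocked two requests to /api/order and the excluded managed rule one upload; reviewing those URIs and sources against expected traffic is the baseline check before the rule's Action is changed to Block. For real volumes, point parse_log_lines at the objects Firehose wrote to S3 instead of the inline sample.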
Some Caveats Before Migrating

If you are using AWS WAF Security Automations:
• Do not attempt to migrate manually, as internal components will be referenced to old rules and web ACL
• Version 3.0 will support the new “wafv2” API

Sneak Peek: Migration API

1. Fetch 2. Generate 3. Deploy

Q&A

Parting Words

AWS WAF provides a first line of defense for your web application
• Highly scalable rule engine, now with AWS Managed Rules
• Many customers are using AWS WAF to protect their production workloads today

Look out for the following helpful materials in the near future:
• Whitepaper: Guidance for Implementing AWS WAF
• Blog: Migrating your firewall rules from Classic to the new AWS WAF
• GitHub: https://github.com/aws-samples/wafv2-json-yaml-samples/
• Solution: AWS WAF Security Automations v3.0

Thank You!
We welcome your feedback. Please share your thoughts on social media.
