AWS WAF and AWS Shield Advanced
Developer Guide (API Version 2015-08-24)

Tutorial: Quickly Setting Up AWS WAF Protection Against Common Attacks

This tutorial shows you how to use AWS CloudFormation to quickly configure AWS WAF to protect against the following common attacks:

  • Cross-site scripting attacks – Attackers sometimes insert scripts into web requests in an effort to exploit vulnerabilities in web applications. Cross-site scripting match conditions identify the parts of web requests, such as the URI or the query string, that you want AWS WAF to inspect for possible malicious scripts.

  • SQL injection attacks – Attackers sometimes insert malicious SQL code into web requests in an effort to extract data from your database. SQL injection match conditions identify the part of web requests that you want AWS WAF to inspect for possible malicious SQL code.

  • Attacks from known bad IP addresses – You can use IP match conditions to allow, block, or count web requests based on the IP addresses that the requests originate from. An IP match condition lists up to 1,000 IP addresses or IP address ranges that you specify.

Note

This tutorial assumes that you have a CloudFront distribution that you use to deliver content for your web application. If you don't have a CloudFront distribution, see Creating or Updating a Web Distribution Using the CloudFront Console in the Amazon CloudFront Developer Guide.

Solution Overview

AWS CloudFormation uses a template to set up the following AWS WAF conditions, rules, and a web ACL.

Conditions

AWS CloudFormation creates the following conditions.

IP Match Condition

Filters requests that come from known bad IP addresses. This lets you easily add IPs to a list to block access to your website. You might want to do this if you're receiving a lot of bad requests from one or more IP addresses. If you want to allow, block, or count requests based on the IP addresses that the requests come from, see Step 3: (Optional) Add IP Addresses to the IP Match Condition later in this tutorial.

The name of the condition is prefixManualBlockSet where prefix is the name that you specify for the web ACL when you create the AWS CloudFormation stack.

Size Constraint Condition

Filters requests for which the body is longer than 8,192 bytes. AWS WAF evaluates only the first 8,192 bytes of the request part that you specify in a filter, so anything beyond that point in a body is not inspected by the other conditions. If valid request bodies never exceed 8,192 bytes, you can use a size constraint condition to catch malicious requests that might otherwise slip through.

For this tutorial, AWS CloudFormation configures AWS WAF only to count, not block, requests that have a body longer than 8,192 bytes. If the body in your requests never exceeds that length, you can change the configuration to block requests that have longer bodies. For information about how to view the count of requests that exceed 8,192 bytes and how to change the web ACL to block requests that contain bodies larger than 8,192 bytes, see Step 4: (Optional) Update the Web ACL to Block Large Bodies.

The name of the condition is prefixLargeBodyMatch where prefix is the name that you specify for the web ACL when you create the AWS CloudFormation stack.

SQL Injection Condition

Filters requests that contain possible malicious SQL code. The condition includes filters that evaluate the following parts of requests:

  • Query string (URL decode transformation)

  • URI (URL decode transformation)

  • Body (URL decode transformation)

  • Body (HTML decode transformation)

The name of the condition is prefixSqliMatch where prefix is the name that you specify for the web ACL when you create the AWS CloudFormation stack.

Cross-site Scripting Condition

Filters requests that contain possible malicious scripts. The condition includes filters that evaluate the following parts of requests:

  • Query string (URL decode transformation)

  • URI (URL decode transformation)

  • Body (URL decode transformation)

  • Body (HTML decode transformation)

The name of the condition is prefixXssMatch where prefix is the name that you specify for the web ACL when you create the AWS CloudFormation stack.

Rules

When you create the AWS CloudFormation stack, AWS CloudFormation creates the following rules and adds the corresponding condition to each rule:

prefixManualIPBlockRule

AWS CloudFormation adds the prefixManualBlockSet condition to this rule.

prefixSizeMatchRule

AWS CloudFormation adds the prefixLargeBodyMatch condition to this rule.

prefixSqliRule

AWS CloudFormation adds the prefixSqliMatch condition to this rule.

prefixXssRule

AWS CloudFormation adds the prefixXssMatch condition to this rule.

Web ACL

AWS CloudFormation creates a web ACL that has the name that you specify when you create the AWS CloudFormation stack. The web ACL contains the following rules with the specified settings:

prefixManualIPBlockRule

By default, the condition in this rule doesn't contain any IP addresses. If you want to allow, block, or count requests based on the IP addresses that the requests come from, see Step 3: (Optional) Add IP Addresses to the IP Match Condition later in this tutorial.

prefixSizeMatchRule

By default, AWS WAF counts requests for which the body is longer than 8,192 bytes.

prefixSqliRule

AWS WAF blocks requests based on the settings in this rule.

prefixXssRule

AWS WAF blocks requests based on the settings in this rule.
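As an added illustration (not the tutorial's own common-attacks.json template), the following CloudFormation YAML expresses the same conditions, rules, and web ACL described above; the logical resource names and the Name parameter are assumptions, and the cross-site scripting condition and rule, which are built exactly like the SQL injection ones, are not shown:

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  Name: {Type: String, Default: CommonAttackProtection}  # web ACL name; alphanumeric, also used as prefix
Resources:
  ManualBlockSet:                       # IP match condition, empty until you add addresses (Step 3)
    Type: AWS::WAF::IPSet
    Properties: {Name: !Sub "${Name}ManualBlockSet"}
  LargeBodyMatch:                       # size constraint: body longer than 8,192 bytes
    Type: AWS::WAF::SizeConstraintSet
    Properties:
      Name: !Sub "${Name}LargeBodyMatch"
      SizeConstraints:
        - {FieldToMatch: {Type: BODY}, TextTransformation: NONE, ComparisonOperator: GT, Size: 8192}
  SqliMatch:                            # SQL injection condition with the four decoded filters
    Type: AWS::WAF::SqlInjectionMatchSet
    Properties:
      Name: !Sub "${Name}SqliMatch"
      SqlInjectionMatchTuples:
        - {FieldToMatch: {Type: QUERY_STRING}, TextTransformation: URL_DECODE}
        - {FieldToMatch: {Type: URI}, TextTransformation: URL_DECODE}
        - {FieldToMatch: {Type: BODY}, TextTransformation: URL_DECODE}
        - {FieldToMatch: {Type: BODY}, TextTransformation: HTML_ENTITY_DECODE}
  ManualIPBlockRule:
    Type: AWS::WAF::Rule
    Properties:
      Name: !Sub "${Name}ManualIPBlockRule"
      MetricName: !Sub "${Name}ManualIPBlockRule"
      Predicates: [{DataId: !Ref ManualBlockSet, Negated: false, Type: IPMatch}]
  SizeMatchRule:
    Type: AWS::WAF::Rule
    Properties:
      Name: !Sub "${Name}SizeMatchRule"
      MetricName: !Sub "${Name}SizeMatchRule"
      Predicates: [{DataId: !Ref LargeBodyMatch, Negated: false, Type: SizeConstraint}]
  SqliRule:
    Type: AWS::WAF::Rule
    Properties:
      Name: !Sub "${Name}SqliRule"
      MetricName: !Sub "${Name}SqliRule"
      Predicates: [{DataId: !Ref SqliMatch, Negated: false, Type: SqlInjectionMatch}]
  WebACL:
    Type: AWS::WAF::WebACL
    Properties:
      Name: !Ref Name
      MetricName: !Ref Name
      DefaultAction: {Type: ALLOW}      # requests that match no rule are allowed
      Rules:
        - {Action: {Type: BLOCK}, Priority: 1, RuleId: !Ref ManualIPBlockRule}
        - {Action: {Type: COUNT}, Priority: 2, RuleId: !Ref SizeMatchRule}  # count only; change to BLOCK in Step 4
        - {Action: {Type: BLOCK}, Priority: 3, RuleId: !Ref SqliRule}
```

Because these AWS::WAF resources are the global kind that CloudFront uses, the stack must be created in the US East (N. Virginia) region.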

Requirements

This tutorial assumes that you have a CloudFront distribution that you use to deliver content for your web application. If you don't have a CloudFront distribution, see Creating or Updating a Web Distribution Using the CloudFront Console in the Amazon CloudFront Developer Guide. This tutorial also uses AWS CloudFormation to simplify the provisioning process. For more information, see the AWS CloudFormation User Guide.

Estimated Time

The estimated time to complete this tutorial is 15 minutes if you already have a CloudFront distribution, or 30 minutes if you need to create a CloudFront distribution.

Costs

There is a cost associated with the resources that you create during this tutorial. You can delete the resources after you finish the tutorial to stop incurring charges. For more information, see AWS WAF Pricing and Amazon CloudFront Pricing.

Step 1: Create an AWS CloudFormation Stack That Sets Up AWS WAF Protection Against Common Attacks

In the following procedure, you use an AWS CloudFormation template to create a stack that sets up AWS WAF protection against common attacks.

Important

You begin to incur charges for the different services when you create the AWS CloudFormation stack that deploys this solution. Charges continue to accrue until you delete the AWS CloudFormation stack. For more information, see Step 5: (Optional) Delete Your AWS CloudFormation Stack.

To create an AWS CloudFormation stack for blocking IP addresses that submit bad requests

  1. To start the process that creates an AWS CloudFormation stack, choose the link for the region in which you want to create AWS resources:

  2. If you are not already signed in to the AWS Management Console, sign in when prompted.

  3. On the Select Template page, choose Specify an Amazon S3 template URL. For the template URL, type https://s3.amazonaws.com/cloudformation-examples/community/common-attacks.json.

  4. Choose Next.

  5. On the Specify Details page, specify the following values:

    Stack Name

    You can use the default name (CommonAttackProtection), or you can change the name. The stack name must not contain spaces and must be unique within your AWS account.

    Name

    Specify a name for the web ACL that AWS CloudFormation will create. The name that you specify is also used as a prefix for the conditions and rules that AWS CloudFormation will create, so you can easily find all the related objects.

  6. Choose Next.

  7. (Optional) On the Options page, enter tags and advanced settings or leave the boxes blank.

  8. Choose Next.

  9. On the Review page, review the configuration, and then choose Create.

    After you choose Create, AWS CloudFormation creates the AWS WAF resources that are identified in Solution Overview.

Step 2: Associate a Web ACL with a CloudFront Distribution

After AWS CloudFormation creates the stack, you must associate the web ACL with your CloudFront distribution to activate AWS WAF.

Note

You can associate a web ACL with as many distributions as you want, but you can associate only one web ACL with a given distribution.

To associate a web ACL with a CloudFront distribution

  1. Sign in to the AWS Management Console and open the AWS WAF console at https://console.aws.amazon.com/waf/.

  2. In the navigation pane, choose Web ACLs.

  3. Choose the web ACL that you want to associate with a CloudFront distribution.

  4. On the Rules tab, under AWS resources using this web ACL, choose Add association.

  5. When prompted, use the Resource list to choose the distribution that you want to associate this web ACL with.

  6. Choose Add.

  7. To associate this web ACL with additional CloudFront distributions, repeat steps 4 through 6.

Step 3: (Optional) Add IP Addresses to the IP Match Condition

When you created the AWS CloudFormation stack, AWS CloudFormation created an IP match condition for you, added it to a rule, added the rule to a web ACL, and configured the web ACL to block requests based on IP addresses. The IP match condition doesn't include any IP addresses, though. If you want to block requests based on IP addresses, perform the following procedure.

To add IP addresses to the IP match condition

  1. Open the AWS WAF console at https://console.aws.amazon.com/waf/.

  2. In the navigation pane, choose IP addresses.

  3. In the IP match conditions pane, choose the IP match condition that you want to edit.

  4. To add an IP address range:

    1. In the right pane, choose Add IP address or range.

    2. Type an IP address or range by using CIDR notation. Here are two examples:

      • To specify the IP address 192.0.2.44, type 192.0.2.44/32.

      • To specify the range of IP addresses from 192.0.2.0 to 192.0.2.255, type 192.0.2.0/24.

      AWS WAF supports /8, /16, /24, and /32 IP address ranges. For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.

      Note

      AWS WAF supports both IPv4 and IPv6 IP addresses.

    3. To add more IP addresses, choose Add another IP address, and then type the value.

    4. Choose Add.

Step 4: (Optional) Update the Web ACL to Block Large Bodies

When you created the AWS CloudFormation stack, AWS CloudFormation created a size constraint condition that filters requests that have request bodies longer than 8,192 bytes. It also added the condition to a rule, and added the rule to the web ACL. In this example, AWS CloudFormation configured the web ACL to count requests, not to block requests. This is useful when you want to confirm you are not blocking valid requests inadvertently.

If you want to block requests whose bodies are longer than 8,192 bytes, perform the following procedure.

To change the action for a rule in a web ACL

  1. Open the AWS WAF console at https://console.aws.amazon.com/waf/.

  2. In the navigation pane, choose Web ACLs.

  3. Choose the web ACL that you want to edit.

  4. In the right pane, choose the Rules tab.

  5. Choose Edit Web ACL.

  6. To change the action for the prefixLargeBodyMatchRule, choose the preferred option. (prefix is the value that you specified for the name of the web ACL.)

  7. Choose Save changes.

Step 5: (Optional) Delete Your AWS CloudFormation Stack

If you want to stop protecting from common attacks as described in Solution Overview, delete the AWS CloudFormation stack that you created in Step 1: Create an AWS CloudFormation Stack That Sets Up AWS WAF Protection Against Common Attacks. This deletes the AWS WAF resources that AWS CloudFormation created and stops the AWS charges for those resources.

To delete an AWS CloudFormation stack

  1. Sign in to the AWS Management Console and open the AWS CloudFormation console at https://console.aws.amazon.com/cloudformation.

  2. Select the check box for the stack. The default name is CommonAttackProtection.

  3. Choose Delete Stack.

  4. Choose Yes, Delete to confirm.

  5. To track the progress of the stack deletion, select the check box for the stack, and choose the Events tab in the bottom pane.

Related Resources

For AWS WAF samples, including Lambda functions, AWS CloudFormation templates, and SDK usage examples, go to GitHub at https://github.com/awslabs/aws-waf-sample.