Validation in staging environment - Guidelines for Implementing AWS WAF

Validation in staging environment

After you choose an application, AWS recommends setting up a staging environment. This approach allows you to experiment with AWS WAF without negatively impacting production traffic. There are two approaches to staging, depending on the practices in your organization:

  • Replicate your entire application stack to a staging environment including AWS WAF.

  • Create a new endpoint for your production environment. Your staging environment is based on this new endpoint with AWS WAF deployed. For example, you can create a new CloudFront distribution with a WAF web ACL attached and set the origin to your existing Application Load Balancer.

    Note

    If you are already using CloudFront, you can still create a new CloudFront distribution but you can’t reuse the same domain attached to the existing distribution.

With your WAF staging environment set up, AWS recommends that you restrict access to the entirety of this environment to the authorized developer team. There are multiple options for achieving this:

  • Use AWS WAF to block requests that do not originate from your organization’s public IP address range. However, this approach does not provide authentication and can be difficult to manage if developers work remotely, unless they are required to connect to the corporate network over VPN.

  • Implement an authorization mechanism in your application, and forward the authorization header in CloudFront’s cache behavior configuration.

  • If you do not want to make a change to your application, you can offload authorization to your endpoint. For example, if you are using CloudFront, you can add a Lambda@Edge function that provides access control, or use CloudFront native signed cookies for the same purpose.

Deployment in staging

When deploying a web ACL, AWS recommends starting with the following setup:

  1. Add rules based on your defined requirement.

    If you are new to AWS WAF, or do not have specific requirements, you can start with the coverage for common web vulnerabilities offered by AWS Managed Rules. It is important to think about the order of rules in your web ACL, because AWS WAF processes rules in order of priority and stops evaluating the web ACL at the first matching rule in order to apply that rule's action.

    Note

    Deploying rules in block mode allows you to see how rules impact test traffic in your staging environment. However, consider implementing your production deployment procedures in staging so that your operators understand how AWS WAF behaves before moving to production. It is common to start new rules in count mode before switching to block mode when deploying to production. This way, you avoid compromising the availability of your application because of a misconfigured AWS WAF rule that could block legitimate traffic.

  2. Enable rate-based rules to protect yourself against DDoS types of attack (for example, HTTP flood).

    The rate-based rule keeps track of the number of requests seen per IP address based on a sliding time window of five minutes. The sliding window is updated every 30 seconds, and once the rate limit is reached, the rule immediately takes the configured action against that IP address. It does not wait until the five minutes have passed before taking the action. The rate-based rule keeps blocking requests from the offending IP address until the address lowers the rate of requests being sent from it.

    Note

    You are able to set the limit as low as 100 requests per five minutes; however, AWS recommends that you start with 2,000 requests and gradually reduce this number as needed.
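As an added example that is not part of this guide, the following CloudFormation template encodes the starting setup described above for a CloudFront-scoped web ACL: the AWS Managed Rules common rule set at the highest priority (lowest number, evaluated first) in count mode, followed by a rate-based rule at the recommended 2,000 requests per five-minute window per IP in block mode. The resource and metric names are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Staging web ACL for a CloudFront distribution (added example, names are assumed)
Resources:
  StagingWebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: staging-web-acl
      Scope: CLOUDFRONT          # CLOUDFRONT-scoped web ACLs must be created in us-east-1
      DefaultAction:
        Allow: {}                # traffic that matches no rule is allowed
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: stagingWebAcl
      Rules:
        # Priority 0 is evaluated first. A managed rule group takes an
        # OverrideAction rather than an Action; Count lets operators see
        # what would have been blocked without affecting test traffic.
        - Name: AWSManagedRulesCommonRuleSet
          Priority: 0
          OverrideAction:
            Count: {}
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesCommonRuleSet
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: commonRuleSet
        # Priority 1: block any source IP that exceeds 2,000 requests in the
        # five-minute sliding window; the action is lifted when the rate drops.
        - Name: RateLimitPerIp
          Priority: 1
          Action:
            Block: {}
          Statement:
            RateBasedStatement:
              Limit: 2000
              AggregateKeyType: IP
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: rateLimitPerIp
```

When promoting to production, switch the managed rule group from count mode to enforcement by replacing `Count: {}` under `OverrideAction` with `None: {}`, so the rule group's own block actions take effect.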

After you are satisfied with the rules you created within the staging environment, you can duplicate them to your production environment or another account by simply copying the rules from the web ACL. In the web ACL overview page, there is an option to download the entire web ACL configuration, including all rules, as a JSON file. After downloading the configuration, you can either manually copy the rules and recreate the web ACL, or convert the JSON to YAML and use it in a CloudFormation template to deploy the web ACL.