Appendix E: Monitoring Dashboard - AWS WAF Security Automations

AWS recommends that customers configure a custom baseline monitoring system for each critical endpoint. For information on creating and using Customized Metric Views, see CloudWatch Dashboards.

The dashboard below shows an example of a custom baseline monitoring system:

Figure 12: Monitoring Dashboard

The dashboard displays the following metrics:

  • Allowed vs Blocked Requests: Shows whether you receive a surge in allowed requests (2 times the normal peak) or in blocked requests (any period with more than 1K blocked requests); in the example, Amazon CloudWatch sends an alert to a Slack channel. This metric can be used to track a known DDoS (when blocked requests increase) or a new version of an attack (when the requests are allowed through to the system). Note that this metric is provided by this solution.

  • BytesDownloaded vs Uploaded: Helps identify when a DDoS attack targets a service that normally doesn’t receive a large amount of traffic, in order to exhaust its resources (e.g. a search engine component returning MBs of data for one specific set of request parameters).

  • ELB Spillover and Queue Length: Helps verify whether an attack is causing damage to the infrastructure because the attacker is bypassing the Amazon CloudFront or AWS WAF layer and attacking unprotected resources directly.

  • ELB Request Count: Helps identify damage to the infrastructure. This metric shows if the attacker is bypassing the protection layer, or if an Amazon CloudFront cache rule should be reviewed to increase the cache hit rate.

  • ELB Healthy Host: Can be used as another system health check metric.

  • ASG CPU Utilization: Helps identify whether the attacker is bypassing Amazon CloudFront, AWS WAF, and Elastic Load Balancing. This metric can also be used to gauge the damage caused by an attack.
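The Allowed vs Blocked alert rule above (allowed requests above 2 times the normal peak, or more than 1K blocked requests in a period) can be evaluated offline and also expressed as a CloudWatch alarm. The following is an added example, not code from the AWS WAF Security Automations solution: the sample data points are constructed, the baseline is assumed to be the highest allowed count in a history window, and the alarm builder assumes an AWS WAFV2 web ACL with an SNS topic that a Slack forwarder subscribes to.

```python
from dataclasses import dataclass

BLOCKED_THRESHOLD = 1_000   # "more than 1K blocked requests" in one period
ALLOWED_SURGE_FACTOR = 2    # "2 times normal peak access"

@dataclass(frozen=True)
class Period:
    """One evaluation period of a web ACL's AWS WAF request counts."""
    label: str
    allowed: int  # AllowedRequests, Sum over the period
    blocked: int  # BlockedRequests, Sum over the period

def normal_peak(history):
    """Baseline 'normal peak access': the highest allowed count seen in history."""
    return max(p.allowed for p in history)

def evaluate(history, current):
    """Return the dashboard alerts that `current` raises against `history`."""
    alerts = []
    peak = normal_peak(history)
    if current.allowed > ALLOWED_SURGE_FACTOR * peak:
        # Allowed surge: traffic the rules let through, e.g. a new attack variant.
        alerts.append(f"{current.label}: allowed surge {current.allowed} > 2 x peak {peak}")
    if current.blocked > BLOCKED_THRESHOLD:
        # Blocked surge: a known pattern the rules are already stopping.
        alerts.append(f"{current.label}: blocked {current.blocked} > {BLOCKED_THRESHOLD}")
    return alerts

def blocked_requests_alarm(web_acl, region, sns_topic_arn):
    """Kwargs for boto3 CloudWatch.put_metric_alarm implementing the blocked rule.
    Assumes an AWS WAFV2 web ACL and an SNS topic that a Slack forwarder
    subscribes to (assumption); the API call itself is not made here."""
    return {
        "AlarmName": f"{web_acl}-blocked-requests-surge",
        "Namespace": "AWS/WAFV2",
        "MetricName": "BlockedRequests",
        "Dimensions": [{"Name": "WebACL", "Value": web_acl},
                       {"Name": "Region", "Value": region},
                       {"Name": "Rule", "Value": "ALL"}],
        "Statistic": "Sum", "Period": 300, "EvaluationPeriods": 1,
        "Threshold": BLOCKED_THRESHOLD, "ComparisonOperator": "GreaterThanThreshold",
        "AlarmActions": [sns_topic_arn],
    }

# Constructed sample data: a quiet baseline, then two suspicious periods.
BASELINE = [Period("mon", 4_000, 120), Period("tue", 5_200, 90), Period("wed", 4_800, 150)]
NEW_VARIANT = Period("thu", 12_000, 140)  # let through by the rules
KNOWN_DDOS = Period("fri", 5_000, 3_400)  # already being blocked
```

Pass the returned dictionary to `boto3.client("cloudwatch").put_metric_alarm(**...)` to create the blocked-requests alarm; the allowed-surge condition needs the baseline peak recomputed periodically, which is why it is evaluated in code here rather than as a fixed-threshold alarm.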