AWS WAF Security Automations


Architecture Overview

Deploying this solution with the default parameters builds the following environment in the AWS Cloud.

[Figure 2 image: AWS WAF Security Automations architectural overview]

Figure 2: AWS WAF Security Automations architecture on AWS

At the core of the design is an AWS WAF web ACL, which acts as the central inspection and decision point for all incoming requests to a web application. During initial configuration of the AWS CloudFormation stack, you define which protective components to activate. Each component operates independently and adds its own rules to the web ACL, so a request is evaluated against every activated component.

The components of this solution can be grouped into the following areas of protection:

  • Manual IP lists (A and B): This component creates two specific AWS WAF rules that allow you to manually insert IP addresses that you want to block (blacklist) or allow (whitelist).

  • SQL injection (C) and XSS (D): The solution configures two native AWS WAF rules that are designed to protect against common SQL injection or cross-site scripting (XSS) patterns in the URI, query string, or body of a request.

  • HTTP flood (E): This component protects against attacks that consist of a large number of requests from a particular IP address, such as a web-layer DDoS attack or a brute-force login attempt. With this rule, you set a threshold that defines the maximum number of incoming requests allowed from a single IP address within a five-minute period. Once this threshold is breached, additional requests from the IP address are temporarily blocked. You can implement this rule by using an AWS WAF rate-based rule or by processing AWS WAF logs using an AWS Lambda function or an Amazon Athena query. For more information about the tradeoffs related to HTTP flood mitigation options, see Appendix A.

  • Scanners and Probes (F): This component parses application access logs (CloudFront or Application Load Balancer access logs delivered to Amazon S3) searching for suspicious behavior, such as an abnormal number of error responses (for example, 4xx codes) returned by the origin to a single source IP address. It then blocks those suspicious source IP addresses for a customer-defined period of time. You can implement this rule using an AWS Lambda function or an Amazon Athena query. For more information about the tradeoffs related to Scanners and Probes mitigation options, see Appendix A.

  • IP Reputation Lists (G): This component is the IP Lists Parser AWS Lambda function, which fetches third-party IP reputation lists hourly, parses them, and updates the corresponding AWS WAF IP sets with any new ranges to block. These lists include the Spamhaus Don’t Route Or Peer (DROP) and Extended DROP (EDROP) lists, the Proofpoint Emerging Threats IP list, and the Tor exit node list.

  • Bad Bots (H): This component automatically sets up a honeypot, which is a security mechanism intended to lure and deflect an attempted attack. The solution’s honeypot is a trap endpoint that you insert in your website, unlinked for human visitors and listed as disallowed in robots.txt, to detect inbound requests from content scrapers and bad bots that ignore those signals. If a source accesses the honeypot, the Access Handler AWS Lambda function intercepts and inspects the request to extract its source IP address, and then adds it to an AWS WAF block list.
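The HTTP flood (E) and Scanners and Probes (F) components above both reduce to the same log-processing logic: count, per source IP, the requests and the error responses seen inside a trailing five-minute window, and put any IP that crosses a threshold on a block list with an expiry. The following is an added example of that logic, not the solution's own Log Parser Lambda code. It parses CloudFront standard access log lines (tab-separated; the first nine fields are date, time, edge location, bytes, client IP, method, host, URI and status), and the thresholds, block period, error-code set and log lines are all assumed or constructed for the example.

```python
"""Sliding-window detection of HTTP floods and scanners/probes over access logs.

Added example; not the AWS WAF Security Automations Log Parser code.
Thresholds, block period and sample log lines below are assumed/constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)             # evaluation window, matches the five-minute period in the text
FLOOD_THRESHOLD = 100                     # assumed: max requests per IP per window
ERROR_THRESHOLD = 50                      # assumed: max error responses per IP per window
BLOCK_PERIOD = timedelta(hours=4)         # assumed customer-defined block period
ERROR_CODES = {400, 403, 404, 405}        # assumed set of "probe-like" status codes


def parse_cloudfront_line(line):
    """Parse one CloudFront standard log line into {ts, ip, status}; None for headers/short lines."""
    if line.startswith("#"):
        return None
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 9:
        return None
    ts = datetime.strptime(fields[0] + " " + fields[1], "%Y-%m-%d %H:%M:%S")
    return {"ts": ts.replace(tzinfo=timezone.utc), "ip": fields[4], "status": int(fields[8])}


def analyse(records, now):
    """Return {ip: {"reasons": [...], "expires": datetime}} for IPs over a threshold in the window."""
    window_start = now - WINDOW
    requests, errors = defaultdict(int), defaultdict(int)
    for r in records:
        if window_start <= r["ts"] <= now:          # ignore anything outside the trailing window
            requests[r["ip"]] += 1
            if r["status"] in ERROR_CODES:
                errors[r["ip"]] += 1
    blocks = {}
    for ip, count in requests.items():
        reasons = []
        if count > FLOOD_THRESHOLD:                 # HTTP flood (E): too many requests
            reasons.append("flood")
        if errors[ip] > ERROR_THRESHOLD:            # Scanners and Probes (F): too many errors
            reasons.append("scanner")
        if reasons:
            blocks[ip] = {"reasons": reasons, "expires": now + BLOCK_PERIOD}
    return blocks


def expire_blocks(blocks, now):
    """Drop entries whose block period has elapsed (run on each invocation before updating the IP set)."""
    return {ip: b for ip, b in blocks.items() if b["expires"] > now}


# --- constructed sample log (not real traffic) ---------------------------------
NOW = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)


def _line(ts, ip, status, uri="/index.html"):
    return "\t".join([ts.strftime("%Y-%m-%d"), ts.strftime("%H:%M:%S"), "IAD89-C1", "512",
                      ip, "GET", "d111.cloudfront.net", uri, str(status)])


def constructed_log():
    lines = ["#Version: 1.0"]
    lines += [_line(NOW - timedelta(seconds=i), "198.51.100.7", 200) for i in range(120)]       # flood
    lines += [_line(NOW - timedelta(seconds=i), "203.0.113.9", 404, f"/admin{i}") for i in range(60)]  # probing
    lines += [_line(NOW - timedelta(seconds=30 * i), "192.0.2.1", 200) for i in range(5)]       # benign
    lines += [_line(NOW - timedelta(minutes=10, seconds=i), "192.0.2.2", 200) for i in range(500)]  # old, outside window
    return lines


def run_example():
    records = [r for r in map(parse_cloudfront_line, constructed_log()) if r]
    return analyse(records, NOW)


if __name__ == "__main__":
    for ip, b in run_example().items():
        print(ip, b["reasons"], "until", b["expires"].isoformat())
```

The old burst from 192.0.2.2 is deliberately left out of the result: a log-based implementation only sees what falls inside its window, which is why the block period, not the window, controls how long an offender stays blocked, and why the expiry sweep must run before each IP set update.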
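The IP Reputation Lists component (G) has to turn three differently formatted feeds into one set of CIDR strings that AWS WAF accepts. As an added example, not the solution's IP Lists Parser code, the parser below tolerates the layouts those feeds use (`;`-prefixed comments with `CIDR ; SBLnnn` entries in the Spamhaus DROP list, `#` comments with one IP or CIDR per line in the Emerging Threats list, and `ExitAddress <ip> <timestamp>` lines in the Tor exit-address list), normalises hosts to /32 or /128, collapses overlapping ranges, and splits the result by IP version because WAF IP sets are per address version. The feed contents are constructed samples, and the exact feed layouts are assumptions about the upstream sources.

```python
"""Parse public IP reputation feeds into WAF-ready CIDR lists.

Added example; not the AWS WAF Security Automations IP Lists Parser code.
Feed layouts are assumed; the feed texts below are constructed samples.
"""
import ipaddress
import re

# Candidate IPv4 (with optional prefix) or IPv6-looking tokens; ipaddress does the real validation.
_CANDIDATE = re.compile(
    r"(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?"
    r"|(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F:.]*(?:/\d{1,3})?"
)


def parse_reputation_list(text):
    """Return a list of ip_network objects found in a feed, ignoring comments and non-address tokens."""
    nets = []
    for raw in text.splitlines():
        line = re.split(r"[;#]", raw, 1)[0].strip()   # drop ';' (Spamhaus) and '#' (ET) comments
        if not line:
            continue
        for token in _CANDIDATE.findall(line):
            try:
                nets.append(ipaddress.ip_network(token, strict=False))  # hosts become /32 or /128
            except ValueError:
                continue                               # timestamps, fingerprints, etc. are skipped
    return nets


def build_ip_sets(feeds):
    """Merge several feeds into {4: [cidr, ...], 6: [cidr, ...]} with overlaps collapsed."""
    v4, v6 = [], []
    for text in feeds:
        for net in parse_reputation_list(text):
            (v4 if net.version == 4 else v6).append(net)
    return {
        4: [str(n) for n in ipaddress.collapse_addresses(v4)],
        6: [str(n) for n in ipaddress.collapse_addresses(v6)],
    }


# --- constructed feed samples (not fetched from the real sources) --------------
SPAMHAUS_DROP = """; Spamhaus DROP List 2024/01/15 - constructed sample
; https://www.spamhaus.org/drop/drop.txt
1.10.16.0/20 ; SBL256894
2.56.192.0/22 ; SBL473657
"""

EMERGING_THREATS = """# Emerging Threats compromised IPs - constructed sample
1.10.20.5
198.51.100.0/24
198.51.100.42
"""

TOR_EXITS = """ExitNode 0011BD2485AD45D984EC4159C88FC066E5E3300E
Published 2024-01-15 10:00:00
LastStatus 2024-01-15 11:00:00
ExitAddress 203.0.113.77 2024-01-15 11:05:25
ExitAddress 2001:db8:abcd::1 2024-01-15 11:05:25
"""


def run_example():
    return build_ip_sets([SPAMHAUS_DROP, EMERGING_THREATS, TOR_EXITS])


if __name__ == "__main__":
    sets = run_example()
    print("IPv4:", sets[4])
    print("IPv6:", sets[6])
```

Collapsing matters for more than tidiness: 1.10.20.5 from one feed already sits inside 1.10.16.0/20 from another, and a WAF IP set has a finite address budget, so a parser that keeps every raw entry fills it with duplicates. A production parser would also diff the new list against the currently deployed set before calling the WAF API so that an unchanged feed causes no update.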

Each of the three custom AWS Lambda functions in this solution publishes execution metrics to Amazon CloudWatch. For more information on these Lambda functions, see Appendix B.