AWS WAF Security Automations

Architecture Overview

Deploying this solution with the default parameters builds the following environment in the AWS Cloud.


Figure 2: AWS WAF Security Automations architecture on AWS

At the core of the design is an AWS WAF web ACL, which acts as the central inspection and decision point for all incoming requests to a web application. During initial configuration of the AWS CloudFormation stack, the user defines which protective components to activate. Each component operates independently and adds different rules to the web ACL.

The components of this solution can be grouped into the following areas of protection:

  • Honeypot (A) for bad bots and scrapers: This component automatically sets up a honeypot, which is a security mechanism intended to lure and deflect an attempted attack. This solution’s honeypot is a trap endpoint that you can insert in your website to detect inbound requests from content scrapers and bad bots. If a source accesses the honeypot, the Access Handler AWS Lambda function will intercept and inspect the request to extract its IP address, and then add it to an AWS WAF block list.

  • SQL injection (B) and cross-site scripting (C) protection: The solution configures two native AWS WAF rules that are designed to protect against common SQL injection or cross-site scripting (XSS) patterns in the URI, query string, or body of a request.

  • Log parsing (D): This component is the Log Parser AWS Lambda function that parses access logs to identify suspicious behavior, such as an abnormal number of errors. It then blocks those suspicious source IP addresses for a customer-defined period of time.

    As Amazon CloudFront or an Application Load Balancer receives requests on behalf of your web application, it sends access logs to an Amazon S3 bucket, triggering the Lambda function. Note that you can use an existing S3 bucket or have the template create a new bucket during launch (see Step 1 for more information about this resource).

  • Manual IP lists (E): This component creates two specific AWS WAF rules that allow you to manually insert IP addresses that you want to block (blacklist) or allow (whitelist).

  • IP-list parsing (F): This component is the IP Lists Parser AWS Lambda function which checks third-party IP reputation lists hourly for new IP ranges to block. These lists include the Spamhaus Don’t Route Or Peer (DROP) and Extended Drop (EDROP) lists, the Proofpoint Emerging Threats IP list, and the Tor exit node list.

  • HTTP flood protection (G): This component configures a rate-based rule to protect against attacks that consist of a large number of requests from a particular IP address, such as a web-layer DDoS attack or a brute-force login attempt. The rate-based rule is automatically triggered when web requests from a client exceed a configurable threshold, which defines the maximum number of incoming requests allowed from a single IP address within a five-minute period. Once this threshold is breached, additional requests from the IP address are blocked until the request rate falls below the threshold.
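The Log parsing component (D) above is the one whose logic is easiest to illustrate outside AWS. The following is an added example, not the solution's own Log Parser function: it reads constructed, simplified access-log lines (timestamp, client IP, status code), counts 4xx/5xx responses per source IP inside an evaluation window, and returns the IPs that meet an error threshold together with the time their block should expire. The log format, threshold, window and block period are all assumed values chosen for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed tuning values (the real solution exposes these as stack parameters).
ERROR_THRESHOLD = 5                 # 4xx/5xx responses per IP before it is blocked
WINDOW = timedelta(minutes=5)       # evaluation window ending at the newest log entry
BLOCK_PERIOD = timedelta(hours=1)   # the "customer-defined period" the IP stays blocked

# Constructed sample log, NOT real traffic and NOT the CloudFront/ALB log format.
# Fields: ISO-8601 timestamp, client IP, HTTP status code. One line is deliberately malformed.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.10 404
2024-05-01T10:00:02Z 203.0.113.10 404
2024-05-01T10:00:03Z 198.51.100.7 200
2024-05-01T10:00:04Z 203.0.113.10 403
2024-05-01T10:00:05Z 203.0.113.10 404
2024-05-01T10:00:06Z 198.51.100.7 500
2024-05-01T10:00:07Z 203.0.113.10 404
2024-05-01T10:00:08Z 203.0.113.10 404
2024-05-01T09:30:00Z 203.0.113.99 404
2024-05-01T10:00:09Z 198.51.100.7 200
this is not a valid line
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{3})$")


def parse_line(line):
    """Return (timestamp, ip, status) for a well-formed line, or None for junk."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), int(m.group(3))


def find_offenders(log_text, now=None):
    """Map each IP whose error count in the window reaches the threshold to its block expiry."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    if not records:
        return {}
    now = now or max(ts for ts, _, _ in records)   # default: newest entry in the log
    window_start = now - WINDOW
    errors = Counter(ip for ts, ip, status in records
                     if ts >= window_start and status >= 400)   # only in-window 4xx/5xx
    return {ip: now + BLOCK_PERIOD for ip, n in errors.items() if n >= ERROR_THRESHOLD}


if __name__ == "__main__":
    for ip, until in find_offenders(SAMPLE_LOG).items():
        print(f"block {ip} until {until.isoformat()}")
```

In the sample, 203.0.113.10 produces six errors inside the window and is returned; 198.51.100.7 stays under the threshold, and the 203.0.113.99 error is ignored because it falls outside the five-minute window.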

Each of the three custom AWS Lambda functions in this solution publishes execution metrics to Amazon CloudWatch. For more information on these Lambda functions, see Appendix A: Component Details.