Features and benefits - Security Automations for AWS WAF

Features and benefits

The Security Automations for AWS WAF solution provides the following features and benefits.

Secure your web applications with AWS Managed Rules rule groups

AWS Managed Rules for AWS WAF provides protection against common application vulnerabilities and other unwanted traffic. This solution includes AWS Managed IP reputation rule groups, AWS Managed baseline rule groups, and AWS Managed use-case specific rule groups. You have the option of selecting one or more rule groups for your web ACL, up to the maximum web ACL capacity unit (WCU) quota.

Provide layer 7 flood protection with predefined HTTP Flood custom rule

The HTTP Flood custom rule protects against a web-layer Distributed Denial-of-Service (DDoS) attack for a customer-defined period of time. You can choose one of these options to activate this rule:

  • AWS WAF rate-based rule

  • Lambda log parser

  • Amazon Athena log parser

The Lambda log parser and Athena log parser options allow you to define a request quota of less than 100. This approach is useful when the threshold you want is below the minimum request quota that AWS WAF rate-based rules require. For more information, see Log parser options.

You can also enhance the Athena log parser by adding a country and Uniform Resource Identifier (URI) to filtering conditions. This approach identifies and blocks HTTP flood attacks that have unpredictable URI patterns. For more information, refer to Use country and URI in HTTP Flood Athena log parser.

Block exploitation of vulnerabilities with predefined Scanners & Probes custom rule

The Scanners & Probes custom rule parses application access logs searching for suspicious behavior, such as an abnormal number of errors generated by a single origin. It then blocks those suspicious source IP addresses for a customer-defined period of time. You can choose one of these options to activate this rule: Lambda log parser or Athena log parser. For more information, see Log parser options.
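The HTTP Flood and Scanners & Probes log parser options described above both work by counting activity per source IP over a window of access log entries: requests for the flood rule, error responses for the scanner rule. The following Python is an added illustration of that logic and is not the solution's own Lambda or Athena code; the simplified log line layout, the sample lines, the thresholds, and the set of error status codes are all assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample log in a simplified layout "<epoch> <client_ip> <uri> <status>".
# Real CloudFront and ALB access logs carry many more fields; this layout is an
# assumption for the example, as are the addresses and paths.
SAMPLE_LOG = """\
1700000000 198.51.100.7 /index.html 200
1700000005 203.0.113.9 /login 200
1700000006 203.0.113.9 /login 200
1700000007 203.0.113.9 /login 200
1700000008 203.0.113.9 /login 200
1700000009 203.0.113.9 /login 200
1700000010 203.0.113.9 /login 200
1700000020 192.0.2.44 /admin 404
1700000021 192.0.2.44 /old-site 403
1700000022 192.0.2.44 /test.php 404
1700000023 192.0.2.44 /backup.zip 404
1700000030 198.51.100.7 /about 200
1700000031 198.51.100.7 /missing 404
this line is not a log record
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\d{3})$")

def parse_log(text):
    """Yield (timestamp, ip, uri, status) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, uri, status = m.groups()
            yield int(ts), ip, uri, int(status)

def flood_offenders(records, window_seconds, request_threshold):
    """HTTP Flood: IPs whose request count in the trailing window meets the threshold."""
    if not records:
        return set()
    cutoff = max(r[0] for r in records) - window_seconds
    counts = defaultdict(int)
    for ts, ip, _uri, _status in records:
        if ts >= cutoff:
            counts[ip] += 1
    return {ip for ip, n in counts.items() if n >= request_threshold}

def scanner_offenders(records, error_threshold, error_statuses=(400, 403, 404, 405)):
    """Scanners & Probes: IPs that generated an abnormal number of error responses."""
    errors = defaultdict(int)
    for _ts, ip, _uri, status in records:
        if status in error_statuses:
            errors[ip] += 1
    return {ip for ip, n in errors.items() if n >= error_threshold}

def ips_to_block(log_text, window_seconds=300, request_threshold=5, error_threshold=3):
    """Union of both rules; a threshold of 5 shows a quota well below 100."""
    records = list(parse_log(log_text))
    return flood_offenders(records, window_seconds, request_threshold) | scanner_offenders(records, error_threshold)
```

In the solution itself these blocked addresses would be written to an IP set referenced by the web ACL and expired after the customer-defined period.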

Detect and deflect intrusion with predefined Bad Bot custom rule

The Bad Bot custom rule sets up a honeypot endpoint, which is a security mechanism intended to lure and deflect an attempted attack. You can insert the endpoint in your website to detect inbound requests from content scrapers and bad bots. Once detected, any subsequent requests from the same origins will be blocked. For more information, see Embed the Honeypot link in your web application.

Block malicious IP addresses with predefined IP reputations lists custom rule

The IP reputation lists custom rule checks third-party IP reputation lists hourly for new IP ranges to block. These lists include the Spamhaus Don’t Route Or Peer (DROP) and Extended DROP (EDROP) lists, the Proofpoint Emerging Threats IP list, and the Tor exit node list.

Provide manual IP configuration with predefined allowed and denied IP lists custom rule

The allowed and denied IP lists custom rules allow you to manually insert IP addresses that you want to allow or deny. You can also configure IP retention on Allowed and Denied IP lists to expire IPs at a set time.

Build your own monitoring dashboard

This solution emits Amazon CloudWatch metrics such as allowed requests, blocked requests, and other relevant metrics. You can build a customized dashboard to visualize these metrics and gain insights into the pattern of attacks and protection provided by AWS WAF. For more information, refer to Build monitoring dashboard.