Integrating with AWS WAF

In addition to the authentication and authorization rules enforced by Verified Access, you may also want to apply perimeter protection. This can help you protect your applications from additional threats. You can accomplish this by integrating AWS WAF into your Verified Access deployment. AWS WAF is a web application firewall that lets you monitor the HTTP(S) requests that are forwarded to your protected web application resources. For more information about AWS WAF, see AWS WAF in the AWS WAF Developer Guide.

You can integrate AWS WAF with Verified Access by associating an AWS WAF web access control list (ACL) with a Verified Access instance. A web ACL is an AWS WAF resource that gives you fine-grained control over all of the HTTP(S) web requests that your protected resource responds to. While the AWS WAF association or disassociation request is being processed, the status of any Verified Access endpoints attached to the instance is shown as updating. After the request is complete, the status returns to active. You can view the status in the AWS Management Console or by describing the endpoint with the AWS CLI.

Note

You can also use the AWS WAF console or API to accomplish this integration. You will need the Amazon Resource Name (ARN) of your Verified Access instance. You can construct this ARN using the following format: arn:${Partition}:ec2:${Region}:${Account}:verified-access-instance/${VerifiedAccessInstanceId}.

IAM permissions required to integrate AWS WAF

Integrating AWS WAF with Verified Access includes permission-only actions that don't directly correspond to an API operation. These actions are indicated in the AWS Identity and Access Management Service Authorization Reference with [permission only]. See Actions, resources, and condition keys for Amazon EC2 in the Service Authorization Reference.

To work with a web ACL, your AWS Identity and Access Management principal must have the following permissions.

  • ec2:AssociateVerifiedAccessInstanceWebAcl

  • ec2:DisassociateVerifiedAccessInstanceWebAcl

  • ec2:DescribeVerifiedAccessInstanceWebAclAssociations

  • ec2:GetVerifiedAccessInstanceWebAcl

Associate an AWS WAF web ACL

The following steps demonstrate how to associate an AWS WAF web access control list (ACL) with a Verified Access instance using the AWS Management Console.

Tip

You will need to have an existing AWS WAF web ACL to complete the procedure below. For more information about web ACLs, see Web access control lists in the AWS WAF Developer Guide.

To associate an AWS WAF web ACL to a Verified Access instance
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Verified Access instances.

  3. Select the Verified Access instance.

  4. Select the Integrations tab.

  5. Choose Actions, then Associate Web ACL.

  6. For Web ACL, choose an existing web ACL, then choose Associate Web ACL.

You can also use the AWS Management Console for AWS WAF to accomplish this task. For more information, see Associating or disassociating a web ACL with an AWS resource in the AWS WAF Developer Guide.
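The same association performed from the AWS CLI instead of the console, as an added example that is not part of this guide: it builds the instance ARN in the format given in the Note above, associates the web ACL through AWS WAF, then polls the endpoints until none is still updating and reads back the associated web ACL. The wafv2 and ec2 CLI parameter names, the Status.Code field layout, and the sample IDs are assumptions; the calling principal needs the ec2 permissions listed above plus AWS WAF's own permissions.

```shell
#!/bin/sh
# Added example (not from the Verified Access guide): associate a web ACL with a
# Verified Access instance via the AWS CLI and wait for endpoints to leave
# "updating". CLI parameter names below are assumed from the wafv2 / ec2 CLIs.
set -eu

# Build the instance ARN in the format quoted in the Note above.
va_instance_arn() {
  printf 'arn:%s:ec2:%s:%s:verified-access-instance/%s\n' "$1" "$2" "$3" "$4"
}

# Succeed only if every endpoint in a describe-verified-access-endpoints
# response reports Status.Code "active". Uses grep/sed only, so no jq needed;
# assumes "Code" appears once per endpoint, inside its Status object.
all_endpoints_active() {
  codes=$(printf '%s' "$1" | grep -o '"Code": *"[a-z-]*"' | sed 's/.*"\([a-z-]*\)"$/\1/')
  [ -n "$codes" ] || return 1
  ! printf '%s\n' "$codes" | grep -qv '^active$'
}

# Associate, then poll (up to ~5 minutes) until no endpoint is still updating,
# and finally read back which web ACL AWS WAF reports for the instance.
associate_web_acl_and_wait() {
  web_acl_arn=$1; instance_id=$2; instance_arn=$3
  aws wafv2 associate-web-acl --web-acl-arn "$web_acl_arn" --resource-arn "$instance_arn"
  i=0
  while [ "$i" -lt 30 ]; do
    out=$(aws ec2 describe-verified-access-endpoints --verified-access-instance-id "$instance_id")
    if all_endpoints_active "$out"; then
      aws wafv2 get-web-acl-for-resource --resource-arn "$instance_arn"
      return 0
    fi
    sleep 10; i=$((i + 1))
  done
  echo "endpoints still updating after timeout" >&2
  return 1
}

# Constructed sample of a describe-verified-access-endpoints response, trimmed
# to the Status fields this script reads (one endpoint still updating).
SAMPLE_DESCRIBE_OUTPUT='{"VerifiedAccessEndpoints":[
  {"VerifiedAccessEndpointId":"vae-0123456789abcdef0","Status":{"Code":"active"}},
  {"VerifiedAccessEndpointId":"vae-0123456789abcdef1","Status":{"Code":"updating"}}]}'

# Usage: ./waf-va.sh associate <web-acl-arn> <partition> <region> <account> <vai-id>
if [ "${1:-}" = "associate" ]; then
  associate_web_acl_and_wait "$2" "$6" "$(va_instance_arn "$3" "$4" "$5" "$6")"
fi
```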

Check status of AWS WAF integration

You can verify whether an AWS WAF web access control list (ACL) is associated with a Verified Access instance by using the AWS Management Console.

To view the status of AWS WAF integration with a Verified Access instance
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Verified Access instances.

  3. Select the Verified Access instance.

  4. Select the Integrations tab.

  5. Check the details listed under WAF integration status. The status will be shown as Associated or Not associated, along with the web ACL identifier, if in the Associated state.

Disassociate an AWS WAF web ACL

The following steps demonstrate how to disassociate an AWS WAF web access control list (ACL) from a Verified Access instance using the AWS Management Console.

To disassociate an AWS WAF web ACL from a Verified Access instance
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Verified Access instances.

  3. Select the Verified Access instance.

  4. Select the Integrations tab.

  5. Choose Actions, then Disassociate Web ACL.

  6. Confirm by choosing Disassociate Web ACL.

You can also use the AWS Management Console for AWS WAF to accomplish this task. For more information, see Associating or disassociating a web ACL with an AWS resource in the AWS WAF Developer Guide.