AWS WAF, AWS Firewall Manager, and AWS Shield Advanced Developer Guide

AWS WAF, AWS Firewall Manager, and AWS Shield Advanced: Developer Guide

Copyright © Amazon Web Services, Inc. and/or its affiliates. All rights reserved.

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.


Table of Contents

What are AWS WAF, AWS Shield, and AWS Firewall Manager? ... 1

AWS Shield ... 2

AWS Firewall Manager ... 2

Which should I choose? ... 2


Setting up ... 3

Step 1: Sign up for an AWS account ... 3

Step 2: Create an IAM user ... 3

Step 3: Download tools ... 5

AWS WAF ... 6

How AWS WAF works ... 6

AWS WAF Web ACL capacity units (WCU) ... 7

Getting started with AWS WAF ... 8

Step 1: Set up AWS WAF ... 8

Step 2: Create a Web ACL ... 9

Step 3: Add a string match rule ... 9

Step 4: Add an AWS Managed Rules rule group ... 10

Step 5: Finish your Web ACL configuration ... 11

Step 6: Clean up your resources ... 11

Managing and using a web access control list (web ACL) ... 12

How AWS resources handle response delays from AWS WAF ... 13

Web ACL rule and rule group evaluation ... 13

Deciding on the default action for a web ACL ... 15

Working with web ACLs ... 16

Rule groups ... 24

Managed rule groups ... 25

Managing your own rule groups ... 56

Rule groups from other services ... 58

Rules ... 58

Rule name ... 59

Rule action ... 59

Rule statements ... 60

Web request body inspection ... 84

IP sets and regex pattern sets ... 85

Creating and managing an IP set ... 86

Creating and managing a regex pattern set ... 88

Customized web requests and responses ... 90

Custom request header insertions ... 91

Custom responses ... 92

Supported status codes ... 94

Labels on web requests ... 95

How labeling works ... 96

Syntax and naming requirements ... 96

Adding a label ... 98

Matching against a label ... 99

Label match examples ... 100

Managed protections ... 102

Bot Control ... 103

Account takeover prevention ... 115

Application integration ... 123

AWS WAF CAPTCHA ... 133

Logging web ACL traffic ... 139

Pricing for logging web ACL traffic information ... 140

AWS WAF logging destinations ... 140


Managing logging for a web ACL ... 146

Log Fields ... 147

Log Examples ... 150

Listing IP addresses blocked by rate-based rules ... 158

How AWS WAF works with Amazon CloudFront features ... 158

Using AWS WAF with CloudFront custom error pages ... 159

Using AWS WAF with CloudFront geo restriction ... 159

Using AWS WAF with CloudFront for applications running on your own HTTP server ... 159

Choosing the HTTP methods that CloudFront responds to ... 160

Security ... 160

Data protection ... 161

Identity and access management ... 162

Logging and monitoring ... 178

Compliance validation ... 179

Resilience ... 180

Infrastructure security ... 180

AWS WAF quotas ... 180

Migrating your AWS WAF Classic resources to AWS WAF ... 182

Why migrate to AWS WAF? ... 182

How the migration works ... 183

Migration caveats ... 184

Migrating a web ACL ... 184

AWS WAF Classic ... 189

Setting up AWS WAF Classic ... 189

Step 1: Sign up for an AWS account ... 190

Step 2: Create an IAM user ... 190

Step 3: Download tools ... 192

How AWS WAF Classic works ... 192

AWS WAF Classic pricing ... 195


Getting started with AWS WAF Classic ... 195

Step 1: Set up AWS WAF Classic ... 196

Step 2: Create a Web ACL ... 196

Step 3: Create an IP match condition ... 197

Step 4: Create a geo match condition ... 197

Step 5: Create a string match condition ... 197

Step 5A: Create a regex condition (optional) ... 199

Step 6: Create a SQL injection match condition ... 200

Step 7: (Optional) create additional conditions ... 201

Step 8: Create a rule and add conditions ... 201

Step 9: Add the rule to a Web ACL ... 203

Step 10: Clean up your resources ... 203

Tutorials for AWS WAF Classic ... 205

Tutorial: Quickly setting up AWS WAF Classic protection against common attacks ... 205

Blog tutorials ... 211

Creating and configuring a Web Access Control List (Web ACL) ... 211

Working with conditions ... 212

Working with rules ... 241

Working with web ACLs ... 248

Working with AWS WAF Classic rule groups for use with AWS Firewall Manager ... 257

Creating an AWS WAF Classic rule group ... 257

Adding and deleting rules from an AWS WAF Classic rule group ... 258

Getting started with AWS Firewall Manager to enable AWS WAF Classic rules ... 259

Step 1: Complete the prerequisites ... 260

Step 2: Create rules ... 260

Step 3: Create a rule group ... 260

Step 4: Create and apply an AWS Firewall Manager AWS WAF Classic policy ... 261

Tutorial: Creating an AWS Firewall Manager policy with hierarchical rules ... 262

Step 1: Designate a Firewall Manager administrator account ... 263

Step 2: Create a rule group using the Firewall Manager administrator account ... 263

Step 3: Create a Firewall Manager policy and attach the common rule group ... 263

Step 4: Add account-specific rules ... 264

Conclusion ... 264

Logging Web ACL traffic information ... 264

Listing IP addresses blocked by rate-based rules ... 269

How AWS WAF Classic works with Amazon CloudFront features ... 269

Using AWS WAF Classic with CloudFront custom error pages ... 270

Using AWS WAF Classic with CloudFront geo restriction ... 270

Using AWS WAF Classic with CloudFront for applications running on your own HTTP server ... 270

Choosing the HTTP methods that CloudFront responds to ... 271

Security ... 271

Data protection ... 272

Identity and access management ... 273

Logging and monitoring ... 294

Compliance validation ... 295

Resilience ... 296

Infrastructure security ... 296

AWS WAF Classic quotas ... 296

AWS Firewall Manager ... 300

AWS Firewall Manager pricing ... 300


AWS Firewall Manager prerequisites ... 300

Step 1: Join and configure AWS Organizations ... 301

Step 2: Set the AWS Firewall Manager administrator account ... 301

Step 3: Enable AWS Config ... 302

Step 4: For Network Firewall and DNS Firewall policies, enable resource sharing ... 302

Step 5: To use AWS Firewall Manager in Regions that are disabled by default ... 303

Managing the Firewall Manager administrator ... 303

Changing the account ... 303

Disqualifying changes to the account ... 304

Getting started with AWS Firewall Manager policies ... 305

Getting started with AWS Firewall Manager AWS WAF policies ... 305

Getting started with AWS Firewall Manager AWS Shield Advanced policies ... 307

Getting started with AWS Firewall Manager Amazon VPC security group policies ... 310

Getting started with AWS Firewall Manager Network Firewall policies ... 312

Getting started with AWS Firewall Manager DNS Firewall policies ... 314

Working with AWS Firewall Manager policies ... 316

General settings ... 316

Creating a policy ... 316

Deleting a policy ... 331

Policy scope ... 331

Managed lists ... 332

AWS WAF policies ... 335

AWS Shield Advanced policies ... 338

Security group policies ... 341

Network Firewall policies ... 347

DNS Firewall policies ... 353

Resource sharing for Network Firewall and DNS Firewall policies ... 354

Viewing resource compliance ... 355

Firewall Manager findings ... 358

AWS WAF policy findings ... 358

Shield policy findings ... 359

Security group common policy findings ... 359

Security group content audit policy findings ... 360


Security group usage audit policy findings ... 360

DNS Firewall policy findings ... 361

Security ... 361

Data protection ... 361

Identity and access management ... 362

Logging and monitoring ... 375

Compliance validation ... 376

Resilience ... 376

Infrastructure security ... 376

AWS Firewall Manager quotas ... 377

Mutable quotas ... 377

Immutable quotas ... 378

AWS Shield ... 380

How Shield works ... 380

AWS Shield Standard ... 380

AWS Shield Advanced ... 381

Examples of DDoS attacks ... 382

Example Shield Advanced use cases ... 383

Getting started ... 383

Subscribe to Shield Advanced ... 384

Add and configure protections ... 385

Configure SRT support ... 387

DDoS dashboard in CloudWatch and CloudWatch alarms ... 388

SRT support ... 388

Configuring access for the Shield Response Team (SRT) ... 389

Configuring proactive engagement ... 390

Contacting the SRT ... 391

Resource protections ... 391

Protections by resource type ... 392

Application layer (layer 7) protections ... 393

Configuring health-based detection using health checks ... 398

Managing resource protections ... 405

Protection groups ... 409

Tracking protection changes ... 410

Visibility into DDoS events ... 411

Global and account activity ... 411

Events ... 412

Metrics ... 415

Event visibility across accounts ... 416

Responding to DDoS events ... 418

Contacting support for an application layer attack ... 418

Manually mitigating an application layer attack ... 419

Requesting a credit after an attack ... 420

Security ... 421

Data protection ... 421

Identity and access management ... 422

Logging and monitoring ... 434

Compliance validation ... 435

Resilience ... 435

Infrastructure security ... 435

AWS Shield Advanced quotas ... 436

Monitoring ... 437

Monitoring tools ... 437

Automated tools ... 437

Manual tools ... 438

Monitoring with Amazon CloudWatch ... 439

Logging API calls with AWS CloudTrail ... 446


AWS WAF information in AWS CloudTrail ... 446

AWS Shield Advanced information in CloudTrail ... 453

AWS Firewall Manager information in CloudTrail ... 455

Using the AWS WAF and AWS Shield Advanced API ... 457

Using the AWS SDKs ... 457

Making HTTPS requests to AWS WAF or Shield Advanced ... 457

Request URI ... 457

HTTP headers ... 457

HTTP request body ... 458

HTTP responses ... 459

Error responses ... 460

Authenticating requests ... 460

Related information ... 462

Document history ... 463

Updates before 2018 ... 473

AWS glossary ... 475


What are AWS WAF, AWS Shield, and AWS Firewall Manager?

AWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, or an AWS AppSync GraphQL API. AWS WAF also lets you control access to your content. Based on conditions that you specify, such as the IP addresses that requests originate from or the values of query strings, Amazon CloudFront, Amazon API Gateway, Application Load Balancer, or AWS AppSync responds to requests either with the requested content or with an HTTP 403 status code (Forbidden).

You also can configure CloudFront to return a custom error page when a request is blocked.

At the simplest level, AWS WAF lets you choose one of the following behaviors:

Allow all requests except the ones that you specify – This is useful when you want Amazon CloudFront, Amazon API Gateway, Application Load Balancer, or AWS AppSync to serve content for a public website, but you also want to block requests from attackers.

Block all requests except the ones that you specify – This is useful when you want to serve content for a restricted website whose users are readily identifiable by properties in web requests, such as the IP addresses that they use to browse to the website.

Count requests that match your criteria – You can use the count action to track your web traffic without modifying how you handle it. You can use this for general monitoring and also to test your new web request handling rules. When you want to allow or block requests based on new properties in the web requests, you can first configure AWS WAF to count the requests that match those properties. This lets you confirm your new configuration settings before you implement new allow or block actions.

Run CAPTCHA checks against requests that match your criteria – You can implement CAPTCHA controls against requests to help reduce bot traffic to your protected resources.

Using AWS WAF has several benefits:

• Additional protection against web attacks using conditions that you specify. You can define conditions by using characteristics of web requests such as the following:

• IP addresses that requests originate from.

• Country that requests originate from.

• Values in request headers.

• Strings that appear in requests, either specific strings or strings that match regular expression (regex) patterns.

• Length of requests.

• Presence of SQL code that is likely to be malicious (known as SQL injection).

• Presence of a script that is likely to be malicious (known as cross-site scripting).

• Rules that can allow, block, or count web requests that meet the specified conditions. Alternatively, rules can block or count web requests that not only meet the specified conditions, but also exceed a specified number of requests in any 5-minute period.

• Rules that you can reuse for multiple web applications.

• Managed rule groups from AWS and AWS Marketplace sellers.

• Real-time metrics and sampled web requests.

• Automated administration using the AWS WAF API.


AWS Shield

You can use AWS WAF web access control lists (web ACLs) to help minimize the effects of a Distributed Denial of Service (DDoS) attack. For additional protection against DDoS attacks, AWS also provides AWS Shield Standard and AWS Shield Advanced. AWS Shield Standard is automatically included at no extra cost beyond what you already pay for AWS WAF and your other AWS services. AWS Shield Advanced provides expanded DDoS attack protection for your Amazon EC2 instances, Elastic Load Balancing load balancers, CloudFront distributions, Route 53 hosted zones, and AWS Global Accelerator accelerators.

AWS Shield Advanced incurs additional charges.

For more information about AWS Shield Standard and AWS Shield Advanced, see AWS Shield (p. 380).

AWS Firewall Manager

AWS Firewall Manager simplifies your administration and maintenance tasks across multiple accounts and resources for a variety of protections, including AWS WAF, AWS Shield Advanced, Amazon VPC security groups, AWS Network Firewall, and Amazon Route 53 Resolver DNS Firewall. With Firewall Manager, you set up your protections just once and the service automatically applies them across your accounts and resources, even as you add new accounts and resources.

For more information about Firewall Manager, see AWS Firewall Manager (p. 300).

Which should I choose?

You can use AWS WAF (p. 6), AWS Firewall Manager (p. 300), and AWS Shield (p. 380) together to create a comprehensive security solution.

It all starts with AWS WAF. You can automate and then simplify AWS WAF management using AWS Firewall Manager. Shield Advanced adds additional features on top of AWS WAF, such as dedicated support from the Shield Response Team (SRT) and advanced reporting.

If you want granular control over the protection that is added to your resources, AWS WAF alone is the right choice. If you want to use AWS WAF across accounts, accelerate your AWS WAF configuration, or automate protection of new resources, use Firewall Manager with AWS WAF.

Finally, if you own high visibility websites or are otherwise prone to frequent DDoS attacks, you should consider purchasing the additional features that Shield Advanced provides.

Note

To use the services of the SRT, you must be subscribed to the Business Support plan or the Enterprise Support plan.

Setting up

This topic describes preliminary steps, such as creating an AWS account, to prepare you to use AWS WAF, AWS Firewall Manager, and AWS Shield Advanced. You are not charged to set up this account and other preliminary items. You are charged only for AWS services that you use.

After you complete these steps, see Getting started with AWS WAF (p. 8) to continue getting started with AWS WAF.

Note

AWS Shield Standard is included with AWS WAF and does not require additional setup. For more information, see How AWS Shield works (p. 380).

Before you use AWS WAF or AWS Shield Advanced for the first time, complete the following tasks:

• Step 1: Sign up for an AWS account (p. 3)

• Step 2: Create an IAM user (p. 3)

• Step 3: Download tools (p. 5)

Step 1: Sign up for an AWS account

When you sign up for Amazon Web Services (AWS), your AWS account is automatically signed up for all services in AWS, including AWS WAF. You are charged only for the services that you use.

If you have an AWS account already, skip to the next task. If you don't have an AWS account, use the following procedure to create one.

To sign up for AWS

1. Open https://portal.aws.amazon.com/billing/signup.

2. Follow the online instructions.

Part of the sign-up procedure involves receiving a phone call and entering a verification code on the phone keypad.

Note your AWS account number, because you'll need it for the next task.

Step 2: Create an IAM user

To use the AWS WAF console, you must sign in to confirm that you have permission to perform AWS WAF operations. You can use the root credentials for your AWS account, but we don't recommend it.

For greater security and control of your account, we recommend that you use AWS Identity and Access Management (IAM) to do the following:

• Create an IAM user account for yourself or your business.


• Either add the IAM user account to an IAM group that has administrative permissions, or grant administrative permissions directly to the IAM user account.

• Verify that the account has full access to AWS WAF and related services, for general use and for console access. For information, see AWS managed (predefined) policies for AWS WAF (p. 168).

You then can sign in to the AWS WAF console (and other service consoles) by using a special URL and the credentials for the IAM user. You also can add other users to the IAM user account, and control their level of access to AWS services and to your resources.

Note

For information about creating access keys to access AWS WAF by using the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or the AWS WAF API, see Managing Access Keys for IAM Users.

If you signed up for AWS but have not created an IAM user for yourself, you can create one using the IAM console. If you aren't familiar with using the console, see Working with the AWS Management Console for an overview.

To create an administrator user for yourself and add the user to an administrators group (console)

1. Sign in to the IAM console as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.

Note

We strongly recommend that you adhere to the best practice of using the Administrator IAM user that follows and securely lock away the root user credentials. Sign in as the root user only to perform a few account and service management tasks.

2. In the navigation pane, choose Users and then choose Add user.

3. For User name, enter Administrator.

4. Select the check box next to AWS Management Console access. Then select Custom password, and then enter your new password in the text box.

5. (Optional) By default, AWS requires the new user to create a new password when first signing in. You can clear the check box next to User must create a new password at next sign-in to allow the new user to reset their password after they sign in.

6. Choose Next: Permissions.

7. Under Set permissions, choose Add user to group.

8. Choose Create group.

9. In the Create group dialog box, for Group name enter Administrators.

10. Choose Filter policies, and then select AWS managed - job function to filter the table contents.

11. In the policy list, select the check box for AdministratorAccess. Then choose Create group.

Note

You must activate IAM user and role access to Billing before you can use the AdministratorAccess permissions to access the AWS Billing and Cost Management console. To do this, follow the instructions in step 1 of the tutorial about delegating access to the billing console.

12. Back in the list of groups, select the check box for your new group. Choose Refresh if necessary to see the group in the list.

13. Choose Next: Tags.

14. (Optional) Add metadata to the user by attaching tags as key-value pairs. For more information about using tags in IAM, see Tagging IAM entities in the IAM User Guide.

15. Choose Next: Review to see the list of group memberships to be added to the new user. When you are ready to proceed, choose Create user.


You can use this same process to create more groups and users and to give your users access to your AWS account resources. To learn about using policies that restrict user permissions to specific AWS resources, see Access management and Example policies.

To sign in as this new IAM user, first sign out of the AWS Management Console. Then use the following URL, where your_aws_account_id is your AWS account number without the hyphens. For example, if your AWS account number is 1234-5678-9012, your AWS account ID is 123456789012:

https://your_aws_account_id.signin.aws.amazon.com/console/

Enter the IAM user name and password that you just created. When you're signed in, the navigation bar displays "your_user_name @ your_aws_account_id".

If you don't want the URL for your sign-in page to contain your AWS account ID, you can create an account alias. From the IAM dashboard, choose Customize and enter an alias, such as your company name. To sign in after you create an account alias, use the following URL:

https://your_account_alias.signin.aws.amazon.com/console/

To verify the sign-in link for IAM users for your account, open the IAM console and check under the IAM users sign-in link on the dashboard.

After you complete these steps, you can stop here and go to Getting started with AWS WAF (p. 8) to continue getting started with AWS WAF using the console. If you want to access AWS WAF programmatically using the AWS WAF API, continue on to the next step, Step 3: Download tools (p. 5).

Step 3: Download tools

The AWS Management Console includes a console for AWS WAF, but if you want to access AWS WAF programmatically, the following documentation and tools will help you:

• If you want to call the AWS WAF API without having to handle low-level details like assembling raw HTTP requests, you can use an AWS SDK. The AWS SDKs provide functions and data types that encapsulate the functionality of AWS WAF and other AWS services. To download an AWS SDK, see the applicable page, which also includes prerequisites and installation instructions:

• Java

• JavaScript

• .NET

• Node.js

• PHP

• Python

• Ruby

For a complete list of AWS SDKs, see Tools for Amazon Web Services.

• If you're using a programming language for which AWS doesn't provide an SDK, the AWS WAF API Reference documents the operations that AWS WAF supports.

• The AWS Command Line Interface (AWS CLI) supports AWS WAF. The AWS CLI lets you control multiple AWS services from the command line and automate them through scripts. For more information, see AWS Command Line Interface.

• AWS Tools for Windows PowerShell supports AWS WAF. For more information, see AWS Tools for PowerShell Cmdlet Reference.


AWS WAF

AWS WAF is a web application firewall that lets you monitor the HTTP(S) requests that are forwarded to an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, or an AWS AppSync GraphQL API.

AWS WAF also lets you control access to your content. Based on conditions that you specify, such as the IP addresses that requests originate from or the values of query strings, the service associated with your protected resource responds to requests either with the requested content or with an HTTP 403 status code (Forbidden). You can also configure CloudFront to return a custom error page when a request is blocked.

Note

You can also use AWS WAF to protect your applications that are hosted in Amazon Elastic Container Service (Amazon ECS) containers. Amazon ECS is a highly scalable, fast container management service that makes it easy to run, stop, and manage Docker containers on a cluster. To use this option, you configure Amazon ECS to use an Application Load Balancer that is enabled for AWS WAF to route and protect HTTP(S) layer 7 traffic across the tasks in your service. For more information, see Service Load Balancing in the Amazon Elastic Container Service Developer Guide.

Topics

• How AWS WAF works (p. 6)

• Getting started with AWS WAF (p. 8)

• Managing and using a web access control list (web ACL) (p. 12)

• Rule groups (p. 24)

• AWS WAF rules (p. 58)

• Web request body inspection (p. 84)

• IP sets and regex pattern sets (p. 85)

• Customized web requests and responses in AWS WAF (p. 90)

• Labels on web requests (p. 95)

• AWS WAF managed protections (p. 102)

• Logging web ACL traffic (p. 139)

• Listing IP addresses blocked by rate-based rules (p. 158)

• How AWS WAF works with Amazon CloudFront features (p. 158)

• Security in AWS WAF (p. 160)

• AWS WAF quotas (p. 180)

• Migrating your AWS WAF Classic resources to AWS WAF (p. 182)

How AWS WAF works

You use AWS WAF to control how an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, or an AWS AppSync GraphQL API responds to HTTP(S) web requests.


Web ACLs – You use a web access control list (ACL) to protect a set of AWS resources. You create a web ACL and define its protection strategy by adding rules. Rules define criteria for inspecting web requests and specify how to handle requests that match the criteria. You set a default action for the web ACL that indicates whether to block or allow through those requests that pass the rules' inspections.

Rules – Each rule contains a statement that defines the inspection criteria, and an action to take if a web request meets the criteria. When a web request meets the criteria, that's a match. You can configure rules to block matching requests, allow them through, count them, or run CAPTCHA controls against them.

Rule groups – You can use rules individually or in reusable rule groups. AWS Managed Rules and AWS Marketplace sellers provide managed rule groups for your use. You can also define your own rule groups.
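The allow, block, count and CAPTCHA behaviors described in the overview, together with the web ACL, rule and default-action model above, can be made concrete with a small evaluation model. This is an added illustration written for this page, not AWS code, and it simplifies the documented behavior as follows (each of these is an assumption of the model): rules are evaluated in ascending priority order; ALLOW and BLOCK end evaluation at the first match; COUNT records the match and keeps going; CAPTCHA ends evaluation only when the request has no valid CAPTCHA token (represented here by a boolean); and the web ACL default action applies when no terminating rule matched. The rule set, the blocked address and the request paths are constructed sample values.

```python
"""Toy model of web ACL evaluation order (added example, not AWS code)."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Request:
    """Just the request properties the sample rules inspect."""
    ip: str
    uri: str
    captcha_solved: bool = False  # stand-in for "request carries a valid CAPTCHA token"


@dataclass
class Rule:
    name: str
    priority: int                       # lower value is evaluated first
    matches: Callable[[Request], bool]  # the rule statement
    action: str                         # "ALLOW", "BLOCK", "COUNT" or "CAPTCHA"


@dataclass
class Decision:
    action: str                      # final outcome: ALLOW, BLOCK or CAPTCHA
    terminating_rule: Optional[str]  # None when the default action decided
    counted: List[str]               # COUNT rules the request matched on the way


def evaluate(rules: List[Rule], default_action: str, request: Request) -> Decision:
    """Walk the rules in priority order until a terminating action fires."""
    assert default_action in ("ALLOW", "BLOCK"), "default action is Allow or Block"
    counted: List[str] = []
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule.matches(request):
            continue
        if rule.action == "COUNT":
            # Non-terminating: record the match and keep evaluating.
            counted.append(rule.name)
        elif rule.action == "CAPTCHA":
            # Modelled assumption: a solved CAPTCHA lets the request continue.
            if not request.captcha_solved:
                return Decision("CAPTCHA", rule.name, counted)
        else:
            # ALLOW / BLOCK are terminating.
            return Decision(rule.action, rule.name, counted)
    # Nothing terminated evaluation: the web ACL default action applies.
    return Decision(default_action, None, counted)


# Constructed sample web ACL of the "allow all except what you specify" kind.
BLOCKED_IPS = {"203.0.113.7"}  # constructed address from the TEST-NET-3 range
WEB_ACL_RULES = [
    Rule("block-listed-ips", 0, lambda r: r.ip in BLOCKED_IPS, "BLOCK"),
    Rule("count-admin-path", 1, lambda r: r.uri.startswith("/admin"), "COUNT"),
    Rule("captcha-login", 2, lambda r: r.uri == "/login", "CAPTCHA"),
    Rule("block-long-uri", 3, lambda r: len(r.uri) > 2048, "BLOCK"),  # size constraint
]
DEFAULT_ACTION = "ALLOW"


def decide(request: Request) -> Decision:
    """Evaluate the sample web ACL against one request."""
    return evaluate(WEB_ACL_RULES, DEFAULT_ACTION, request)


if __name__ == "__main__":
    for req in (Request("203.0.113.7", "/admin"),
                Request("198.51.100.5", "/admin/users"),
                Request("198.51.100.5", "/login"),
                Request("198.51.100.5", "/login", captcha_solved=True)):
        print(req.ip, req.uri, "->", decide(req))
```

The second request shows the point of the count action: the match is recorded without changing how the request is handled, so a new rule can be validated in production traffic before it is switched to allow or block.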

After you create your web ACL, you can associate it with one or more AWS resources. The resource types that you can protect using AWS WAF web ACLs are an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, and an AWS AppSync GraphQL API.

AWS WAF is available in the Regions listed at AWS service endpoints.

• For an Amazon API Gateway REST API, an Application Load Balancer, or an AWS AppSync GraphQL API, you can use any of the Regions in the list.

• For a CloudFront distribution, AWS WAF is available globally, but you must use the Region US East (N. Virginia) for all of your work. You must create your web ACL using the Region US East (N. Virginia). You must also use this Region to create any other resources that you use in your web ACL, like rule groups, IP sets, and regex pattern sets.

Some interfaces offer a region choice of "Global (CloudFront)". Choosing this is identical to choosing Region US East (N. Virginia) or "us-east-1".

You can associate a web ACL with a CloudFront distribution when you create or update the distribution itself. For information, see Using AWS WAF to Control Access to Your Content in the Amazon CloudFront Developer Guide.

You can only associate a web ACL to an Application Load Balancer within AWS Regions. For example, you cannot associate a web ACL to an Application Load Balancer that is on AWS Outposts.

Restrictions on multiple associations

You can associate a single web ACL with one or more AWS resources, according to the following restrictions:

• You can associate each AWS resource with only one web ACL. The relationship between web ACL and AWS resources is one-to-many.

• You can associate a web ACL with one or more CloudFront distributions. You cannot associate a web ACL that you have associated with a CloudFront distribution with any other AWS resource type.

AWS WAF Web ACL capacity units (WCU)

AWS WAF uses web ACL capacity units (WCU) to calculate and control the operating resources that are required to run your rules, rule groups, and web ACLs. AWS WAF enforces WCU limits when you configure your rule groups and web ACLs. WCUs don't affect how AWS WAF inspects web traffic.

AWS WAF calculates capacity differently for each rule type, to reflect each rule's relative cost. Simple rules that cost little to run use fewer WCUs than more complex rules that use more processing power.

For example, a size constraint rule statement uses fewer WCUs than a statement that inspects against a regex pattern set.


AWS WAF manages capacity for rules, rule groups, and web ACLs:

Rule capacity – AWS WAF calculates rule capacity when you create or update a rule. For some basic guidelines for rule capacity requirements, see the listings for the various rule statements at AWS WAF rule statements (p. 60). You can also get an idea of the capacity required for the various rule types in the AWS WAF console by creating a web ACL or rule group and adding individual rules to it. The console displays the capacity units used as you add the rules.

Rule group capacity – AWS WAF requires that each rule group is assigned an immutable capacity at creation. This is true for managed rule groups and rule groups that you create through AWS WAF.

When you modify a rule group, your changes must keep the rule group's WCU within its capacity. This ensures that web ACLs that are using the rule group remain within their maximum capacity.

Web ACL capacity – The maximum capacity for a web ACL is 1,500, which is sufficient for most use cases. If you need more capacity, contact the AWS Support Center.

Getting started with AWS WAF

This tutorial shows how to use AWS WAF to perform the following tasks:

• Set up AWS WAF.

• Create a web access control list (web ACL) using the wizard in the AWS WAF console.

• Choose the AWS resources that you want AWS WAF to inspect web requests for. This tutorial covers the steps for Amazon CloudFront. The process is essentially the same for an Amazon API Gateway REST API, an Application Load Balancer, or an AWS AppSync GraphQL API.

• Add the rules and rule groups that you want to use to filter web requests. For example, you can specify the IP addresses that the requests originate from and values in the request that are used only by attackers. For each rule, you specify how to handle matching web requests. You can block them, allow them, count them, or insert a CAPTCHA check against them. You define an action for each rule that you define inside a web ACL and for each rule that you define inside a rule group.

• Specify a default action for the web ACL, either Block or Allow. This is the action that AWS WAF takes when a web request doesn't match any of the rules.

Note

AWS typically bills you less than US $0.25 per day for the resources that you create during this tutorial. When you're finished with the tutorial, we recommend that you delete the resources to prevent incurring unnecessary charges.

Topics

• Step 1: Set up AWS WAF (p. 8)

• Step 2: Create a Web ACL (p. 9)

• Step 3: Add a string match rule (p. 9)

• Step 4: Add an AWS Managed Rules rule group (p. 10)

• Step 5: Finish your Web ACL configuration (p. 11)

• Step 6: Clean up your resources (p. 11)

Step 1: Set up AWS WAF

If you already signed up for an AWS account and created an IAM user as described in Setting up (p. 3), go to Step 2: Create a Web ACL (p. 9).

If not, go to Setting up (p. 3) and perform at least the first two steps. (You can skip downloading tools for now because this Getting Started topic focuses on using the AWS WAF console.)

Step 2: Create a Web ACL

The AWS WAF console guides you through the process of configuring AWS WAF to block or allow web requests based on conditions that you specify, such as the IP addresses that the requests originate from or values in the requests. In this step, you create a web ACL. For more information about AWS WAF web ACLs, see Managing and using a web access control list (web ACL) (p. 12).

To create a web ACL

1. Sign in to the AWS Management Console and open the AWS WAF console at https://console.aws.amazon.com/wafv2/.

2. From the AWS WAF home page, choose Create web ACL.

3. For Name, enter the name that you want to use to identify this web ACL.

Note

You can't change the name after you create the web ACL.

4. (Optional) For Description - optional, enter a longer description for the web ACL if you want to.

5. For CloudWatch metric name, change the default name if applicable. Follow the guidance on the console for valid characters. The name can't contain special characters, white space, or metric names reserved for AWS WAF, including "All" and "Default_Action."

Note

You can't change the CloudWatch metric name after you create the web ACL.

6. For Resource type, choose CloudFront distributions. The Region automatically populates to Global (CloudFront) for CloudFront distributions.

7. (Optional) For Associated AWS resources - optional, choose Add AWS resources. In the dialog box, choose the resources that you want to associate, and then choose Add. AWS WAF returns you to the Describe web ACL and associated AWS resources page.

8. Choose Next.

Step 3: Add a string match rule

In this step, you create a rule with a string match statement and indicate what to do with matching requests. A string match rule statement identifies strings that you want AWS WAF to search for in a request. Usually, a string consists of printable ASCII characters, but you can specify any character from hexadecimal 0x00 to 0xFF (decimal 0 to 255). In addition to specifying the string to search for, you specify the web request component that you want to search, such as a header, a query string, or the request body.

This statement type operates on a web request component, and requires the following request component settings:

Request components – The part of the web request to inspect, for example, a query string or the body.

Warning

If you use the request component Body or JSON body, AWS WAF only inspects the first 8 KB.

For information, see Web request body inspection (p. 84).

For information about web request components, see Request component (p. 75).

Optional text transformations – Transformations that you want AWS WAF to perform on the request component before inspecting it. For example, you could transform to lowercase or normalize white space. If you specify more than one transformation, AWS WAF processes them in the order listed. For information, see Text transformations (p. 78).

For additional information about AWS WAF rules, see AWS WAF rules (p. 58).

To create a string match rule statement

1. On the Add rules and rule groups page, choose Add rules, Add my own rules and rule groups, Rule builder, then Rule visual editor.

Note

The console provides the Rule visual editor and also a Rule JSON editor. The JSON editor makes it easy for you to copy configurations between web ACLs and is required for more complex rule sets, like those with multiple levels of nesting.

This procedure uses the Rule visual editor.

2. For Name, enter the name that you want to use to identify this rule.

3. For Type choose Regular rule.

4. For If a request choose matches the statement.

The other options are for the logical rule statement types. You can use them to combine or negate the results of other rule statements.

5. On Statement, for Inspect, open the dropdown and choose the web request component that you want AWS WAF to look for your string in. For this example, choose Header.

When you choose Header, you also specify which header you want AWS WAF to inspect. Enter User-Agent. This value isn't case sensitive.

6. For Match type, choose where the specified string must appear in the User-Agent header.

For this example, choose Exactly matches string. This indicates that AWS WAF inspects the User-Agent header in each web request for a string that is identical to the string that you specify.

7. For String to match, specify a string that you want AWS WAF to search for. The maximum length of String to match is 200 characters. If you want to specify a base64-encoded value, you can specify up to 200 characters before encoding.

For this example, enter MyAgent. AWS WAF will inspect the User-Agent header in web requests for the value MyAgent.

8. Leave Text transformation set to None.

9. For Action, select the action that you want the rule to take when it matches a web request. For this example, choose Count and leave the other choices as they are. The count action creates metrics for web requests that match the rule, but doesn't affect whether the request is allowed or blocked. For more information about action choices, see AWS WAF rule action (p. 59) and Web ACL rule and rule group evaluation (p. 13).

10. Choose Add rule.

Step 4: Add an AWS Managed Rules rule group

AWS Managed Rules offers a set of managed rule groups for your use, most of which are free of charge to AWS WAF customers. For more information about rule groups, see Rule groups (p. 24). We'll add an AWS Managed Rules rule group to this web ACL.

To add an AWS Managed Rules rule group

1. On the Add rules and rule groups page, choose Add rules, and then choose Add managed rule groups.

2. On the Add managed rule groups page, expand the listing for the AWS managed rule groups.

(You'll also see listings offered for AWS Marketplace sellers. You can subscribe to their offerings and then use them in the same way as for AWS Managed Rules rule groups.)

3. For the rule group that you want to add, do the following:

a. In the Action column, turn on the Add to web ACL toggle.

b. Select Edit and, in the rule group's Rules listing, turn on the Set all rule actions to count toggle. This sets the action for all rules in the rule group to count only. This allows you to see how all of the rules in the rule group behave with your web requests before you put any of them to use.

c. Choose Save rule.

4. In the Add managed rule groups page, choose Add rules. This returns you to the Add rules and rule groups page.

Step 5: Finish your Web ACL configuration

When you're done adding rules and rule groups to your web ACL configuration, finish up by managing the priority of the rules in the web ACL and configuring settings like metrics, tagging, and logging.

To finish your web ACL configuration

1. On the Add rules and rule groups page, choose Next.

2. On the Set rule priority page, you can see the processing order for the rules and rule groups in the web ACL. AWS WAF processes them starting from the top. You can change the processing order by moving them up and down. To do this, select one in the list and choose Move up or Move down.

3. Choose Next.

4. On the Configure metrics page, for Amazon CloudWatch metrics, you can see the planned metrics for your rules and rule groups and you can see the web request sampling options. For information about Amazon CloudWatch metrics, see Monitoring with Amazon CloudWatch (p. 439). For information about viewing sampled requests, see Viewing a sample of web requests (p. 23).

5. Choose Next.

6. On the Review and create web ACL page, review your settings, then choose Create web ACL.

The wizard returns you to the Web ACL page, where your new web ACL is listed.

Step 6: Clean up your resources

You've now successfully completed the tutorial. To prevent your account from accruing additional AWS WAF charges, clean up the AWS WAF objects that you created. Alternatively, you can change the configuration to match the web requests that you really want to manage using AWS WAF.

Note

AWS typically bills you less than US $0.25 per day for the resources that you create during this tutorial. When you're finished, we recommend that you delete the resources to prevent incurring unnecessary charges.

To delete the objects that AWS WAF charges for

1. In the Web ACL page, select your web ACL from the list and choose Edit.

2. On Associated AWS resources - optional, select all associated resources, and then choose Remove.

This disassociates the web ACL from your AWS resources.

3. In each of the following screens, choose Next until you return to the Web ACL page.

4. In the Web ACL page, select your web ACL from the list and choose Delete.

Rules and rule statements don't exist outside of rule group and web ACL definitions. If you delete a web ACL, this deletes all individual rules that you've defined in the web ACL. When you remove a rule group from a web ACL, you just remove the reference to it.

Managing and using a web access control list (web ACL)

A web access control list (web ACL) gives you fine-grained control over all of the HTTP(S) web requests that your protected resource responds to. You can protect Amazon CloudFront, Amazon API Gateway, Application Load Balancer, and AWS AppSync resources.

You can use criteria like the following to allow or block requests:

• IP address origin of the request

• Country of origin of the request

• String match or regular expression (regex) match in a part of the request

• Size of a particular part of the request

• Detection of malicious SQL code or scripting

You can also test for any combination of these conditions. You can block or count web requests that not only meet the specified conditions, but also exceed a specified number of requests in any 5-minute period. You can combine conditions using logical operators. You can also run CAPTCHA controls against requests.

You provide your matching criteria and the action to take on matches in AWS WAF rule statements.

You can define rule statements directly inside your web ACL and in reusable rule groups that you use in your web ACL. For a full list of the options, see AWS WAF rule statements (p. 60) and AWS WAF rule action (p. 59).

To specify your web request inspection and handling criteria, perform the following tasks:

1. Choose the default action, either allow or block, for web requests that don't match any of the rules that you specify. For more information, see Deciding on the default action for a web ACL (p. 15).

2. Add any rule groups that you want to use in your web ACL. Managed rule groups usually contain rules that block web requests. For information about rule groups, see Rule groups (p. 24).

3. Specify additional matching criteria and handling instructions in one or more rules. To add more than one rule, start with AND or OR rule statements and nest the rules that you want to combine under those. If you want to negate a rule option, nest the rule in a NOT statement. You can optionally use a rate-based rule instead of a regular rule to limit the number of requests from any single IP address that meets the conditions. For information about rules, see AWS WAF rules (p. 58).

If you add more than one rule to a web ACL, AWS WAF evaluates the rules in the order that they're listed for the web ACL. For more information, see Web ACL rule and rule group evaluation (p. 13).

When you create a web ACL, you specify the types of resources that you want to use it with. For information, see Creating a web ACL (p. 16). After you define a web ACL, you can associate it with your resources to begin providing protection for them. For more information, see Associating or disassociating a web ACL with an AWS resource (p. 20).

How AWS resources handle response delays from AWS WAF

On some occasions, AWS WAF might encounter an internal error that delays the response to associated AWS resources about whether to allow or block a request. On those occasions, CloudFront typically allows the request or serves the content, while the Regional services typically deny the request and don't serve the content.

Topics

• Web ACL rule and rule group evaluation (p. 13)

• Deciding on the default action for a web ACL (p. 15)

• Working with web ACLs (p. 16)

Web ACL rule and rule group evaluation

The way a web ACL handles a web request depends on the following:

• The ordering of the rules and rule groups

• The action settings on the rules and web ACL

• Any overrides that you place on the rules and rule groups that you add

For a list of the rule action settings, see AWS WAF rule action (p. 59).

You can customize request and response handling in your rule action settings and default web ACL action settings. For information, see Customized web requests and responses in AWS WAF (p. 90).

Processing order of rules and rule groups in a web ACL

If you add more than one rule or rule group to a web ACL, AWS WAF evaluates each web request against them in the order that you prioritize them in the web ACL. For rule group evaluation, AWS WAF evaluates the contained rules in the order in which they're prioritized.

For example, say you have the following rules and rule groups in your web ACL, prioritized as shown:

• Rule1 – priority 0

• RuleGroupA – priority 100

    • RuleA1 – priority 10,000

    • RuleA2 – priority 20,000

• Rule2 – priority 200

• RuleGroupB – priority 300

    • RuleB1 – priority 0

    • RuleB2 – priority 1

AWS WAF would evaluate the rules for this web ACL in the following order:

• Rule1

• RuleGroupA RuleA1

• RuleGroupA RuleA2

• Rule2

• RuleGroupB RuleB1

• RuleGroupB RuleB2

Basic handling of the rule and rule group actions in a web ACL

When you configure your rules and rule groups, you choose how you want AWS WAF to handle matching web requests:

Allow and block are terminating actions – Allow and block actions stop all other processing of the web ACL on the matching web request. If a rule in a web ACL finds a match for a request and the rule action is allow or block, that match determines the final disposition of the web request for the web ACL. AWS WAF doesn't process any other rules in the web ACL that come after the matching one. This is true for rules that you add directly to the web ACL and rules that are inside an added rule group.

With the block action, the protected resource doesn't receive or process the web request.

Count is a non-terminating action – When a rule with a count action matches a request, AWS WAF counts the request, then continues processing the rules that follow in the web ACL rule set. If the only rules that match have count action set, AWS WAF applies the web ACL default action setting.

CAPTCHA can be a non-terminating or a terminating action – When a rule with a CAPTCHA action matches a request, AWS WAF checks its CAPTCHA status. If the request has a valid CAPTCHA token, AWS WAF continues processing the rules that follow in the web ACL rule set. If the request doesn't have a valid token, AWS WAF terminates the evaluation and runs a CAPTCHA challenge puzzle that the caller must solve.

The actions that AWS WAF applies to a web request are affected by priority of the rules in the web ACL.

For example, say that a web request matches a rule that allows requests and matches another rule that counts requests. If the rule that allows requests has a lower priority, then AWS WAF won't count the request because the request evaluation terminates with the allow action.

In your web ACL, you can override the action settings for rules inside a rule group and you can override the action that's returned by a rule group. For information, see Overriding the actions of a rule group or its rules (p. 14).

Overriding the actions of a rule group or its rules

When you add a rule group to your web ACL, you can alter how it manages your web requests, so that it counts matching requests rather than acting on them. This can be useful for activities like testing and monitoring a rule group's behavior before you use it. Doing this doesn't alter the rule group itself. It only alters how AWS WAF uses the rule group in the context of the web ACL.

Setting the rule actions to count

You can override the actions of the rules inside a rule group, setting them to count for some or all of the rules. If a rule's action is configured inside the rule group to something other than Count, this override changes that action so that matching requests are only counted.

When AWS WAF evaluates a web request against a rule with this count setting, if the request matches the rule, AWS WAF processes the match as a count and then continues evaluating the subsequent rules in the rule group. The matching request generates count metrics, logs, and sampled requests.

You can use this option to test a rule group before you implement it with its normal action settings. If you apply this setting to all rules in a rule group, AWS WAF evaluates web requests against all of the rules and reports the matches that it finds in metrics, request samples, and logs. At the end of the rule group evaluation, AWS WAF continues evaluating the rest of the rules that are in the web ACL.

You can also use this option to troubleshoot a rule group that's generating false positives. False positives occur when a rule group blocks traffic that you aren't expecting it to block. If you identify a rule within a rule group that would block requests that you want to allow through, you can keep this count action override on that rule, to exclude it from acting on your requests.

For more information about using this in testing, see Testing web ACLs (p. 21).

For information about how to use this option, see Setting rule actions to count in a rule group (p. 19).

Overriding the resulting rule group's action to count

You can override the action that the rule group returns, setting it to count.

Note

This is not a good option for testing the rules in a rule group, because it doesn't alter how AWS WAF evaluates the rule group itself. It only affects how AWS WAF handles results that are returned to the web ACL from the rule group evaluation. If you want to test the rules in a rule group, use the option described in the preceding section, Setting the rule actions to count (p. 14).

When you override the rule group action to count, AWS WAF processes the rule group evaluation normally.

If no rules in the rule group match or if all matching rules have a count action, then this override has no effect on the processing of the rule group or the web ACL.

The first rule in the rule group that matches a web request and that has a terminating rule action causes AWS WAF to stop evaluating the rule group and return the terminating action result to the web ACL evaluation level. At this point, in the web ACL evaluation, this override takes effect. AWS WAF overrides the terminating action so that the result of the rule group evaluation is only a count action. AWS WAF then continues processing the rest of the rules in the web ACL.

For information about how to use this option, see Overriding a rule group's action to count (p. 19).

Deciding on the default action for a web ACL

When you create and configure a web ACL, you set the web ACL default action, which determines how AWS WAF handles web requests that don't match any rules in the web ACL. The default action must be a terminating action:

Allow – If you want to allow most users to access your website, but you want to block access to attackers whose requests originate from specified IP addresses, or whose requests appear to contain malicious SQL code or specified values, choose allow for the default action. Then, when you add rules to your web ACL, add rules that identify and block the specific requests that you want to block. With this action, you can insert custom headers into the request before forwarding it to the protected resource.

Block – If you want to prevent most users from accessing your website, but you want to allow access to users whose requests originate from specified IP addresses, or whose requests contain specified values, choose block for the default action. Then when you add rules to your web ACL, add rules that identify and allow the specific requests that you want to allow in. By default, for the block action, the AWS resource responds with an HTTP 403 (Forbidden) status code, but you can customize the response.

For information about customizing requests and responses, see Customized web requests and responses in AWS WAF (p. 90).

Your configuration of your own rules and rule groups depends in part on whether you want to allow or block most web requests. For example, if you want to allow most requests, you would set the web ACL default action to allow, and then add rules that identify web requests that you want to block, such as the following:

• Requests that originate from IP addresses that are making an unreasonable number of requests

• Requests that originate from countries that either you don't do business in or are the frequent source of attacks

• Requests that include fake values in the User-Agent header

• Requests that appear to include malicious SQL code

Managed rule groups usually use the block action. For information about managed rule groups, see Managed rule groups (p. 25).
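To make the ordering, the terminating and non-terminating actions, the two count overrides and the default action from the preceding sections concrete, here is a small Python simulator added as an example; it is not AWS code and does not call AWS WAF. It reuses the priority example from "Processing order of rules and rule groups in a web ACL" and the Step 3 string match on the User-Agent header, and the Rule/RuleGroup classes, the X-Test header, the /login and /admin paths and all request values are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# Constructed request shape used here: {"headers": {...}, "path": str, "captcha_valid": bool}
Request = Dict[str, object]
TERMINATING = {"allow", "block"}


@dataclass
class Rule:
    name: str
    priority: int
    action: str                                    # "allow", "block", "count" or "captcha"
    matches: Callable[[Request], bool] = lambda request: False


@dataclass
class RuleGroup:
    name: str
    priority: int
    rules: List[Rule]
    excluded_rules: Set[str] = field(default_factory=set)  # rule actions overridden to count
    override_action_count: bool = False                    # rule group action overridden to count


def header_equals(name: str, value: str) -> Callable[[Request], bool]:
    """String match with 'Exactly matches string' on a header and no text transformation.
    The header name is matched case-insensitively, as in Step 3; the value is compared as-is."""
    def matches(request: Request) -> bool:
        headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
        return headers.get(name.lower()) == value
    return matches


def evaluation_order(entries) -> List[str]:
    """Flatten a web ACL into the order AWS WAF evaluates it: entries by priority,
    with each rule group expanded into its own rules sorted by their priorities."""
    order = []
    for entry in sorted(entries, key=lambda e: e.priority):
        if isinstance(entry, RuleGroup):
            order += [f"{entry.name} {r.name}" for r in sorted(entry.rules, key=lambda r: r.priority)]
        else:
            order.append(entry.name)
    return order


def _rule_result(rule: Rule, request: Request, overridden_to_count: bool):
    """None when the rule doesn't match (or matches but is non-terminating here),
    'count' for a counted match, otherwise the terminating result."""
    if not rule.matches(request):
        return None
    if overridden_to_count or rule.action == "count":
        return "count"
    if rule.action == "captcha":
        # valid token: non-terminating; otherwise evaluation stops with a challenge
        return None if request.get("captcha_valid") else "captcha"
    return rule.action


def evaluate(entries, request: Request, default_action: str) -> Tuple[str, List[str]]:
    """Return (final disposition, names that produced a count)."""
    assert default_action in TERMINATING, "the default action must be a terminating action"
    counted: List[str] = []
    for entry in sorted(entries, key=lambda e: e.priority):
        if isinstance(entry, Rule):
            result = _rule_result(entry, request, False)
            if result == "count":
                counted.append(entry.name)
            elif result is not None:
                return result, counted             # allow, block or CAPTCHA challenge
            continue
        for rule in sorted(entry.rules, key=lambda r: r.priority):
            result = _rule_result(rule, request, rule.name in entry.excluded_rules)
            if result == "count":
                counted.append(f"{entry.name} {rule.name}")
            elif result is not None:
                if entry.override_action_count:
                    # the group stops at its first terminating match, but the web ACL
                    # turns that result into a count and moves on to the next entry
                    counted.append(entry.name)
                    break
                return result, counted
    return default_action, counted


def example_web_acl(excluded: Set[str] = frozenset(), override_group_a: bool = False):
    """The priority example from this section with constructed conditions.
    Rule1 is the Step 3 tutorial rule: count requests whose User-Agent is exactly MyAgent."""
    return [
        Rule("Rule1", 0, "count", header_equals("User-Agent", "MyAgent")),
        RuleGroup("RuleGroupA", 100, [
            Rule("RuleA1", 10000, "block", header_equals("X-Test", "bad")),   # X-Test is constructed
            Rule("RuleA2", 20000, "allow", header_equals("X-Test", "bad")),
        ], excluded_rules=set(excluded), override_action_count=override_group_a),
        Rule("Rule2", 200, "allow", header_equals("User-Agent", "MyAgent")),
        RuleGroup("RuleGroupB", 300, [
            Rule("RuleB1", 0, "captcha", lambda r: r.get("path") == "/login"),
            Rule("RuleB2", 1, "block", lambda r: r.get("path") == "/admin"),
        ]),
    ]
```

Running evaluate with the same request against example_web_acl(), example_web_acl(excluded={"RuleA1"}) and example_web_acl(override_group_a=True) shows the difference between the two override kinds: the first changes which rules act inside the group, the second only changes what the group returns to the web ACL.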

Working with web ACLs

When you make changes to web ACLs or web ACL components, like rules and rule groups, AWS WAF propagates the changes everywhere that the web ACL and its components are stored and used. Your changes are applied within seconds, but there might be a brief period of inconsistency when the changes have arrived in some places and not in others. So, for example, if you change a rule action setting, the action might be the old action in one area and the new action in another area. Or if you add an IP address to an IP set used in a blocking rule, the new address might briefly be blocked in one area while still allowed in another. This temporary inconsistency can occur when you first associate a web ACL with an AWS resource and when you change a web ACL that is already associated with a resource. Generally, any inconsistencies of this type last only a few seconds.

Topics

• Creating a web ACL (p. 16)

• Editing a web ACL (p. 18)

• Managing rule group behavior in a web ACL (p. 19)

• Associating or disassociating a web ACL with an AWS resource (p. 20)

• Deleting a web ACL (p. 21)

• Testing web ACLs (p. 21)

Creating a web ACL

To create a web ACL

1. Sign in to the AWS Management Console and open the AWS WAF console at https://console.aws.amazon.com/wafv2/.

2. Choose Web ACLs in the navigation pane, and then choose Create web ACL.

3. For Name, enter the name that you want to use to identify this web ACL.

Note

You can't change the name after you create the web ACL.

4. (Optional) For Description - optional, enter a longer description for the web ACL if you want to.

5. For CloudWatch metric name, change the default name if applicable. Follow the guidance on the console for valid characters. The name can't contain special characters, white space, or metric names reserved for AWS WAF, including "All" and "Default_Action."

Note

You can't change the CloudWatch metric name after you create the web ACL.

6. For Resource type, choose the category of AWS resource that you want to associate with this web ACL. For more information, see Associating or disassociating a web ACL with an AWS resource (p. 20).

7. For Region, if you've chosen a Regional resource type, choose the Region where you want AWS WAF to store the web ACL.

You only need to choose this option for Regional resource types. For CloudFront distributions, the Region is hard-coded to the US East (N. Virginia) Region, us-east-1, for Global (CloudFront) applications.

8. (Optional) For Associated AWS resources - optional, choose Add AWS resources. In the dialog box, choose the resources that you want to associate, and then choose Add. AWS WAF returns you to the Describe web ACL and associated AWS resources page.

9. Choose Next.

10. (Optional) If you want to add managed rule groups, on the Add rules and rule groups page, choose Add rules, and then choose Add managed rule groups. Do the following for each managed rule group that you want to add:

a. On the Add managed rule groups page, expand the listing for AWS managed rule groups or for the AWS Marketplace seller of your choice.

b. For the rule group that you want to add, turn on the Add to web ACL toggle in the Action column.

If you want to set the actions for any rules in the rule group to count only, choose Edit, then either turn on the Count toggle for individual rules or turn on the Set all rules actions to count toggle. Choose Save rule. For information about this option, see Overriding the actions of a rule group or its rules (p. 14).

Choose Add rules to finish adding managed rules and return to the Add rules and rule groups page.

11. (Optional) If you want to add your own rule group, on the Add rules and rule groups page, choose Add rules, and then choose Add my own rules and rule groups. Do the following for each rule group that you want to add:

a. On the Add my own rules and rule groups page, choose Rule group.

b. For Name, enter the name that you want to use for the rule group rule in this web ACL.

c. Choose your rule group from the list, and then choose Add rule.

12. (Optional) If you want to add your own rule, on the Add rules and rule groups page, choose Add rules, Add my own rules and rule groups, Rule builder, then Rule visual editor.

Note

The console Rule visual editor supports one level of nesting. For example, you can use a single logical AND or OR statement and nest one level of other statements inside it, but you can't nest logical statements within logical statements. To manage more complex rule statements, use the Rule JSON editor. For information about all options for rules, see AWS WAF rules (p. 58).

This procedure covers the Rule visual editor.

a. For Name, enter the name that you want to use to identify this rule.

b. Enter your rule definition, according to your needs. You can combine rules inside logical AND and OR rule statements. The wizard guides you through the options for each rule, according to context. For information about your rules options, see AWS WAF rules (p. 58).

c. For Action, select the action you want the rule to take when it matches a web request. For information on your choices, see AWS WAF rule action (p. 59) and Web ACL rule and rule group evaluation (p. 13).

If you are using the CAPTCHA action, adjust the Immunity time configuration as needed for this rule. For more information, see CAPTCHA tokens and token expiration (p. 136).

If you want to customize the request or response, choose the options for that and fill in the details of your customization. For more information, see Customized web requests and responses in AWS WAF (p. 90).

If you want to have your rule add labels to matching web requests, choose the options for that and fill in your label details. For more information, see Labels on web requests (p. 95).

13. Choose the default action for the web ACL. This is the action that AWS WAF takes when a web request doesn't match any of the rules in the web ACL. For more information, see Deciding on the default action for a web ACL (p. 15).

If you want to customize the default action, choose the options for that and fill in the details of your customization. For more information, see Customized web requests and responses in AWS WAF (p. 90).

14. Choose Next.

15. In the Set rule priority page, select and move your rules and rule groups to the order that you want AWS WAF to process them. For more information, see Web ACL rule and rule group evaluation (p. 13).

16. Choose Next.

17. In the Configure metrics page, review the options and apply any updates that you need. You can combine metrics from multiple sources by providing the same CloudWatch metric name for them.

18. Choose Next.

19. In the Review and create web ACL page, check over your definitions. If you want to change any area, choose Edit for the area. This returns you to the page in the web ACL wizard. Make any changes, then choose Next through the pages until you come back to the Review and create web ACL page.

20. Choose Create web ACL. Your new web ACL is listed in the Web ACLs page.

Editing a web ACL

To add or remove rules from a web ACL or change the default action, access the web ACL using the following procedure:

To edit a web ACL

1. Sign in to the AWS Management Console and open the AWS WAF console at https://console.aws.amazon.com/wafv2/.

2. In the navigation pane, choose Web ACLs.

3. Choose the name of the web ACL that you want to edit. The console takes you to the web ACL's description, where you can edit it.

Note

Web ACLs that are managed by AWS Firewall Manager have names that start with FMManagedWebACLV2-. The Firewall Manager administrator manages these in Firewall Manager AWS WAF policies. These web ACLs might contain rule group sets that are designated to run first and last in the web ACL, on either side of any rules or rule groups that you add and manage. The first and last rule groups have names that start with PREFMManaged- and POSTFMManaged-, respectively. For more information about these policies, see AWS WAF policies (p. 335).

4. Page through the web ACL definitions, and make your changes. This is similar to the procedure that you use to create the web ACL in Creating a web ACL (p. 16), with the following exceptions.

• Some fields that you set at creation aren't modifiable. For example, you can't change the name of a web ACL, and for web ACLs that are managed by Firewall Manager, you can't change any first and last rule group specifications.

• You can only set the CAPTCHA configuration for the web ACL when you edit an existing web ACL.

You can find this setting under the web ACL's Rules tab. For information about using CAPTCHA, see AWS WAF CAPTCHA (p. 133).

Managing rule group behavior in a web ACL

This section describes your options for modifying how you use a rule group in your web ACL. This information applies to all rule group types. After you add a rule group to a web ACL, you can override the actions of the individual rules in the rule group to count. You can also override the rule group's resulting action to count, which has no effect on how the rules are evaluated inside the rule group.

For information about these options, see Overriding the actions of a rule group or its rules (p. 14).

Setting rule actions to count in a rule group

For each rule group in a web ACL, you can override the contained rules' actions to count for some or all of the rules. Rules that you alter like this are described as being excluded rules in the rule group. If you have metrics enabled, you receive COUNT metrics for each excluded rule. This change alters how the rules in the rule group are evaluated.

To set rule actions to count in a rule group

1. After you've added your rule group to your web ACL, edit the web ACL.

2. In the web ACL page Rules tab, select the rule group, then choose Edit.

3. In the Rules section for the rule group, do one of the following:

• (Option) Turn on the Set all rule actions to count toggle.

• (Option) For each rule that you want to set to count, turn on the Rule action Count toggle.

4. Choose Save rule.

The following example JSON listing shows a rule group declaration inside a web ACL that sets the rule actions to count for the rules CategoryVerifiedSearchEngine and CategoryVerifiedSocialMedia. Through the API, in order to set all rule actions to count when you add a rule group to a web ACL, you list them all by name in the ExcludedRules specification inside the rule group reference statement, as shown here.

{
  "Name": "AWS-AWSBotControl-Example",
  "Priority": 5,
  "Statement": {
    "ManagedRuleGroupStatement": {
      "VendorName": "AWS",
      "Name": "AWSManagedRulesBotControlRuleSet",
      "ExcludedRules": [
        { "Name": "CategoryVerifiedSearchEngine" },
        { "Name": "CategoryVerifiedSocialMedia" }
      ]
    }
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "AWS-AWSBotControl-Example"
  }
}

Overriding a rule group's action to count

You can override the action that a rule group returns to count, without altering how the rules in the rule group are configured or evaluated.


To override the rule group's resulting action

1. After you've added your rule group to your web ACL, edit the web ACL.

2. In the web ACL page Rules tab, select the rule group, then choose Edit.

3. Enable the option Override rule group action.

4. Choose Save rule.

The following example JSON listing shows a rule group declaration inside a web ACL where the web ACL is configured to override the rule group action to count. The override setting is the OverrideAction element.

{
  "Name": "AWS-AWSBotControl-Example",
  "Priority": 5,
  "Statement": {
    "ManagedRuleGroupStatement": {
      "VendorName": "AWS",
      "Name": "AWSManagedRulesBotControlRuleSet"
    }
  },
  "OverrideAction": {
    "Count": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "AWS-AWSBotControl-Example"
  }
}

Associating or disassociating a web ACL with an AWS resource

You can use AWS WAF to associate a web ACL with an Amazon API Gateway REST API, an Application Load Balancer, or an AWS AppSync GraphQL API.

You can associate a web ACL with a CloudFront distribution when you create or update the distribution itself. For information, see Using AWS WAF to Control Access to Your Content in the Amazon CloudFront Developer Guide.

You can only associate a web ACL with an Application Load Balancer within AWS Regions. For example, you cannot associate a web ACL with an Application Load Balancer that is on AWS Outposts.

Restrictions on multiple associations

You can associate a single web ACL with one or more AWS resources, according to the following restrictions:

• You can associate each AWS resource with only one web ACL. The relationship between web ACL and AWS resources is one-to-many.

• You can associate a web ACL with one or more CloudFront distributions. You cannot associate a web ACL that you have associated with a CloudFront distribution with any other AWS resource type.

To associate a web ACL with an AWS resource

1. Sign in to the AWS Management Console and open the AWS WAF console at https://console.aws.amazon.com/wafv2/.

2. In the navigation pane, choose Web ACLs.

3. Choose the web ACL that you want to associate with a resource.


4. On the Associated AWS resources tab, choose Add AWS resources.

5. When prompted, choose your resource that you want to associate this web ACL with. If you choose an Amazon API Gateway REST API, an Application Load Balancer, or an AWS AppSync GraphQL API, specify a Region.

6. Choose Add.

To disassociate a web ACL from an AWS resource

1. Sign in to the AWS Management Console and open the AWS WAF console at https://console.aws.amazon.com/wafv2/.

2. In the navigation pane, choose Web ACLs.

3. Choose the web ACL that you want to disassociate from your resource.

4. On the Associated AWS resources tab, deselect the resources that you want to disassociate this web ACL from.

5. Choose Save.

Deleting a web ACL

To delete a web ACL, you first disassociate all AWS resources from the web ACL. Perform the following procedure.

To delete a web ACL

1. Sign in to the AWS Management Console and open the AWS WAF console at https://console.aws.amazon.com/wafv2/.

2. In the navigation pane, choose Web ACLs.

3. Select the name of the web ACL that you want to delete. The console takes you to the web ACL's description, where you can edit it.

4. On the Associated AWS resources tab, select all resources, and then choose Remove to disassociate the web ACL from all resources.

5. In the navigation pane, choose Web ACLs.

6. Select the radio button next to the web ACL that you are deleting, and then choose Delete.

Testing web ACLs

To ensure that you don't accidentally configure AWS WAF to block web requests that you want to allow or allow requests that you want to block, we recommend that you test your web ACL thoroughly before you start using it on your website or web application.

Topics

• Counting the web requests that match the rules in a web ACL (p. 21)

• Viewing a sample of web requests (p. 23)

Counting the web requests that match the rules in a web ACL

When you add rules to a web ACL, you specify whether you want AWS WAF to allow, block, or count the web requests that match all the conditions in that rule. We recommend that you begin with the following configuration:

• Configure all the rules in a web ACL to count web requests. For information about how to do this for a rule group in a web ACL, see Setting rule actions to count in a rule group (p. 19).
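The two JSON listings above (ExcludedRules and OverrideAction) and the count-first test pass recommended here can be applied programmatically. The following Python is an added example, not code from this guide or from AWS; it edits a web ACL definition of the shape AWS WAF uses, with a constructed sample web ACL whose rule names and ByteMatchStatement are illustrative, and it does not call the AWS API.

```python
import copy

# Constructed sample web ACL, modelled on the listings in this guide (illustrative names).
SAMPLE_WEB_ACL = {
    "Name": "example-web-acl",
    "DefaultAction": {"Allow": {}},
    "Rules": [
        {"Name": "block-admin-path", "Priority": 1, "Action": {"Block": {}},
         "Statement": {"ByteMatchStatement": {"SearchString": "/admin"}}},
        {"Name": "AWS-AWSBotControl-Example", "Priority": 5,
         "Statement": {"ManagedRuleGroupStatement": {
             "VendorName": "AWS", "Name": "AWSManagedRulesBotControlRuleSet"}},
         "OverrideAction": {"None": {}}},
    ],
}
RULE_GROUP_KEYS = ("ManagedRuleGroupStatement", "RuleGroupReferenceStatement")

def _find_rule(web_acl, rule_name):
    for rule in web_acl["Rules"]:
        if rule["Name"] == rule_name:
            return rule
    raise KeyError(f"no rule named {rule_name}")

def set_rule_actions_to_count(web_acl, rule_name, rules_to_count):
    """Copy of web_acl with rules_to_count listed in the rule group's ExcludedRules."""
    acl = copy.deepcopy(web_acl)
    stmt = _find_rule(acl, rule_name)["Statement"]
    key = next((k for k in RULE_GROUP_KEYS if k in stmt), None)
    if key is None:
        raise ValueError(f"{rule_name} does not reference a rule group")
    excluded = stmt[key].setdefault("ExcludedRules", [])
    present = {e["Name"] for e in excluded}          # keep the list free of duplicates
    excluded.extend({"Name": n} for n in rules_to_count if n not in present)
    return acl

def override_rule_group_action_to_count(web_acl, rule_name):
    """Copy of web_acl where the rule group's own result is overridden to Count."""
    acl = copy.deepcopy(web_acl)
    rule = _find_rule(acl, rule_name)
    if not any(k in rule["Statement"] for k in RULE_GROUP_KEYS):
        raise ValueError(f"{rule_name} does not reference a rule group")
    rule["OverrideAction"] = {"Count": {}}
    return acl

def rules_that_can_allow_or_block(web_acl):
    """Rules not yet in count mode: a plain rule counts via Action, a rule group reference
    via OverrideAction (excluding every rule by name also works but is not checked here)."""
    return [r["Name"] for r in web_acl["Rules"]
            if r.get("Action", r.get("OverrideAction")) != {"Count": {}}]
```

Run rules_that_can_allow_or_block over the web ACL you are about to deploy; an empty list means nothing in it can allow or block yet, which is the starting point this section recommends.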
