AWS October Webinar Series - Introducing AWS WAF

© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Nate Dye, AWS WAF. Oct 28th, 2015. Introduction to AWS WAF



What to expect from this session

AWS WAF Intro

AWS WAF Setup

Security Automation

AWS WAF 301


Why AWS WAF? Application vulnerabilities
(Slide diagram labels: Good users, Bad guys, Web server, Database, Exploit code)

Why AWS WAF? Abuse
(Slide diagram labels: Good users, Bad guys, Web server, Database)

Why AWS WAF? Application DDoS
(Slide diagram labels: Good users, Bad guys, Web server, Database)

What is AWS WAF?
(Slide diagram labels: Good users, Bad guys, AWS WAF, Web server, Database)

What is AWS WAF?
(Slide diagram labels: Good users, Bad guys, AWS WAF, Web server, Database)

AWS WAF rules:
1: BLOCK requests from bad guys.
2: ALLOW requests from good guys.

What is AWS WAF?
(Slide diagram labels: Good users, Bad guys, AWS WAF, Web server, Database)

1-Minute Metrics & Sampled Requests

What is AWS WAF? APIs for Security Automation
(Slide diagram labels: Good users, Bad guys, Server, AWS WAF, Logs, Threat analysis, Rule updater, Notification, Security Engineer)

AWS WAF
- Block or allow web requests
- Monitor security events
- New API and console
- Protect websites and content
- Amazon CloudFront

What to expect from this session

AWS WAF Intro

AWS WAF Setup

Security Automation

AWS WAF 301

Setting Up AWS WAF

1. Create a web ACL: ALLOW requests by default, but…

2. Add a rule: BLOCK if…

3. Add match conditions: the source IP matches this list…

4. Assign to CloudFront: for any request to d123.cloudfront.net.

Setting Up AWS WAF

<First Run Demo>

But wait, there’s more

Match conditions: IP, String, SQLi

Flexible rules: AND/OR; block, allow, or count; ordered conditions

Fast feedback: ~1 minute for changes; 1-minute metrics; request samples


Match conditions: Strings and bytes. Example #1: Whitelist Referer

RAW request headers (good user, via CloudFront, inspected by AWS WAF):

Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; …
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.example.com/
Connection: keep-alive

Rule (string match condition):
Check: Header "Referer"
Match Type: Contains
Match: "example.com"
Action: ALLOW

Match conditions: Strings and bytes. Example #2: Blacklist User-Agents

RAW request headers (scraper bot, via CloudFront, inspected by AWS WAF):

Host: www.example.com
User-Agent: badbot
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.example.com/
Connection: keep-alive

Rule (string match condition):
Check: Header "User-Agent"
Match Type: Contains
Match: "badbot"
Action: BLOCK

Match conditions: Strings and bytes. Example #2 (continued): Blacklist User-Agents, with a case transform

RAW request headers (scraper bot varying the case of its User-Agent and Referer):

Host: www.example.com
User-Agent: bAdBoT
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.InTeRnEtkItTiEs.com/
Connection: keep-alive

Rule (string match condition):
Check: Header "User-Agent"
Transform: To lower
Match Type: Contains
Match: "badbot"
Action: BLOCK

Match conditions: IP Sets. Example #3: Blacklist IP Address

RAW request headers (scraper bot, via CloudFront, inspected by AWS WAF):

Host: www.example.com
User-Agent: bAdBoT
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.InTeRnEtkItTiEs.com/
Connection: keep-alive

Rule (string match condition):
Check: Header "User-Agent"
Transform: To lower
Match Type: Contains
Match: "badbot"
Action: BLOCK

Source IP: 192.168.45.67

Setting Up AWS WAF

<Prevent Content Abuse Demo>

But wait, there’s more

Match conditions: IP, String, SQLi

Flexible rules: AND/OR; block, allow, or count; ordered conditions

Fast feedback: ~1 minute for changes; 1-minute metrics; request samples

Reuse conditions. Example #4: Reusable IP Blacklist
(Slide diagram labels: Web ACL #1, Web ACL #2, Shared blacklist, CloudFront distributions)

AND/OR multiple conditions. Example #5: Restricted Admin URLs
(Slide diagram labels: AWS WAF, Site Admins, /admin/login.aspx, /mainsite/images, Users)
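The setup steps and examples #1 to #5 above describe how a web ACL evaluates ordered rules whose conditions (string match with a "To lower" transform, IP set, negated predicate, several conditions ANDed) decide BLOCK, ALLOW or COUNT. The following is an added example, not AWS code or the deck's own: a small Python model of that evaluation, using hypothetical rule names and the addresses from the slides, so the case-variation trick in example #2 and the admin-URL restriction in example #5 can be checked offline.

```python
import ipaddress

def header(req, name):  # case-insensitive lookup; req has source_ip, uri, headers
    return next((v for k, v in req["headers"].items() if k.lower() == name.lower()), "")

def string_match(field, match, transform=None):
    """Condition: header `field` CONTAINS `match` after an optional transform."""
    def check(req):
        value = header(req, field)
        if transform == "lowercase":  # the slides' "To lower" transform
            value = value.lower()
        return match in value
    return check

def uri_match(prefix):  # condition: request URI starts with prefix
    return lambda req: req["uri"].startswith(prefix)

def ip_set(cidrs):  # condition: source IP is in one of the CIDR ranges
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda req: any(ipaddress.ip_address(req["source_ip"]) in n for n in nets)

def negate(cond):  # negated predicate, e.g. "NOT from the admin IP set"
    return lambda req: not cond(req)

def evaluate(web_acl, req, counts):
    """Rules run in order; a rule matches when ALL its conditions match.
    COUNT rules only tally into `counts`; the first ALLOW/BLOCK rule wins,
    otherwise the web ACL's default action applies."""
    for rule in web_acl["rules"]:
        if all(cond(req) for cond in rule["conditions"]):
            if rule["action"] == "COUNT":
                counts[rule["name"]] = counts.get(rule["name"], 0) + 1
                continue
            return rule["action"]
    return web_acl["default_action"]

# Hypothetical web ACL built from the slides' examples #2, #3 and #5.
WEB_ACL = {
    "default_action": "ALLOW",
    "rules": [
        {"name": "ip-blacklist", "action": "BLOCK",
         "conditions": [ip_set(["192.168.45.67/32"])]},
        {"name": "bad-bots", "action": "BLOCK",
         "conditions": [string_match("User-Agent", "badbot", "lowercase")]},
        {"name": "odd-referer", "action": "COUNT",  # count mode: observe only
         "conditions": [negate(string_match("Referer", "example.com"))]},
        {"name": "admin-only", "action": "BLOCK",  # AND of two conditions
         "conditions": [uri_match("/admin/"), negate(ip_set(["10.0.0.0/8"]))]},
    ],
}
```

Without the "lowercase" transform the "bAdBoT" request in example #2 would pass the bad-bots rule untouched, which is why the slide adds the transform; the 10.0.0.0/8 admin range is an assumed value.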

Setting Up AWS WAF

<Demo: Customizing Conditions>

But wait, there’s more

Match conditions: IP, String, SQLi

Flexible rules: AND/OR; block, allow, or count; ordered conditions

Fast feedback: ~1 minute for changes; 1-minute metrics; request samples

Observing rules in action: finding requests that match your rules.

Set alarms for WAF: use count rules to find bad actors.

1. Count mode
2. Alert on Amazon CloudWatch metrics
3. Get sampled requests
4. Add bad IPs to blacklist

Setting up detection alarms

<Example Demo>

What to expect from this session

AWS WAF Intro

AWS WAF Setup

Security Automation

AWS WAF 301

Automatic incident reports
(Slide diagram components: CloudWatch alarm, SNS topic, AWS Lambda, AWS WAF, Operator, SNS topic)

1. Alarm on count
2. Send Amazon SNS notification
4. Format sampled requests
5. Get sampled requests
6. Send email notification
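Steps 4 and 5 of the pipeline above are where a Lambda function turns AWS WAF's sampled requests into something an operator can act on. The following is an added example, not code from the deck or from AWS: a formatter for the response shape of the classic AWS WAF GetSampledRequests API (the call a Lambda would make in step 5 via boto3's `get_sampled_requests`), run here over a constructed response so it works offline. The rule name and the IP addresses are assumed sample values.

```python
from collections import Counter

def summarize_sampled_requests(response, top=5):
    """Aggregate a GetSampledRequests response by client IP.
    Returns (population_size, [(client_ip, total_weight, example_uri), ...])
    ranked by weight; Weight is AWS's estimate of how many requests a sample
    stands for, so it, not the raw sample count, is what to rank on."""
    by_ip, example_uri = Counter(), {}
    for item in response.get("SampledRequests", []):
        req = item["Request"]
        by_ip[req["ClientIP"]] += item.get("Weight", 1)
        example_uri.setdefault(req["ClientIP"], req.get("URI", "/"))
    ranked = [(ip, w, example_uri[ip]) for ip, w in by_ip.most_common(top)]
    return response.get("PopulationSize", 0), ranked

def format_report(rule_name, response, top=5):
    """Step 4: the plain-text body of the email notification sent in step 6."""
    population, ranked = summarize_sampled_requests(response, top)
    lines = [f"AWS WAF rule '{rule_name}' matched about {population} requests in the window.",
             "Top client IPs in the sample (candidates for the IP blacklist):"]
    for ip, weight, uri in ranked:
        lines.append(f"  {ip:<16} weight={weight:<5} e.g. {uri}")
    return "\n".join(lines)

# Constructed sample in the shape of a classic AWS WAF GetSampledRequests response.
SAMPLE_RESPONSE = {
    "PopulationSize": 1200,
    "SampledRequests": [
        {"Request": {"ClientIP": "192.168.45.67", "Country": "US", "URI": "/admin/login.aspx",
                     "Method": "GET", "HTTPVersion": "HTTP/1.1",
                     "Headers": [{"Name": "User-Agent", "Value": "bAdBoT"}]},
         "Weight": 300, "Action": "COUNT"},
        {"Request": {"ClientIP": "198.51.100.9", "Country": "US", "URI": "/mainsite/images",
                     "Method": "GET", "HTTPVersion": "HTTP/1.1",
                     "Headers": [{"Name": "User-Agent", "Value": "Mozilla/5.0"}]},
         "Weight": 40, "Action": "COUNT"},
        {"Request": {"ClientIP": "192.168.45.67", "Country": "US", "URI": "/admin/login.aspx",
                     "Method": "POST", "HTTPVersion": "HTTP/1.1",
                     "Headers": [{"Name": "User-Agent", "Value": "badbot"}]},
         "Weight": 260, "Action": "COUNT"},
    ],
}

if __name__ == "__main__":
    print(format_report("odd-user-agents", SAMPLE_RESPONSE))
```

In a real deployment the operator should review the report before any IP is added to the blacklist, since sampled requests are a sample of a one-minute window, not the full population.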

Automating Detection Alarms

<Example Demo>

Thank you!

Get started with AWS WAF: https://console.aws.amazon.com/waf