Read Time 5 mins | Written by: Jordan.X | Ryo Hang
The Challenge:
The challenges associated with safeguarding web applications are multi-faceted. Cyber attackers continuously devise new strategies to breach security measures, steal sensitive data, and disrupt services.
The array of common malicious web attacks encompasses:
-
SQL injection, where malicious code is injected into input fields to manipulate databases.
-
cross-site scripting (XSS), which targets users with malicious scripts.
-
DDoS attacks on layer 7 (HTTP Flood), which are designed to consume application resources.
-
More web application attacks and threats from the OWASP Top 10.
The ASCENDING Approach:
We can leverage AWS WAF, AWS Shield, and AWS Firewall Manager together to create a comprehensive security solution for your web application resources.
What is AWS WAF?
AWS WAF (Web Application Firewall) is usually placed logically between users and web servers and provides the capability to monitor/analyze HTTP and HTTPS requests directed towards your protected web application resources. 
Maintaining and configuring your own set of security rules can be a challenge. With AWS WAF, you can now apply AWS Managed Rules, which gives you protection against common vulnerabilities and emerging threats.
What is AWS Schield?
AWS Shield is a managed service designed to protect applications running on AWS from distributed denial of service (DDoS) attacks, and it comes in two tiers: Standard and Advanced.
What is AWS Firewall Manager?
AWS Firewall Manager simplifies your administration and maintenance tasks across multiple accounts and resources for a variety of protections, including AWS WAF, AWS Shield Advanced.
With Firewall Manager, you set up your security policies/protections just once and the service automatically applies them across your accounts and resources.
The Solution:
ASCENDING presents a cutting-edge WAFv2 Regional solution, equipped with AWS Managed Rulesets for OWASP Top 10. This innovative offering allows for seamless deployment of one of the following options, tailored to your specific use case:
-
Option 1: Regional Web ACL for individual AWS accounts
-
Option 2: AWS Firewall Manager policy for deploying Web ACL across multiple AWS Organization accounts
Our solution also provides the following optional features:
-
IPv4 block list
-
CloudWatch Metrics (Enabled by default)
-
Request Sampling (Enabled by default)
-
Rate Limiting by IP (Required)
-
Web Request Body Size Constraint in Bytes (Block Web Requests that their Body Size is larger than this number)
-
Exclude One Rule From AWSManagedRulesCommonRuleSet We enabled (Default is
SizeRestrictions_BODYsince the default body size limit is 8 KB, which is too small) -
Regex Set to Block Web Requests that Don't Match Them (Only compare the Host in the request header, e.g. your Regex could be
.*\.example\.com) -
AWS account IDs in your organization that the Firewall Manager applies the policy to (Used when option 2 is selected)
-
Resource ARN to be associated with the Web ACL (Used when option 1 is selected)
Prerequisites for Option 2:
- Enabling Firewall Manager. (See References below)
- Sign in to your AWS Firewall Manager admin account in your Organization and choose Option 2.
Deploying the template:
- Click Launch Stack to deploy the solution in your AWS account. This button takes you to the CloudFormation console's Create stack page with the pre-populated template.
- Complete the steps on the console and provide the necessary values for each parameter in the template to deploy the solution.
- The default behavior for Option 1 will deploy a regional
- Web ACL on your current account, and you may associate this web ACL with any of the regional resources listed below in a separate step.
Amazon API Gateway REST API
Application Load Balancer
- The default behavior for Option2 will deploy the Web ACL across your accounts within your AWS organization and protect the type of Application LoadBalancer You may extend the protection types by editing this policy later on the console based on your use case.
References: