• Understand the difference between AWS WAF Classic and the new AWS WAF
• Get deeper insight into the new WAFv2 API and how rule writing works using JSON
• Get tips on how you can plan your migration from AWS WAF Classic to the new AWS WAF
[Diagram labels: AWS WAF; Amazon API Gateway; Amazon CloudFront; Request; Rule Statements; Sampled Request; Logging; Metrics]
https://www.twitch.tv/videos/529888575
© 2020, Amazon Web Services, Inc. or its Affiliates.
New API (“wafv2”)
Shareable Elements
AWS Managed Rules are the quickest and easiest way to get started
• Variety of rules to choose from depending on your use case
• Rules are curated and managed for you
• Access to third-party rules through AWS Marketplace
Console (Rule Builder) / Code (JSON/YAML)
Please check out the AWS WAFv2 API Reference for full detail
Example: Nesting Rules Using Logical Operators

Block a request that is detected as an XSS attack, and does not contain a certain string or is from a certain country.

      {
        "XssMatchStatement": { ... }
      },
      {
        "OrStatement": {
          "Statements": [
            {
              "NotStatement": {
                "Statement": {
                  "ByteMatchStatement": { ... }
                }
              }
            },
            {
              "GeoMatchStatement": { ... }
            }
          ]
        }
      }
    ]
  }
}
The same rule, annotated with the WCU (web ACL capacity units) each statement consumes:

"Statement": {
  "AndStatement": {
    "Statements": [
      {
        "XssMatchStatement": { ... }        // WCU = 40
      },
      {
        "OrStatement": {
          "Statements": [
            {
              "NotStatement": {
                "Statement": {
                  "ByteMatchStatement": { ... }   // WCU = 10
                }
              }
            },
            {
              "GeoMatchStatement": { ... }    // WCU = 1
            }
          ]
        }
      }
    ]
  }
}

Logical operators (And/Or/Not) do not consume any WCU. Total WCU = 40 + 10 + 1 = 51.
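To make the WCU arithmetic above concrete, here is an added example (not code from the deck or from AWS) that walks a WAFv2 rule's nested And/Or/Not statements and sums the leaf costs quoted on the slide. The rule JSON and its field values ("/health", country code "XX") are constructed for illustration, and the per-statement figures are the simplified ones from the slide, not a full AWS cost model.

```python
import json

# Simplified WCU figures quoted on the slide for the three leaf statements.
# Assumption: real AWS WCU also depends on text transformations and match
# scope, so treat this as a planning estimate, not the authoritative cost.
LEAF_WCU = {"XssMatchStatement": 40, "ByteMatchStatement": 10, "GeoMatchStatement": 1}


def statement_wcu(stmt: dict) -> int:
    """Recursively sum WCU for one WAFv2 Statement object.

    And/Or/Not are free: only the leaf match statements nested inside
    them are charged, exactly as the slide's annotation shows.
    """
    if len(stmt) != 1:
        raise ValueError("a Statement must hold exactly one statement type")
    ((kind, body),) = stmt.items()
    if kind in ("AndStatement", "OrStatement"):
        return sum(statement_wcu(s) for s in body["Statements"])
    if kind == "NotStatement":
        return statement_wcu(body["Statement"])
    if kind in LEAF_WCU:
        return LEAF_WCU[kind]
    raise ValueError(f"unsupported statement type: {kind}")


def rule_wcu(rule_json: str) -> int:
    """Parse a rule's JSON and return its total WCU."""
    return statement_wcu(json.loads(rule_json)["Statement"])


# Constructed rule mirroring the slide: XSS AND (NOT byte-match OR geo-match).
# Field values ("/health", "XX") are placeholders, not from the deck.
RULE_JSON = """{
  "Name": "xss-not-health-or-country", "Priority": 0, "Action": {"Block": {}},
  "Statement": {"AndStatement": {"Statements": [
    {"XssMatchStatement": {"FieldToMatch": {"QueryString": {}},
      "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}},
    {"OrStatement": {"Statements": [
      {"NotStatement": {"Statement": {"ByteMatchStatement": {
        "FieldToMatch": {"UriPath": {}}, "PositionalConstraint": "CONTAINS",
        "SearchString": "/health",
        "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}}}},
      {"GeoMatchStatement": {"CountryCodes": ["XX"]}}]}}]}},
  "VisibilityConfig": {"SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true, "MetricName": "xss-not-health-or-country"}
}"""

if __name__ == "__main__":
    print(f"Total WCU = {rule_wcu(RULE_JSON)}")  # 40 + 10 + 1 = 51
```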
Some Caveats to Rule Writing
Use CloudWatch metrics and sampled requests for a quick sanity check
• Provides a summary of what WAF has seen over a specific period of time
• Limited header information