
Protecting Your Web Application Using

AWS Managed Rules for AWS WAF

Kevin Lee, Sr. Product Manager

March 30, 2020

© 2020, Amazon Web Services, Inc. or its Affiliates.


Learning Objectives

• Learn about AWS Managed Rules for AWS WAF
• Understand the difference between AWS WAF Classic and the new AWS WAF
• Get deeper insight into the new WAFv2 API and how rule writing works using JSON
• Get tips on how you can plan your migration from AWS WAF Classic to the new AWS WAF



Quick Service Overview



What is AWS WAF?

Highly configurable and scalable cloud-native web application firewall, giving you the first line of defense against incoming threats.



How AWS WAF Works



Key Terminology

(The slide is a diagram; its labels, grouped:)
• Web ACL (Web Access Control List): the policy that holds an ordered list of Rule Statements and is evaluated against each incoming Request
• Shareable elements a rule statement can reference: IP Set, Rule Group, Regex Set
• Resources a web ACL can protect: Amazon CloudFront, Application Load Balancer, Amazon API Gateway
• Visibility: Sampled Request, Metrics (Amazon CloudWatch), Logging (Amazon Kinesis Data Firehose)
What’s New in AWS WAF?



AWS Managed Rules for AWS WAF

Set of pre-configured rules that you can deploy on your application
• Covers common attack vectors and threats
• Curated and maintained by a threat research team
• Influenced by the OWASP Top 10 Web Application Security Risks

Available to all customers at no extra charge



AWS Managed Rules: Available Rule Groups

• Baseline
• Use-case Specific
• IP Reputation List



AWS Managed Rules: Customer Testimonial

https://www.twitch.tv/videos/529888575
New API (“wafv2”)

Single API for managing global and regional resources
• Replaces the two separate APIs, “waf” (global, for CloudFront) and “waf-regional”, with one “wafv2” API
• CloudFormation support for all rule types
• Brand new console experience
• Resources must be recreated to use the new API (there is no in-place upgrade)

Simplified service limits
• Removed various limits and increased some limits
• e.g., rules per web ACL, regex pattern set, regex length, etc.



Document-based Rule Writing in JSON

Rules are tied to your security policy (web ACL)
• Rules can be copied, pasted, and deleted without restriction
• Provide a top-down overview of the whole policy

Shareable elements, referenced from the web ACL's rule statements: IP Set, Rule Group, Regex Set



Enhancements to Rule Expression Schema

Introduction of Web ACL Capacity Unit (WCU)
• Dimension that is used to calculate and control the operating resources that are used to process your rules within a web ACL
• By default, max WCU allowed per web ACL is 1,500

Match Statement                                        WCU Consumed
Geographic match                                       1
IP set match (containing up to 10,000 IPs)             1
Size constraint match                                  1
String match (starts with / ends with)                 2
String match (contains)                                10
Regex set match (containing up to 10 patterns)         25
SQLi detection                                         20
XSS detection                                          40
Managed Rules                                          Varies



Enhancements to Rule Expression Schema

Support for statement nesting and OR logical operation
• Create rules with nested logical operations
• e.g., [A AND (B OR C)], [(A OR B) AND (C OR D)], etc.

Full CIDR range support
• /1 through /32 for IPv4 and /1 through /128 for IPv6

Chainable text transformations
• Useful for sanitizing a field before inspection; the transformations run in Priority order, each once, before the match is evaluated



What Remains the Same

Existing features and terminology
• e.g., rate-based rule behavior, performance, etc.
• AWS Marketplace managed rules are still supported

Existing APIs will continue to be supported
• Service has been re-labeled to AWS WAF Classic



Demo
Deploying AWS Managed Rules to your web
application



What We Covered So Far

AWS Managed Rules is the quickest and easiest way to get started
• Variety of rules to choose from depending on your use case
• Rules are curated and managed for you
• Access to third-party rules through AWS Marketplace

The new WAFv2 API offers more flexibility
• e.g., fewer limits, rule schema enhancements, new console, etc.

However, what if you have a more intricate security policy?



Rule Writing Deep Dive



Writing Your Own Rules for AWS WAF

Two ways to author rules: Console (Rule Builder) or Code (JSON/YAML)



Example: Web ACL (Creation)

>> cat hello-world.json
{
  "Name": "hello-world",
  "DefaultAction": {
    "Allow": {}
  },
  "Description": "My first web ACL on AWS WAF",
  "Rules": [
    { ... }
  ],
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "hello-world"
  }
}

• DefaultAction: action taken if none of the rules matched (set it to Block for a positive security model, where rules explicitly allow the traffic you expect)
• Rules: list of all rule statements (explored later)
• VisibilityConfig: visibility configuration options at the web ACL level

Create the web ACL with the CLI. A web ACL for CloudFront (scope CLOUDFRONT) is a global resource and must be created and managed with --region us-east-1; a REGIONAL web ACL is created in the region of the resource it will protect:

>> aws wafv2 create-web-acl --scope=CLOUDFRONT --region=us-east-1 --cli-input-json file://hello-world.json

>> aws wafv2 create-web-acl --scope=REGIONAL --region=us-east-1 --cli-input-json file://hello-world.json


Example: Web ACL (Post Creation)

>> aws wafv2 get-web-acl --scope=CLOUDFRONT --region=us-east-1 --name=hello-world --id=f2fe2787-9fc6-4a26-b944
{
  "WebACL": {
    "Name": "hello-world",
    "Id": "f2fe2787-9fc6-4a26-b944",
    "ARN": "arn:aws:wafv2:us-east-1:123456789012:global/webacl/hello-world/f2fe2787-9fc6-4a26-b944",
    "DefaultAction": {
      "Allow": {}
    },
    "Description": "My first web ACL on AWS WAF",
    "Rules": [
      { ... }
    ],
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "hello-world"
    },
    "Capacity": 700
  },
  "LockToken": "b806c708-edc1"
}

• ARN: the scope segment is global for a CLOUDFRONT web ACL and regional for a REGIONAL one
• Capacity: the WCU consumed by the rules currently in the web ACL
• LockToken: call get-web-acl first to get a token. update-web-acl requires the token returned by the most recent get; if anyone else updated the web ACL in between, the update is rejected and you must fetch again and re-apply your change on top of the current version.

>> aws wafv2 update-web-acl --scope=CLOUDFRONT --region=us-east-1 --name=hello-world --lock-token=b806c708-edc1 --id=f2fe2787-9fc6-4a26-b944 --cli-input-json file://hello-world.json
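The get-web-acl / update-web-acl handshake above, written out in Python as an added example (not code from the deck or from AWS): it fetches the web ACL, appends the AWSManagedRulesCommonRuleSet group in Count mode, which is the deck's recommended first step, and resubmits with the LockToken, retrying when the token has gone stale. FakeWafv2Client is a stand-in for boto3's wafv2 client so the block runs offline; its method names, keyword arguments, response keys and exception name follow the real client, while the token values and the simulated concurrent writer are constructed for the example.

```python
"""Append an AWS Managed Rules group, in Count mode, to an existing web ACL using the
get-web-acl / update-web-acl lock-token handshake.

Added example, not from the deck. FakeWafv2Client is an offline stand-in for
boto3.client("wafv2", region_name="us-east-1"): method names, keyword arguments,
response keys and the exception name mirror the real client; token values and the
race simulation are constructed for the example.
"""
import copy


class WAFOptimisticLockException(Exception):
    """Same name as botocore's client.exceptions.WAFOptimisticLockException."""


def _visibility(metric_name):
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}


# The deck's hello-world web ACL with its Fruit rule, as get-web-acl returns it.
HELLO_WORLD_ACL = {
    "Name": "hello-world", "Id": "f2fe2787-9fc6-4a26-b944",
    "DefaultAction": {"Allow": {}}, "Description": "My first web ACL on AWS WAF",
    "Rules": [{
        "Name": "Fruit", "Priority": 1, "Action": {"Block": {}},
        "Statement": {"ByteMatchStatement": {
            "FieldToMatch": {"Body": {}}, "PositionalConstraint": "CONTAINS",
            "SearchString": "watermelon",
            "TextTransformations": [{"Type": "NONE", "Priority": 0}]}},
        "VisibilityConfig": _visibility("Fruit")}],
    "VisibilityConfig": _visibility("hello-world"),
}

# Managed rule groups carry OverrideAction instead of Action. Count reports matches
# without blocking, which is how you baseline the group before switching the
# override to {"None": {}} so the group's own block actions take effect.
MANAGED_RULES_COUNT_MODE = {
    "Name": "AWS-AWSManagedRulesCommonRuleSet", "Priority": 0,
    "Statement": {"ManagedRuleGroupStatement": {
        "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}},
    "OverrideAction": {"Count": {}},
    "VisibilityConfig": _visibility("AWS-AWSManagedRulesCommonRuleSet"),
}


def add_rule_with_lock_token(client, scope, name, web_acl_id, new_rule, attempts=3):
    """get-web-acl, append new_rule, then update-web-acl with the fetched LockToken.

    The token is an optimistic lock: if another writer changed the ACL between our
    get and our update, WAF raises WAFOptimisticLockException and the only safe
    recovery is to re-read, re-apply the change and resubmit. Returns the rule count.
    """
    for _ in range(attempts):
        resp = client.get_web_acl(Scope=scope, Name=name, Id=web_acl_id)
        acl = resp["WebACL"]
        rules = [r for r in acl["Rules"] if r["Name"] != new_rule["Name"]]
        if new_rule["Priority"] in {r["Priority"] for r in rules}:
            raise ValueError(f"priority {new_rule['Priority']} already used in {name}")
        rules.append(new_rule)
        try:
            client.update_web_acl(
                Scope=scope, Name=name, Id=web_acl_id, LockToken=resp["LockToken"],
                DefaultAction=acl["DefaultAction"], Description=acl.get("Description", ""),
                Rules=rules, VisibilityConfig=acl["VisibilityConfig"])
            return len(rules)
        except client.exceptions.WAFOptimisticLockException:
            continue  # stale token: fetch a fresh copy and try again
    raise RuntimeError(f"gave up updating {name}: lock token kept changing")


class FakeWafv2Client:
    """Offline stand-in for the boto3 wafv2 client (constructed for this example).
    race_once=True simulates a concurrent writer, so the first update is rejected."""

    class exceptions:  # boto3 exposes service errors as client.exceptions.<Name>
        WAFOptimisticLockException = WAFOptimisticLockException

    def __init__(self, acl, race_once=False):
        self._acl, self._token, self._race = copy.deepcopy(acl), "b806c708-edc1", race_once

    def get_web_acl(self, Scope, Name, Id):
        return {"WebACL": copy.deepcopy(self._acl), "LockToken": self._token}

    def update_web_acl(self, Scope, Name, Id, LockToken, DefaultAction,
                       Description, Rules, VisibilityConfig):
        if self._race:  # another writer got in first and rotated the token
            self._race, self._token = False, "rotated-by-other-writer"
        if LockToken != self._token:
            raise WAFOptimisticLockException("stale LockToken")
        self._acl.update(DefaultAction=DefaultAction, Description=Description,
                         Rules=copy.deepcopy(Rules), VisibilityConfig=VisibilityConfig)
        self._token = "next-" + self._token  # every successful update rotates the token
        return {"NextLockToken": self._token}


def make_client(race_once=False):
    """Fresh fake client holding a copy of the deck's hello-world web ACL."""
    return FakeWafv2Client(HELLO_WORLD_ACL, race_once)
```

Against the real service, replace make_client() with boto3.client("wafv2", region_name="us-east-1") for a CLOUDFRONT-scoped web ACL (or the protected resource's region for REGIONAL) and call add_rule_with_lock_token(client, "CLOUDFRONT", "hello-world", "<web ACL id>", MANAGED_RULES_COUNT_MODE); the rest of the flow is identical, and the priority collision check saves a round trip to the API, which would otherwise reject duplicate priorities.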
Example: Simple String Match Rule
{
  "Name": "Fruit",
  "Priority": 1,
  "Action": {
    "Block": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "Fruit"
  },
  "Statement": {
    "ByteMatchStatement": {
      "FieldToMatch": {
        "Body": {}
      },
      "PositionalConstraint": "CONTAINS",
      "SearchString": "watermelon",
      "TextTransformations": [
        {
          "Type": "NONE",
          "Priority": 0
        }
      ]
    }
  }
}

• Priority: sequence in which the rule executes within the web ACL (lower value = higher priority; values must be unique)
• Action: action taken by the rule if it matches (Block, Allow, or Count)
• VisibilityConfig: visibility configuration options at the individual rule level
• Statement: the rule signature, instructing where and what to inspect (format varies depending on statement type)
• FieldToMatch: a single field per rule statement. Available fields: SingleHeader, SingleQueryArgument, AllQueryArguments, UriPath, QueryString, Body, Method
• TextTransformations: list the desired transformations in order (by Priority); they are applied to the field before the match runs. Available transformations: NONE, COMPRESS_WHITE_SPACE, HTML_ENTITY_DECODE, LOWERCASE, CMD_LINE, URL_DECODE

Caveat: Body inspection covers only the first 8 KB (8,192 bytes) of the request body. Anything beyond that boundary is not seen by this rule, so pair Body rules with a SizeConstraintStatement on Body that blocks (or, while baselining, counts) requests larger than 8 KB unless your application genuinely needs them.
Available Rule Statements

Attack Prevention: SqliMatchStatement, XssMatchStatement, ManagedRuleGroupStatement
Traffic Filtering: RateBasedStatement, IPSetReferenceStatement, GeoMatchStatement
Pattern Matching: RegexPatternSetReferenceStatement, ByteMatchStatement, SizeConstraintStatement
Logical Operation: AndStatement, OrStatement, NotStatement

Please check out the AWS WAFv2 API Reference for full detail


Example: Nesting Rules Using Logical Operators
{
  "Name": "nesting-example",
  "Priority": 0,
  "Action": {
    "Block": {}
  },
  "VisibilityConfig": { ... },
  "Statement": {
    "AndStatement": {
      "Statements": [
        {
          "XssMatchStatement": { ... }
        },
        {
          "OrStatement": {
            "Statements": [
              {
                "NotStatement": {
                  "Statement": {
                    "ByteMatchStatement": { ... }
                  }
                }
              },
              {
                "GeoMatchStatement": { ... }
              }
            ]
          }
        }
      ]
    }
  }
}


Zooming into the Statement: it expresses {A AND [NOT(B) OR C]}, i.e. block a request when it is detected as an XSS attack (A) and, in addition, it either does not contain a certain string (NOT B) or comes from a certain country (C). There is no operator precedence to remember: grouping follows the JSON nesting exactly, with each AndStatement's or OrStatement's Statements array (and a NotStatement's single Statement) forming one parenthesised group.
Example: Nesting Rules Using Logical Operators (WCU)
"Statement": {
  "AndStatement": {
    "Statements": [
      {
        "XssMatchStatement": { ... }            // WCU = 40
      },
      {
        "OrStatement": {
          "Statements": [
            {
              "NotStatement": {
                "Statement": {
                  "ByteMatchStatement": { ... } // WCU = 10 ("contains")
                }
              }
            },
            {
              "GeoMatchStatement": { ... }      // WCU = 1
            }
          ]
        }
      }
    ]
  }
}

Logical operators (And, Or, Not) do not consume any WCU, so the rule costs 40 + 10 + 1 = 51 WCU of the web ACL's default 1,500.
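A WCU calculator for rule documents, added here as an example (not from the deck), that walks nested And/Or/Not statements with the per-statement costs from the WCU table earlier in the deck and the rule that logical operators cost nothing. It fills in the elided statement bodies of the nesting example with constructed values (the header name, search string and country code are made up) and refuses to guess costs the table does not list: a statement type outside the table raises, and a managed rule group's capacity has to be passed in from describe-managed-rule-group rather than hard-coded. The 700 used for AWSManagedRulesCommonRuleSet is that group's published capacity, supplied here as a lookup value.

```python
"""Compute the Web ACL Capacity Units (WCU) a rule consumes before submitting it.

Added example, not from the deck. Per-statement costs are those of the deck's WCU
table and logical operators cost nothing, as the slide states. Types the table does
not cover raise instead of being guessed, and a managed rule group's capacity must
be supplied (from describe-managed-rule-group) through `managed_capacity`.
"""

WCU_PER_STATEMENT = {
    "GeoMatchStatement": 1,
    "IPSetReferenceStatement": 1,
    "SizeConstraintStatement": 1,
    "RegexPatternSetReferenceStatement": 25,
    "SqliMatchStatement": 20,
    "XssMatchStatement": 40,
}
LOGICAL = {"AndStatement", "OrStatement", "NotStatement"}
MAX_WCU_PER_WEB_ACL = 1500  # default limit quoted in the deck


def statement_wcu(statement, managed_capacity=None):
    """Recursively sum the WCU of a Statement object.

    A Statement object has exactly one key, the statement type, so unpacking its
    single item yields (type, body).
    """
    (kind, body), = statement.items()
    if kind in LOGICAL:
        children = [body["Statement"]] if kind == "NotStatement" else body["Statements"]
        return sum(statement_wcu(c, managed_capacity) for c in children)
    if kind == "ByteMatchStatement":
        # Substring scans ("contains") cost 10; anchored comparisons cost 2.
        return 10 if body["PositionalConstraint"] in ("CONTAINS", "CONTAINS_WORD") else 2
    if kind == "ManagedRuleGroupStatement":
        key = (body["VendorName"], body["Name"])
        if not managed_capacity or key not in managed_capacity:
            raise ValueError(f"look up the capacity of {key} with describe-managed-rule-group")
        return managed_capacity[key]
    if kind in WCU_PER_STATEMENT:
        return WCU_PER_STATEMENT[kind]
    raise ValueError(f"no WCU figure for {kind} in this example; check the AWS WAF docs")


def web_acl_wcu(rules, managed_capacity=None, limit=MAX_WCU_PER_WEB_ACL):
    """Total WCU of a web ACL's rules; raises if the limit would be exceeded."""
    total = sum(statement_wcu(r["Statement"], managed_capacity) for r in rules)
    if total > limit:
        raise ValueError(f"rules need {total} WCU, above the {limit} WCU web ACL limit")
    return total


def _visibility(metric_name):
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}


# The deck's nesting example with its elided bodies filled in; the header name,
# search string and country code are constructed for this example.
NESTING_EXAMPLE = {
    "Name": "nesting-example", "Priority": 0, "Action": {"Block": {}},
    "VisibilityConfig": _visibility("nesting-example"),
    "Statement": {"AndStatement": {"Statements": [
        {"XssMatchStatement": {"FieldToMatch": {"Body": {}},
                               "TextTransformations": [{"Type": "NONE", "Priority": 0}]}},
        {"OrStatement": {"Statements": [
            {"NotStatement": {"Statement": {"ByteMatchStatement": {
                "FieldToMatch": {"SingleHeader": {"Name": "user-agent"}},
                "PositionalConstraint": "CONTAINS", "SearchString": "trusted-client",
                "TextTransformations": [{"Type": "LOWERCASE", "Priority": 0}]}}}},
            {"GeoMatchStatement": {"CountryCodes": ["US"]}},
        ]}},
    ]}},
}

# A managed rule group rule; its cost is whatever describe-managed-rule-group reports.
MANAGED_RULE = {
    "Name": "AWS-AWSManagedRulesCommonRuleSet", "Priority": 1,
    "OverrideAction": {"None": {}},
    "Statement": {"ManagedRuleGroupStatement": {
        "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}},
    "VisibilityConfig": _visibility("AWS-AWSManagedRulesCommonRuleSet"),
}
CAPACITIES = {("AWS", "AWSManagedRulesCommonRuleSet"): 700}  # from describe-managed-rule-group

if __name__ == "__main__":
    print("nesting-example:", statement_wcu(NESTING_EXAMPLE["Statement"]))        # 51
    print("web ACL total  :", web_acl_wcu([NESTING_EXAMPLE, MANAGED_RULE], CAPACITIES))  # 751
```

Run this over a web ACL's Rules array before calling create-web-acl or update-web-acl; the API rejects a web ACL over its capacity limit, and the calculator tells you which statement types are driving the number (a regex set at 25 or an XSS match at 40 each dwarf a dozen IP set matches).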
Some Caveats to Rule Writing

Leverage the console’s built-in JSON editor for schema validation
• Copy and paste the code into the editor to check it before calling the API

For string match, SearchString travels as Base64 in the API
• API: encode the string in Base64
• CloudFormation: use SearchString or SearchStringBase64
• CLI, SDK, Console: the string is Base64-encoded automatically (and get-web-acl hands it back Base64-encoded)

For regex match, the inspection is done in UTF-8
• Perl Compatible Regular Expressions (PCRE) with some restrictions

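The string match rule from earlier in the deck and the Base64 caveat above, as an added example in Python (not code from the deck): a small model of how a ByteMatchStatement evaluates a field, applying TextTransformations in Priority order and then the PositionalConstraint. The transformation functions are approximations written for this example (CMD_LINE is deliberately not modelled), the request bodies are constructed, and the two helpers at the end show the Base64 form of SearchString that the raw API sends and get-web-acl returns. What it demonstrates: the same two transformations in different order give different verdicts on %57atermelon, and a single URL_DECODE does not see through double encoding (%2557), which matters when the backend decodes once more.

```python
"""Simulate how a ByteMatchStatement inspects a field: apply its TextTransformations
in Priority order, then test the PositionalConstraint against SearchString.

Added example, not from the deck. The transformation functions approximate WAF's
built-ins (CMD_LINE is not modelled); the request bodies are constructed inputs.
"""
import base64
import html
import re
import urllib.parse

TRANSFORMS = {
    "NONE": lambda s: s,
    "LOWERCASE": str.lower,
    "URL_DECODE": urllib.parse.unquote_plus,            # %xx and '+', decoded once
    "HTML_ENTITY_DECODE": html.unescape,
    "COMPRESS_WHITE_SPACE": lambda s: re.sub(r"\s+", " ", s),
}


def transform_field(value, text_transformations):
    """Apply the transformations in ascending Priority, each exactly once."""
    for t in sorted(text_transformations, key=lambda t: t["Priority"]):
        if t["Type"] not in TRANSFORMS:
            raise NotImplementedError(f"{t['Type']} is not modelled in this example")
        value = TRANSFORMS[t["Type"]](value)
    return value


def byte_match(statement, field_value):
    """True if the ByteMatchStatement matches the (already extracted) field value."""
    needle = statement["SearchString"]
    hay = transform_field(field_value, statement["TextTransformations"])
    constraint = statement["PositionalConstraint"]
    if constraint == "EXACTLY":
        return hay == needle
    if constraint == "STARTS_WITH":
        return hay.startswith(needle)
    if constraint == "ENDS_WITH":
        return hay.endswith(needle)
    if constraint == "CONTAINS":
        return needle in hay
    if constraint == "CONTAINS_WORD":
        # The needle must be bounded by characters other than [A-Za-z0-9_].
        pattern = rf"(?<![A-Za-z0-9_]){re.escape(needle)}(?![A-Za-z0-9_])"
        return re.search(pattern, hay) is not None
    raise ValueError(f"unknown PositionalConstraint {constraint}")


def to_api_form(statement):
    """CLI and console accept SearchString as text; the raw API carries it Base64-encoded."""
    out = dict(statement)
    out["SearchString"] = base64.b64encode(statement["SearchString"].encode()).decode()
    return out


def from_api_form(statement):
    """Reverse of to_api_form: what get-web-acl returns, decoded for reading."""
    out = dict(statement)
    out["SearchString"] = base64.b64decode(statement["SearchString"]).decode()
    return out


# The deck's Fruit rule statement (CLI form), plus two variants that differ only
# in the order of the same two transformations.
FRUIT = {
    "FieldToMatch": {"Body": {}},
    "PositionalConstraint": "CONTAINS",
    "SearchString": "watermelon",
    "TextTransformations": [{"Type": "NONE", "Priority": 0}],
}
DECODE_THEN_LOWER = dict(FRUIT, TextTransformations=[
    {"Type": "URL_DECODE", "Priority": 0}, {"Type": "LOWERCASE", "Priority": 1}])
LOWER_THEN_DECODE = dict(FRUIT, TextTransformations=[
    {"Type": "LOWERCASE", "Priority": 0}, {"Type": "URL_DECODE", "Priority": 1}])

if __name__ == "__main__":
    body = "fruit=%57atermelon"  # constructed body: %57 is 'W'
    print("decode then lower:", byte_match(DECODE_THEN_LOWER, body))               # True
    print("lower then decode:", byte_match(LOWER_THEN_DECODE, body))               # False
    print("double-encoded   :", byte_match(DECODE_THEN_LOWER, "fruit=%2557atermelon"))  # False
    print("API SearchString :", to_api_form(FRUIT)["SearchString"])                # d2F0ZXJtZWxvbg==
```

The order lesson carries over to real rules: decode first (URL_DECODE, HTML_ENTITY_DECODE), then normalise (LOWERCASE, COMPRESS_WHITE_SPACE), then match, and test the chain with the encodings your backend actually accepts, because WAF applies each listed transformation once while the application may decode again.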


Demo
Writing your own rules using JSON editor



Tips on Troubleshooting Rules

Test rules by putting them into Count mode first
• Use tools such as Postman or curl to generate test requests

Use CloudWatch metrics and sampled requests for a quick sanity check
• Provide a summary of what WAF has seen over a specific period of time
• Limited header information

Use logging if you require full detail
• First create an Amazon Kinesis Data Firehose delivery stream whose name starts with “aws-waf-logs-”
• Can also use Amazon Elasticsearch Service and Kibana for dashboards

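The logging advice above, as an added example (not from the deck): a summariser for WAF log records as Firehose delivers them, one JSON object per line. The three records are constructed for this example and follow the field names of the AWS WAF log format (formatVersion 1); the web ACL ID, client IPs, URIs and request IDs are made up, and GenericRFI_BODY names one rule inside AWSManagedRulesCommonRuleSet. It shows where Count-mode matches land, which is what to read while a rule is still in Count mode: your own rules in nonTerminatingMatchingRules, and rules you excluded from a managed group (excluded rules run in Count mode) in ruleGroupList[].excludedRules with exclusionType EXCLUDED_AS_COUNT, never in terminatingRuleId.

```python
"""Summarise AWS WAF logs as delivered by Kinesis Data Firehose (one JSON record per line).

Added example, not from the deck. The records are constructed for this example and
follow the AWS WAF log field names (formatVersion 1); IDs, IPs and URIs are made up.
"""
import json
from collections import Counter

WEB_ACL_ARN = ("arn:aws:wafv2:us-east-1:123456789012:global/webacl/"
               "hello-world/f2fe2787-9fc6-4a26-b944")


def _record(client_ip, uri, action, terminating_rule, non_terminating=(), rule_groups=()):
    """Build one WAF log record with the fields a Firehose delivery carries."""
    return {
        "timestamp": 1585526400000, "formatVersion": 1, "webaclId": WEB_ACL_ARN,
        "terminatingRuleId": terminating_rule, "terminatingRuleType": "REGULAR",
        "action": action, "httpSourceName": "CF", "httpSourceId": "EDFDVBD6EXAMPLE",
        "ruleGroupList": list(rule_groups), "rateBasedRuleList": [],
        "nonTerminatingMatchingRules": list(non_terminating),
        "httpRequest": {"clientIp": client_ip, "country": "NL", "uri": uri, "args": "",
                        "httpVersion": "HTTP/1.1", "httpMethod": "POST",
                        "headers": [{"name": "Host", "value": "example.com"}],
                        "requestId": "req-" + uri.strip("/")},
    }


SAMPLE_LOG_LINES = [json.dumps(r) for r in (
    # 1. Blocked outright by the deck's Fruit rule.
    _record("203.0.113.7", "/order", "BLOCK", "Fruit"),
    # 2. Allowed by the default action, but a rule left in Count mode matched.
    _record("198.51.100.9", "/search", "ALLOW", "Default_Action",
            non_terminating=[{"ruleId": "nesting-example", "action": "COUNT"}]),
    # 3. Allowed; a rule excluded from a managed group (so run as Count) matched.
    _record("198.51.100.9", "/upload", "ALLOW", "Default_Action", rule_groups=[{
        "ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet", "terminatingRule": None,
        "nonTerminatingMatchingRules": [],
        "excludedRules": [{"exclusionType": "EXCLUDED_AS_COUNT",
                           "ruleId": "GenericRFI_BODY"}]}]),
)]


def validate_firehose_name(name):
    """WAF only lists delivery streams whose name starts with aws-waf-logs-."""
    return name.startswith("aws-waf-logs-")


def summarise(lines):
    """Count actions, terminating rules, Count-mode hits and blocked client IPs."""
    actions, terminating, count_hits, blocked = Counter(), Counter(), Counter(), Counter()
    for line in lines:
        rec = json.loads(line)
        actions[rec["action"]] += 1
        terminating[rec["terminatingRuleId"]] += 1
        if rec["action"] == "BLOCK":
            blocked[rec["httpRequest"]["clientIp"]] += 1
        # Count-mode rules never terminate evaluation; their matches live here.
        for m in rec["nonTerminatingMatchingRules"]:
            if m["action"] == "COUNT":
                count_hits[m["ruleId"]] += 1
        for group in rec["ruleGroupList"]:
            for ex in group.get("excludedRules") or []:
                if ex["exclusionType"] == "EXCLUDED_AS_COUNT":
                    count_hits[f'{group["ruleGroupId"]}/{ex["ruleId"]}'] += 1
    return {"actions": actions, "terminating_rules": terminating,
            "count_mode_hits": count_hits, "blocked_clients": blocked}


if __name__ == "__main__":
    for key, counter in summarise(SAMPLE_LOG_LINES).items():
        print(key, dict(counter))
```

Feed it the objects Firehose writes to S3 (each file is newline-delimited JSON) and watch count_mode_hits over a baseline period: a Count-mode rule that only ever hits legitimate traffic needs tuning before it is switched to Block, while one that hits the same handful of client IPs already seen in blocked_clients is a candidate for promotion.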


Migrating from Classic
to New AWS WAF



Some Caveats Before Migrating

Start out with AWS Managed Rules in Count mode
• Use logging and metrics to establish a baseline before switching to Block

Plan out your rules
• Content from the OWASP whitepaper (July 2017) is still valid but may overlap with AWS Managed Rules
• Create rule groups for reusability across multiple web ACLs



Some Caveats Before Migrating

If you are using AWS WAF Security Automations:
• Do not attempt to migrate manually, as the solution’s internal components reference the old rules and web ACL
• Version 3.0 will support the new “wafv2” API



Sneak Peek: Migration API

1. Fetch 2. Generate 3. Deploy



Q&A



Parting Words

AWS WAF provides a first line of defense for your web application
• Highly scalable rule engine, now with AWS Managed Rules
• Many customers are using AWS WAF to protect their production workloads today

Look out for the following helpful materials in the near future:
• Whitepaper: Guidance for Implementing AWS WAF
• Blog: Migrating your firewall rules from Classic to the new AWS WAF
• GitHub: https://github.com/aws-samples/wafv2-json-yaml-samples/
• Solution: AWS WAF Security Automations v3.0



Thank You!
We welcome your feedback. Please share your
thoughts on social media.

