Deploying Web Application Firewall to Restrict Access on AWS

Introduction

AWS Web Application Firewall (WAF) is a security service provided by Amazon Web Services (AWS) that offers protection for web applications and APIs. It defends against a variety of attacks that could potentially compromise the security and performance of these applications. By leveraging advanced techniques and extensive rule sets, WAF helps safeguard your web assets by filtering out malicious traffic and mitigating common web application vulnerabilities. With WAF, you can enhance the security posture of your AWS infrastructure and ensure a robust defense against emerging threats.

Lab Objective

The lab aims to walk you through the utilization of WAF along with its related configuration settings.

Overview of WAF

AWS WAF safeguards AWS-deployed applications against prevalent web attacks like SQL injection and cross-site scripting, guaranteeing their security and uninterrupted operation. Managed rules provided can effectively handle the OWASP Top-10 security risks and common vulnerabilities and exposures (CVEs). Filtering of web requests is possible based on various attributes, including IP address, country of origin, malicious scripts, and malicious SQL code. Custom rules can be created to permit, deny, or track requests based on specific properties.

Note: Before starting this lab, you should have created an AWS Free Tier account. See the previous lab on securing an AWS free-tier account.

Disclaimer

Please note that the AWS management console is subject to change over time. While the instructions provided are accurate at the time of writing, there may be updates or modifications to the console's interface or functionality. It is advisable to refer to the official AWS documentation for the most up-to-date and accurate information regarding the AWS management console.

Lab Task

  • To establish a Web API, navigate to the API Gateway service, which lets you create and manage APIs. Open the menu bar, choose Services, and locate API Gateway, or search for "API" in the search box at the top, as shown below.

  • To create a REST API, navigate to the REST API Private section on the API Gateway page and click on Build.

  • A dialogue pop-up box titled "Create your first API" appears. Click OK.

Note: If you have already created a REST API using the account, you may not see the popup.

  • In the Create new API section, select the New API radio button. Under the Settings section, provide an API name and description. In this lab, we have used DemoApi as the API name and "This is a REST API" as the Description. Retain the Endpoint Type as “Regional”. Then click on Create API to create the API.

  • On the next page, click on the Actions dropdown button and select Create Method to set up the REST API methods.

  • Click on the empty dropdown list box at the top and select the GET method from the available list to specify the HTTP method as GET.

  • Click on the Gray tick button to create the GET method.

  • The created method needs to be integrated with an endpoint at the backend. Setting the API integration option to Mock will generate API responses directly from the API Gateway without any backend integration. Select Integration type as Mock and click Save.

  • You will be redirected to the GET - Method Execution page, which displays the details of the request and response methods of the GET method execution.

Click Integration Response to set the response from the server to the client.

  • Expand the arrow button to add an integration response for the API method.

  • Next, expand the Mapping Templates and click on Add mapping template to create an application/json entry under Content-Type. Type application/json in the textbox and click on the gray tick button to create the Content-Type. A Generate Template editor window will appear.

Type the text given below in the editor and click Save (the key and value must each be a quoted JSON string):

{ "message": "Welcome to Goodycloud Demo api....!" }

  • Click Method Execution at the top to go back.

  • Next, click on the Actions dropdown and then on Deploy API to deploy the created Web API.

  • To associate the Web API with an API stage, select the Deployment stage as [New Stage] and give it a name. In this lab, we have used "demo-test" as the Stage name; the Deployment description is optional. Click Deploy.

  • Now you can see the Invoke URL of your API. Copy the URL, then open Notepad or Sticky Note and paste it there.

  • Open a new tab on your browser, paste the copied Invoke URL, and press Enter. You will see the JSON message as a response.

Restricting IP addresses from accessing the created Web API

Now you will implement WAF to prevent some IP addresses from accessing the newly created Web API.

  • To access AWS WAF, click on Services, go to All Services, search for AWS WAF, and select AWS Firewall Manager in the AWS console.

  • The AWS WAF page appears. Click IP sets from the left navigation pane to create an IP set that defines a collection or range of IP addresses for creating WAF rules.

  • Next, click on the Create IP Set button.

Note: With your free tier account, you will be charged as per the AWS pricing model if you create a Web ACL and rules for the Web ACL. Make sure that you delete the Web ACL and the rules after performing the lab to avoid further charges.

Note: Make sure you have selected the same region where you created the API.

  • Specify the IP set name for the new IP set. Retain other default settings. In this lab, we have used blacklisted-ips as the IP set name.

Note: Ensure the created Web API and the IP set are in the same region.

  • Once done, scroll down and click on Create IP Set.

  • A “You successfully created the IP set blacklisted-ips” message will be displayed, indicating the IP set has been created. You will see the created IP set details in the list of IP sets.

  • For this lab, we have used the IP address of the machine where the lab is being executed.

Getting Your Machine (PC) IP Address

In this lab, you include the IPv4 address of your machine. To get the IP address of your machine, do the following:

For Windows, open CMD (the command prompt) and type the command "ipconfig". Scroll down to the Wireless LAN adapter (Wi-Fi) section and copy the IPv4 Address.

For this lab, the IP of the machine is 192.168.43.9.

Alternatively, you can use your machine's Public IP address as one of the blacklisted IPs to restrict your machine from accessing the Web API. Navigate to https://whatismyipaddress.com/ on your browser.

Or, search Google for "My IP Address".

Note: Your public IP address tends to change with time; that is why this lab uses the NAT IP address of the Wi-Fi adapter as reported by CMD or the terminal.

For Linux or Mac, open your terminal, type ifconfig, and locate the inet address (IPv4) in the result.

  • Click on blacklisted-ips, the IP set you created. Then click Add IP address.

  • In the Add IP addresses to blacklisted-ips popup window that appears, paste the copied public IPv4 address of your machine and add /32 after it. Then, click Add.

  • The IP address is added successfully, as shown in the following screenshot.

NB: Both the NAT and the public IP address were added, but the NAT IPv4 address will work on its own.

Creating a Web ACL to block requests to the created Web API

  • On the WAF and Shield console, click Web ACLs in the left navigation pane. Then click the Create Web ACL button.

  • Give a name to the ACL. In this lab, we have used DemoWeb-ACL as the ACL name. Now, select Regional resources as the Resource type to associate the ACL with the API Gateway. Next, click on Add AWS resources to associate the ACL with the DemoApi-demo-test API.

  • An Add AWS Resources pop-up appears, and you can see the created API. Now, select the radio button "Amazon API Gateway REST API" then select DemoApi-demo-test and click Add.

  • Select the checkbox for DemoApi-demo-test under Associated AWS resources-optional and click Next to continue.

Add rule groups to block web requests

  • To add the rule groups that the Web ACL will use to block web requests, click on the Add Rules dropdown in the Add rules and rule groups window and select Add my own rules and rule groups.

  • Next, select Rule type as IP set and give a name to the rule. In this lab, we have used Rule_ID-1 as the Name.

  • Select blacklisted-ips, the IP set you created, from the IP set dropdown and choose Block as the Action option. Then click on Add rule.

  • You will notice that Rule_ID-1 has been added to the list. To enable Rule_ID-1 for the ACL, select the checkbox next to it. Then scroll down and click Next.

  • Next, select Rule_ID-1 in the Set rule priority window and click Next.

  • The Configure Metrics window lets you configure the tagging and logging settings for the Web ACL. Retain the default settings and click Next to continue.

  • Finally, scroll down and click the Create Web ACL button in the preview window.

  • The web ACL will be created after a minute or so. Once it is created, you will see a You successfully created the web ACL: DemoWeb-ACL message, as seen in the screenshot.

  • Open a new browser tab and paste the Invoke URL you copied into Notepad or Sticky Note. Then, press Enter. Now, you will see a Forbidden message because access is blocked for your machine.

NB: You might not get the Forbidden message at once. Navigate to IP sets and add your public IP or NAT IP address; try them separately, putting the NAT IP address first and refreshing the page, then repeat the same process for your public IP.

This way, a cloud security engineer can use AWS WAF to protect web applications.
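As an added example that is not part of the original lab, the block below shows the wafv2 API shape behind the console steps in the IP set and Web ACL sections above, together with a local simulation of how the finished Web ACL treats a request. The ARNs, the to_cidr, private_address_warnings and evaluate helpers, and the sample addresses are constructed for this example; the CreateIPSet, CreateWebACL and AssociateWebACL parameter names are the real wafv2 ones. One caveat worth keeping in mind: AWS WAF compares the source address of the request as it reaches API Gateway, so for a machine behind a home router that is the router's public address rather than the 192.168.x.x address ipconfig reports, which is why the example flags RFC 1918 entries.

```python
import ipaddress

# Placeholder ARNs (assumptions): the real values are returned by the create
# calls and shown in the console once the IP set and the API stage exist.
IP_SET_ARN = "arn:aws:wafv2:REGION:ACCOUNT_ID:regional/ipset/blacklisted-ips/IPSET_ID"
API_STAGE_ARN = "arn:aws:apigateway:REGION::/restapis/API_ID/stages/demo-test"

# RFC 1918 ranges: the addresses a home router hands out and rewrites on the way out.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def to_cidr(address):
    """Normalise an address to the CIDR form AWS WAF requires ('1.2.3.4' -> '1.2.3.4/32').
    Raises ValueError for malformed input or host bits set in a prefix (e.g. 1.2.3.4/24)."""
    return str(ipaddress.ip_network(address, strict=True))


def ip_set_payload(name, addresses):
    """Keyword arguments for wafv2 CreateIPSet (boto3: client('wafv2').create_ip_set(**payload))."""
    return {
        "Name": name,
        "Scope": "REGIONAL",          # API Gateway is a regional resource
        "IPAddressVersion": "IPV4",
        "Addresses": [to_cidr(a) for a in addresses],
    }


def private_address_warnings(payload):
    """Flag RFC 1918 entries: WAF matches the source address that reaches API Gateway,
    so a LAN address such as 192.168.43.9 is never what the endpoint sees."""
    warnings = []
    for cidr in payload["Addresses"]:
        net = ipaddress.ip_network(cidr)
        if any(net.subnet_of(p) for p in RFC1918):
            warnings.append(f"{cidr} is a private address; requests arrive from the public NAT address")
    return warnings


def web_acl_payload(name, ip_set_arn, rule_name="Rule_ID-1"):
    """Keyword arguments for wafv2 CreateWebACL: default Allow plus one IP-set rule that Blocks."""
    return {
        "Name": name,
        "Scope": "REGIONAL",
        "DefaultAction": {"Allow": {}},
        "Rules": [{
            "Name": rule_name,
            "Priority": 0,
            "Statement": {"IPSetReferenceStatement": {"ARN": ip_set_arn}},
            "Action": {"Block": {}},
            "VisibilityConfig": {"SampledRequestsEnabled": True,
                                 "CloudWatchMetricsEnabled": True, "MetricName": rule_name},
        }],
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True, "MetricName": name},
    }


def associate_payload(web_acl_arn, resource_arn=API_STAGE_ARN):
    """Keyword arguments for wafv2 AssociateWebACL (the 'Add AWS resources' step)."""
    return {"WebACLArn": web_acl_arn, "ResourceArn": resource_arn}


def evaluate(web_acl, ip_sets, source_ip):
    """Local simulation of the ACL (not the WAF engine): rules are checked in priority
    order, the first IP-set match decides, otherwise the default action applies.
    Returns (action, http_status) as the client would observe it."""
    src = ipaddress.ip_address(source_ip)
    for rule in sorted(web_acl["Rules"], key=lambda r: r["Priority"]):
        arn = rule["Statement"]["IPSetReferenceStatement"]["ARN"]
        if any(src in ipaddress.ip_network(c) for c in ip_sets[arn]["Addresses"]):
            action = next(iter(rule["Action"]))
            return action, (403 if action == "Block" else 200)
    return next(iter(web_acl["DefaultAction"])), 200


if __name__ == "__main__":
    # Constructed sample: the lab's NAT address plus a documentation-range public address.
    ip_set = ip_set_payload("blacklisted-ips", ["192.168.43.9", "203.0.113.9/32"])
    acl = web_acl_payload("DemoWeb-ACL", IP_SET_ARN)
    for w in private_address_warnings(ip_set):
        print("warning:", w)
    for ip in ("192.168.43.9", "203.0.113.9", "198.51.100.7"):
        print(ip, evaluate(acl, {IP_SET_ARN: ip_set}, ip))
```

Run it with python3 to see the three sample addresses evaluated; to create the resources for real, pass each payload to the matching boto3 wafv2 call. The deletion order in the last section (API, then Web ACL, then IP set) follows the dependency that the rule's IPSetReferenceStatement creates: WAF refuses to delete an IP set while a Web ACL still references it.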

Deleting Created Resources

Please make sure to delete, shut down, or terminate all resources created and utilized in this lab to avoid incurring any charges.

  • Now, delete the resources created in this lab. Navigate to the API Gateway console and select the checkbox for the API created in this lab. Select the Actions dropdown and click on Delete. In the pop-up window, enter Delete and click on the Delete button.

  • Navigate to Web ACLs under AWS Firewall Manager and select the checkbox for the Web ACL created in this lab (here, DemoWeb-ACL). Click on the Delete button. In the pop-up window, enter delete and click on the Delete button.

  • Navigate to the IP sets under the AWS Firewall Manager console and select the checkbox for the instance created in this lab (here, blacklisted-ips). Click on the Delete button. In the pop-up window, enter Delete and click on the Delete button.
