Web App Firewalls
A web application firewall (WAF) protects your internet-facing applications from common web exploits that could affect their availability, compromise their security, or consume excessive resources. It works by filtering and monitoring HTTP traffic based on a set of rules.
You can use a WAF to:
- Block malicious traffic using managed rule groups that are curated by security experts.
- Create your own custom rules to address specific threats.
- Implement rate-based rules to prevent your resources from being overloaded by excessive requests.
You can use a WAF with the following Stacktape resources:
Basic usage
resources:myFirewall:type: web-app-firewallproperties:scope: regionalwebService:type: web-serviceproperties:packaging:type: stacktape-image-buildpackproperties:entryfilePath: index.tsresources:cpu: 0.25memory: 512loadBalancing:type: application-load-balanceruseFirewall: myFirewall
An example of a firewall configuration used with a web service.
Scope
The scope determines whether the WAF is used with regional resources or with a CDN.
- Use
cdn
if you wish to use firewall with CDN - CDN can be enabled on resources such as HTTP API Gateway, Bucket, Application load balancer or Web Service. - Use
regional
if you wish to use firewall directly with one of the following resources: Application load balancer, User Pool or Web Service
The scope cannot be changed after the firewall is created. If you need to change it, you must delete the old firewall and create a new one.
Rules
All requests to resources protected by the WAF are evaluated against a set of rules.
Rule can be a reference to managed-rule-group or user defined custom-rule-group or rate-based-rule.
- managed-rule-group
- references rule group pre-created by AWS or other vendors for specific use cases.
- referenced by
name
andvendorName
, - For more information refer to AWS Docs
- custom-rule-group
- references custom rule group created by you.
- referenced by rule group's
arn
- rate-based-rule
- tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span
- you can use this to put a temporary block on requests from an IP address that is sending excessive requests.
- For more information refer to AWS Docs
Default rules
If you don't specify any rules, Stacktape applies a default set of managed rules from AWS that protect against common attacks, including those listed in the OWASP Top 10. These rules protect against vulnerabilities like SQL injection and cross-site scripting (XSS).
Specifically, it uses the following rule groups:
- Common rule set (AWSManagedRulesCommonRuleSet): Protects against a wide range of common vulnerabilities.
- Known bad inputs (AWSManagedRulesKnownBadInputsRuleSet): Blocks request patterns that are known to be malicious.
You can find more information about these rule groups in the AWS documentation.
Managed rule groups
Managed rule groups are sets of rules maintained by AWS or third-party vendors. They are regularly updated to protect against the latest threats.
While rule groups managed by AWS are typically free, some third-party vendors may charge for their rule groups.
resources:regionalFirewall:type: web-app-firewallproperties:scope: regionalrules:- type: managed-rule-groupproperties:name: AWSManagedRulesCommonRuleSetvendorName: AWSpriority: 0
An example of a reference to a managed rule group.
Custom rule groups
You can create your own custom rule groups to use across multiple applications. To use an existing custom rule group, you just need to provide its ARN.
resources:regionalFirewall:type: web-app-firewallproperties:scope: regionalrules:- type: custom-rule-groupproperties:name: CustomRuleGrouparn: <<ARN of existing rule group>>priority: 0
An example of a reference to a custom rule group.
Rate-based rules
Rate-based rules track the number of requests from each originating IP address and trigger an action if the rate exceeds a specified limit within a five-minute period. This is useful for temporarily blocking IP addresses that are sending excessive requests.
You can aggregate requests based on the client's IP address or a forwarded IP address from a proxy or load balancer.
IP
- Aggregate the request counts based on the IP addresses of the requests.FORWARDED_IP
- Aggregate the request counts based on the IP addresses in the specified header- If you choose this option, you can also specify the
headerName
andfallbackBehavior
in theforwardedIPConfig
property. - If you don't specify these properties the default values are
X-Forwarded-For
andNO_MATCH
respectively. For more information about rate-based rules refer to AWS Docs
- If you choose this option, you can also specify the
resources:regionalFirewall:type: web-app-firewallproperties:scope: regionalrules:- type: rate-based-ruleproperties:name: RateRulelimit: 100aggregateBasedOn: IPpriority: 0
An example of a rate-based rule.
Monitoring
You can monitor your firewall and its rules using Amazon CloudWatch and the AWS WAF console. By default, metrics and sampled requests are enabled for the firewall as a whole but disabled for individual rules. You can change this behavior using the metricsEnabled
and sampledRequestsEnabled
properties.
Stacktape will automatically create links to the AWS WAF console and the CloudWatch metrics dashboard in the Stacktape Console.
For more details, see the AWS documentation on metrics and sampled requests.
Pricing
You are charged for:
- Firewall (WebACL): $5.00 per month.
- Rules: $1.00 per rule per month.
- Requests: $0.60 per million requests.
Additional costs may apply for paid managed rule groups from third-party vendors.
For example, a firewall with the default rules will cost $7.00 per month ($5.00 for the firewall and $2.00 for the two default rule groups), plus $0.60 for every million requests.
To learn more, see the AWS WAF pricing page.
Referenceable parameters
The following parameters can be easily referenced using $ResourceParam directive directive.
To learn more about referencing parameters, refer to referencing parameters.
Arn of the
web-app-firewall
.- Usage:
$ResourceParam('<<resource-name>>', 'arn')
Scope of the
web-app-firewall
(regional
orcdn
).- Usage:
$ResourceParam('<<resource-name>>', 'scope')