Stacktape
Stacktape

Web App Firewalls



A web application firewall (WAF) protects your internet-facing applications from common web exploits that could affect their availability, compromise their security, or consume excessive resources. It works by filtering and monitoring HTTP traffic based on a set of rules.

You can use a WAF to:

  • Block malicious traffic using managed rule groups that are curated by security experts.
  • Create your own custom rules to address specific threats.
  • Implement rate-based rules to prevent your resources from being overloaded by excessive requests.

You can use a WAF with the following Stacktape resources:

Basic usage

resources:
  myFirewall:
    type: web-app-firewall
    properties:
      scope: regional
  webService:
    type: web-service
    properties:
      packaging:
        type: stacktape-image-buildpack
        properties:
          entryfilePath: index.ts
      resources:
        cpu: 0.25
        memory: 512
      loadBalancing:
        type: application-load-balancer
      useFirewall: myFirewall

An example of a firewall configuration used with a web service.

Scope

The scope determines whether the WAF is used with regional resources or with a CDN.

  • Use cdn if you wish to use firewall with CDN - CDN can be enabled on resources such as HTTP API Gateway, Bucket, Application load balancer or Web Service.
  • Use regional if you wish to use firewall directly with one of the following resources: Application load balancer, User Pool or Web Service

The scope cannot be changed after the firewall is created. If you need to change it, you must delete the old firewall and create a new one.

Rules

All requests to resources protected by the WAF are evaluated against a set of rules.

Rule can be a reference to managed-rule-group or user defined custom-rule-group or rate-based-rule.

  • managed-rule-group
    • references rule group pre-created by AWS or other vendors for specific use cases.
    • referenced by name and vendorName,
    • For more information refer to AWS Docs
  • custom-rule-group
    • references custom rule group created by you.
    • referenced by rule group's arn
  • rate-based-rule
    • tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span
    • you can use this to put a temporary block on requests from an IP address that is sending excessive requests.
    • For more information refer to AWS Docs

Default rules

If you don't specify any rules, Stacktape applies a default set of managed rules from AWS that protect against common attacks, including those listed in the OWASP Top 10. These rules protect against vulnerabilities like SQL injection and cross-site scripting (XSS).

Specifically, it uses the following rule groups:

  • Common rule set (AWSManagedRulesCommonRuleSet): Protects against a wide range of common vulnerabilities.
  • Known bad inputs (AWSManagedRulesKnownBadInputsRuleSet): Blocks request patterns that are known to be malicious.

You can find more information about these rule groups in the AWS documentation.

Managed rule groups

Managed rule groups are sets of rules maintained by AWS or third-party vendors. They are regularly updated to protect against the latest threats.

While rule groups managed by AWS are typically free, some third-party vendors may charge for their rule groups.

resources:
  regionalFirewall:
    type: web-app-firewall
    properties:
      scope: regional
      rules:
        - type: managed-rule-group
          properties:
            name: AWSManagedRulesCommonRuleSet
            vendorName: AWS
            priority: 0

An example of a reference to a managed rule group.

ManagedRuleGroup  API reference
Parent:ManagedRuleGroup
vendorName
Required
priority
Required
name
Required
excludedRules
overrideAction
disableMetrics
sampledRequestsEnabled

Custom rule groups

You can create your own custom rule groups to use across multiple applications. To use an existing custom rule group, you just need to provide its ARN.

resources:
  regionalFirewall:
    type: web-app-firewall
    properties:
      scope: regional
      rules:
        - type: custom-rule-group
          properties:
            name: CustomRuleGroup
            arn: <<ARN of existing rule group>>
            priority: 0

An example of a reference to a custom rule group.

CustomRuleGroup  API reference
Parent:CustomRuleGroup
arn
Required
priority
Required
name
Required
overrideAction
disableMetrics
sampledRequestsEnabled

Rate-based rules

Rate-based rules track the number of requests from each originating IP address and trigger an action if the rate exceeds a specified limit within a five-minute period. This is useful for temporarily blocking IP addresses that are sending excessive requests.

You can aggregate requests based on the client's IP address or a forwarded IP address from a proxy or load balancer.

  • IP - Aggregate the request counts based on the IP addresses of the requests.
  • FORWARDED_IP - Aggregate the request counts based on the IP addresses in the specified header
    • If you choose this option, you can also specify the headerName and fallbackBehavior in the forwardedIPConfig property.
    • If you don't specify these properties the default values are X-Forwarded-For and NO_MATCH respectively. For more information about rate-based rules refer to AWS Docs
resources:
  regionalFirewall:
    type: web-app-firewall
    properties:
      scope: regional
      rules:
        - type: rate-based-rule
          properties:
            name: RateRule
            limit: 100
            aggregateBasedOn: IP
            priority: 0

An example of a rate-based rule.

RateBasedStatement  API reference
Parent:RateBasedStatement
limit
Required
priority
Required
name
Required
aggregateBasedOn
forwardedIPConfig
action
Default: 'Block'
disableMetrics
sampledRequestsEnabled

Monitoring

You can monitor your firewall and its rules using Amazon CloudWatch and the AWS WAF console. By default, metrics and sampled requests are enabled for the firewall as a whole but disabled for individual rules. You can change this behavior using the metricsEnabled and sampledRequestsEnabled properties.

Stacktape will automatically create links to the AWS WAF console and the CloudWatch metrics dashboard in the Stacktape Console.

For more details, see the AWS documentation on metrics and sampled requests.

Pricing

You are charged for:

  • Firewall (WebACL): $5.00 per month.
  • Rules: $1.00 per rule per month.
  • Requests: $0.60 per million requests.

Additional costs may apply for paid managed rule groups from third-party vendors.

For example, a firewall with the default rules will cost $7.00 per month ($5.00 for the firewall and $2.00 for the two default rule groups), plus $0.60 for every million requests.

To learn more, see the AWS WAF pricing page.

Referenceable parameters

The following parameters can be easily referenced using $ResourceParam directive directive.

To learn more about referencing parameters, refer to referencing parameters.

arn

  • Arn of the web-app-firewall.

  • Usage: $ResourceParam('<<resource-name>>', 'arn')
scope

  • Scope of the web-app-firewall (regional or cdn).

  • Usage: $ResourceParam('<<resource-name>>', 'scope')

API reference

WebAppFirewall  API reference
scope
Required
defaultAction
Default: 'Allow'
rules
customResponseBodies
captchaImmunityTime
Default: 300
challengeImmunityTime
Default: 300
tokenDomains
disableMetrics
sampledRequestsEnabled
ForwardedIPConfig  API reference
Parent:RateBasedStatement
fallbackBehavior
Required
headerName
Required

Contents