Web App Firewalls
A web application firewall (WAF) protects your internet-facing applications from common web exploits that could affect their availability, compromise their security, or consume excessive resources. It works by filtering and monitoring HTTP traffic based on a set of rules.
You can use a WAF to:
- Block malicious traffic using managed rule groups that are curated by security experts.
- Create your own custom rules to address specific threats.
- Implement rate-based rules to prevent your resources from being overloaded by excessive requests.
You can use a WAF with the following Stacktape resources:
Usage
With a web service (ALB)
resources:myFirewall:type: web-app-firewallproperties:scope: regionalwebService:type: web-serviceproperties:loadBalancing:type: application-load-balanceruseFirewall: myFirewallpackaging:type: stacktape-image-buildpackproperties:entryfilePath: ./src/index.tsresources:cpu: 0.25memory: 512
An example of a firewall configuration used with a web service.
With a web service (API GW + CDN)
resources:myFirewall:type: web-app-firewallproperties:scope: regionalwebService:type: web-serviceproperties:cdn:enabled: trueuseFirewall: myFirewallpackaging:type: stacktape-image-buildpackproperties:entryfilePath: ./src/index.tsresources:cpu: 0.25memory: 512
An example of a firewall configuration used with a web service.
With an application load balancer
resources:myFirewall:type: web-app-firewallproperties:scope: regionalapplicationLoadBalancer:type: application-load-balancerproperties:useFirewall: myFirewall
An example of a firewall configuration used with an application load balancer.
With a user pool
resources:myFirewall:type: web-app-firewallproperties:scope: regionaluserPool:type: user-auth-poolproperties:userVerificationType: email-codepasswordPolicy:minimumLength: 8useFirewall: myFirewall
An example of a firewall configuration used with a user pool.
With a Lambda (Lambda URL +CDN)
resources:myFirewall:type: web-app-firewallproperties:scope: regionallambda:type: functionproperties:packaging:type: stacktape-lambda-buildpackproperties:entryfilePath: ./src/index.tsurl:enabled: truecdn:enabled: trueuseFirewall: myFirewall
An example of a firewall configuration used with a Lambda URL.
Scope
The scope determines whether the WAF is used with regional resources or with a CDN.
- Use
cdnif you are using the firewall with a CDN-enabled resource (e.g., HTTP API Gateway, Bucket, Application Load Balancer, or Web Service). - Use
regionalif you are using the firewall directly with a regional resource (e.g., Application Load Balancer, User Pool, or Web Service).
The scope cannot be changed after the firewall is created. If you need to change it, you must delete the old firewall and create a new one.
Rules
All requests to resources protected by the WAF are evaluated against a set of rules.
A rule can be a reference to a managed-rule-group, a user-defined custom-rule-group, or a rate-based-rule.
managed-rule-group: A pre-configured rule group created by AWS or other vendors for specific use cases. For more details, see the AWS documentation.custom-rule-group: A custom rule group that you have created.rate-based-rule: Tracks the rate of requests for each originating IP address and triggers an action when the rate exceeds a specified limit within a five-minute period.
If you do not specify any rules, Stacktape will use the AWSManagedRulesCommonRuleSet and AWSManagedRulesKnownBadInputsRuleSet managed rule groups to protect your application.
Default rules
If you don't specify any rules, Stacktape applies a default set of managed rules from AWS that protect against common attacks, including those listed in the OWASP Top 10. These rules protect against vulnerabilities like SQL injection and cross-site scripting (XSS).
Specifically, it uses the following rule groups:
- Common rule set (AWSManagedRulesCommonRuleSet): Protects against a wide range of common vulnerabilities.
- Known bad inputs (AWSManagedRulesKnownBadInputsRuleSet): Blocks request patterns that are known to be malicious.
You can find more information about these rule groups in the AWS documentation.
Managed rule groups
Managed rule groups are sets of rules maintained by AWS or third-party vendors. They are regularly updated to protect against the latest threats.
While rule groups managed by AWS are typically free, some third-party vendors may charge for their rule groups.
resources:regionalFirewall:type: web-app-firewallproperties:scope: regionalrules:- type: managed-rule-groupproperties:name: AWSManagedRulesCommonRuleSetvendorName: AWSpriority: 0
An example of a reference to a managed rule group.
Custom rule groups
You can create your own custom rule groups to use across multiple applications. To use an existing custom rule group, you just need to provide its ARN.
resources:regionalFirewall:type: web-app-firewallproperties:scope: regionalrules:- type: custom-rule-groupproperties:name: CustomRuleGrouparn: <<ARN of existing rule group>>priority: 0
An example of a reference to a custom rule group.
Rate-based rules
Rate-based rules track the number of requests from each originating IP address and trigger an action if the rate exceeds a specified limit within a five-minute period. This is useful for temporarily blocking IP addresses that are sending excessive requests.
You can aggregate requests based on the client's IP address or a forwarded IP address from a proxy or load balancer.
IP: Aggregates request counts based on the IP addresses of the requests.FORWARDED_IP: Aggregates request counts based on the IP addresses in a specified header.
If you choose FORWARDED_IP, you can also specify the headerName and fallbackBehavior in the forwardedIPConfig property.
By default, these are X-Forwarded-For and NO_MATCH, respectively.
For more details on rate-based rules, see the AWS documentation.
resources:regionalFirewall:type: web-app-firewallproperties:scope: regionalrules:- type: rate-based-ruleproperties:name: RateRulelimit: 100aggregateBasedOn: IPpriority: 0
An example of a rate-based rule.
Monitoring
You can monitor your firewall and its rules using Amazon CloudWatch and the AWS WAF console. By default, metrics and sampled requests are enabled for the firewall as a whole but disabled for individual rules. You can change this behavior using the metricsEnabled and sampledRequestsEnabled properties.
Stacktape will automatically create links to the AWS WAF console and the CloudWatch metrics dashboard in the Stacktape Console.
For more details, see the AWS documentation on metrics and sampled requests.
Pricing
You are charged for:
- Firewall (WebACL): $5.00 per month.
- Rules: $1.00 per rule per month.
- Requests: $0.60 per million requests.
Additional costs may apply for paid managed rule groups from third-party vendors.
For example, a firewall with the default rules will cost $7.00 per month ($5.00 for the firewall and $2.00 for the two default rule groups), plus $0.60 for every million requests.
To learn more, see the AWS WAF pricing page.
Referenceable parameters
The following parameters can be easily referenced using $ResourceParam directive directive.
To learn more about referencing parameters, refer to referencing parameters.
Arn of the
web-app-firewall.- Usage:
$ResourceParam('<<resource-name>>', 'arn')
Scope of the
web-app-firewall(regionalorcdn).- Usage:
$ResourceParam('<<resource-name>>', 'scope')