
Cloudfront with Automated WAF

Description

The solution uses the AWS CDK to automatically deploy a set of AWS WAF rules designed to filter common web-based attacks. Users can select from preconfigured protective features that define the rules included in an AWS WAF web access control list (web ACL). After the solution deploys, AWS WAF begins inspecting web requests to the user's existing Amazon CloudFront distributions or Application Load Balancers and blocks them when applicable.

This solution also provisions an S3 bucket as the origin for demo purposes.

Architecture

AWS WAF Rules

AWS Managed Rules (A): This set of AWS managed core rules provides protection against exploitation of a wide range of common application vulnerabilities or other unwanted traffic.

Manual IP lists (B and C): This component creates two specific AWS WAF rules that allow you to manually insert IP addresses that you want to block or allow.

SQL Injection (D) and XSS (E): The solution configures two native AWS WAF rules that are designed to protect against common SQL injection or cross-site scripting (XSS) patterns in the URI, query string, or body of a request.

HTTP flood (F): This component protects against attacks that consist of a large number of requests from a particular IP address, such as a web-layer DDoS attack or a brute-force login attempt.

Scanners and Probes (G): This component parses application access logs looking for suspicious behavior, such as an abnormal number of errors generated by an origin. It then blocks those suspicious source IP addresses for a customer-defined period of time.

IP Reputation Lists (H): This component is the IP Lists Parser AWS Lambda function, which checks third-party IP reputation lists hourly for new ranges to block.

Bad Bots (I): This component automatically sets up a honeypot, which is a security mechanism intended to lure and deflect an attempted attack.
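The "Scanners and Probes" component (G) is the one piece above that works from log data rather than from a WAF rule, so here is an added example of that logic as a standalone log parser. It is not the project's own code: it reads CloudFront standard access logs, counts 4xx/5xx responses per client IP per minute, and returns block entries for IPs that exceed errorThreshold, each expiring after WAFBlockPeriod minutes. The function and type names (parseAccessLog, findOffenders, BlockEntry) and the sample log lines are assumptions constructed for this example.

```typescript
// Added example, not the project's own code: the "Scanners and Probes"
// logic (component G) as a standalone log parser. Function and type names
// are assumptions for this example.

interface BlockEntry {
  ip: string;
  errors: number;     // worst one-minute error count seen for this IP
  minute: string;     // "YYYY-MM-DD HH:MM" of that minute
  expiresAt: Date;    // when the block should be lifted
}

// Parse CloudFront standard logs. Real files start with "#Version" and a
// "#Fields:" header naming the tab-separated columns, so column positions are
// taken from the header rather than hard-coded.
function parseAccessLog(text: string): Record<string, string>[] {
  let fields: string[] = [];
  const rows: Record<string, string>[] = [];
  for (const raw of text.split("\n")) {
    const line = raw.replace(/\r$/, "");
    if (line.trim() === "") continue;
    if (line.startsWith("#Fields:")) {
      fields = line.slice("#Fields:".length).trim().split(/\s+/);
      continue;
    }
    if (line.startsWith("#")) continue;          // #Version and other directives
    const cols = line.split("\t");
    if (fields.length === 0 || cols.length < fields.length) continue; // malformed row
    const row: Record<string, string> = {};
    fields.forEach((name, i) => { row[name] = cols[i]; });
    rows.push(row);
  }
  return rows;
}

// Count 4xx/5xx responses per (client IP, minute); everything else is ignored.
function errorCounts(rows: Record<string, string>[]): Map<string, number> {
  const counts = new Map<string, number>();
  for (const r of rows) {
    const status = Number(r["sc-status"]);
    if (!(status >= 400 && status <= 599)) continue;
    const key = `${r["c-ip"]}|${r["date"]} ${r["time"].slice(0, 5)}`;
    counts.set(key, (counts.get(key) ?? 0) + 1);
  }
  return counts;
}

// errorThreshold is the maximum *acceptable* count, so an IP is flagged only
// when it goes above it. Each offender gets one entry carrying its worst minute.
function findOffenders(logText: string, errorThreshold: number,
                       blockPeriodMinutes: number, now: Date): BlockEntry[] {
  const offenders = new Map<string, BlockEntry>();
  errorCounts(parseAccessLog(logText)).forEach((errors, key) => {
    if (errors <= errorThreshold) return;
    const [ip, minute] = key.split("|");
    const seen = offenders.get(ip);
    if (!seen || errors > seen.errors) {
      offenders.set(ip, { ip, errors, minute,
        expiresAt: new Date(now.getTime() + blockPeriodMinutes * 60_000) });
    }
  });
  return Array.from(offenders.values());
}

// Constructed sample log (not real traffic) in CloudFront standard-log column
// order; documentation-range IPs are used.
function logLine(time: string, ip: string, path: string, status: number): string {
  return ["2024-05-01", time, "IAD89-C1", "512", ip, "GET", "d111111abcdef8.cloudfront.net",
          path, String(status), "-", "curl/8.0", "-"].join("\t");
}

const SAMPLE_LOG = [
  "#Version: 1.0",
  "#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status cs(Referer) cs(User-Agent) cs-uri-query",
  logLine("10:04:01", "198.51.100.2", "/index.html", 200),
  logLine("10:04:05", "198.51.100.2", "/favicon.ico", 404),
  logLine("10:04:10", "203.0.113.7", "/missing-1", 404),
  logLine("10:04:11", "203.0.113.7", "/missing-2", 404),
  logLine("10:04:11", "203.0.113.7", "/missing-3", 404),
  logLine("10:04:12", "203.0.113.7", "/restricted/", 403),
  logLine("10:05:30", "203.0.113.7", "/", 200),
].join("\n");

// The sample is small, so a threshold of 3 is used here; with the README's
// default of 50 this sample produces no block entries.
const demoBlocks = findOffenders(SAMPLE_LOG, 3, 240, new Date("2024-05-01T10:05:00Z"));
console.log(JSON.stringify(demoBlocks));
```

Applying the list produced by findOffenders means writing those IPs into the block-list IP set; the expiresAt field is what a scheduled job would use to remove them again after WAFBlockPeriod.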

Quick Start

# Requires the AWS CDK to be installed

$ cd templates/aws-cloudfromt-waf
$ cdk deploy --parameters wafLogBucketName=<Your unique S3 bucket name for WAF log> --parameters appAccessLogBucket=<Your unique S3 bucket name for CloudFront access log>

S3 bucket names are globally unique. Use aws s3api head-bucket --bucket <Your unique S3 bucket name> to check whether the name you chose is still available before deploying.

Parameters

This solution uses the following default values; you can modify them as necessary.

| Parameter | Default | Description |
| --- | --- | --- |
| appAccessLogBucket | access-log-bucket-cloudfront | The name of the Amazon S3 bucket where you want to store CloudFront access logs for your CloudFront distribution. More about bucket name restrictions here: http://amzn.to/1p1YlU5. |
| wafLogBucketName | waf-log-bucket-cloudfront | The name of the Amazon S3 bucket where you want to store AWS WAF logs for your CloudFront distribution. More about bucket name restrictions here: http://amzn.to/1p1YlU5. |
| errorThreshold | 50 | The maximum acceptable number of bad requests per minute per IP address. |
| requestThreshold | 100 | The maximum acceptable number of requests per five-minute period per IP address. |
| WAFBlockPeriod | 240 | The period (in minutes) for which applicable IP addresses are blocked. |
| WAFScope | CLOUDFRONT | Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, or an AWS AppSync GraphQL API. Valid values are CLOUDFRONT and REGIONAL. For CLOUDFRONT, you must create your WAFv2 resources in the US East (N. Virginia) Region, us-east-1. |
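To show how the parameters above and the rule components A to F fit together, here is an added example that is not the project's CDK code. It emits AWS::WAFv2::WebACL rule definitions in CloudFormation property shape (the manual allow and block lists as IP set references, the AWS managed core rule set, the SQLi and XSS match statements over URI, query string and body, and the HTTP flood rule as a rate-based statement driven by requestThreshold), and it checks the us-east-1 requirement for WAFScope CLOUDFRONT before anything is deployed. The names WafParams, validateParams, buildWebAclRules and findRule, the rule priorities, and the IP set ARNs are assumptions for this example.

```typescript
// Added example, not the project's CDK code: AWS::WAFv2::WebACL rule
// definitions for components A to F, driven by requestThreshold and WAFScope.
// Type and function names and the rule ordering are assumptions.

type WafScope = "CLOUDFRONT" | "REGIONAL";

interface WafParams {
  requestThreshold: number;   // max acceptable requests per 5-minute window per IP (F)
  WAFScope: WafScope;
  blockListIpSetArn: string;  // IP set backing the manual block list (B)
  allowListIpSetArn: string;  // IP set backing the manual allow list (C)
}

interface WafRule {
  Name: string;
  Priority: number;
  Action?: Record<string, unknown>;          // for plain rules
  OverrideAction?: Record<string, unknown>;  // for managed rule groups
  Statement: Record<string, unknown>;
  VisibilityConfig: { SampledRequestsEnabled: boolean; CloudWatchMetricsEnabled: boolean; MetricName: string };
}

// CLOUDFRONT-scoped WAFv2 resources must be created in us-east-1; fail before
// deploying rather than part-way through a stack.
function validateParams(params: WafParams, region: string): void {
  if (params.WAFScope === "CLOUDFRONT" && region !== "us-east-1") {
    throw new Error(`WAFScope CLOUDFRONT requires us-east-1, got ${region}`);
  }
  if (!Number.isInteger(params.requestThreshold) || params.requestThreshold <= 0) {
    throw new Error("requestThreshold must be a positive integer");
  }
}

function vis(name: string) {
  return { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: name };
}

// D and E inspect the URI path, query string and body after decoding, so
// URL- or HTML-encoded input is matched in its decoded form.
const INSPECTED_FIELDS = [{ UriPath: {} }, { QueryString: {} }, { Body: {} }];
const TRANSFORMS = [
  { Priority: 0, Type: "URL_DECODE" },
  { Priority: 1, Type: "HTML_ENTITY_DECODE" },
];

function matchAnyField(kind: "SqliMatchStatement" | "XssMatchStatement"): Record<string, unknown> {
  return {
    OrStatement: {
      Statements: INSPECTED_FIELDS.map((FieldToMatch) => ({
        [kind]: { FieldToMatch, TextTransformations: TRANSFORMS },
      })),
    },
  };
}

function buildWebAclRules(params: WafParams): WafRule[] {
  const block = { Block: {} };
  // Evaluation order is a design choice of this example: the allow list goes
  // first so a listed IP is never caught by a later block rule.
  return [
    { Name: "ManualAllowList", Priority: 0, Action: { Allow: {} },
      Statement: { IPSetReferenceStatement: { Arn: params.allowListIpSetArn } },
      VisibilityConfig: vis("ManualAllowList") },
    { Name: "ManualBlockList", Priority: 1, Action: block,
      Statement: { IPSetReferenceStatement: { Arn: params.blockListIpSetArn } },
      VisibilityConfig: vis("ManualBlockList") },
    { Name: "AWSManagedRulesCommonRuleSet", Priority: 2, OverrideAction: { None: {} },
      Statement: { ManagedRuleGroupStatement: { VendorName: "AWS", Name: "AWSManagedRulesCommonRuleSet" } },
      VisibilityConfig: vis("AWSManagedRulesCommonRuleSet") },
    { Name: "SqlInjection", Priority: 3, Action: block,
      Statement: matchAnyField("SqliMatchStatement"), VisibilityConfig: vis("SqlInjection") },
    { Name: "Xss", Priority: 4, Action: block,
      Statement: matchAnyField("XssMatchStatement"), VisibilityConfig: vis("Xss") },
    // F: AWS WAF evaluates the rate per source IP over a 5-minute window.
    { Name: "HttpFlood", Priority: 5, Action: block,
      Statement: { RateBasedStatement: { Limit: params.requestThreshold, AggregateKeyType: "IP" } },
      VisibilityConfig: vis("HttpFlood") },
  ];
}

function findRule(rules: WafRule[], name: string): WafRule | undefined {
  return rules.find((r) => r.Name === name);
}

// Placeholder ARNs (not real resources) so the block runs stand-alone.
const EXAMPLE_PARAMS: WafParams = {
  requestThreshold: 100,
  WAFScope: "CLOUDFRONT",
  blockListIpSetArn: "arn:aws:wafv2:us-east-1:123456789012:global/ipset/block/EXAMPLE",
  allowListIpSetArn: "arn:aws:wafv2:us-east-1:123456789012:global/ipset/allow/EXAMPLE",
};
validateParams(EXAMPLE_PARAMS, "us-east-1");
console.log(JSON.stringify(buildWebAclRules(EXAMPLE_PARAMS), null, 2));
```

The output is the Rules array of a web ACL; components G, H and I are not rules but the Lambda-driven processes that populate the block-list IP set referenced by ManualBlockList.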