WAF (Web Application Firewall) with preconfigured CloudFormation template and Web ACL for CloudFront distribution
WAF is a web application firewall that lets us monitor the HTTP and HTTPS requests that are forwarded to CloudFront, Application Load Balancer or API Gateway.
WAF also lets us control access to our content. Based on conditions that we specify, such as the IP addresses that requests originate from or the values of query strings, CloudFront, Application Load Balancer or API Gateway responds to requests either with the requested content or with an HTTP 403 status code (Forbidden).
For more details, see What Is AWS WAF and AWS Shield?
Pics credit : SlideShare
We can start from preconfigured WAF:
Configuring a web application firewall strategy can be challenging and burdensome to large and small organizations alike, especially for those who do not have dedicated security teams. To simplify this process, AWS offers a solution that uses AWS CloudFormation to automatically deploy a set of AWS WAF rules designed to filter common web-based attacks. Users can select from preconfigured protective features that define the rules included in an AWS WAF web access control list (web ACL), as depicted in the image to the right. Once the solution is deployed, AWS WAF will begin inspecting web requests to the user's existing Amazon CloudFront distributions, and block them when applicable.
We can use the following link for CloudFormation template (https://s3.amazonaws.com/solutions-reference/aws-waf-security-automations/latest/aws-waf-security-automations.template) which we can get it from Automated Deployment.
We can just paste it on the "Select Template" page and choose "Next":
On the "Specify Details" page, assign a name to AWS WAF configuration in the Stack name field. This will also be the name of the web ACL that the template creates. Then, type in "CloudFront Access Log Bucket Name" which is one of the two required field to fill.
On the "Review page", review and confirm the settings. Be sure to check the box acknowledging that the template will create AWS Identity and Access Management (IAM) resources. Then, choose "Create" to deploy the stack.
Here we have our stack:
To see details for the stack resources, choose the "Outputs" tab:
To proceed, we're supposed to use Amazon CloudFront to deliver content for our web application. So, if we don't already have a CloudFront distribution, we will need to configure one to distribute both static and dynamic content of our web application. Refer to the Amazon CloudFront Developer Guide to complete the following steps.
- Let's start from the CloudFront console at https://console.aws.amazon.com/cloudfront/.
- Choose "Create Distribution".
- On the first page of the "Create Distribution Wizard", in the "Web" section, choose "Get Started".
- Specify settings for the distribution. (see Values that You Specify When You Create or Update a Web Distribution).
- Save changes.
- After CloudFront creates our distribution, the value of the "Status" column for our distribution will change from "InProgress" to "Deployed".
If we chose to enable the distribution, it will then be ready to process requests. - The domain name that CloudFront assigns to our distribution appears in the list of distributions. (It also appears on the "General" tab for a selected distribution.)
- When our distribution is deployed, confirm that we can access our content using our new CloudFront URL or CNAME.
- Open the Amazon CloudFront console and choose the distribution that we want to update.
- Choose "Distribution Settings", and on the "General" tab, choose "Edit".
- For AWS WAF Web ACL, choose the web ACL the solution created (the same name we assigned to the stack during initial configuration).
- For "Logging", choose "On".
- For "Bucket for Logs", click in the field and choose the Amazon S3 bucket we want use to store CloudFront web access logs. The drop-down list enumerates the buckets associated with the current AWS account.
We also want to have the site protected by WAF. We should let our CloudFront distribution know the WAF, so select the WAF we've just created for "AWS WAF Web ACL":
- Choose "Yes, edit" to save the changes.
AWS (Amazon Web Services)
- AWS : EKS (Elastic Container Service for Kubernetes)
- AWS : Creating a snapshot (cloning an image)
- AWS : Attaching Amazon EBS volume to an instance
- AWS : Adding swap space to an attached volume via mkswap and swapon
- AWS : Creating an EC2 instance and attaching Amazon EBS volume to the instance using Python boto module with User data
- AWS : Creating an instance to a new region by copying an AMI
- AWS : S3 (Simple Storage Service) 1
- AWS : S3 (Simple Storage Service) 2 - Creating and Deleting a Bucket
- AWS : S3 (Simple Storage Service) 3 - Bucket Versioning
- AWS : S3 (Simple Storage Service) 4 - Uploading a large file
- AWS : S3 (Simple Storage Service) 5 - Uploading folders/files recursively
- AWS : S3 (Simple Storage Service) 6 - Bucket Policy for File/Folder View/Download
- AWS : S3 (Simple Storage Service) 7 - How to Copy or Move Objects from one region to another
- AWS : S3 (Simple Storage Service) 8 - Archiving S3 Data to Glacier
- AWS : Creating a CloudFront distribution with an Amazon S3 origin
- AWS : Creating VPC with CloudFormation
- AWS : WAF (Web Application Firewall) with preconfigured CloudFormation template and Web ACL for CloudFront distribution
- AWS : CloudWatch & Logs with Lambda Function / S3
- AWS : Lambda Serverless Computing with EC2, CloudWatch Alarm, SNS
- AWS : Lambda and SNS - cross account
- AWS : CLI (Command Line Interface)
- AWS : CLI (ECS with ALB & autoscaling)
- AWS : ECS with cloudformation and json task definition
- AWS Application Load Balancer (ALB) and ECS with Flask app
- AWS : Load Balancing with HAProxy (High Availability Proxy)
- AWS : VirtualBox on EC2
- AWS : NTP setup on EC2
- AWS: jq with AWS
- AWS & OpenSSL : Creating / Installing a Server SSL Certificate
- AWS : OpenVPN Access Server 2 Install
- AWS : VPC (Virtual Private Cloud) 1 - netmask, subnets, default gateway, and CIDR
- AWS : VPC (Virtual Private Cloud) 2 - VPC Wizard
- AWS : VPC (Virtual Private Cloud) 3 - VPC Wizard with NAT
- DevOps / Sys Admin Q & A (VI) - AWS VPC setup (public/private subnets with NAT)
- AWS - OpenVPN Protocols : PPTP, L2TP/IPsec, and OpenVPN
- AWS : Autoscaling group (ASG)
- AWS : Setting up Autoscaling Alarms and Notifications via CLI and Cloudformation
- AWS : Adding a SSH User Account on Linux Instance
- AWS : Windows Servers - Remote Desktop Connections using RDP
- AWS : Scheduled stopping and starting an instance - python & cron
- AWS : Detecting stopped instance and sending an alert email using Mandrill smtp
- AWS : Elastic Beanstalk with NodeJS
- AWS : Elastic Beanstalk Inplace/Rolling Blue/Green Deploy
- AWS : Identity and Access Management (IAM) Roles for Amazon EC2
- AWS : Identity and Access Management (IAM) Policies, sts AssumeRole, and delegate access across AWS accounts
- AWS : Identity and Access Management (IAM) sts assume role via aws cli2
- AWS : Creating IAM Roles and associating them with EC2 Instances in CloudFormation
- AWS Identity and Access Management (IAM) Roles, SSO(Single Sign On), SAML(Security Assertion Markup Language), IdP(identity provider), STS(Security Token Service), and ADFS(Active Directory Federation Services)
- AWS : Amazon Route 53
- AWS : Amazon Route 53 - DNS (Domain Name Server) setup
- AWS : Amazon Route 53 - subdomain setup and virtual host on Nginx
- AWS Amazon Route 53 : Private Hosted Zone
- AWS : SNS (Simple Notification Service) example with ELB and CloudWatch
- AWS : Lambda with AWS CloudTrail
- AWS : SQS (Simple Queue Service) with NodeJS and AWS SDK
- AWS : Redshift data warehouse
- AWS : CloudFormation
- AWS : CloudFormation Bootstrap UserData/Metadata
- AWS : CloudFormation - Creating an ASG with rolling update
- AWS : Cloudformation Cross-stack reference
- AWS : OpsWorks
- AWS : Network Load Balancer (NLB) with Autoscaling group (ASG)
- AWS CodeDeploy : Deploy an Application from GitHub
- AWS EC2 Container Service (ECS)
- AWS EC2 Container Service (ECS) II
- AWS Hello World Lambda Function
- AWS Lambda Function Q & A
- AWS Node.js Lambda Function & API Gateway
- AWS API Gateway endpoint invoking Lambda function
- AWS API Gateway invoking Lambda function with Terraform
- AWS API Gateway invoking Lambda function with Terraform - Lambda Container
- Amazon Kinesis Streams
- AWS: Kinesis Data Firehose with Lambda and ElasticSearch
- Amazon DynamoDB
- Amazon DynamoDB with Lambda and CloudWatch
- Loading DynamoDB stream to AWS Elasticsearch service with Lambda
- Amazon ML (Machine Learning)
- Simple Systems Manager (SSM)
- AWS : RDS Connecting to a DB Instance Running the SQL Server Database Engine
- AWS : RDS Importing and Exporting SQL Server Data
- AWS : RDS PostgreSQL & pgAdmin III
- AWS : RDS PostgreSQL 2 - Creating/Deleting a Table
- AWS : MySQL Replication : Master-slave
- AWS : MySQL backup & restore
- AWS RDS : Cross-Region Read Replicas for MySQL and Snapshots for PostgreSQL
- AWS : Restoring Postgres on EC2 instance from S3 backup
- AWS : Q & A
- AWS : Security
- AWS : Security groups vs. network ACLs
- AWS : Scaling-Up
- AWS : Networking
- AWS : Single Sign-on (SSO) with Okta
- AWS : JIT (Just-in-Time) with Okta
Ph.D. / Golden Gate Ave, San Francisco / Seoul National Univ / Carnegie Mellon / UC Berkeley / DevOps / Deep Learning / Visualization
My YouTube channel