
AWS - WAF

WAF:

WAF is a global service like CloudFront, Route 53, SES, IAM. 

It’s a Web Application Firewall to protect Web apps/APIs. 

You can allow/block requests based on request properties. 

WAF can be administered using AWS Firewall Manager (across multiple accounts and resources). 

AWS Shield Advanced can be integrated with AWS WAF. 

WAF comes free with Shield Advanced. 

With WAF + CloudFront, the rules will run in Edge locations (security + performance). 

With WAF + regional resources like ALB/APIGW/AppSync/Cognito User Pools, the rules will run in the region (internet-facing/internal resources are protected). 


WAF can block XSS and SQL Injection attacks but can't by itself withstand DDoS attacks (for DDoS, combine WAF's Web ACL rate-based rules with AWS Shield Advanced). 

WAF can mitigate application layer DDoS attacks. 

WAF’s Web ACL has two types of rules – regular and rate-based. 

You can't rate-limit with a regular rule (but you can add conditions). 

WAF’s Web ACL rate-based rules can be used to block request flooding from an originating IP (limit the rate of traffic to your application). 

Those who send HTTP flood attacks will receive 403 Forbidden until their request rate drops below the threshold. 

With WAF’s Web ACL, you can create a geo-match condition to block/allow requests originating from specific countries. 

If you want to allow/block requests ONLY based on geography, use CloudFront’s geo-restriction. 

If you want to allow/block requests based on geography + other WAF criteria, use WAF geo-match condition.
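As an added example that is not part of the original post, the Python below builds WAFv2 rule definitions for the two rule types described above (a rate-based rule keyed on source IP, and a geo-match statement combined with another WAF criterion via AndStatement), and models the rate-based decision offline on constructed traffic: a source IP gets 403 while its request count in the window exceeds the limit and is allowed again once it drops. Rule names, the limit, the path prefix and the country code placeholder are assumptions.

```python
"""Added example (not from the original post): WAFv2 rule definitions for the two
rule types above, plus an offline model of the rate-based decision on constructed traffic."""
from collections import deque

VISIBILITY = {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True}

def rate_based_rule(limit: int, priority: int = 0) -> dict:
    """Rate-based rule: block a source IP while it exceeds `limit` requests in WAF's
    evaluation window (5 minutes by default); WAF returns 403 to it until it drops back."""
    return {"Name": "block-http-flood", "Priority": priority,          # assumed name
            "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
            "Action": {"Block": {}},
            "VisibilityConfig": {**VISIBILITY, "MetricName": "BlockHttpFlood"}}

def geo_plus_path_rule(country_codes: list, path_prefix: str, priority: int = 1) -> dict:
    """Geo-match combined with another WAF criterion (URI path prefix) via AndStatement.
    Geography alone would be CloudFront geo-restriction instead, as the post notes."""
    return {"Name": "block-geo-on-path", "Priority": priority,         # assumed name
            "Statement": {"AndStatement": {"Statements": [
                {"GeoMatchStatement": {"CountryCodes": country_codes}},
                {"ByteMatchStatement": {"FieldToMatch": {"UriPath": {}},
                                        "PositionalConstraint": "STARTS_WITH",
                                        "SearchString": path_prefix,
                                        "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}]}}]}},
            "Action": {"Block": {}},
            "VisibilityConfig": {**VISIBILITY, "MetricName": "BlockGeoOnPath"}}

def simulate_rate_rule(requests, limit: int, window: int = 300) -> list:
    """Offline model of the rate-based decision: per source IP, count requests in the
    trailing `window` seconds and answer 403 while that count exceeds `limit`."""
    recent, statuses = {}, []
    for ts, ip in requests:                      # requests sorted by timestamp
        q = recent.setdefault(ip, deque())
        q.append(ts)
        while q[0] <= ts - window:               # drop requests that left the window
            q.popleft()
        statuses.append(403 if len(q) > limit else 200)
    return statuses

def constructed_traffic(limit: int) -> list:
    """Constructed sample (timestamp_seconds, source_ip): a flooder sends limit+1 requests
    at one per second, a normal client sends three, the flooder returns after the window."""
    flood = [(t, "198.51.100.7") for t in range(limit + 1)]
    normal = [(t, "203.0.113.5") for t in (10, 20, 30)]
    later = [(limit + 400, "198.51.100.7")]       # well past the 300 s window
    return sorted(flood + normal + later)

if __name__ == "__main__":
    statuses = simulate_rate_rule(constructed_traffic(100), limit=100)
    print(statuses.count(403), "blocked; flooder after cooldown ->", statuses[-1])
```

The two rule dicts are the shape `aws wafv2 create-web-acl --rules file://rules.json` expects; the simulation is only a local model of the behaviour the post describes, not the service's own algorithm.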

