Step 1. Launch the stack - Security Automations for AWS WAF

Step 1. Launch the stack

This automated AWS CloudFormation template deploys the solution on the AWS Cloud.

  1. Sign in to the AWS Management Console and select Launch Solution to launch the waf-automation-on-aws.template CloudFormation template.

  2. The template launches in the US East (N. Virginia) Region by default. To launch this solution in a different AWS Region, use the Region selector in the console navigation bar. If you choose CloudFront as your endpoint, you must deploy the solution in the US East (N. Virginia) (us-east-1) Region.

    Note

    Depending on the input parameters values you define, this solution requires different resources. These resources are currently available in specific AWS Regions only. Therefore, you must launch this solution in an AWS Region where these services are available. For more information, refer to Supported AWS Regions.

  3. On the Specify template page, verify that you selected the correct template and choose Next.

  4. On the Specify stack details page, assign a name to your AWS WAF configuration in the Stack name field. This is also the name of the web ACL that the template creates.

  5. Under Parameters, review the parameters for the template and modify them as necessary. To opt out of a particular feature, choose none or no as applicable. This solution uses the following default values.

    Parameter Default Description
    Stack name <requires input> The stack name can’t contain spaces. This name must be unique within your AWS account and is the name of the web ACL that the template creates.
    Resource Type
    Endpoint CloudFront

    Choose the type of resource being used.

    Note

    If you choose CloudFront as your endpoint, you must launch the solution to create WAF resources in the US East (N. Virginia) Region (us-east-1).

    AWS Managed IP Reputation Rule Groups
    Activate Amazon IP reputation List Managed Rule Group Protection no

    Choose yes to turn on the component designed to add Amazon IP reputation List Managed Rule Group to the web ACL.

    This rule group is based on Amazon internal threat intelligence. This is useful if you want to block IP addresses typically associated with bots or other threats. Blocking these IP addresses can help mitigate bots and reduce the risk of a malicious actor discovering a vulnerable application.

    The required WCU is 25. Your account should have sufficient WCU capacity to avoid web ACL stack deployment failure due to exceeding the capacity limit.

    For more information, see AWS Managed Rules rule groups list.

    Activate Anonymous IP List Managed Rule Group Protection no

    Choose yes to turn on the component designed to add Anonymous IP List Managed Rule Group to the web ACL.

    This rule group blocks requests from services that permit the obfuscation of viewer identity. These include requests from VPNs, proxies, Tor nodes, and hosting providers. This rule group is useful if you want to filter out viewers that might be trying to hide their identity from your application. Blocking the IP addresses of these services can help mitigate bots and evasion of geographic restrictions.

    The required WCU is 50. Your account should have sufficient WCU capacity to avoid web ACL stack deployment failure due to exceeding the capacity limit.

    For more information, see AWS Managed Rules rule groups list.

    AWS Managed Baseline Rule Groups
    Activate Core Rule Set Managed Rule Group Protection no

    Choose yes to turn on the component designed to add Core Rule Set Managed Rule Group to the web ACL.

    This rule group provides protection against exploitation of a wide range of vulnerabilities, including some of the high risk and commonly occurring vulnerabilities. Consider using this rule group for any AWS WAF use case.

    The required WCU is 700. Your account should have sufficient WCU capacity to avoid web ACL stack deployment failure due to exceeding the capacity limit.

    For more information, see AWS Managed Rules rule groups list.

    Activate Admin Protection Managed Rule Group Protection no

    Choose yes to turn on the component designed to add Admin Protection Managed Rule Group to the web ACL.

    This rule group blocks external access to exposed administrative pages. This might be useful if you run third-party software or want to reduce the risk of a malicious actor gaining administrative access to your application.

    The required WCU is 100. Your account should have sufficient WCU capacity to avoid web ACL stack deployment failure due to exceeding the capacity limit.

    For more information, see AWS Managed Rules rule groups list.

    Activate Known Bad Inputs Managed Rule Group Protection no

    Choose yes to turn on the component designed to add Known Bad Inputs Managed Rule Group to the web ACL.

    This rule group blocks external access to exposed administrative pages. This might be useful if you run third-party software or want to reduce the risk of a malicious actor gaining administrative access to your application.

    The required WCU is 100. Your account should have sufficient WCU capacity to avoid web ACL stack deployment failure due to exceeding the capacity limit.

    For more information, see AWS Managed Rules rule groups list.

    AWS Managed Use-case Specific Rule Group
    Activate SQL Database Managed Rule Group Protection no

    Choose yes to turn on the component designed to add SQL Database Managed Rule Group to the web ACL.

    This rule group blocks request patterns associated with exploitation of SQL databases, like SQL injection attacks. This can help prevent remote injection of unauthorized queries. Evaluate this rule group for use if your application interfaces with an SQL database. Using the SQL injection custom rule is optional if you already have AWS managed SQL rule group activated.

    The required WCU is 200. Your account should have sufficient WCU capacity to avoid web ACL stack deployment failure due to exceeding the capacity limit.

    For more information, see AWS Managed Rules rule groups list.

    Activate Linux Operating System Managed Rule Group Protection no

    Choose yes to turn on the component designed to add Linux Operating System Managed Rule Group to the web ACL.

    This rule group blocks request patterns associated with the exploitation of vulnerabilities specific to Linux, including Linux-specific Local File Inclusion (LFI) attacks. This can help prevent attacks that expose file contents or run code for which the attacker should not have had access. Evaluate this rule group if any part of your application runs on Linux. You should use this rule group in conjunction with the POSIX operating system rule group.

    The required WCU is 200. Your account should have sufficient WCU capacity to avoid web ACL stack deployment failure due to exceeding the capacity limit.

    For more information, see AWS Managed Rules rule groups list.

    Activate POSIX Operating System Managed Rule Group Protection no

    Choose yes to turn on the component designed to add Core Rule Set Managed Rule Group Protection to the web ACL.

    This rule group blocks request patterns associated with the exploitation of vulnerabilities specific to POSIX and POSIX-like operating systems, including LFI attacks. This can help prevent attacks that expose file contents or run code for which the attacker should not have had access. Evaluate this rule group if any part of your application runs on a POSIX or POSIX-like operating system.

    The required WCU is 100. Your account should have sufficient WCU capacity to avoid web ACL stack deployment failure due to exceeding the capacity limit.

    For more information, see AWS Managed Rules rule groups list.

    Activate Windows Operating System Managed Rule Group Protection no

    Choose yes to turn on the component designed to add Windows Operating System Managed Rule Group to the web ACL.

    This rule group blocks request patterns associated with the exploitation of vulnerabilities specific to Windows, like remote execution of PowerShell commands. This can help prevent exploitation of vulnerabilities that permit an attacker to run unauthorized commands or run malicious code. Evaluate this rule group if any part of your application runs on a Windows operating system.

    The required WCU is 200. Your account should have sufficient WCU capacity to avoid web ACL stack deployment failure due to exceeding the capacity limit.

    For more information, see AWS Managed Rules rule groups list.

    Activate PHP Application Managed Rule Group Protection no

    Choose yes to turn on the component designed to add PHP Application Managed Rule Group to the web ACL.

    This rule group blocks request patterns associated with the exploitation of vulnerabilities specific to the use of the PHP programming language, including injection of unsafe PHP functions. This can help prevent exploitation of vulnerabilities that permit an attacker to remotely run code or commands for which they are not authorized. Evaluate this rule group if PHP is installed on any server with which your application interfaces.

    The required WCU is 100. Your account should have sufficient WCU capacity to avoid web ACL stack deployment failure due to exceeding the capacity limit.

    For more information, see AWS Managed Rules rule groups list.

    Activate WordPress Application Managed Rule Group Protection no

    Choose yes to turn on the component designed to add WordPress Application Managed Rule Group to the web ACL.

    This rule group blocks request patterns associated with the exploitation of vulnerabilities specific to WordPress sites. Evaluate this rule group if you are running WordPress. This rule group should be used in conjunction with the SQL database and PHP application rule groups.

    The required WCU is 100. Your account should have sufficient WCU capacity to avoid web ACL stack deployment failure due to exceeding the capacity limit.

    For more information, see AWS Managed Rules rule groups list.

    Custom Rule – Scanner & Probes
    Activate Scanner & Probe Protection yes - AWS Lambda log parser Choose the component used to block scanners and probes. Refer to Log parser options for more information about the tradeoffs related to the mitigation options.
    Application Access Log Bucket Name <requires input>

    If you chose yes for the Activate Scanner & Probe Protection parameter, enter the name of the Amazon S3 bucket (new or existing) where you want to store access logs for your CloudFront distribution(s) or ALB(s). If you’re using an existing Amazon S3 bucket, it must be located in the same AWS Region where you are deploying the CloudFormation template. You should use a different bucket for each solution deployment.

    To deactivate this protection, ignore this parameter.

    Note

    Turn on web access logging for your CloudFront web distribution(s) or ALB(s) to send log files to this Amazon S3 bucket. Save logs in the same prefix defined in the stack (default prefix AWSLogs/). See the Application Access Log Bucket Prefix parameter for more information.

    Application Access Log Bucket Prefix AWSLogs/

    If you chose yes for the Activate Scanner & Probe Protection parameter, you can enter an optional user defined prefix for the application access logs bucket above.

    If you chose CloudFront for the Endpoint parameter, you can enter any prefix such as yourprefix/.

    If you chose ALB for the Endpoint parameter, you must append AWSLogs/ to your prefix such as yourprefix/AWSLogs/.

    Use AWSLogs/ (default) if there isn't a user-defined prefix.

    To deactivate this protection, ignore this parameter.

    Is bucket access logging turned on? no

    Choose yes if you entered an existing Amazon S3 bucket name for the Application Access Log Bucket Name parameter and the server access logging for the bucket is already turned on.

    If you choose no, the solution turns on server access logging for your bucket.

    If you chose no for the Activate Scanner & Probe Protection parameter, ignore this parameter.

    Error Threshold 50

    If you chose yes for the Activate Scanner & Probe Protection parameter, enter the maximum acceptable bad requests per minute, per IP address.

    If you chose no for the Activate Scanner & Probe Protection parameter, ignore this parameter.

    Keep Data in Original S3 Location no

    If you chose yes - Amazon Athena log parser for the Activate Scanner & Probe Protection parameter, the solution applies partitioning to application access log files and Athena queries. By default, the solution moves log files from their original location to a partitioned folder structure in Amazon S3.

    Choose yes if you also want to keep a copy of the logs in their original location. This will duplicate your log storage.

    If you didn’t choose yes - Amazon Athena log parser for the Activate Scanner & Probe Protection parameter, ignore this parameter.

    Custom Rule – HTTP Flood
    Activate HTTP Flood Protection yes - AWS WAF rate-based rule Select the component used to block HTTP flood attacks. Refer to Log parser options for more information about the tradeoffs related to the mitigation options.
    Default Request Threshold 100

    If you chose yes for the Activate HTTP Flood Protection parameter, enter the maximum acceptable requests per five minutes, per IP address.

    If you chose yes - AWS WAF rate-based rule for the Activate HTTP Flood Protection parameter, the minimum acceptable value is 100.

    If you chose yes - AWS Lambda log parser or yes – Amazon Athena log parser for the Activate HTTP Flood Protection parameter, it can be any value.

    To deactivate this protection, ignore this parameter.

    Request Threshold by Country <optional input>

    If you chose yes – Amazon Athena log parser for the Activate HTTP Flood Protection parameter, you can enter a threshold by country following this JSON format {"TR":50,"ER":150}. The solution uses these thresholds for the requests originated from the specified countries. The solution uses the Default Request Threshold parameter for the remaining requests.

    Note

    If you define this parameter, the country will automatically be included in Athena query group, along with IP and other optional group-by fields that you can select with the Group By Requests in HTTP Flood Athena Query parameter.

    If you chose to deactivate this protection, ignore this parameter.

    Group By Requests in HTTP Flood Athena Query None

    If you chose yes – Amazon Athena log parser for the Activate HTTP Flood Protection parameter, you can choose a group-by field to count requests per IP and the selected group-by field. For example, if you choose URI, the solution counts the requests per IP and URI.

    If you chose to deactivate this protection, ignore this parameter.

    WAF Block Period 240

    If you chose yes - AWS Lambda log parser or yes – Amazon Athena log parser for the Activate Scanner & Probe Protection or Activate HTTP Flood Protection parameters, enter the period (in minutes) to block applicable IP addresses.

    To deactivate log parsing, ignore this parameter.

    Athena Query Run Time Schedule (Minute) 5

    If you chose yes – Amazon Athena log parser for the Activate Scanner & Probe Protection or Activate HTTP Flood Protection parameters, you can enter a time interval (in minutes) over which the Athena query runs. By default, the Athena query runs every 5 minutes.

    If you chose to deactivate these protections, ignore this parameter.

    Custom Rule – Bad Bot
    Activate Bad Bot Protection yes Choose yes to turn on the component designed to block bad bots and content scrapers.
    ARN of an IAM role that has write access to CloudWatch logs in your account <optional input>

    Provide an optional ARN of an IAM role that has write access to CloudWatch logs in your account. For example: ARN: arn:aws:iam::account_id:role/myrolename. See Setting up CloudWatch logging for a REST API in API Gateway for instructions on how to create the role.

    If you leave this parameter blank (default), the solution creates a new role for you.

    Default Request Threshold 100

    If you chose yes for the Activate HTTP Flood Protection parameter, enter the maximum acceptable requests per five minutes, per IP address.

    If you chose yes - AWS WAF rate-based rule for the Activate HTTP Flood Protection parameter, the minimum acceptable value is 100.

    If you chose yes - AWS Lambda log parser or yes – Amazon Athena log parser for the Activate HTTP Flood Protection parameter, it can be any value.

    To deactivate this protection, ignore this parameter.

    Custom Rule – Third Party IP Reputation Lists
    Activate Reputation List Protection yes Choose yes to block requests from IP addresses on third-party reputation lists (supported lists include Spamhaus, Emerging Threats, and Tor exit node).
    Legacy Custom Rules
    Activate SQL Injection Protection yes

    Choose yes to turn on the component designed to block common SQL injection attacks. Consider activating it if you aren’t using an AWS managed core rule set or AWS managed SQL database rule group.

    You can choose one of the options (yes (continue), yes - MATCH, or yes - NO_MATCH) that you want AWS WAF to handle oversized request exceeding 8 KB (8192 bytes). By default, yes inspects the request component contents that are within the size limitations according to the rule inspection criteria. For more information, refer to Handling oversize web request components.

    Choose no to deactivate this feature.

    Note

    The CloudFormation stack adds the selected oversize handling option to the default SQL injection protection rule and deploys it into your AWS account. If you customized the rule outside of CloudFormation, your changes will be overwritten after the stack update.

    Sensitivity Level for SQL Injection Protection LOW

    Choose the sensitivity level that you want AWS WAF to use to inspect for SQL injection attacks.

    HIGH detects more attacks, but might generate more false positives.

    LOW is generally a better choice for resources that already have other protections against SQL injection attacks or that have a low tolerance for false positives.

    For more information, refer to AWS WAF adds sensitivity levels for SQL injection rule statements and SensitivityLevel property in the AWS CloudFormation User Guide.

    If you choose to deactivate SQL injection protection, ignore this parameter.

    Note

    The CloudFormation stack adds the selected sensitivity level to the default SQL injection protection rule and deploys it into your AWS account. If you customized the rule outside of CloudFormation, your changes will be overwritten after the stack update.

    Activate Cross-site Scripting Protection yes

    Choose yes to turn on the component designed to block common XSS attacks. Consider activating it if you aren’t using an AWS managed core rule set. You can also select one of the options (yes (continue), yes - MATCH, or yes - NO_MATCH) that you want AWS WAF to handle oversized request exceeding 8 KB (8192 bytes). By default, yes uses the Continue option, which inspects the request component contents that are within the size limitations according to the rule inspection criteria. For more information, refer to Oversize handling for request components.

    Choose no to deactivate this feature.

    Note

    The CloudFormation stack adds the selected oversize handling option to the default cross-site scripting rule and deploys it into your AWS account. If you customized the rule outside of CloudFormation, your changes will be overwritten after the stack update.

    Allowed and Denied IP Retention Settings
    Retention Period (Minutes) for Allowed IP Set -1

    If you want to activate IP retention for the Allowed IP set, enter a number (15 or greater) as the retention period (minutes). IP addresses reaching the retention period expire, and the solution removes them from the IP set. The solution supports a minimum 15-minute retention period. If you enter a number between 0 and 15, the solution treats it as 15.

    Leave it as -1 (default) to turn off IP retention.

    Retention Period (Minutes) for Denied IP Set -1

    If you want to activate IP retention for the Denied IP set, enter a number (15 or greater) as the retention period (minutes). IP addresses reaching the retention period expire, and the solution removes them from the IP set. The solution supports a minimum 15-minute retention period. If you enter a number between 0 and 15, the solution treats it as 15.

    Leave it as -1 (default) to turn off IP retention.

    Email for receiving notification upon Allowed or Denied IP Sets expiration <optional input>

    If you activated the IP retention period parameters (see two previous parameters) and want to receive an email notification when IP addresses expire, enter a valid email address.

    If you didn’t activate IP retention or want to turn off email notifications, leave it blank (default).

    Advanced Settings
    Retention Period (Days) for Log Groups 365

    If you want to activate retention for the CloudWatch Log Groups, enter a number (1 or greater) as the retention period (days). You can choose a retention period between one day (1) and ten years (3650). By default logs will expire after one year.

    Set it to -1 to keep the logs indefinitely.

  6. Choose Next.

  7. On the Configure stack options page, you can specify tags (key-value pairs) for resources in your stack and set additional options. Choose Next.

  8. On the Review and create page, review and confirm the settings. Select the boxes acknowledging that the template will create IAM resources and any additional capabilities required.

  9. Choose Submit to deploy the stack.

    View the status of the stack in the AWS CloudFormation console in the Status column. You should receive a status of CREATE_COMPLETE in approximately 15 minutes.

    Note

    In addition to the Log Parser, IP Lists Parser, and Access Handler AWS Lambda functions, this solution includes the helper and custom-resource Lambda functions, which run only during initial configuration or when resources are updated or deleted.

    When using this solution, you will see all functions in the AWS Lambda console, but only the three primary solution functions are regularly active. Don’t delete the other two functions; they are necessary to manage associated resources.

    To see details about the stack resources, choose the Outputs tab. This includes the BadBotHoneypotEndpoint value, which is the API Gateway honeypot endpoint. Remember this value because you will use it in Embed the Honeypot link in your web application.