What is the AWS WAF?

By 20.12.17April 6th, 2020No Comments

What is

the AWS WAF?

[nectar_dropcap color=”#00629b”]T[/nectar_dropcap]

he AWS WAF stands for Amazon Web Services Web Application Firewall. Let’s break this down a little. AWS is, of course, an IaaS/PaaS provided by Amazon, but what’s a Web Application Firewall?

In short, a firewall determines who is allowed to access what on the network level. The firewall would, say, allow certain pre-defined IP address to access port 22 while denying any others. Similarly, at the web application level, the firewall can work to grant or deny permissions to certain areas of the web application based on the IP address or cookies the user has set or even the time of day.


does it work?

[nectar_dropcap color=”#00629b”]I[/nectar_dropcap]

n the case of the AWS WAF, the firewall sits between your users and your CloudFront distribution or Load Balancer, which of course sits in front of your servers. The WAF is composed of various Access Control Lists (ACLs), which define rules for which types of requests should be allowed and which should be denied. When a user attempts to connect to your site, the WAF checks their IP address and request against the ACLs to determine whether or not to allow it. If everything’s OK, the request is forwarded on. There are several instances where an IP address may appear on the blacklist or be attempting to access a restricted area. The AWS Security Automations, which is an easy-deploy CloudFormation template provided by Amazon, implements the following protections:

Bad Bot / Scraper Protection

Bots are generally very good things, automating processes and powering the search engines that we use every day, though they can also be abused for malicious purposes. Distil has a list of vulnerability scanners for example, that while you may personally want to run them as a part of your security audits and penetration tests, you most likely wouldn’t want an attacker to run them against your site. The AWS WAF implementation involves setting up a honeypot URL to detect bad bots and blacklist them. A “honeypot” in the infosec world refers to a fake production environment that appears to be relatively easy to break into, with the purpose of catching hackers before they are able to get to any real resources. The idea is that a honeypot is heavily monitored and surrounded with automated alert systems to detect suspicious behavior and shut it down before it can cause any harm. In the AWS WAF implementation, this is done through the use of a secondary origin for your CloudFront distribution with a Lambda function attached to it. This origin is accessible via a special path, that, when pinged, triggers the Lambda function and instantly adds the remote IP address to the WAF blacklist, effectively denying it further access.

As seen in the screenshot, I first send a request to a site with the WAF enabled and receive the content. (I’ve blurred out the information identifying the website in question).

I then send a request to the honeypot URL, and this time receive the default message provided by the Lambda function to acknowledge I’ve been blocked.

Any subsequent requests I make are instantly blocked and I’m met with a 403 Forbidden error.

This endpoint is of course hidden from your users and any bots that respect the robots.txt directives or “nofollow” rel attribute on links, so they will be unaffected. Accolade Partners has a Magento 1 module that simplifies the implementation of your honeypot URL in your Magento shop, so that you only have to provide minimal configuration to get it up and running. Not only that, but we will also check your robots.txt file for you to make sure you don’t accidentally block any benevolent bots.

SQL Injection / XSS Protection

SQL Injection and Cross-site Scripting (XSS) attacks are consistently among the OWASP Top 10 Web Application Vulnerability lists and they can be quite devastating. In a SQL Injection attack, an attacker attempts to feed raw SQL commands to your application in the hopes that they will be executed on your server. If you’re not properly escaping user input, they may be able to read from, write to, or destroy your data without authorization. In an XSS attack, the attacker attempts to execute scripts from an external server on your website. This can be particularly dangerous as it allows attackers to install malware on your users’ machines or steal their session tokens, granting them unauthorized access to your or your users’ accounts. To defend against these types of attacks, the WAF examines the request URIs and bodies going into the server to find keywords relevant to each. In the case of SQL injection attacks, these may include command words like


, etc.

In the above screenshot, you can see my genuine search request was accepted, while my attempts to call in an external script were denied. (The query paramter that got me blocked was just the URI-encoded value of


). Of course, you can customize these rules if your application accepts HTML tags or SQL commands as input, though these cases should be very strictly monitored.

Log Parser Protection

Detecting suspicious behavior isn’t easy, as it can be quite difficult to separate the legitimate traffic from the malicious traffic. In addition to the honeypot URL discussed above, Amazon also offers log-parsing to detect unusually high numbers of requests from a particular IP address. The AWS implementation works as follows:

  1. All requests to your CloudFront distribution are logged to an S3 bucket of your choosing.
  2. Each time a new log file is created in the S3 bucket, an event is fired off to trigger the log-parser Lambda function.
  3. The log-parser function examines the contents of the logs and tallies up the number of requests per IP address.
  4. If a certain IP address exceeds the number of requests you’ve defined within the time-period you’ve defined, then the IP address is blacklisted for the amount of time that you again define.

CloudFront logging initially takes about 4 hours to begin reliable reporting and new log files are generally created once they reach about 50Mb in (uncompressed) size, so you won’t see IP addresses being immediately blocked, but they will eventually make it there. I wrote a small script to spam the server with a 200 requests per minute limit and a 4-hour ban time and was able to get out 2705 successful requests in about 6 minutes and 45 seconds before I was finally blacklisted:

Reputation Blacklists

Amazon also provides reputation blacklists, which are essentially a list of all known malicious IP addresses, so that you don’t have to worry about them. If any of the IP addresses on the list attempt to access your services, they are immediately denied.

Manual Whitelists / Blacklists

In addition to the automated blacklists, you can also define your own blacklists for IP addresses or ranges you’ve had problems with, or whitelists to ensure that your critical services remain connected.

Why should you care?

Data breaches are expensive, both in financial costs and in their damage to a shop’s reputation. While having a WAF isn’t a “silver bullet” that solves all of your security problems, it is an essential part of a layered security approach, and often the first line of defense. Having a strong firewall can also reduce the load on your servers, since they will only be needed to serve legitimate requests.

Do contact us at if you are in need of security audit or are interested in setting up your shop in Amazon AWS.