iCompaas Support

Description:

AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security or consume excessive resources. AWS WAF allows you to monitor HTTP and HTTPS requests that are forwarded to Amazon Cloudfront, Application Load Balancer, and API Gateway. AWS WAF can configure conditions such as what IPs are allowed to make these requests or what query string parameters need to be passed for the request to be allowed, Then the Application Load Balancer or Cloudfront will either allow this content to be received or give it an HTTP 403 status code which is permission denied.

Rationale:

Ensure all your AWS Cloudfront web distributions are integrated with the web application firewall (AWS WAF) service to protect attacks on your applications on the internet that can affect the security of your web applications or place unnecessary load and resource usage.

Impact:

With AWS Cloudfront WAF enabled you will be able to block any malicious requests made to your Cloudfront based on criteria defined in the WAF Web Access Control List (ACL) associated with the CDN distribution.

Default Value:

By default, Cloudfront CDN and WAF are not Associated, If you want to create, First you have to create CDN distribution in Cloudfront, and Web ACL (Access Control List) in WAF and attach ACL with Cloudfront CDN

Pre-requisites

• Must have CloudFront Distribution

• Create a AWS WAF ACL.

Test Plan:

1. Log in to the AWS management console.

2. Navigate to the CloudFront dashboard at https://console.aws.amazon.com/cloudfront.

3. On the Distributions page, select the CDN distribution that you want to examine.

4. Click  on the General button 

5.  On the Distribution Settings page, verify the AWS WAF Web ACL configuration status. If AWS WAF Web ACL is set to None: 

6. The selected CDN distribution is not currently associated with an Access Control List (ACL), therefore          is not integrated with the AWS WAF service for protection against malicious viewers. 

7. Repeat step no. 3-6 for each Cloudfront CDN distribution available in your AWS account.

CLI Commands

1.  To get to know about the Distribution

aws cloudfront get-distribution
  --id E2ZZAENK18GEUD
  --query 'Distribution.DistributionConfig.WebACLId'

Remediation:

1.  Login to the AWS Management Console.

2.  Navigate to the Web Application Firewall dashboard at https://console.aws.amazon.com/wafv2/homev2

3. In the left navigation panel, Under the AWS WAF section, choose Web ACLs.

4. Click Create web ACL button from the WAF dashboard top menu to initiate the Access Control List built process. 

5. On the Name ACL page, in the Web ACL name and CloudWatch metric name fields, provide names   for the new WAF web         ACL and the required AWS CloudWatch metric. Click Next to continue the ACL setup process. 

6. On the Create Conditions page, choose one of the predefined conditions that you want to use to           allow or block requests         that are forwarded to your CloudFront web distributions.

  Click the Create  condition button available within the chosen condition category to configure the     condition access control filters based on your requirements. Once the necessary filters are defined, click Create to instantiate the new condition, Repeat the step to create as many conditions as needed. Click Next to continue the setup.

7. On the Create rules page, under Add rules to a web ACL, click Create a rule to define the ACL rule         that will reference             one or more conditions, which must be satisfied to activate the rule. In the Create     rule dialogue box, provide names for the         rule and the required CloudWatch metric then add the           necessary conditions. Click Create to instantiate the new rule. 

8. In if a request matches all of the conditions in a rule, take the corresponding action section, and             select the appropriate         action to take for each rule if a request matches the rule conditions.

Thee If a request doesn’t match any of the rules, go to the default action section, choose the default action that the ACL must take if a request doesn’t match any of the rules defined, and click Next to continue.

 On the Choose AWS resource page, select from the Resource dropdown list the Cloudfront web distributions that you want to associate with this new WAF ACL.

9. Click the Review and Create button to open the Review and create the page.   

10. Review the web ACL setting then click Confirm and create to generate the ACL once created the             new ACL will be             listed on the Web ACLs WAF page. On the AWS Cloudfront Distributions page, the       associated distribution status will             change from In Process to Deployed once the configuration                change is deployed through the entire CDN network (it         should take less than 15 minutes).

11. Navigate to the CloudFront page https://us-east-1.console.aws.amazon.com/cloudfront

12. click on Cloudfront Distribution

13. Select the Distribution you want to make changes 

14. Click on the General 

15. Click on the Edit button in the setting  

16. Click on Choose web ACL  

17. Click on Save changes

 CLI Commands

1.  Run the create-web-ACL command to create the AWS WAF web Access Control List that will be attached later to the Cloudfront distribution used as a CDN solution for your web application: 

aws waf create-web-acl
--name <name>
--metric-name <metric-name> 
--default-action Type=BLOCK
--change-token 3ub5d8bb-73c6....

aws cloudfront update-distribution
  --id <value>
  --distribution-config file://distconfig-waf-integration.json
  --if-match <value>

aws waf delete-web-acl
--web-acl-id <value>
--change-token <value>