The reality of hosting apps on the internet today is that you will start getting hammered by unexpected IP addresses right away. There are many approaches to handle this, but one easy solution on AWS is using their Web Application Firewall (WAF).
The default managed rules for this service cover many common use cases, including:
– Blocking hosts from specific countries
– Denying known malicious IP addresses
– Blocking VPN endpoints
– Detecting Cross-Site Scripting (XSS) and SQL injection attacks
The costs are reasonable, especially for low-to-moderate traffic sites.
You Should Know:
To maximize AWS WAF’s effectiveness, follow these steps and commands:
1. Enable AWS WAF Logging
AWS WAF logs record every request the web ACL evaluates, including which rule blocked it. Use Terraform to send them to a CloudWatch log group (the log group name must begin with aws-waf-logs-, otherwise WAF rejects it as a destination):
  resource "aws_wafv2_web_acl_logging_configuration" "example" {
    resource_arn            = aws_wafv2_web_acl.example.arn
    # CloudWatch log group whose name starts with "aws-waf-logs-"
    log_destination_configs = [aws_cloudwatch_log_group.example.arn]
  }
2. Analyze WAF Logs in CloudWatch
Use the AWS CLI to fetch blocked requests from the log group (the filter pattern matches JSON records whose action field is BLOCK):
  aws logs filter-log-events --log-group-name "aws-waf-logs-example" --filter-pattern '{ $.action = "BLOCK" }'
3. Block High-Risk Countries
Use a geo-match rule (a custom rule statement, not one of the managed rule groups) to block traffic from countries you consider high-risk. A web ACL also needs a default_action and a top-level visibility_config, which are included here:
  resource "aws_wafv2_web_acl" "example" {
    name        = "GeoBlock-Rules"
    scope       = "REGIONAL"
    description = "Blocks traffic from high-risk countries."

    # Requests matched by no rule are allowed; only the geo rule below blocks.
    default_action {
      allow {}
    }

    rule {
      name     = "GeoBlock"
      priority = 1
      action {
        block {}
      }
      statement {
        geo_match_statement {
          country_codes = ["CN", "RU", "KP"]
        }
      }
      visibility_config {
        cloudwatch_metrics_enabled = true
        metric_name                = "GeoBlock"
        sampled_requests_enabled   = true
      }
    }

    # Required at the web ACL level as well as per rule.
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "GeoBlockRules"
      sampled_requests_enabled   = true
    }
  }
4. Detect SQL Injection & XSS
AWS WAF ships managed rule groups covering OWASP Top 10 threats, such as AWSManagedRulesCommonRuleSet and AWSManagedRulesSQLiRuleSet. List the groups available for your scope via the CLI, then reference the chosen group in a managed_rule_group_statement rule of your web ACL:
  aws wafv2 list-available-managed-rule-groups --scope REGIONAL
5. Automate WAF Updates with Lambda
Use a Python Lambda function to update a WAF IP set dynamically, for example with addresses taken from the blocked-request analysis in step 2:
  import boto3

  def update_waf_ip_set(ip_set_id, new_ips):
      """Replace the address list of a regional WAFv2 IP set.
      new_ips must be CIDR strings, e.g. "203.0.113.9/32"."""
      client = boto3.client('wafv2')
      # update_ip_set requires the current LockToken (optimistic locking),
      # so fetch it with get_ip_set instead of hard-coding it.
      current = client.get_ip_set(Name='MaliciousIPs', Scope='REGIONAL', Id=ip_set_id)
      response = client.update_ip_set(
          Name='MaliciousIPs',
          Scope='REGIONAL',
          Id=ip_set_id,
          Addresses=new_ips,
          LockToken=current['LockToken']
      )
      return response
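The CloudWatch filter in step 2 returns only records whose terminating action was BLOCK; rule groups you are still evaluating in COUNT mode show up inside ALLOW records, under nonTerminatingMatchingRules. The following Python is an added example, not code from the original post: it parses constructed WAF JSON log records, tallies blocks and count-mode matches, and turns repeat offenders into the /32 CIDR list that the update_waf_ip_set function in step 5 takes as new_ips.

```python
import json
from collections import Counter
from ipaddress import ip_address

# Constructed sample records in the AWS WAF JSON log format (one object per
# line, as written to CloudWatch Logs); fields trimmed to those used below.
SAMPLE_WAF_LOG = """
{"action":"BLOCK","terminatingRuleId":"GeoBlock","nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"198.51.100.7","country":"RU","uri":"/login"}}
{"action":"BLOCK","terminatingRuleId":"AWS-AWSManagedRulesSQLiRuleSet","nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"203.0.113.9","country":"US","uri":"/search"}}
{"action":"ALLOW","terminatingRuleId":"Default_Action","nonTerminatingMatchingRules":[{"ruleId":"AWS-AWSManagedRulesCommonRuleSet","action":"COUNT"}],"httpRequest":{"clientIp":"203.0.113.9","country":"US","uri":"/admin"}}
{"action":"ALLOW","terminatingRuleId":"Default_Action","nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"192.0.2.4","country":"DE","uri":"/"}}
{"action":"BLOCK","terminatingRuleId":"AWS-AWSManagedRulesSQLiRuleSet","nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"203.0.113.9","country":"US","uri":"/search"}}
"""

def parse_waf_log(text):
    """Yield one dict per non-empty line, skipping lines that are not valid JSON."""
    for line in text.splitlines():
        if line.strip():
            try:
                yield json.loads(line)
            except json.JSONDecodeError:
                continue

def summarize(records):
    """Tally terminating BLOCKs by rule, country and client IP, and separately
    the COUNT-mode matches that sit inside ALLOW records."""
    s = {k: Counter() for k in ("blocked_by_rule", "blocked_by_country",
                                "blocked_by_ip", "counted_by_rule")}
    for rec in records:
        req = rec.get("httpRequest", {})
        if rec.get("action") == "BLOCK":
            s["blocked_by_rule"][rec.get("terminatingRuleId")] += 1
            s["blocked_by_country"][req.get("country")] += 1
            s["blocked_by_ip"][req.get("clientIp")] += 1
        for m in rec.get("nonTerminatingMatchingRules", []):
            if m.get("action") == "COUNT":
                s["counted_by_rule"][m.get("ruleId")] += 1
    return s

def repeat_offender_cidrs(blocked_by_ip, threshold=2):
    """IPs blocked at least `threshold` times, as the /32 or /128 CIDR strings
    a WAFv2 IP set requires (the list update_waf_ip_set expects as new_ips)."""
    cidrs = []
    for ip, n in blocked_by_ip.items():
        if n >= threshold:
            addr = ip_address(ip)
            cidrs.append(f"{addr}/{32 if addr.version == 4 else 128}")
    return sorted(cidrs)
```

Run against a real export, feed the log group output from step 2 (one JSON record per line) into parse_waf_log and review counted_by_rule before switching a managed rule group from COUNT to BLOCK.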
What Undercode Say:
AWS WAF is a powerful tool to mitigate common web threats, but logging and automation are key. Use Terraform for IaC, CloudWatch for monitoring, and Lambda for dynamic rule updates. Always analyze blocked traffic to refine security policies.
Expected Output:
- Reduced malicious traffic
- Automated threat blocking
- Compliance with OWASP security standards
Reference:
Building a Cost-Effective AWS WAF Logging Pipeline with Terraform, CloudWatch, and S3
Reported By: Darryl Ruggles – Hackers Feeds