Arun Kumar
Posted on June 10, 2021
Overview
WAF support for ALB is now available in many regions.
Clients want to provide a pattern of using ALB → (Lambda | EC2) to be secured via WAF (and HTTPS).
Clients want to minimise the maintenance footprint of adding WAF for many applications.
Architecture
Pricing Details
WAF Pricing
a. WAF
- $5 per web ACL per month
- $1 per rule per web ACL per month (assume one rule = “core-waf-automations — SQL Injection Rule”)
- $0.60 per million web requests
b. F5
- Charge per month in each available region (pro-rated by the hour) $20 / unit
- Charge per million requests in each available region $1.2 / unit
Estimates
a. WAF Pricing
- 12 web acls (6x2 acls)
- 10 rules per WebACL = 120 rules total = $120
- 100 million requests = $60
- $2,160 Annual cost
b. Market place pricing — 4x F5 managed rulesets
- $480 for $80 per account per region per month x 6
- $480 for 100 million requests x 4 rulesets (total requests across all accounts / regions)
- $11,520 Annual cost
c. Total pricing estimate
- $13,680 annual total
Solutions
a. Author is AWS themselves
b. Without dedicated security team — “web application firewall strategy” can be a hassle (even with one)
c. AWS WAF ACL — central inspection and decision point for incoming requests (for all apps that use it)
This solution has a bunch of preconfigured rules for use with ALB, CloudFront
I’m assuming we can easily integrate with marketplace rules, like the F5 ones.
d. Log analysis — more than just “waf rules to apply” — there’s mechanisms for updating rules:
Both WAF logs and App logs can be parsed by Athena/Lamdba to inform on HTTP Flood, Scanners & Probes
Scheduled cloudwatch event rule triggers lambda to maintain IP Reputation Lists
Bot lists also updated via a lambda.
Types of Rules
a. White/black listing (manual lists)
- No automation setup around these lists — is the expectation you manage via AWS Console?
b. SQL Injection, XSS (patterns in URI, querystring, request body)
c. HTTP Flood (web-layer DDoS, brute force logins)
- ConfigureRateBasedRule (Custom::ConfigureRateBasedRule — HttpFloodProtectionRateBasedRuleActivated)
d. Scanners & Probes (abnormal amount errors from an origin)
e. IP Reputation Lists (3rd party lists hourly updated)
- spamhaus.org
- torproject.org
- emergingthreats.net
f. Bad Bot (honeypot to attract bots)
- ApiGateway, Lambda
Posted on June 10, 2021
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.