AWS WAF and Shield
AWS WAF provides application-layer protection for web servers and integrates with CloudFront, Application Load Balancer, and API Gateway. Unlike Security Groups, which operate at the network layer, AWS WAF inspects the content of HTTP/HTTPS requests so it can block application-level attacks.
Implementing AWS WAF with managed rules:
```python
import boto3

# wafv2 is regional for ALB/API Gateway; CloudFront Web ACLs must be created
# in us-east-1 with Scope='CLOUDFRONT'.
waf_client = boto3.client('wafv2', region_name='us-east-1')

# Create Web ACL
web_acl = waf_client.create_web_acl(
    Name='web-server-protection',
    Scope='REGIONAL',  # or 'CLOUDFRONT' for CloudFront distributions
    DefaultAction={'Allow': {}},
    Description='WAF protection for web servers',
    Rules=[
        {
            # Rate limit per source IP; custom rules use 'Action'
            'Name': 'RateLimitRule',
            'Priority': 1,
            'Statement': {
                'RateBasedStatement': {
                    'Limit': 2000,
                    'AggregateKeyType': 'IP'
                }
            },
            'Action': {'Block': {}},
            'VisibilityConfig': {
                'SampledRequestsEnabled': True,
                'CloudWatchMetricsEnabled': True,
                'MetricName': 'RateLimitRule'
            }
        },
        {
            # Managed rule groups use 'OverrideAction' instead of 'Action';
            # 'None' keeps the group's own block/allow actions,
            # {'Count': {}} would only count matches while tuning.
            'Name': 'AWSManagedRulesCommonRuleSet',
            'Priority': 2,
            'OverrideAction': {'None': {}},
            'Statement': {
                'ManagedRuleGroupStatement': {
                    'VendorName': 'AWS',
                    'Name': 'AWSManagedRulesCommonRuleSet'
                }
            },
            'VisibilityConfig': {
                'SampledRequestsEnabled': True,
                'CloudWatchMetricsEnabled': True,
                'MetricName': 'CommonRuleSetMetric'
            }
        }
    ],
    VisibilityConfig={
        'SampledRequestsEnabled': True,
        'CloudWatchMetricsEnabled': True,
        'MetricName': 'web-server-waf'
    }
)

# Associate with Application Load Balancer
waf_client.associate_web_acl(
    WebACLArn=web_acl['Summary']['ARN'],
    ResourceArn='arn:aws:elasticloadbalancing:region:account-id:loadbalancer/app/my-load-balancer/1234567890123456'
)
```
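Before switching a managed rule group from Count to its real actions, a practitioner wants to know which rules are matching legitimate traffic. The following is an added example, not code from the page or from AWS: it parses WAF logs in the wafv2 JSON Lines layout and summarizes terminating (blocking) rules, the most-blocked client IPs, and rules that matched in COUNT mode. The log records, ACL ARN, load-balancer id, IPs and URIs are constructed placeholders; the field names follow the published WAF log format.

```python
import json
from collections import Counter

# Web ACL ARN placeholder (constructed, not a real resource)
ACL_ARN = 'arn:aws:wafv2:us-east-1:111122223333:regional/webacl/web-server-protection/EXAMPLE-ID'


def _record(action, rule_id, rule_type, client_ip, uri, rule_groups=None, rate_rules=None):
    """Build one constructed WAF log record in the wafv2 log layout."""
    return {
        'timestamp': 1700000000000, 'formatVersion': 1, 'webaclId': ACL_ARN,
        'terminatingRuleId': rule_id, 'terminatingRuleType': rule_type, 'action': action,
        'httpSourceName': 'ALB', 'httpSourceId': 'app/my-load-balancer/1234567890123456',
        'ruleGroupList': rule_groups or [], 'rateBasedRuleList': rate_rules or [],
        'nonTerminatingMatchingRules': [],
        'httpRequest': {'clientIp': client_ip, 'country': 'US', 'uri': uri, 'httpMethod': 'POST'},
    }


RATE_HIT = [{'rateBasedRuleId': 'RateLimitRule', 'limitKey': 'IP', 'maxRateAllowed': 2000}]
COMMON_RULESET = 'AWS#AWSManagedRulesCommonRuleSet'

# Constructed sample log stream (JSON Lines): two rate-limit blocks from one IP,
# one block by a managed rule, one COUNT-mode match allowed by the default action,
# and one clean request.
SAMPLE_WAF_LOGS = '\n'.join(json.dumps(r) for r in [
    _record('BLOCK', 'RateLimitRule', 'RATE_BASED', '198.51.100.7', '/login', rate_rules=RATE_HIT),
    _record('BLOCK', 'RateLimitRule', 'RATE_BASED', '198.51.100.7', '/login', rate_rules=RATE_HIT),
    _record('BLOCK', 'AWSManagedRulesCommonRuleSet', 'MANAGED_RULE_GROUP', '203.0.113.9', '/search',
            rule_groups=[{'ruleGroupId': COMMON_RULESET,
                          'terminatingRule': {'ruleId': 'GenericRFI_QUERYARGUMENTS', 'action': 'BLOCK'},
                          'nonTerminatingMatchingRules': [], 'excludedRules': None}]),
    _record('ALLOW', 'Default_Action', 'REGULAR', '192.0.2.44', '/api/upload',
            rule_groups=[{'ruleGroupId': COMMON_RULESET, 'terminatingRule': None,
                          'nonTerminatingMatchingRules': [{'ruleId': 'SizeRestrictions_BODY', 'action': 'COUNT'}],
                          'excludedRules': None}]),
    _record('ALLOW', 'Default_Action', 'REGULAR', '192.0.2.45', '/'),
])


def parse_waf_logs(text):
    """Parse JSON Lines WAF log text into record dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize_waf_logs(records):
    """Summarize actions, blocking rules, blocked IPs and COUNT-mode matches."""
    actions, blocked_by_rule, blocked_ips, count_hits = Counter(), Counter(), Counter(), Counter()
    for rec in records:
        actions[rec['action']] += 1
        if rec['action'] == 'BLOCK':
            blocked_by_rule[rec['terminatingRuleId']] += 1
            blocked_ips[rec['httpRequest']['clientIp']] += 1
        # COUNT matches inside managed rule groups show what the group would block
        for group in rec.get('ruleGroupList') or []:
            for match in group.get('nonTerminatingMatchingRules') or []:
                if match.get('action') == 'COUNT':
                    count_hits[f"{group['ruleGroupId']}/{match['ruleId']}"] += 1
        # COUNT matches from the ACL's own (non-group) rules
        for match in rec.get('nonTerminatingMatchingRules') or []:
            if match.get('action') == 'COUNT':
                count_hits[match['ruleId']] += 1
    return {
        'actions': dict(actions),
        'blocked_by_rule': dict(blocked_by_rule),
        'blocked_ips': dict(blocked_ips),
        'count_mode_hits': dict(count_hits),
    }


if __name__ == '__main__':
    print(json.dumps(summarize_waf_logs(parse_waf_logs(SAMPLE_WAF_LOGS)), indent=2))
```

Run against real logs delivered to S3 or CloudWatch Logs, a rising `count_mode_hits` entry for a rule that only ever matches legitimate uploads (such as a body-size restriction on an upload endpoint) is the signal to scope that rule down or exclude it before setting `OverrideAction` to `None`.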
AWS Shield provides DDoS protection, with Shield Standard automatically protecting against common attacks and Shield Advanced offering enhanced protection with 24/7 support:
```python
import boto3

# Enable Shield Advanced for critical resources.
# Shield is a global service served from us-east-1; associating the DRT role
# and creating protections both require an active Shield Advanced subscription.
shield_client = boto3.client('shield', region_name='us-east-1')

# Let the Shield Response Team (DRT) act on your behalf during an attack
shield_client.associate_drt_role(
    RoleArn='arn:aws:iam::account-id:role/DRTRole'
)

# Protect the load balancer that fronts the web servers
shield_client.create_protection(
    Name='WebServerProtection',
    ResourceArn='arn:aws:elasticloadbalancing:region:account-id:loadbalancer/app/my-load-balancer/1234567890123456'
)
```