A web ACL (web access control list) is the core resource in an AWS WAF deployment. It contains the rules that are evaluated against every request the protected resource receives. A web ACL is associated with your web application through an Amazon CloudFront distribution, an Amazon API Gateway API or an AWS Application Load Balancer.
This workshop uses the latest version of AWS WAF. Make sure you do not use WAF Classic.
The quickest way to get started with AWS WAF is to add an AWS Managed Rule Group to your web ACL.
Managed rule groups are sets of rules created and maintained by AWS or by third-party sellers on the AWS Marketplace. Each group protects against a class of common attacks, such as SQL injection or OS command injection, or is tuned for a particular application type.
AWS provides a selection of managed rule groups; three examples are the Amazon IP reputation list, Known bad inputs and the Core rule set. Other rule groups are also available.
You are the sole developer for the startup Juice Shop. Your website is a simple web application backed by a SQL database. For some reason, a group of Milkshake bandits have started attacking your site!
Luckily, you recently attended a workshop on AWS WAF. You decide to implement your own WAF to protect your site.
Create a web ACL in the WAF console.
Navigate to the AWS WAF Console
Select create web ACL
Set the Region to Global (CloudFront).
Set the name to
Set the description to: web ACL for the aws-waf-workshop
Leave the Resource type as CloudFront Distribution
In the Associated AWS resources section, select Add AWS resources.
Select the CloudFront distribution
If the CloudFront distribution does not appear when associating it with the web ACL, double check that:
You don't have much time, so you decide to deploy two AWS Managed Rule Groups to your web ACL. This will protect your website from the common attacks the Milkshake bandits are using.
Add two managed rule groups to your web ACL.
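The same web ACL the console steps above produce, expressed as the request body for `aws wafv2 create-web-acl --cli-input-json file://webacl.json --region us-east-1` (or boto3 `wafv2.create_web_acl(**request)`). This is an added example, not code from the workshop; the ACL name, the metric names and the `count_only` switch are this example's own choices and go a step beyond the page, which only deploys the two groups in blocking mode.

```python
"""Added example (not from the workshop): build and sanity-check the
create-web-acl request for a global (CloudFront) web ACL that carries the
Core rule set and the SQL database managed rule groups.
ACL name, metric names and count_only are assumptions of this example."""
import json

# Console label -> AWS managed rule group identifier (VendorName "AWS").
CORE_RULE_SET = "AWSManagedRulesCommonRuleSet"  # "Core rule set"
SQLI_RULE_SET = "AWSManagedRulesSQLiRuleSet"    # "SQL database"


def managed_rule(group: str, priority: int, count_only: bool = False) -> dict:
    """Rule that references an AWS managed rule group.

    A rule that references a rule group takes OverrideAction, not Action:
    {"None": {}} keeps the group's own block actions, {"Count": {}} turns
    every match into a count-only event, which is how you canary a group
    against live traffic before it can block real users.
    """
    return {
        "Name": group,
        "Priority": priority,
        "Statement": {
            "ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": group}
        },
        "OverrideAction": {"Count": {}} if count_only else {"None": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": group,
        },
    }


def build_web_acl_request(name: str, description: str,
                          count_only: bool = False) -> dict:
    """Global web ACL: default ALLOW, Core rule set evaluated first, then
    SQL database. Scope CLOUDFRONT is only accepted in us-east-1."""
    return {
        "Name": name,
        "Scope": "CLOUDFRONT",
        "Description": description,
        "DefaultAction": {"Allow": {}},
        "Rules": [
            managed_rule(CORE_RULE_SET, priority=0, count_only=count_only),
            managed_rule(SQLI_RULE_SET, priority=1, count_only=count_only),
        ],
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def validate(request: dict) -> list:
    """Pre-flight checks for two mistakes the API would otherwise reject."""
    problems = []
    priorities = [r["Priority"] for r in request["Rules"]]
    if len(priorities) != len(set(priorities)):
        problems.append("rule priorities must be unique")
    for r in request["Rules"]:
        if "ManagedRuleGroupStatement" in r["Statement"] and "Action" in r:
            problems.append(f"rule {r['Name']}: use OverrideAction, not Action, "
                            "for a rule group reference")
    return problems


if __name__ == "__main__":
    req = build_web_acl_request("aws-waf-workshop",
                                "web ACL for the aws-waf-workshop")
    assert validate(req) == []
    print(json.dumps(req, indent=2))  # save as webacl.json
```

The create call returns the web ACL's ARN. For CloudFront the association is made in the distribution configuration (its WebACLId field is set to that ARN), which is what the console's "Associated AWS resources" step does for you; `associate-web-acl` is only for regional resources such as an Application Load Balancer or API Gateway.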
Test your new rules with the commands below.
Make sure the JUICESHOP_URL variable contains the URL for your Juice Shop deployment.
```bash
export JUICESHOP_URL=<Your Juice Shop URL>

# This imitates a Cross-Site Scripting attack.
# This request should be blocked.
curl -X POST "$JUICESHOP_URL" -F "user='<script><alert>Hello></alert></script>'"

# This imitates a SQL Injection attack.
# This request should be blocked.
curl -X POST "$JUICESHOP_URL" -F "user='AND 1=1;"
```
If a request is blocked, you will receive an HTML response stating that the request was forbidden. Here's a snippet of what to expect:
```html
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>ERROR: The request could not be satisfied</title>
</head>
<body>
<h1>403 ERROR</h1>
<!-- Omitted -->
</body>
</html>
```
If you receive a response like the one below, the request wasn't blocked by WAF.
```html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<title>OWASP Juice Shop</title>
<!-- Omitted for brevity -->
</head>
</html>
```
In this case, something has gone wrong. Double check the following:
Is your web ACL associated with the CloudFront distribution?
Does your web ACL contain two active rules, the Core rule set and SQL database managed rule groups?
If the rule groups are missing, add them as follows:
Navigate to the Rules tab of your web ACL
Select Add Rules > Add Managed Rule Groups
Select Core rule set and SQL database from the AWS managed rule groups
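A scripted version of the test above, as an added example that is not part of the workshop: it sends the two attack probes plus a benign control request and judges each by the HTTP status code rather than by reading the HTML, so a web ACL that blocks everything (or nothing) is caught as well. It uses the workshop's JUICESHOP_URL variable; the benign payload and the PASS/FAIL layout are this example's own choices.

```bash
#!/usr/bin/env bash
# Added example (not from the workshop): probe the site and classify each
# response. Requires JUICESHOP_URL as set in the workshop; the "benign"
# control request is an assumption of this example.
set -u

# AWS WAF BLOCK actions reach the client as a CloudFront 403 page.
classify_status() {
  case "$1" in
    403) echo blocked ;;
    200) echo allowed ;;
    *)   echo "other:$1" ;;   # redirects etc.: investigate, do not count as a pass
  esac
}

# For a saved response body instead of a status code: the CloudFront block
# page carries this title, the Juice Shop page does not.
classify_body() {
  if printf '%s' "$1" | grep -q 'The request could not be satisfied'; then
    echo blocked
  else
    echo allowed
  fi
}

# verdict STATUS EXPECTED -> prints PASS or FAIL; exit status matches.
verdict() {
  [ "$(classify_status "$1")" = "$2" ] && echo PASS || { echo FAIL; return 1; }
}

# check NAME PAYLOAD EXPECTED: POST the payload as the "user" form field,
# as the workshop's curl commands do, and report the result.
check() {
  local name="$1" payload="$2" expected="$3" code result
  code=$(curl -s -o /dev/null -w '%{http_code}' -X POST "$JUICESHOP_URL" -F "user=$payload")
  result=$(verdict "$code" "$expected")
  printf '%s %-7s HTTP %s (expected %s)\n' "$result" "$name" "$code" "$expected"
  [ "$result" = PASS ]
}

if [ -n "${JUICESHOP_URL:-}" ]; then
  status=0
  check XSS    "'<script><alert>Hello></alert></script>'" blocked || status=1
  check SQLi   "'AND 1=1;"                                blocked || status=1
  check benign "alice"                                    allowed || status=1
  exit "$status"
fi
```

A FAIL on the benign line means the rule groups are blocking legitimate traffic; in that case inspect the sampled requests for the web ACL to see which rule matched before loosening anything.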
Well done on deploying your first rules to your web ACL. You've stopped the attacks for now. Hopefully that is the end of it.
This section introduced AWS Managed Rules for WAF. Managed Rule Groups allow you to quickly protect your application from a variety of common attacks and are available from AWS and AWS Marketplace sellers.