Testing New Rules

Introduction

Before deploying a new rule, it’s vital to test it. This is to ensure you don’t accidentally block valid requests.

So far you have used Block and Allow when specifying what action to take on a request. There is a third action, Count. Count allows you to measure the number of requests that would meet the rule conditions.

Count is a non-terminating action. When a request matches a rule with the Count action, the web ACL will continue processing the remaining rules.

Managed rules and rule groups can also be tested in a similar way using Count.

Viewing rule counts

When a request matches a rule whose action is Count, the match is emitted as a CloudWatch metric. To view the count for a rule, navigate to the CloudWatch metrics console. Select AWS/WAFv2, then Region, Rule, WebACL to view your metrics.

By default, Average is used when displaying WAF metrics. It's useful to change this to Sum when you want the total number of matching requests over the selected period, which is what you need when testing a Count rule.

Challenge

You have developed a new rule for your WAF. Before you can deploy it, you must first test it. This reduces the risk of unintentionally introducing rules that block genuine requests.

The rule below blocks any request whose query parameter username has a non-empty value (a size greater than 0 bytes).

Read more about testing Web ACLs

  1. Update the Action of the rule below to Count, so that it can be tested.

{
  "Name": "count-von-count",
  "Priority": 0,
  "Action": {
    "Block": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "count-von-count"
  },
  "Statement": {
    "SizeConstraintStatement": {
      "FieldToMatch": {
        "SingleQueryArgument": {
          "Name": "username"
        }
      },
      "ComparisonOperator": "GT",
      "Size": 0,
      "TextTransformations": [
        {
          "Type": "NONE",
          "Priority": 0
        }
      ]
    }
  }
}

  2. Deploy the rule to your web ACL, using either the console or the CLI.

Test Case

Execute the following command in your terminal.

curl "$JUICESHOP_URL?username=admin"

This request won’t be blocked. Instead, it should be counted. Check CloudWatch metrics to see if it has worked!
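As an added example (not part of the workshop), the following Python simulates how a web ACL walks its rules in priority order, so you can see why the curl request above is counted but not blocked once the action is Count. The web ACL default action (Allow) and the juiceshop.example URL are assumptions; only the SizeConstraintStatement used by the workshop rule is implemented.

```python
import json
from urllib.parse import parse_qs, urlparse

# The workshop's rule, embedded so the example runs offline (Size as an integer).
COUNT_VON_COUNT = json.loads("""{
  "Name": "count-von-count", "Priority": 0, "Action": {"Block": {}},
  "VisibilityConfig": {"SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true,
                       "MetricName": "count-von-count"},
  "Statement": {"SizeConstraintStatement": {
    "FieldToMatch": {"SingleQueryArgument": {"Name": "username"}},
    "ComparisonOperator": "GT", "Size": 0,
    "TextTransformations": [{"Type": "NONE", "Priority": 0}]}}
}""")

def to_count(rule):
    """Return a deep copy of the rule with its terminating action swapped for Count."""
    tested = json.loads(json.dumps(rule))
    tested["Action"] = {"Count": {}}
    return tested

def matches(rule, url):
    """Evaluate a SizeConstraintStatement on a SingleQueryArgument (the only
    statement type implemented here). Size is compared in bytes, as WAF does."""
    stmt = rule["Statement"]["SizeConstraintStatement"]
    name = stmt["FieldToMatch"]["SingleQueryArgument"]["Name"]
    values = parse_qs(urlparse(url).query, keep_blank_values=True).get(name, [])
    size = len(values[0].encode("utf-8")) if values else 0
    limit = int(stmt["Size"])
    ops = {"EQ": size == limit, "NE": size != limit, "LE": size <= limit,
           "LT": size < limit, "GE": size >= limit, "GT": size > limit}
    return ops[stmt["ComparisonOperator"]]

def evaluate(rules, url, default_action="Allow"):
    """Walk rules in Priority order. A matching Count rule is recorded and
    evaluation continues; the first matching Block or Allow decides the request;
    the web ACL default action (assumed Allow) applies when no terminating rule
    matched. Returns (final_action, [names of Count rules that matched])."""
    counted = []
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        if not matches(rule, url):
            continue
        action = next(iter(rule["Action"]))
        if action == "Count":
            counted.append(rule["Name"])
            continue
        return action, counted
    return default_action, counted
```

Compare evaluate([COUNT_VON_COUNT], url) with evaluate([to_count(COUNT_VON_COUNT)], url) for a constructed url such as "https://juiceshop.example/?username=admin": the first returns Block, the second returns the default action with count-von-count listed as matched, which is exactly what the CloudWatch metric will show.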

Conclusion

Before you deploy a new rule to your web ACL, it is vital to test it. Test new rules using the Count action. Monitor rule match counts using CloudWatch metrics.