The Secret Life of AWS: The Perimeter (AWS WAF & AWS Shield)

How to filter malicious traffic at the global edge.

#AWS #WAF #Shield #Security


Part 52 of The Secret Life of AWS

Timothy was reviewing the CloudWatch dashboards for his newly deployed global architecture. The CloudFront distribution was successfully serving users in milliseconds, but he noticed an alarming anomaly.

"We have a massive spike in traffic hitting the Checkout API," Timothy explained to Margaret, pulling up the X-Ray traces. "But these are not normal user requests. Someone is sending thousands of requests per minute from a handful of IP addresses. And look at the request payloads—they are injecting raw SQL commands into the URL parameters."

Margaret leaned in to examine the logs. "You are experiencing an application-layer attack. CloudFront is doing exactly what it was designed to do: it is delivering traffic to your API Gateway as fast as possible. However, CloudFront does not inspect the intent of the traffic. It does not know the difference between a legitimate customer and a malicious bot script."

"How do we stop them before they reach the backend database?" Timothy asked.

"We need to filter the traffic at the perimeter, before it ever enters our core infrastructure," Margaret replied. "We are going to deploy a Web Application Firewall using AWS WAF."

The Web Access Control List (Web ACL)

Margaret opened the AWS Console and navigated to AWS WAF.

"AWS WAF operates at Layer 7 of the OSI model, which is the application layer," she explained. "It inspects the actual HTTP and HTTPS requests—the headers, the URI, and the body of the payload. We are going to create a Web Access Control List (Web ACL) and attach it directly to our CloudFront distribution."

She clicked create and named the Web ACL global-perimeter-defense.

"A Web ACL is essentially a container for security rules," Margaret said. "When a request hits a CloudFront Edge Location, WAF evaluates the request against our rules in sequential order. If the request violates a rule, WAF blocks it instantly at the edge, returning a 403 Forbidden error to the attacker. The malicious request never touches your API Gateway or your Lambda compute resources. Because WAF charges based on the rules and inspected requests, blocking attacks early costs far less than the compute resources you would waste processing malicious traffic."

Managed Rules, Bot Control, and Geo-Blocking

Timothy looked at the empty rule set. "Do I need to write custom regular expressions to catch every possible SQL injection syntax?"

"You can write custom rules, but AWS provides Managed Rule Groups maintained by their security research team," Margaret answered.

She opened the rule configuration and selected the Core rule set, the SQL database rule set, and the Amazon IP reputation list.

"By enabling these, WAF will automatically inspect incoming requests for known vulnerabilities like SQL Injection (SQLi) and Cross-Site Scripting (XSS), while instantly blocking traffic from IPs known to be associated with abuse. We can also enable Bot Control, a specialized rule group that distinguishes between human users, legitimate search engine crawlers, and malicious content scrapers."

"What if our e-commerce store only ships to North America?" Timothy asked, looking at the origin IPs of the attack.

"Then we add a Geographic Match Rule," Margaret smiled. "We can instruct WAF to automatically drop all traffic originating outside of the United States and Canada, drastically reducing our attack surface."
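The rule set Margaret assembled, expressed as the structures boto3's `wafv2` client expects for a CloudFront-scoped Web ACL. This is an added example, not code from the blog or from AWS; the rule names and metric names are constructed, while the three managed rule group names are AWS's published identifiers. Note that "drop everything outside the US and Canada" is a `GeoMatchStatement` wrapped in a `NotStatement` with a Block action, not a plain geo match.

```python
"""Web ACL rules from the story in boto3 wafv2 request shape (added example)."""


def _visibility(metric_name):
    # Every rule must carry a VisibilityConfig; metric names are constructed here.
    return {"SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}


def managed_group_rule(priority, group_name):
    """Reference an AWS Managed Rule Group; OverrideAction None keeps the group's own actions."""
    return {"Name": group_name, "Priority": priority,
            "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": group_name}},
            "OverrideAction": {"None": {}},
            "VisibilityConfig": _visibility(group_name)}


def geo_allowlist_rule(priority, allowed_countries):
    """Block requests whose origin country is NOT in the allow list."""
    return {"Name": "GeoAllowlist", "Priority": priority,
            "Statement": {"NotStatement": {"Statement": {
                "GeoMatchStatement": {"CountryCodes": list(allowed_countries)}}}},
            "Action": {"Block": {}},
            "VisibilityConfig": _visibility("GeoAllowlist")}


def validate(rules):
    """Catch the two mistakes the API rejects: duplicate priorities, wrong action field."""
    priorities = [r["Priority"] for r in rules]
    if len(set(priorities)) != len(priorities):
        raise ValueError("rule priorities must be unique")
    for r in rules:
        if ("Action" in r) == ("OverrideAction" in r):
            raise ValueError(f"{r['Name']}: needs exactly one of Action / OverrideAction")


def build_rules():
    rules = [managed_group_rule(0, "AWSManagedRulesCommonRuleSet"),
             managed_group_rule(1, "AWSManagedRulesSQLiRuleSet"),
             managed_group_rule(2, "AWSManagedRulesAmazonIpReputationList"),
             geo_allowlist_rule(3, ["US", "CA"])]
    validate(rules)
    return rules


def create_global_web_acl(name="global-perimeter-defense"):
    import boto3  # imported here so the builders above run without credentials
    # CLOUDFRONT-scoped Web ACLs are always created through the us-east-1 endpoint.
    wafv2 = boto3.client("wafv2", region_name="us-east-1")
    return wafv2.create_web_acl(Name=name, Scope="CLOUDFRONT", DefaultAction={"Allow": {}},
                                Rules=build_rules(), VisibilityConfig=_visibility(name))
```

Rules are evaluated in ascending priority, so the managed groups run before the geo rule here; reorder the priorities if you want the cheaper geo drop to happen first.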

Rate-Based Rules

"That stops the database attacks and the known bad actors," Timothy noted. "But what about the sheer volume of traffic? Those IPs are still sending thousands of requests per minute, trying to overwhelm the API."

"For that, we configure a Rate-Based Rule," Margaret said.

She added a new custom rule to the Web ACL. She configured it to track the originating IP address and set a limit of 100 requests per five-minute period.

"This rule explicitly tracks the rate of incoming requests," she explained. "If a single IP address exceeds 100 requests in a five-minute window, WAF automatically blocks all subsequent traffic from that IP. Once the attack stops and the IP's request rate falls back below the threshold, WAF lifts the block automatically."
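The rate-based rule Margaret configured, as an added example that is not the blog's or AWS's code, together with a small sliding-window model of the behaviour she describes: an IP is blocked while its request count in the trailing window exceeds the limit and is allowed again once the count falls back under it. The rule dict is the boto3 `wafv2` shape; the evaluator and the request log are constructed for illustration, and the real service evaluates on its own cadence rather than per request.

```python
"""Rate-based rule from the story plus a simplified model of its behaviour (added example)."""
from collections import deque

RATE_RULE = {
    "Name": "IpRateLimit", "Priority": 10,
    "Statement": {"RateBasedStatement": {
        "Limit": 100,                # requests per evaluation window, per source IP
        "EvaluationWindowSec": 300,  # five minutes (service accepts 60, 120, 300, 600)
        "AggregateKeyType": "IP"}},
    "Action": {"Block": {}},
    "VisibilityConfig": {"SampledRequestsEnabled": True,
                         "CloudWatchMetricsEnabled": True,
                         "MetricName": "IpRateLimit"}}


def evaluate(requests, rule=RATE_RULE):
    """requests: (epoch_seconds, client_ip) pairs in time order.
    Returns (ts, ip, 'ALLOW'|'BLOCK') per request using a trailing window:
    this is a teaching model, not the service's exact algorithm."""
    stmt = rule["Statement"]["RateBasedStatement"]
    limit, window = stmt["Limit"], stmt["EvaluationWindowSec"]
    recent = {}  # ip -> deque of timestamps still inside the window
    decisions = []
    for ts, ip in requests:
        q = recent.setdefault(ip, deque())
        q.append(ts)
        while q and ts - q[0] >= window:  # drop requests older than the window
            q.popleft()
        decisions.append((ts, ip, "BLOCK" if len(q) > limit else "ALLOW"))
    return decisions


def blocked_ips(decisions):
    return sorted({ip for _, ip, verdict in decisions if verdict == "BLOCK"})


FLOOD_IP, NORMAL_IP = "203.0.113.7", "198.51.100.20"  # constructed (documentation ranges)


def constructed_log():
    """Constructed sample: one IP sends 300 requests in its first minute, goes quiet,
    then returns at t=400; a normal client sends one request every 30 seconds."""
    flood = [(t // 5, FLOOD_IP) for t in range(300)]
    normal = [(t, NORMAL_IP) for t in range(0, 601, 30)]
    return sorted(flood + normal + [(400, FLOOD_IP)])


if __name__ == "__main__":
    for ts, ip, verdict in evaluate(constructed_log()):
        if verdict == "BLOCK" or ip == FLOOD_IP:
            print(ts, ip, verdict)
```

On this log the flooding IP's first 100 requests pass, the remaining 200 are blocked, and its request at t=400 is allowed again because the window has emptied.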

Volumetric Attacks and AWS Shield

Timothy watched the CloudWatch metrics. Within minutes of attaching the Web ACL to CloudFront, the malicious traffic flatlined. The managed rules were blocking the SQL injections, and the rate-based rule had blacklisted the flooding IPs.

"What happens if they launch a massive Distributed Denial of Service (DDoS) attack?" Timothy asked. "What if they send terabytes of junk network traffic to overwhelm the CloudFront Edge Locations entirely?"

"That is a Layer 3 and Layer 4 infrastructure attack," Margaret clarified. "And you are already protected. By default, every AWS customer benefits from AWS Shield Standard at no extra cost. It automatically detects and mitigates large-scale volumetric DDoS attacks at the AWS network edge. Shield handles the raw network floods, while WAF handles the intelligent, application-level threats."

Timothy updated his architecture diagram, drawing a solid security perimeter around his CloudFront distribution. The application was global, fast, and now securely filtered.


Key Concepts Introduced:

AWS WAF (Web Application Firewall) is a security service that operates at Layer 7 (the application layer) to protect web applications and APIs against common web exploits and malicious bots. By integrating WAF directly with Amazon CloudFront, malicious traffic is blocked at the global edge before it reaches backend compute resources, significantly reducing infrastructure costs and preventing database compromises.

The core component of WAF is the Web Access Control List (Web ACL), which acts as a container for security rules. Administrators can deploy Managed Rule Groups—curated and updated by AWS security experts—to automatically block threats like SQL Injection (SQLi), Cross-Site Scripting (XSS), and requests from known malicious IP addresses. Organizations can further refine their perimeter using Bot Control to manage scrapers and automated scripts, and Geographic Match Rules to drop traffic originating from unsupported countries.

To defend against application-layer floods and brute-force attacks, AWS WAF utilizes Rate-Based Rules. These rules dynamically track the request rate of individual IP addresses and temporarily block any IP that exceeds a defined threshold within a specific time window. For larger, infrastructure-level DDoS attacks (Layer 3 and Layer 4 network floods), AWS provides AWS Shield Standard, a free, automated threat mitigation service that defends the AWS global network perimeter by default for all customers.


Aaron Rose is a software engineer and technology writer at tech-reader.blog. For explainer videos and podcasts, check out the Tech-Reader YouTube channel.
