Week 6 - Day 4: AWS WAF and Shield
Learning objectives
- Understand WAF: filtering HTTP requests at Layer 7
- Distinguish Shield Standard vs Shield Advanced
- Understand Managed Rule Groups and Custom Rules
- Apply rate limiting and geo blocking
1. AWS WAF (Web Application Firewall)
Definition
WAF = Layer 7 firewall that protects web apps from common exploits (SQL injection, XSS, etc.).
Deploy targets
- CloudFront distribution (global)
- ALB (regional)
- API Gateway (regional)
- AppSync (regional)
- App Runner
- Cognito User Pool
- Verified Access
Key concepts
- Web ACL (Access Control List): container of rules
- Rules: define conditions to evaluate
- Rule Groups: collection of rules
- Actions: ALLOW, BLOCK, COUNT (monitor), CAPTCHA, Challenge
2. WAF Rules
Two types
Regular (simple) rules: IP-based / regex-based
- Block by IP, country, header, query string, body
Rate-based rules
- Block when single IP exceeds rate threshold (e.g., 1000 req/5 min)
- Use case: rate limiting, brute-force protection
Match conditions
- IP set: list of IPs/CIDRs
- Geographic match: country code
- String match: header, body, URI contains
- Regex match: pattern matching
- Size constraint: body length
- SQL injection match: detect SQLi patterns
- XSS match: detect XSS patterns
Example rule
Rule: BlockLargePayloads
Condition: Body size > 8 KB
Action: BLOCK
Rule: RateLimitByIP
Condition: Requests from single IP > 1000 in 5 min
Action: BLOCK (TTL 1 hour)
3. AWS Managed Rule Groups
Free tier (AWS Managed Rules)
- AWSManagedRulesCommonRuleSet: OWASP Top 10
- AWSManagedRulesKnownBadInputsRuleSet: known bad patterns
- AWSManagedRulesSQLiRuleSet: SQL injection
- AWSManagedRulesLinuxRuleSet: Linux-specific (LFI, etc.)
- AWSManagedRulesUnixRuleSet
- AWSManagedRulesWindowsRuleSet
- AWSManagedRulesAdminProtectionRuleSet: protect admin paths
- AWSManagedRulesAmazonIpReputationList: bad IPs list
Paid (AWS Marketplace)
- Third-party rules (Fortinet, F5, Imperva, Trend Micro)
- $/month subscription
4. WAF Workflow
Rule evaluation
- Rules evaluated in order of priority (lowest priority number first)
- First matching terminating action (ALLOW or BLOCK) wins; a COUNT match only records a metric and evaluation continues
- Default action (no rules match): ALLOW or BLOCK (configurable)
5. Common WAF Use Cases
Block SQL injection
Rule: SQLiProtection
Type: Managed Rule Group AWSManagedRulesSQLiRuleSet
Action: BLOCK
Geo blocking
Rule: BlockChinaRussia
Condition: Country IN [CN, RU]
Action: BLOCK
Rate limit per IP
Rule: RateLimit
Condition: 1000 req / 5 min from single IP
Action: BLOCK
Allow only specific IPs (admin endpoint)
Rule: AdminAccess
Condition: URI = /admin AND IP NOT IN allowlist
Action: BLOCK
Block bots
- AWS Managed Rule: Bot Control (paid)
- Distinguish good bots (Googlebot) from bad bots (scrapers)
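The use cases above expressed as AWS WAFv2 API rule structures, as an added example (not from the page or from AWS): the list returned by web_acl_rules() is the shape boto3's wafv2.create_web_acl / update_web_acl take for their Rules argument. ADMIN_IPSET_ARN is a placeholder for a real IP set ARN, and the managed rule group is deliberately started in COUNT mode (section 11).

```python
# Added example (not from the page or AWS): the page's rules as AWS WAFv2 API structures,
# usable as the Rules argument of boto3 wafv2.create_web_acl / update_web_acl.
# ADMIN_IPSET_ARN is a placeholder for a real IP set ARN holding the admin allowlist.
ADMIN_IPSET_ARN = "arn:aws:wafv2:REGION:ACCOUNT_ID:regional/ipset/admin-allowlist/IPSET_ID"

def visibility(name):
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": name}

def rate_limit_rule(priority, limit=1000):
    # Rate-based: more than `limit` requests from one IP in the 5-minute window WAF uses
    return {"Name": "RateLimitByIP", "Priority": priority,
            "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
            "Action": {"Block": {}}, "VisibilityConfig": visibility("RateLimitByIP")}

def geo_block_rule(priority, countries=("CN", "RU")):
    return {"Name": "BlockChinaRussia", "Priority": priority,
            "Statement": {"GeoMatchStatement": {"CountryCodes": list(countries)}},
            "Action": {"Block": {}}, "VisibilityConfig": visibility("BlockChinaRussia")}

def large_payload_rule(priority, max_bytes=8192):
    return {"Name": "BlockLargePayloads", "Priority": priority,
            "Statement": {"SizeConstraintStatement": {
                "FieldToMatch": {"Body": {}}, "ComparisonOperator": "GT", "Size": max_bytes,
                "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}},
            "Action": {"Block": {}}, "VisibilityConfig": visibility("BlockLargePayloads")}

def admin_allowlist_rule(priority, ipset_arn=ADMIN_IPSET_ARN):
    # URI starts with /admin AND source IP NOT in the allowlist IP set -> BLOCK
    # (boto3 expects SearchString as bytes)
    return {"Name": "AdminAccess", "Priority": priority,
            "Statement": {"AndStatement": {"Statements": [
                {"ByteMatchStatement": {"SearchString": b"/admin", "FieldToMatch": {"UriPath": {}},
                                        "PositionalConstraint": "STARTS_WITH",
                                        "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}]}},
                {"NotStatement": {"Statement": {"IPSetReferenceStatement": {"ARN": ipset_arn}}}}]}},
            "Action": {"Block": {}}, "VisibilityConfig": visibility("AdminAccess")}

def managed_rule(priority, name="AWSManagedRulesSQLiRuleSet", count_mode=False):
    # Managed groups take OverrideAction (not Action); Count puts the whole group in COUNT mode
    return {"Name": name, "Priority": priority,
            "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": name}},
            "OverrideAction": {"Count": {}} if count_mode else {"None": {}},
            "VisibilityConfig": visibility(name)}

def web_acl_rules():
    # Lower Priority evaluates first; the new managed group starts in COUNT mode (section 11)
    return [admin_allowlist_rule(0), large_payload_rule(1), rate_limit_rule(2),
            geo_block_rule(3), managed_rule(4, count_mode=True)]
```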
6. WAF Pricing
- $5/month per Web ACL
- $1/month per rule
- $0.60/million requests
- Bot Control: +$10/M requests (advanced)
Cost optimization
- Combine rules into rule groups
- Use AWS Managed Rule Groups (free included rules)
7. AWS Shield
Shield Standard
- Free, automatic for all AWS customers
- Protects against most common DDoS attacks (L3, L4):
  - SYN/UDP floods
  - Reflection attacks (NTP, DNS amplification)
- Always-on for CloudFront, Route 53
- Suitable for basic protection
Shield Advanced
- Paid: $3,000/month + data transfer fees
- Protects:
  - CloudFront, Route 53, Global Accelerator, ALB, NLB, EIP (EC2)
- Features:
  - Enhanced DDoS protection (Layer 3, 4, 7)
  - 24/7 DDoS Response Team (DRT) access
  - Cost protection: refund for scaling charges during an attack
  - Real-time attack visibility (CloudWatch metrics)
  - WAF included (no separate cost)
  - Application Layer (L7) protection with WAF auto-rules
  - Health check-based detection
When to use Shield Advanced
- Mission-critical apps
- History of DDoS attacks
- Regulatory requires DDoS protection
- Want financial protection from scaling costs
8. AWS Firewall Manager
Definition
Firewall Manager = centrally manage WAF, Shield, Security Groups and Network Firewall across multiple accounts (Organizations).
Characteristics
- Apply policies to all accounts / OUs in organization
- Auto-protect new resources created
- Compliance reporting
- Cost: $/policy/region/month
Use case
- Multi-account AWS Organization
- Enforce baseline security across all accounts
- Compliance (PCI, HIPAA across org)
9. AWS Network Firewall
Definition
Network Firewall = managed network firewall at the VPC level (L3-7), stateful inspection.
Characteristics
- Filter ingress/egress traffic at subnet/VPC level
- Supports Suricata-compatible rules (open source IDS/IPS)
- Stateful inspection
- Deep packet inspection
- Integration with Firewall Manager
Pricing
- ~$0.395/hour per firewall endpoint
- $0.065/GB data processed
Use case
- Centralized traffic inspection for VPCs
- Block egress to malicious domains
- Compliance requires network-level firewall
10. Security Service Layers
11. WAF Best Practices
- Start with COUNT mode to evaluate rules without blocking
- Use AWS Managed Rule Groups for baseline
- Add rate-based rules for brute-force protection
- Geo-block unnecessary countries
- Monitor with CloudWatch metrics (BlockedRequests, AllowedRequests)
- Centrally manage via Firewall Manager if multi-account
- Enable logging to Kinesis Firehose → S3 for analysis
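Once logging goes to S3, the records can be tallied to support two of the practices above: watching BlockedRequests per rule and per client IP, and checking how often a rule still in COUNT mode would have fired before switching it to BLOCK. The following is an added example, not the page's code; the log lines are constructed (the field names follow the AWS WAF log format, the values are made up).

```python
import json
from collections import Counter

# Constructed WAF log records (added example): one JSON record per line, as Firehose writes
# them to S3. Field names follow the AWS WAF log format; IPs and rule names are made up.
def _rec(action, rule, ip, country, uri, counted=()):
    return {"action": action, "terminatingRuleId": rule,
            "nonTerminatingMatchingRules": [{"ruleId": r, "action": "COUNT"} for r in counted],
            "httpRequest": {"clientIp": ip, "country": country, "uri": uri}}

SAMPLE_LOGS = "\n".join(json.dumps(r) for r in [
    *[_rec("BLOCK", "RateLimitByIP", "192.0.2.5", "US", "/login")] * 3,
    _rec("BLOCK", "AdminAccess", "198.51.100.7", "DE", "/admin"),
    _rec("ALLOW", "Default_Action", "203.0.113.44", "RU", "/", counted=("GeoCount",)),
    _rec("ALLOW", "Default_Action", "203.0.113.9", "FR", "/products"),
])

def analyze(lines):
    """Tally blocks per terminating rule and per client IP, plus COUNT-mode matches per rule."""
    blocked_by_rule, blocked_by_ip, counted = Counter(), Counter(), Counter()
    for line in lines.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ip = rec["httpRequest"]["clientIp"]
        if rec["action"] == "BLOCK":
            blocked_by_rule[rec["terminatingRuleId"]] += 1
            blocked_by_ip[ip] += 1
        for m in rec.get("nonTerminatingMatchingRules", []):
            if m["action"] == "COUNT":      # rule still in COUNT mode: would it have blocked?
                counted[m["ruleId"]] += 1
    return blocked_by_rule, blocked_by_ip, counted

def noisy_ips(blocked_by_ip, threshold=3):
    """IPs blocked at least `threshold` times in the batch: candidates for an alarm or an IP set."""
    return sorted(ip for ip, n in blocked_by_ip.items() if n >= threshold)

if __name__ == "__main__":
    by_rule, by_ip, counted = analyze(SAMPLE_LOGS)
    print("blocked per rule:", dict(by_rule))
    print("COUNT-mode matches:", dict(counted))
    print("noisy IPs:", noisy_ips(by_ip))
```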
12. Common Patterns
Pattern 1: E-commerce site
- CloudFront + WAF (managed rules + rate limit)
- Shield Standard (free)
- ALB → EC2
Pattern 2: API protection
- CloudFront + API Gateway + WAF
- Rate limit per API key
- IP allowlist for partners
Pattern 3: High-value target (gov, financial)
- CloudFront + WAF + Shield Advanced
- DRT on-call
- 24/7 monitoring
Review questions
- Which targets can WAF be deployed on?
  Answer: WAF (Web Application Firewall) can be deployed on: CloudFront, ALB (Application Load Balancer), API Gateway, AppSync GraphQL API, Cognito User Pool. It cannot be deployed on NLB (Layer 4) or CLB. WAF operates at Layer 7, inspecting HTTP/HTTPS requests. WAF for CloudFront is global; WAF for ALB/API GW is regional.
- Is Shield Standard free? Which layers does it protect?
  Answer: Free and automatic for all AWS customers. Protects at Layer 3 and Layer 4 (network + transport): volumetric attacks (UDP floods, SYN floods, reflection attacks). Protects all Edge Locations (CloudFront, Route 53, Global Accelerator). Does not protect Layer 7 (HTTP floods, application-level DDoS); WAF and Shield Advanced are needed for that.
- How much does Shield Advanced cost per month?
  Answer: $3,000/month per organization (not per account). Includes: 24/7 DDoS Response Team (DRT) support, financial reimbursement for DDoS-caused AWS cost spikes, automatic application layer attack detection + response (WAF rules auto-created), and protection for EC2, ELB, CloudFront, Route 53, Global Accelerator. Reasonable for enterprises with business-critical applications.
- What is a rate-based rule in WAF used for?
  Answer: A rate-based rule blocks or challenges requests from a single IP when it exceeds a request-rate threshold within 5 minutes. Example: block an IP sending > 1000 requests/5 minutes. Used to prevent brute-force attacks, credential stuffing, scraping, Layer 7 DDoS. Can aggregate by IP, forwarded IP, or any aggregation key. The rule automatically unblocks the IP when the rate drops below the threshold.
- How does AWS Firewall Manager differ from the WAF console?
  Answer: Firewall Manager is centralized management for multiple accounts in AWS Organizations: deploy and enforce WAF rules, Shield Advanced protections, Security Groups and Network Firewall policies across all accounts from one place. The WAF console only manages WAF within a single account. Firewall Manager suits enterprises with many accounts that need consistent security policies; it automatically applies rules to new accounts/resources.
Hands-on exercises
- Create a Web ACL with the managed rule group AWSManagedRulesCommonRuleSet and attach it to an ALB
- Add a custom rule: rate limit 100 req/5 min per IP
- Add a geo block: deny country code XX
- Test with a simulated SQL injection request (should be blocked)
- Set up a CloudWatch alarm for when BlockedRequests spikes
- (Optional) Test with Firewall Manager (requires an Organization)
Official reference documentation
Next: GuardDuty, Inspector, Macie