AWS Web Application Firewall - WAF Test

AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources.

AWS WAF gives you control over which traffic to allow or block to your web applications by defining customizable web security rules. A rule identifies the requests that you want to allow, block, or count. You can add one or more rules to a WebACL, and associate each rule with an action (allow/block/count) - for example, block requests from specified IP addresses or block requests from specified referrers. You also need to specify a default action for a WebACL. You can then associate the WebACL with an Amazon CloudFront distribution or an Application Load Balancer (ALB) - services that AWS customers commonly use to deliver content for their websites and applications. These services receive requests for your web sites and forwards those requests to AWS WAF for inspection against the rules configured in the WebACL. If you add more than one rule to a WebACL, a request needs to match only one of the specifications to be allowed, blocked, or counted. Once a request meets one of the conditions defined in your rules, AWS WAF instructs the underlying service to either block or allow the request based on the action you define.

Periodically, administrators must track the requests allowed and/or blocked to understand whether/not your web aplications/sites are well-protected against malicious attacks. In the process, administrators can isolate ineffective or incorrectly configured rules/WebACLs and the security threats they pose. Administrators can then proceed to fine-tune these rules/WebACLs, so that their mission-critical applications are more secure. This is where, the AWS WAF Test helps!

By default, this test automatically discovers the rules configured in the AWS Web Application Firewall. For each rule, the test reports the count of requests that fulfill at least one of the specifications of that rule and that have been allowed and/or blocked as per that rule. This will enable administrators to figure out how many requests are allowed and/or blocked by each rule, and in the process, identify those rules that may have been configured incorrectly (eg., rules that were defined to block certain requests, but are allowing them), and/or poorly (eg., rules that are blocking less requests than they should). Such rules are candidates for deletion or fine-tuning.

You can optionally configure this test to report metrics for each WebACL. By comparing the measures reported by this test across WebACLs, administrators can rapidly identify WebACLs that may have to be reconfigured.

Target of the test: Amazon EC2 Cloud

Agent deploying the test : A remote agent

Outputs of the test : One set of results for each rule / WebACL, depending upon the option chosen from the WAF Filter Name parameter

Configurable parameters for the test
Parameter Description

Test Period

How often should the test be executed.

Host

The host for which the test is to be configured.

AWS Access Key, AWS Secret Key, Confirm AWS Access Key, Confirm AWS Secret Key

To monitor an Amazon EC2 instance, the eG agent has to be configured with the access key and secret key of a user with a valid AWS account. For this purpose, we recommend that you create a special user on the AWS cloud, obtain the access and secret keys of this user, and configure this test with these keys. The procedure for this has been detailed in the Obtaining an Access key and Secret key topic. Make sure you reconfirm the access and secret keys you provide here by retyping it in the corresponding Confirm text boxes.

Proxy Host and Proxy Port

In some environments, all communication with the AWS EC2 cloud and its regions could be routed through a proxy server. In such environments, you should make sure that the eG agent connects to the cloud via the proxy server and collects metrics. To enable metrics collection via a proxy, specify the IP address of the proxy server and the port at which the server listens against the Proxy Host and Proxy Port parameters. By default, these parameters are set to none , indicating that the eG agent is not configured to communicate via a proxy, by default.

Proxy User Name, Proxy Password, and Confirm Password

If the proxy server requires authentication, then, specify a valid proxy user name and password in the Proxy User Name and Proxy Password parameters, respectively. Then, confirm the password by retyping it in the Confirm Password text box. By default, these parameters are set to none, indicating that the proxy sever does not require authentication by default.

Proxy Domain and Proxy Workstation

If a Windows NTLM proxy is to be configured for use, then additionally, you will have to configure the Windows domain name and the Windows workstation name required for the same against the Proxy Domain and Proxy Workstation parameters. If the environment does not support a Windows NTLM proxy, set these parameters to none.

Exclude Region

Here, you can provide a comma-separated list of region names or patterns of region names that you do not want to monitor. For instance, to exclude regions with names that contain 'east' and 'west' from monitoring, your specification should be: *east*,*west*

WAF Filter Name

By default, this parameter is set to Rule. In this case therefore, the test will report metrics for each rule that is configured. To override this default setting, you can pick the WebACL option from this drop-down. In this case, this test will report metrics per WebACL.

Measurements made by the test
Measurement Description Measurement Unit Interpretation

Allowed web requests

By default, this measure represents the number of web requests that this rule allowed.

If you set the WAF Filter Name parameter to WebACL, then this measure represents the total number of web requests that all rules in this WebACL allowed.

Number

If a request fulfills at least one specification of a rule/WebACL and is allowed as per that specification, then such a request is counted as an 'Allowed web request'.

If a rule/WebACL allows more requests than it should, then you can take that rule/WebACL up for closer scrutiny and make changes to that rule/WebACL (if required).

Blocked web requests

By default, this measure represents the number of web requests that this rule blocked.

If you set the WAF Filter Name parameter to WebACL, then this measure represents the total number of web requests that all rules in this WebACL blocked.

Number

If a request fulfills at least one specification of a rule/WebACL and is blocked as per that specification, then such a request is counted as a 'Blocked web request'.

If a rule/WebACL blocks less/more requests than it should, then you can take that rule/WebACL up for closer scrutiny and make changes to that rule/WebACL (if required).

Counted web requests

By default, this measure represents the number of web requests that fulfill all specifications of this rule.

If you set the WAF Filter Name parameter to WebACL, then this measure represents the total number of web requests that fulfill all specifications of all the rules in this WebACL.

Number