AWS Web Application Firewall (WAF) Full Tutorial | Learn AWS Security Now!
Loi Liang Yang2022-03-05
hacker#hacking#cracker#cracking#kali linux#kali#metasploit#ethical hacking#ethical hacker#penetration testing#penetration tester#owasp#aws#waf
68K views|2 years ago
💫 Short Summary
The video provides detailed insights on preventing hacking through AWS Web Application Firewall, covering various threats like SQL injection and cross-site scripting. It emphasizes creating web access control lists, managing rule groups, and setting up defense mechanisms. The importance of continuous evaluation, rule prioritization, and using AWS WAF Manager for scalable protection is highlighted. The video also stresses the significance of rectifying incorrect rules promptly and ensuring compliance for securing applications effectively on AWS.
✨ Highlights
📊 Transcript
✦
Preventing hackers from gaining access to your website using AWS WAF.
00:15 Importance of cloud security and defense mechanisms against hacking techniques like SQL injection, cross-site scripting, and cross-site request forgery.
Emphasis on the need for protection against threats with the growing use of cloud services like AWS.
Insights on AWS security architecture, including internet access, application load balancers, and EC2 instances.
✦
Features of AWS Web Application Firewall (WAF) and its integration with ALB and EC2 instances.
04:17 WAF allows for scalable protection based on demand without altering routing configurations.
The segment highlights the use of web access control lists and CloudFront for regional and global protection.
Demonstrates seamless integration of cloud-native security features for efficient defense against cyber threats.
✦
Creating web access control lists for resources like CloudFront distributions and application load balancers.
06:32 Ability to add custom rules and manage rule groups.
Setting web capacity unit limits for inspection rules and defining conditional statements for protection.
Default action options for requests that don't match any rules: allow or block.
Insights on creating a secure environment by implementing conditional statements and actions.
✦
Handling bad payloads in web security.
08:58 Rules are established to handle bad payloads like SQL injection and cross-site scripting.
Requests that do not match the payloads are allowed by default, while those that match are blocked.
Custom headers can be added to requests and priorities can be set for rule inspection.
Web access control lists are created to monitor incoming requests, identify allowed and blocked ones, triggered rules, and sample requests.
✦
Importance of security controls in protecting applications from threats.
12:26 Analyzing header values for malicious payloads and investigating blocked requests to understand attackers' motives.
Adding rules to web access control lists and inspecting request bodies up to 8 KB.
Blocking bad bots consuming resources and utilizing AWS managed rule groups for admin protection.
Reference to a recent publication on the top ten security threats by the Open Web Application Security Project.
✦
Managed rule groups mapped to the OWASP Top 10 and to specific platforms.
14:28 Explanation of the known bad inputs, Linux operating system, SQL database, and WordPress application rule groups.
Insights on enabling and managing SQL injection rules.
Details on blocking and detecting query arguments, body checks, and more.
Importance of creating IP sets and web access control lists to manage incoming requests.
✦
Using IP sets in AWS WAF for blocking bad IPs and allowing good IPs access.
18:32 Bad IPs can be identified through threat intel feeds and added to the bad IP set.
Good IPs, like partner servers, can be added to the good IP set for communication.
Setting rule priorities and creating rules for conditions such as SQL injection.
Utilizing rate-based rules to block excessive requests and potentially prevent DDoS attacks.
✦
Defending against DDoS attacks using rate-based and regular rules with Application Load Balancers (ALB).
21:55 Rate-based rules can limit requests and block malicious IP addresses.
Regular rules can help in blocking potential threats like SQL injection attacks based on specific headers, query parameters, or user agents.
Adding rules to web access control lists can enhance security measures.
Creating rule groups for managing multiple ACLs efficiently improves overall defense mechanisms.
✦
Creating rules for web ACLs to prevent SQL injection attacks.
23:28 Rule groups can be applied to multiple applications and web access control lists for easy management.
Setting up CloudWatch metrics, creating custom responses, and saving rules to the web access control list are part of the process.
Emphasizes routing traffic through the WAF for protection and tips for configuring security groups for the application load balancer.
✦
Accessing the EC2 virtual server and the importance of using a stateful firewall.
26:23 Emphasis on using the Application Load Balancer (ALB) DNS name to access resources securely.
Using Burp Suite as a proxy for testing and modifying requests, focusing on web access control and testing rules.
Explaining terminating and non-terminating rules and their impact on subsequent actions based on rule matches.
Demonstration includes changing user agents and testing rules for proper functionality.
✦
Importance of rule evaluation logic in cybersecurity.
29:51 Continuous evaluation is necessary even after passing a CAPTCHA check.
Rule evaluation against human actors and prioritization based on IP addresses.
Highlight on using AWS WAF Manager to propagate rules across different types of resources in multiple accounts.
Efficient and effective security measures can be implemented across various accounts and resources.
✦
Importance of AWS security in protecting applications from hackers.
32:30 Emphasized the need to rectify incorrect rules promptly to prevent security breaches.
Valuable insights provided on AWS WAF and securing applications on the cloud.
Significance of compliance and notification for account owners highlighted.
Segment offered a glimpse into effective application security on AWS.
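The highlights above describe the pieces the video assembles into one web ACL: an IP set rule that lets approved addresses through first, a rate-based rule, a regular rule that checks the User-Agent header for SQL injection, a rule group overridden to count, rule priorities, and the default action. The following Python model is added here as an illustration and is not code from the video or from AWS; it simulates the evaluation order those highlights describe (lowest priority number first, allow/block terminating, count non-terminating, default action when nothing terminating matches). The IP ranges, the rate limit, the SQLi signature and the rule names are constructed stand-ins, and the per-IP counter is a simplification of WAF's trailing five-minute window.

```python
"""Model of AWS WAF web ACL rule evaluation (educational, not AWS code).

Rules run from the lowest priority number upward.  ALLOW and BLOCK are
terminating actions: evaluation stops at the first match.  COUNT is
non-terminating: the match is recorded and evaluation continues.  If no
terminating rule matches, the web ACL's default action decides.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable


@dataclass
class Request:
    src_ip: str
    uri: str
    headers: dict  # header names assumed lower-cased, as constructed below


@dataclass
class Rule:
    name: str
    priority: int
    action: str  # "ALLOW" | "BLOCK" | "COUNT"
    matches: Callable[["Request", "WebAcl"], bool]


# Constructed SQL-injection signature; stands in for the managed SQLi rule set.
SQLI_PATTERN = re.compile(r"(?i)(\bunion\b.*\bselect\b|\bor\b\s+1\s*=\s*1|'\s*--)")


class WebAcl:
    def __init__(self, default_action: str, rules: list[Rule], rate_limit: int):
        self.default_action = default_action
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.rate_limit = rate_limit
        # Per-source-IP counter; a simplification of WAF's trailing 5-minute window.
        self.request_counts: dict[str, int] = defaultdict(int)

    def evaluate(self, req: Request) -> tuple[str, list[tuple[str, str]]]:
        """Return (final action, list of (rule name, rule action) that matched)."""
        self.request_counts[req.src_ip] += 1
        matched: list[tuple[str, str]] = []
        for rule in self.rules:
            if not rule.matches(req, self):
                continue
            matched.append((rule.name, rule.action))
            if rule.action in ("ALLOW", "BLOCK"):
                return rule.action, matched  # terminating rule: stop here
        return self.default_action, matched  # only COUNT matches, or none at all


def build_wordpress_acl(approved_cidrs: list[str], rate_limit: int = 100) -> WebAcl:
    """Build a web ACL in the priority order the video sets up (hypothetical names)."""
    approved = [ip_network(c) for c in approved_cidrs]

    def in_good_ip_set(req: Request, _acl: WebAcl) -> bool:
        return any(ip_address(req.src_ip) in net for net in approved)

    def over_rate_limit(req: Request, acl: WebAcl) -> bool:
        return acl.request_counts[req.src_ip] > acl.rate_limit

    def sqli_in_user_agent(req: Request, _acl: WebAcl) -> bool:
        return bool(SQLI_PATTERN.search(req.headers.get("user-agent", "")))

    def admin_path(req: Request, _acl: WebAcl) -> bool:
        return req.uri.startswith("/wp-admin")

    return WebAcl(
        default_action="ALLOW",
        rules=[
            Rule("good-ip", 0, "ALLOW", in_good_ip_set),      # approved IPs skip all later checks
            Rule("rate-limit", 1, "BLOCK", over_rate_limit),  # rate-based rule
            Rule("sqli-user-agent", 2, "BLOCK", sqli_in_user_agent),
            Rule("admin-count", 3, "COUNT", admin_path),      # rule group overridden to count
        ],
        rate_limit=rate_limit,
    )


if __name__ == "__main__":
    # Constructed sample traffic: one approved /32 (as in the video) and two other sources.
    acl = build_wordpress_acl(["203.0.113.10/32"], rate_limit=5)
    injected = {"user-agent": "Mozilla/5.0' OR 1=1 --"}
    print(acl.evaluate(Request("203.0.113.10", "/", injected)))          # good IP wins first
    print(acl.evaluate(Request("198.51.100.7", "/", injected)))          # blocked by SQLi rule
    print(acl.evaluate(Request("198.51.100.7", "/wp-admin/", {"user-agent": "curl/8.0"})))
    for _ in range(6):                                                   # sixth request trips the limit
        print(acl.evaluate(Request("192.0.2.9", "/", {"user-agent": "curl/8.0"}))[0])
```

The third call shows the non-terminating case: the count rule matches but the request still falls through to the default action.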
00:00yes you can't stop hacker a lot from
00:01gaining access into your website or web
00:03application service by using aws web
00:06application firewall or short form for
00:08aws waff so whether you're trying to
00:10stop a hacker or whether you are trying
00:12to learn about cloud security this is
00:14going to be the video where we'll deep
00:15dive on the ways hackers utilize
00:18different type of hacking techniques to
00:19gain access into your server and at the
00:21same time we'll learn about the rules
00:22that we can create as part of inspecting
00:25all these different type of threats that
00:26are coming into environment and stopping
00:28them be able to understand and analyze
00:30them and then be able to block out all
00:32these hackers from getting unauthorized
00:34access into your site
00:41[Music]
00:50and you would have learned from this
00:51channel about sql injection cross-site
00:53scripting cross-site requests for audrey
00:54and all these are different type of
00:56risks that your application is going to
00:58face the moment they're open up to the
00:59internet so we'll learn exactly what we
01:01can do to defend against these type of
01:03threats so before we get started smash
01:05the like button turn on notifications so
01:07that you don't get hacked and yes that's
01:09right you got to learn about aws
01:10security right now this is because
01:12everyone is moving to the cloud and with
01:14the cloud you can quickly instantiate
01:15resources in seconds while you could
01:17literally open up a call linux server
01:19onto aws in seconds and after which you
01:22can remotely connect to it and start
01:24running all this ethical hacking
01:25penetration testing within aws so in
01:28terms of architecture this is how it's
01:29going to look like so first of all you
01:31have what we call the internet right so
01:33this is going to be the place all the
01:34location where anyone will be able to
01:36access into your app and the second part
01:38of all you have what we call the
01:39application load balancer so i'm going
01:41to put this here as alb so this is where
01:44we can route different types of requests
01:46to different types of backend resources
01:48that you have and in this case we're
01:50going to have something called an ec2
01:51which is a virtual server for us all
01:53right so here we have a virtual server
01:55so this ultimately allows us the ability
01:57to send traffic from the internet to the
01:59application of the balancer and then
02:01targeted to what's the ec2 instance so
02:03this gives us the ability to have those
02:05traffic access back into the web server
02:08and then after which will be able to
02:09access into the site so what you don't
02:11believe this is going to be architecture
02:12so well let me show you just that so
02:14right in front of us i am on our aws
02:16console so in this case we have the
02:18following all right so you have the
02:20instant summary so here in this case we
02:21have a wordpress ec2 virtual server
02:24that's running on linux and we have of
02:26course like the for example the public
02:28ip address and of course in this case we
02:30also have an application load balancer
02:32and you can easily find this likewise
02:34under the ec2 service and on the left
02:36side you can see the following over here
02:38right so with the load balancer to go
02:39ahead and just click onto it so once you
02:42click onto the load balancer you can see
02:43that we have the following load balancer
02:45right here okay so this is the dns name
02:47right so the dns name will be the target
02:49all right so in this case for the dns
02:51name all right we will be associating
02:53this application load balancer to a aws
02:57web web access controller so that we can
02:59begin the protection of this application
03:01load balancer so what you can see here
03:03right now is that if i jump over
03:05all right we can see the listeners all
03:06right so in this case we have port 80
03:08and of course at the same time we're
03:09monitoring that is you can see all the
03:11responses the requests that are coming
03:13in so all these are directly from my own
03:16access into the site right and of course
03:18at the same time you can go ahead and
03:20click on target groups and in target
03:21groups you can see the following over
03:22here we have a wordpress group you can
03:24select onto it and you can see the
03:26targets so in this case we have the
03:28target of the instance all right so you
03:30can see the instance id over here and
03:31that will bring us back over to the
03:33virtual server that i've shown you
03:34earlier all right and you can see the
03:36health status so in this case we have
03:38the health status of healthy so we are
03:40able to from the application load
03:42balancer connect over into the ec2
03:44virtual server so right in front of us
03:45we have awesome right so from aws web
03:48you can see all of the major features
03:50that's available for us so here we have
03:52web access control list with bot control
03:54we have application integration via
03:56software development kits ip addresses
03:58or ip sets regular expression pattern
04:00set rule groups and marketplace where
04:02you can access into some of these
04:04managed rules for you so you don't have
04:05to build them yourself especially if
04:08time is of essence and you want to
04:09quickly outsource some of the defenses
04:12over into perhaps some of these managed
04:13rules that were explained in a brief
04:15moment okay so now you probably have a
04:16question like what's the difference
04:17between an on-premise web application
04:19firewall as well as the one that's
04:21available on aws web as a cloud-native
04:24web application firewall well here's the
04:26really beautiful part about aws wav all
04:28right there's several things we can
04:29think about when using aws cloud native
04:32web all right so the beauty of this is
04:34that we are able to scale as we grow all
04:36right so here again we have the internet
04:38the internet where hackers were good
04:40guys and bad guys can both access into
04:42your resources and of course right in
04:44the middle it could be your application
04:45load balancer so in this case i'm
04:47putting alb and of course ultimately on
04:48the right side we have ec2 instances so
04:50you can you can have multiple of this
04:52all right so you could have multiple
04:53servers running so that you can then be
04:55able to scale your workload as all this
04:58traffic comes in and as more demand
04:59comes in you'll be able to then surf all
05:01right multiple of this request over into
05:04several of these ec2 instances all this
05:06other traffic they're coming in okay and
05:08the beauty of this now is that you can
05:09have edibles waf over here all right so
05:11you have wav and you can now directly
05:12associate it into the alb without having
05:15to change any of the routing
05:17configuration having to change anything
05:18on your application and because all this
05:20are integrated directly in the cloud so
05:23that you can save a lot of time and you
05:25can scale the protection depending on
05:27the demand that is coming in to
05:28different parts of your site so the
05:30first thing you want to use is of course
05:31on web access control list so once you
05:33clicked onto it do note that web is a
05:35regional service so you have to go to
05:37weather region of your application load
05:39balancer or perhaps in this case you
05:41could have a content delivery or
05:43distribution network called cloudfront
05:45and in that case you want to select on
05:46the global cloud front in order to have
05:48those web access control lists be able
05:51to be associated with the specific
05:53resources so that you can begin the
05:54protection of them so right in front of
05:56us i've created a wordpress access
05:58controller so in this case you already
05:59know what's behind in terms of the ect
06:02virtual server that i run and is running
06:04of course on wordpress as a content
06:06management system and you can have
06:07multiple web access controllers to be
06:09associated with the different type of
06:10resources that you have and specifically
06:13a lot of the times you have to have a
06:16web access control list that is targeted
06:18towards a specific application however
06:20there could be cases where you have
06:21applications that are fairly similar and
06:23that they are also in this case are
06:25using say wordpress as a content
06:27management system then yes you could
06:28possibly have web access controllers
06:30associated with multiple of these
06:32different resources so in this case i'm
06:34going to show you how you can easily
06:35create a web access control list by
06:37clicking on create web acl and right
06:39here you can give it a name so in this
06:41case i can enter say for example prop
06:43web acl all right so this could be one
06:46of the name for it and the good part is
06:48you get clockwatch metric name for it
06:50okay so in this case it means that
06:51anytime certain specific rules get
06:53triggered all right you can get a
06:55notification by having say specific
06:57alarms being tied to sort of metrics
06:59that you have created
07:00and then here in this case all right
07:02what is the type of resource that we
07:04want to associate with this web access
07:06control list so we have several options
07:07for us in fact four options available
07:09one is cloudfront distributions number
07:12two our regional resources like
07:13application load balancer application
07:16programming interface gateway as well as
07:17aws appsync and of course the region
07:19you're operating on and the resources
07:21that you want to add to be associated
07:23okay so go ahead and click under next
07:26and once you're done over here you can
07:27see the following all these rules that
07:29you want to create to be part of the web
07:31access controllers and you can edit and
07:33update them later on even after the web
07:35acl has been created okay so there are
07:38two main type of rules that we can look
07:39at one are what we call manage rule
07:42groups all right so this are roots where
07:43you can subscribe to and then after
07:45which all those protection will come
07:46into place and you will be able to
07:49defend your applications using those
07:51rules that are managed for you so you
07:53don't have to worry about the text
07:54transformation the type of signatures
07:56you're looking for in order protect it
07:58the second part of all is add my own
08:00rules and rule groups so this is the
08:02part where you can create your own
08:04conditional statements your inspection
08:05rules and then be able to define what
08:07actions you want to take as well in
08:09order to be able to have those
08:11protection being placed against those
08:13resources the other part you want to
08:14look at is in terms of the root capacity
08:16right the root capacity state that if
08:18you're multiple condition statements you
08:20cannot exceed 1500 web capacity unit the
08:23reason is because it does require
08:25compute in order to go to the inspection
08:27rule so that's why for each of the web
08:29access controllers you're under
08:311500 web capacity unit and then finally
08:34in terms of the rest of it where you
08:36have the default web acl action for
08:37request and don't match any rules so in
08:39this case we have a default action of
08:41allow and there's another option
08:43available for us all right so here we
08:45have one is allow and number two which
08:47is on block so what's the difference
08:48between specifying a default action as
08:50allow and default action as a block so
08:53when should you allow so if you're using
08:54allow as the default action then what
08:57you want to do then is to think about
08:58all right what are the bad payloads that
09:00can be coming and say for example your
09:02sql injection where hackers are trying
09:04to gain access into your backend
09:06resources as well as say for example
09:08your cross-site scripting all right
09:10where hackers are trying to inject their
09:11own script into your site right so in
09:13that case if we don't find a match then
09:16we allow all right meaning that the
09:17request will now be allowed to gain
09:20access into the backend resources for
09:22the other example all right if in this
09:24case where you have an expected payload
09:26to come in say for example you have a
09:27product id from 1 to 99 and if it
09:30matches then yes all right the rule will
09:32then allow this specific request to go
09:34to however if it does not then it's
09:36going to default to block blocking those
09:38requests because someone decided to send
09:40say 101 is a product id 102 as a product
09:43id which is outside of your range so in
09:45this case we are going to inspect for
09:47bad malicious payload is coming in so
09:50and then after which if it doesn't match
09:51then yes we are going to allow the
09:53default action to allow right and
09:55likewise we have the custom request
09:57option available all right so in this
09:58case what it's going to do is it's going
10:00to add x am zac n w a f
10:03all right so this allows us to add
10:05additional headers as part of a request
10:07so now with that let's go ahead and
10:08click on the next and then of course in
10:10this case we can set root priorities
10:11which one is going to be inspected first
10:13second third and so on so depending on
10:15the priority of it you can set those
10:17rules so let's go ahead and click next
10:18on this so what we are doing here is
10:20quickly creating all right several of
10:22these types of web access control lists
10:24and in this case we can also have sample
10:25requests coming in so we can click on
10:27next and then of course you can review
10:29and then create the web acl so pretty
10:30easy in terms of creating web access
10:32control lists
10:33so what i have done here is you can see
10:35the following you successfully created
10:36web across web acl and what we're going
10:39to do now is go ahead and take a look at
10:40say wordpress acl all right so let's go
10:42ahead and click on it and once you
10:44clicked on it over here you can see the
10:46following tabs all right so we have
10:47overview rules bot control associated
10:49with resources custom response logging
10:51metrics as well as cloudwatch login
10:53sites so if you're sending your logs
10:55over to cloudwatch then you can actually
10:57enable cloudwatch login sites to be
10:59available and accessible directly from
11:01the web access control list so right
11:02here you can see the following we have
11:04requests per five minute period and we
11:05can see the following all right all
11:07these are the requests they're coming
11:08into your server all right and you can
11:09see which one of them are allowed which
11:11one of them are actually getting blocked
11:13which of these rules have been triggered
11:15and as you scroll down further you can
11:16also have sample requests that are
11:18coming in to see what are some of the
11:19different accesses that are going in to
11:21the site of course in this case you can
11:23see that there is someone coming from a
11:25source ip from singapore yes i'm located
11:27out of singapore and you're able to see
11:29that ip address over here so you can go
11:31ahead and click under the uri path so
11:33clicked on it and you'll see the
11:34following sample requests all right so
11:36this are not all the requests are coming
11:38okay so we can see for example get host
11:41user agent we can see all these
11:43different header values so you can do
11:44your analysis looking out for specific
11:46type of bad payloads that may be hitting
11:49into your application load balancer in
11:51this case okay and likewise we could
11:53possibly look at some of the blocked
11:54requests that are hitting our resources
11:57so that we can investigate all right
11:58what are these threat actors trying to
12:00do with our resources and right here
12:02right as i screw up further this is
12:04going to be the main part of things so
12:06under the ruse so all these are the
12:07routes that you can easily add into your
12:08web access control list all right so all
12:10you got to do in this case you can say
12:12for example click under add rules and
12:14you have two options available either
12:16manage rule groups or your own rules and
12:18rule groups that you want to craft so
12:19your conditional statements your checks
12:21so let's go ahead and click under add
12:23manage rule groups okay so here in this
12:26case we have several options available
12:28for us and since this is also
12:30highlighted i just want to address this
12:32a little earlier all right so this part
12:34meant that we can inspect the body of
12:36the request so as the request is coming
12:38in we can inspect up to eight kilobyte
12:40of the body request okay so if you're
12:42expecting a slightly bigger payload
12:43maybe it is in a json format all right
12:46you are able to look into those request
12:48body okay and
12:50what you cannot see though is under the
12:52logging part of it because request body
12:53can be fairly huge so you have multiple
12:55requests millions of requests per day
12:57chances are the request body is going to
13:00add up significantly over time to your
13:01logs okay so inspection yes logging for
13:05awswaft the answer is no moving forward
13:07you can see here we have aws manage rule
13:10groups so there are two components or
13:11two segments to it all right one are
13:13what we call the pay rule groups all
13:15right so this is where you can take a
13:17look at someone trying to do an account
13:19takeover inside your site so you can
13:20easily click onto this to enable it into
13:23the web access control list the second
13:25part you can look at bot control so
13:27there are two types of bots the bad boss
13:28as well as the good bots so in this case
13:30we can quickly block away those bad bots
13:32who can be consuming excessively on your
13:34resources and then not giving legitimate
13:36users the ability to access your
13:38resources so you can quickly block out
13:40those bad bots that could be trying to
13:42download your site they could be trying
13:44to crawl into your site finding
13:45different types of directories and so on
13:47next up are what we call the free rule
13:49groups all right so in this case we can
13:51have admin protection right so if you
13:53know there are certain admin pages for
13:54your site we have reputation lists from
13:56amazon we have anonymous ip lists so
13:58people who are coming in from vpn proxy
14:00tour notes and all of this we can very
14:02quickly be able to block them out all
14:04right core ruleset is where you're
14:06trying to associate the protection
14:08against those that are described in open
14:10web application security project
14:12publication so in terms of the top ten
14:14all right so there's a new publication
14:16about three or four months back and
14:17that's something really interesting to
14:18take a look at especially if you are a
14:20application developer or you are part of
14:22infrastructure team the security team
14:23and you want to protect your
14:24applications you want to have those
14:27security controls that are mapped back
14:28to the top 10 risks on ow asp
14:31known bad inputs linux operating system
14:34all right sql database and wordpress
14:36application if you're running wordpress
14:37on the backend so let's go ahead and
14:39enable say for example in this case we
14:40can sql database all right so once you
14:43enable it you can click under edit and
14:45from edit you can see the capacity right
14:47that will be consumed and you have
14:49versioning enabled all right so so you
14:50have versions available for it and you
14:52can easily select all right a
14:53subscription to a simple notification
14:55service so that from here you'll be able
14:57to get notified so whenever new version
14:59is available you can get a notification
15:01for it and let's just scroll down
15:02further all right this are the rules
15:04that are going to be checked as a result
15:06of turning on sql injection manage rules
15:09so in this case right we can have query
15:10arguments check body check cookie uri
15:13path and there's one part of it called
15:15the rule action so what exactly is the
15:17rule action trying to do so what it is
15:20going to do is to block anytime it
15:22detects any of this all right within the
15:24request and of course at the same time
15:26you can also have scope down statement
15:28so scope down statement enable and give
15:30us the ability all right to specify
15:32where exactly you could be capturing
15:34those sql requests coming in and you
15:37want to block and stop those type of sql
15:39injection that coming in into your site
15:41all right and finally you can easily do
15:43a override of the entire rule group by
15:45selecting over here to count okay so
15:48once you are done with this
15:49you can very quickly enter save rule and
15:51once you have selected on the safe route
15:53it is now being added all right into the
15:55web access controller so you can see
15:56right here changes saved successfully
15:59and you scroll down further or you can
16:00click add rules and once you're done
16:02with this as we move back over into the
16:04web access control list you can see
16:06right here okay we have the capacity and
16:08we have the checks and i can select
16:10under say in this case aws dash aws
16:13manage rules sqli ruleset i can move it
16:15up and i can click save on this all
16:17right so once we are done with this we
16:19can see the rule actions for it alright
16:21so very quickly we're now deploying a
16:23sql injection rule set to block sql
16:26injection from coming in so moving to
16:28the second part which is something a
16:29little more complex is under your my own
16:32rules and rule group so go ahead and
16:34click on it
16:35and once you clicked on it over here you
16:37have three options available right the
16:39first option is called ipset right so
16:41ipset gives us the ability to specify ip
16:44addresses that you want to block or
16:45allow okay so in this case if you create
16:48an ip set all right you will see the ip
16:49set listed on the bottom okay so here on
16:52the left side you can go ahead and click
16:53under ip sets and it can go over into
16:56say aws web so in this case i can go
16:58ahead and click on the create ip set and
17:00once i click on the create ip set we can
17:01specify a name so i can enter say
17:03approved ip address okay and once you're
17:07done with that you have the region you
17:08have the ipv4 version okay so in this
17:10case if i was to jump back to aws web
17:12all right of course if i go over into
17:14the web access control list involves
17:16look at all the requests that are coming
17:17in it's coming from a specific ip
17:19address and that ip address is my home
17:21network so this is the ip address that i
17:23want to allow access into or write the
17:26resource so in this case i can go ahead
17:28under wordpress acl i can look at the
17:31sample request and i can easily copy the
17:34ip address over here so i can go ahead
17:36and copy this we go back to the ip set
17:38we are creating under slash 32 all right
17:40to target his ip address so we can have
17:42cider range for this all right classes
17:44into domain range click under create
17:46ipset and that's it we're done alright
17:49we just created an ip set and we're
17:51going to use this as part of only
17:53allowing this ip address to be able to
17:56interact with our resources so going
17:58back all right into the aws web at the
18:00bottom all right so then we can
18:02determine whether we want to allow all
18:04right the action to be allow a blog
18:06account so there are two options
18:07available again in terms of ip set and
18:09one is usually generally the bad ip
18:12sorry so you subscribe to certain thread
18:14intel and your thread intel feeds are
18:16telling you all these bad ips and of
18:18course they are continuously being
18:19refreshed and you can inject them over
18:22into the bad ip set over in aws weft so
18:25that you can begin blocking down all
18:27these bad ips before they even have an
18:29opportunity to interact with any of your
18:31resources and of course the next use
18:32case is in terms of good ips or a good
18:34ips meaning that they could be your
18:36partner servers or and you want them to
18:38be able to communicate with your
18:40resources then you want to put them
18:42under say the good ip set so this are
18:44the two general use cases when it comes
18:46to using ipsen as part of awswaff so in
this case I can very quickly enter the following: good IP. So what I can do now is I can choose the IP set, good IP, and in this case I'm going to put an allow for this. Okay, so once I'm done with that I can click add rule, and this rule will very quickly be added into the web access control list, and after which we can set the rule priority for it. So in this case perhaps I want to say that any time I have a good IP match, immediately I will allow the request to go through. So this is something that we can do very quickly with AWS WAF: to say that good IPs can immediately go into accessing those resources without having to go through any further checks. So go ahead and click save on this. So now we have set the rule priority, so we can jump back into the rules of the web access control list, and in this case I can click under, again, add my own rules and rule groups.

19:35 The second part is called the rule builder. The rule builder is where you're writing down your condition statements, your checks against different types of request payloads that are coming in. So in this case, for example, I can enter the name: we could be looking out for SQL injection coming in to, say, user agent, so I can enter sqli user agent. It's a regular rule, so we have two rule options: one is regular rule, which are all your condition statements to check different headers, looking out for different types of match conditions and all that.

20:02 The second one is what we call the rate-based rule. The rate-based rule allows us to determine what is considered as excessive requests going into your servers or services, so in that case your rate-based rule allows you the ability to begin blocking those IP addresses which are hitting the threshold of the number of requests over into your server. So this could be a part of a distributed denial of service attack where you're trying to flood your entire server and your services.

20:27 So what exactly is a distributed denial of service attack? So in this case you have the hacker on the top left corner right over here, so you can see the hacker, and what they do is that they would then send a lot of traffic over through to the internet, hitting into the application load balancer, and then after which this could consume legitimate resources coming in from your EC2 resources or your virtual server. As a result of that, an actual normal user is no longer able to access your traffic, and this consumes all of your resources. So in order to defend against this type of attacks, what we can do now is to have the following WAF association with ALB, and in this case this is what we call the rate-based rule. With the rate-based rule, what we can do is to specify, say, a hundred requests per minute, which is typical for a normal user. So in this case if the request exceeds over 100 requests per minute, then we can begin blocking out all these bad IP addresses and be able to stop the hacker on the track before they even reach over into your resources. And of course you can see the second option in terms of IP address to use for rate limiting. So in this case, in front of, say, the application load balancer, the one that's interacting with your resources is a proxy server, and before the proxy server there could be multiple devices before it. So as a result of that you are probably trying to look out in the header if there are certain specific IP addresses, possibly bad IPs, then you want to block them off if they are contained within the header.
21:53 Now moving back to the regular rule over here, we can see all these options, all the condition statements that we can use. So in this case we can match the following statement, so I can easily do an inspection: I can specify a country where this specific request is originating from, I can specify certain headers, certain query parameters, all query parameters that are coming in, URI path and all of that. So in this case, say for example I specify header, and in the header field I can enter user agent, and perhaps in this case it contains a SQL injection, and I can specify here "contains SQL injection attack", because on the back end you are collecting all this user agent information into a backend database for doing your data analytics, know your customer. So in this case we can see if the user agent contains SQL injection, we want to block those out of the way. So you can see right here we have the ability to do blocking from the action over here. So once you're done with that, go ahead and click under add rule, so this would add it over into the list of rules within the web access control list. Okay, so once you're done with that you can easily specify sqli user agent, and we can easily move this up over here into the block, and once we have this I can click on to save, so this will save the rule over into the web access control list.
23:06 And the final part of all is under rule groups. So a lot of times you may have multiple web access control lists, and from multiple web access control lists you want to create rules that can be reusable for multiple of these web ACLs. So in this case you have to go over to the left side and you have to select under rule groups to create all these rules, and once you create all these rules it will then be made accessible to different of these web access control lists. Say for example you're creating the SQLi injection check for user agent, and it's going to be used in multiple of your applications, in multiple web access control lists; so instead of having to recreate them into every one of these web ACLs, you can easily create them under the rule groups. So you can say, for example, sqli user agent under your rule groups, okay, and then it will also create a CloudWatch metric name for us. Click on to next, and then after which you can easily add the rule, exactly the rule that we have created earlier, then after which this is going to be made reusable, so that it can then be associated with many of these web access control lists, and you can use them as part of rules.

24:02 Additionally, jumping back to the sqli user agent that we've created as part of the web access control list, what I can do is I can edit on this, and right at the bottom you can see the following: we have a custom response. So we can enable a custom response to give a feedback to the requester about what is the response that we want to give as a result of block. So in this case we can say give a 403 as the response code, and then after which we can specify a response body. So we can create a response body, and in this case I can say block sqli, so in this case I can enter, say, a plain text "stop trying to hack hacker Loi". Okay, so once I have this I can click on the save, and then I can click save rule, so this will help us save the rule over into the web access control list. So then of course we can again see the rule priority and all of that.

24:52 So now we are done with the setup of the rules. What we want to do is to look at the associated AWS resources. So in this case I have the following application load balancer, so this is the resource type of ALB,
and we have already associated it with the WAF rules.

25:10 Now before we jump into the penetration testing example of how we can test out all these different types of WAF rules, what you want to watch out for over here is: I have an EC2 instance, and of course I have a public IPv4 address as well as public IPv4 DNS. So if I go ahead and open up this address, and if I copy this, I open up the address by going into http for this, and I hit enter on that, it will bring us over directly into the server. It means that we did not go through the WAF rules at all, we did not go to the application load balancer; we're accessing directly into the virtual server, and that's not a good practice, because you want all of this to be routed through the WAF in terms of protection.
25:49 So what you want to do as a pro tip here is you want to go back over to the instance, and you want to click on the security, and you want to select under the security groups. So go ahead and click on it, so once you click on it you want to click under the edit inbound rules, select on it, and you can see right here we have HTTP, and then of course we are allowing it to be internet accessible. So what you want to do is to delete this,
jump back over to the add rule, specify HTTP, and then in this case on the source you want to specify and target the security group for the application load balancer. So I'm selecting it over here. Else, if you see over here, this is the EC2 address, so we're accessing it directly into the virtual server, which is not what we want because it bypasses the WAF rules. So once I'm done with this I click under save rules, and then of course the stateful firewall will kick into effect, and then of course if I jump over into the EC2 DNS, I do a refresh, it's no longer working now. So users have to go to our ALB DNS in order to be able to access into the resource.

26:55 And now if I jump over into the application load balancer, you can see right here we have a DNS name right here, okay, so this is the DNS to access into. So what we can do now is I can go ahead and copy over this DNS, I jump over into another tab, so I've already pasted it over here, so I paste and I hit enter. Again, this is the place for us to access into the resource, so it goes through the application load balancer, which is associated with AWS WAF, to kickstart all of these inspection rules, condition statements and all these checks against application risks and all these malicious payloads that are coming in to our server.

27:32 So I'm jumping over into my Kali Linux ethical hacking and penetration testing box. So right here we are on the ALB DNS name, so from here what we can do is we can enter anything that we want in terms of the search field: I can enter asd, I can click search, and what I can do from the top right corner, I can select Burp Suite as our proxy. Once you select Burp Suite as a proxy, you can go ahead and open it up using terminal, and then you can enter burpsuite. So this is starting up Burp Suite for us, so this will be the place for us to run all of these different types of payloads targeting over into the server. So in this case if you jump over into the proxy tab of Burp Suite, ensure the intercept is on, and from here we can go ahead and enter another result, say entering asd, I click search on this, and we can see we are intercepting the request so that we can change up the request. And I can do a right click, I can send over into, say, in this case, repeater, and this is the place where we can modify the request. So we jump back over to AWS WAF, under the web access control list you can see right here we have sqli user agent, block, status 403 with a custom response. So this is the place we're going to target to test out whether this rule is working, whether we're able to inspect on it. So if I jump back over to Kali Linux, with this what we can do now is to change up the user agent. So I can put, say for example, single quote, or, one equal one, semicolon, dash dash, and let's go ahead and do a send and see what happens.
28:57 Do you see this right here: "stop trying to hack hacker Loi". You'll notice that there are several options when it comes to the action to be taken as a result of either matching or not matching the rule, so what you can see here is we have the allow and block. So in terms of allow and block, this is what we call as the terminating rule. So this terminating rule means that the moment the action is taken, it stops at the rule right there without going to the subsequent rules. And then for count, count is something we call non-terminating, so it would do a match condition check and it would put it to count so that you can do analysis later on. And on the other hand, the final part is CAPTCHA; CAPTCHA can be non-terminating, and at the same time it can also be a terminating rule. So you have the option available for CAPTCHA on that, and just because you managed to pass the CAPTCHA check, it doesn't mean that no more rules are going to be evaluated. If you pass the CAPTCHA, further rules are going to be evaluated against the human actor.

29:51 So in terms of the rule evaluation logic, you can see as follows: the SQL injection is first checked on the user agent, and if it matches, it immediately does a block, and of course corresponding with a custom response over here, which is status value block sqli. So we saw this in the demonstration. If it doesn't match, then what happens? It goes into good IP, so if it belongs to the good IP, it does an allow immediately, and then with the allow the request is forwarded over into the resource without going into the further checks. So this is how it looks like. So in this case I have a login checker over here which is targeted for any of these requests going into the login page of WordPress, okay, but it's not going to hit into this rule because the good IP has already been placed as an earlier priority.

30:32 Let's go ahead and take a look at how this rule would look like in an actual request. So once again I am back into Kali Linux going into the ALB DNS name, so all I got to do now is enter slash followed by wp-login.php, I hit enter on this, and you can see right here we're forwarded directly over into the username and password login view. So what I can do now, to demonstrate it as earlier, is to go back over into AWS WAF, and what I'm going to do now is go ahead and click under, say, login checker. I can click under edit, and say I look through all the rules, I can add in whatever you want to, and then what I do now, I click on the save rule, and I go into the priority, and in the priority I'm going to move this up right before the sqli user agent check. So I select on the login checker, I move it up, I click save, and then with this the rule is going to propagate down into the associated resource so that we can begin the protection of it. Now going back to Kali Linux, all I'm going to do now is enter wp-login.php, hit enter on this, and you can see a CAPTCHA challenge is being prompted to us: "let's confirm you're human", because of the logic that we have now changed in terms of the priority of the rules to be evaluated.

31:44 And now you probably have another question, and the question is about scaling. Now here's the problem statement: you have probably, say, three accounts, and in the three accounts you have multiple different types of resources like application load balancer, API gateway, CloudFront distribution, and the list goes on.
32:00 And then the question is how can you propagate certain rules, and all of these different rules, down to several of these different types of resources to begin the protection of them with AWS WAF? What you can do then is to use AWS Firewall Manager to help you push down all these different web access control lists and all of the rules down into the different accounts, so that you can begin the protection of all these accounts, and you'll very quickly be able to protect all of these accounts at scale. And once you do that you have two options available: one is to directly remediate them, or two is to say that, hey, this resource is not compliant and I want to notify the account owner that, hey, you are having an incorrect rule and you need to be able to rectify that quickly so that you can protect your applications from, say, hacker Loi. So with that you have learned something about cloud security on AWS WAF, and I hope it's been valuable and insightful for you. Of course we can go significantly deeper than whatever I'm showing you right here, but this gives you an idea about how you can secure your applications on the cloud, on AWS, with AWS WAF.