Primer AWS WAF - Managing OWASP top 10 rules
Implementing AWS Config for WAF: A Detailed Guide to Enforce OWASP Top 10 Protections
Introduction
In today’s threat landscape, web applications face constant attacks targeting common vulnerabilities. The Open Web Application Security Project (OWASP) Top 10 outlines the most critical web application security risks. AWS Web Application Firewall (WAF) provides robust protection against these threats, but ensuring continuous compliance with security best practices requires proper monitoring and enforcement.
This comprehensive guide will walk you through implementing AWS Config to monitor and enforce AWS WAF rules that protect against OWASP Top 10 vulnerabilities, using AWS Managed Rule Groups as referenced in the AWS WAF Developer Guide.
Why AWS Config for WAF?
AWS Config provides several key benefits for managing WAF security:
- Continuous Monitoring: Track configuration changes to your WAF rules in real-time
- Compliance Assessment: Evaluate WAF configurations against security best practices
- Automated Remediation: Trigger actions when non-compliant changes are detected
- Historical Tracking: Maintain a complete history of WAF configuration changes
Prerequisites
Before implementing this solution, ensure you have:
- An AWS account with appropriate permissions
- AWS WAF deployed in your preferred regions (CloudFront or Regional)
- AWS Config service enabled in your account
- Basic understanding of OWASP Top 10 vulnerabilities
Step 1: Enable AWS Config
First, we need to set up AWS Config to monitor our WAF resources:
- Open the AWS Config console
- Navigate to “Settings” and ensure recording is turned on
- Specify an S3 bucket for configuration history storage
- Create an SNS topic for notifications (recommended)
- Select “Record all resources supported in this region” or specifically select WAF resources
# AWS CLI command to enable AWS Config
aws configservice subscribe --s3-bucket your-config-bucket \
--sns-topic arn:aws:sns:region:account-id:your-topic \
--iam-role arn:aws:iam::account-id:role/your-config-role
Step 2: Deploy AWS Managed Rules for OWASP Top 10
As referenced in the AWS documentation, AWS provides managed rule groups that align with OWASP Top 10 protections:
- AWSManagedRulesCommonRuleSet: Protects against common web exploits (maps to multiple OWASP categories)
- AWSManagedRulesSQLiRuleSet: Specifically targets SQL injection (OWASP A1)
- AWSManagedRulesLinuxRuleSet: Protects against Linux-specific attacks
- AWSManagedRulesPHPRuleSet: Protects against PHP-specific attacks
- AWSManagedRulesWordPressRuleSet: For WordPress protections
Implementation Steps:
- Navigate to AWS WAF in the console
- Create a new Web ACL or select an existing one
- Under “Add rules”, select “Add managed rule groups”
- Add the relevant rule groups with appropriate actions (Block, Count, etc.)
# Example AWS CLI command to associate managed rules with a Web ACL
aws wafv2 associate-web-acl \
--web-acl-arn arn:aws:wafv2:region:account-id:global/webacl/your-web-acl/your-acl-id \
--resource-arn arn:aws:cloudfront::account-id:distribution/your-distribution-id
Step 3: Create AWS Config Rules for WAF Compliance
Now we’ll create custom AWS Config rules to ensure our WAF implementation remains compliant with OWASP protections.
Rule 1: Verify OWASP Core Rule Set is Enabled
This rule checks that the AWSManagedRulesCommonRuleSet is enabled in all WAF Web ACLs.
- Navigate to AWS Config > Rules
- Click “Add rule”
- Search for “waf” and select “wafv2-webacl-resource-policy” as the base rule
- Configure with the following parameters:
{
"webaclName": "*",
"managedRuleGroupConfigs": [
{
"name": "AWSManagedRulesCommonRuleSet",
"vendorName": "AWS",
"enabled": true
}
]
}
Rule 2: Verify SQL Injection Protection is Enabled
Ensure the SQL injection rule set is active:
{
"webaclName": "*",
"managedRuleGroupConfigs": [
{
"name": "AWSManagedRulesSQLiRuleSet",
"vendorName": "AWS",
"enabled": true
}
]
}
Rule 3: Verify WAF is Attached to All Resources
Create a rule to ensure all applicable resources have WAF protection:
# This requires a custom Lambda function to evaluate
aws configservice put-config-rule \
--config-rule '{
"ConfigRuleName": "waf-attached-to-resources",
"Description": "Checks that all applicable resources have WAF protection",
"Scope": {
"ComplianceResourceTypes": ["AWS::CloudFront::Distribution", "AWS::ElasticLoadBalancingV2::LoadBalancer"]
},
"Source": {
"Owner": "CUSTOM_LAMBDA",
"SourceIdentifier": "arn:aws:lambda:region:account-id:function:your-lambda-function",
"SourceDetails": [
{
"EventSource": "aws.config",
"MessageType": "ConfigurationItemChangeNotification"
}
]
},
"InputParameters": "{}"
}'
Step 4: Set Up Automated Remediation
When AWS Config detects non-compliant WAF configurations, we can automate remediation:
- Create an SNS topic to receive compliance notifications
- Configure AWS Lambda functions to remediate common issues
- Set up EventBridge rules to trigger remediation
Example Remediation for Missing OWASP Rule Set:
import boto3
def lambda_handler(event, context):
wafv2 = boto3.client('wafv2')
# Get non-compliant Web ACL details from Config event
webacl_arn = event['detail']['resourceId']
region = event['detail']['awsRegion']
# Get current Web ACL configuration
webacl = wafv2.get_web_acl(
Name=webacl_arn.split('/')[-1],
Scope='REGIONAL', # or 'CLOUDFRONT'
Id=webacl_arn.split('/')[-2]
)
# Add missing OWASP rule set
new_rules = webacl['WebACL']['Rules']
new_rules.append({
'Name': 'AWS-AWSManagedRulesCommonRuleSet',
'Priority': 0,
'Statement': {
'ManagedRuleGroupStatement': {
'VendorName': 'AWS',
'Name': 'AWSManagedRulesCommonRuleSet'
}
},
'OverrideAction': {'None': {}},
'VisibilityConfig': {
'SampledRequestsEnabled': True,
'CloudWatchMetricsEnabled': True,
'MetricName': 'AWS-AWSManagedRulesCommonRuleSet'
}
})
# Update Web ACL
wafv2.update_web_acl(
Name=webacl['WebACL']['Name'],
Scope='REGIONAL',
Id=webacl['WebACL']['Id'],
DefaultAction=webacl['WebACL']['DefaultAction'],
Rules=new_rules,
VisibilityConfig=webacl['WebACL']['VisibilityConfig']
)
return {
'statusCode': 200,
'body': 'Successfully remediated Web ACL'
}
Step 5: Configure Notifications and Reporting
Set up alerts and reporting for WAF compliance status:
- Create an Amazon EventBridge rule for AWS Config compliance changes
- Set up SNS notifications for critical compliance failures
- Configure AWS Security Hub for centralized security findings
- Create Amazon QuickSight dashboards for compliance visualization
# Create EventBridge rule for WAF compliance events
aws events put-rule \
--name "waf-compliance-events" \
--event-pattern '{
"source": ["aws.config"],
"detail-type": ["Config Rules Compliance Change"],
"detail": {
"configRuleName": [
"waf-owasp-core-ruleset-enabled",
"waf-sqli-protection-enabled"
]
}
}'
Best Practices for Ongoing Management
- Regular Rule Review: Periodically review WAF rules and adjust sensitivity as needed
- Log Analysis: Enable WAF logging to CloudWatch or S3 for attack pattern analysis
- Testing: Regularly test your WAF rules with controlled attack simulations
- Update Strategy: Plan for regular updates to managed rule groups as new threats emerge
- Custom Rules: Supplement managed rules with custom rules for application-specific protections
Advanced Configuration Options
Geo-Blocking Implementation
Add geographic restrictions to complement OWASP protections:
{
"Name": "GeoBlockNonAllowedCountries",
"Priority": 1,
"Statement": {
"NotStatement": {
"Statement": {
"GeoMatchStatement": {
"CountryCodes": ["US", "CA", "GB", "DE"]
}
}
}
},
"Action": {
"Block": {}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "GeoBlock"
}
}
Rate-Based Rules
Protect against brute force attacks (OWASP A2):
{
"Name": "RateLimitLoginAttempts",
"Priority": 2,
"Statement": {
"RateBasedStatement": {
"Limit": 100,
"AggregateKeyType": "IP",
"ScopeDownStatement": {
"ByteMatchStatement": {
"SearchString": "/login",
"FieldToMatch": {
"UriPath": {}
},
"TextTransformations": [
{
"Priority": 0,
"Type": "NONE"
}
],
"PositionalConstraint": "CONTAINS"
}
}
}
},
"Action": {
"Block": {}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "RateLimitLogin"
}
}
Troubleshooting Common Issues
- False Positives: Adjust rule sensitivity or create allow lists for legitimate traffic
- Performance Impact: Monitor latency and adjust rule priorities as needed
- Rule Conflicts: Ensure proper rule priority ordering to prevent unintended interactions
- Logging Issues: Verify WAF logs are properly configured and delivered
Conclusion
Implementing AWS Config to monitor and enforce AWS WAF configurations for OWASP Top 10 protections provides a robust security posture for your web applications. By following this guide and referencing the AWS WAF Developer Guide, you can establish continuous compliance monitoring, automated remediation, and comprehensive visibility into your web application security controls.
Remember that security is an ongoing process. Regularly review your WAF configurations, analyze traffic patterns, and adjust your rules to maintain optimal protection against evolving threats while minimizing impact on legitimate traffic.