5 Steps to Integrate AWS WAF with Network Security

Integrate AWS WAF into your network security with a five-step guide to protect applications from cyber threats effectively.

Protect your applications from cyber threats with AWS WAF. Here's how you can integrate it into your network security in just 5 steps:

  1. Review Your Network Setup: Identify critical resources (e.g., CloudFront, Load Balancers) and map traffic patterns to pinpoint vulnerabilities.
  2. Configure AWS WAF: Deploy AWS WAF with CloudFront or Application Load Balancers (ALB) and set up Web ACLs to control access.
  3. Create Rule Sets: Use AWS-managed rules for common threats (e.g., SQL injection, XSS) and add custom rules for specific needs.
  4. Add AWS Security Services: Strengthen protection with AWS Shield for DDoS attacks and AWS Network Firewall for Layer 3/4 security.
  5. Monitor and Optimise: Use CloudWatch to track metrics, refine rules, and manage costs effectively.

Why AWS WAF?

At just £5 per month per Web ACL and £1 per rule, AWS WAF offers affordable, enterprise-level security for SMBs. It protects against SQL injection, XSS, and DDoS attacks while integrating seamlessly with AWS services. With cybercrime damages projected to reach £8.4 trillion annually by 2025, securing your applications has never been more critical.

This guide walks you through a layered approach to security, ensuring your web applications stay protected and costs remain manageable.

Hands-on: Deploy AWS WAF on ALB and setup WAF Rules

Step 1: Review Your Network Setup

Start by examining your network architecture to pinpoint critical protection points and understand how traffic flows. This step ensures that AWS WAF's layer 7 protections align seamlessly with your broader network security measures. It's the foundation for a well-planned and efficient AWS WAF deployment.

Identify Critical Resources to Protect

AWS WAF is designed to safeguard essential endpoints like CloudFront distributions, Load Balancers, API Gateways, and other web-facing services.

Begin by creating an inventory of your web-facing applications, ranking them based on their importance. Consider factors like the sensitivity of the data they handle, the financial impact of potential breaches, and any regulatory compliance requirements. For example, an e-commerce platform processing customer payment data should take precedence over a company blog.

  • CloudFront distributions: These are often top-priority since they act as the entry point for global traffic. With over 450 edge locations worldwide, CloudFront terminates TLS and TCP connections, filtering out non-compliant requests before they reach your applications.
  • Application Load Balancers: These play a crucial role by distributing traffic across multiple application instances. AWS WAF can apply rules based on IP addresses, query strings, or custom criteria, making load balancers an effective chokepoint for blocking malicious traffic.
  • API Gateway REST APIs: These are particularly important if you're running microservices or mobile apps. They often handle authentication and sensitive data exchanges, making them prime targets for attacks like SQL injection or cross-site scripting.

If your organisation uses AWS Shield Advanced, remember it extends DDoS protection to various resources, including Amazon EC2 instances, Elastic Load Balancers, CloudFront distributions, and more. Coordinate your AWS WAF setup with Shield Advanced to establish a layered security approach.

Map Network Traffic Patterns

Understanding your network's traffic flow is essential for determining the best placement and configuration of AWS WAF. Network Traffic Analysis (NTA) helps you monitor and interpret network data, ensuring your setup supports performance, availability, and security.

Start by establishing baseline traffic patterns, such as typical volumes, peak usage times, user locations, and common request types. This baseline helps you spot anomalies that could signal attacks or misconfigurations.

When collecting traffic data, you have two main options:

  • Agent-based systems: These provide detailed packet-level monitoring but can affect network performance.
  • Agentless systems: Using SNMP or APIs, these offer sufficient visibility for most needs without the performance overhead.

AWS WAF operates at Layer 7, focusing on HTTP requests, while AWS Network Firewall secures traffic at the network layer (L3/L4) within VPCs. For HTTP traffic, place AWS WAF as close to the edge as possible, ideally at the CloudFront level.

Contextual visibility is equally important. Analyse user authentication requests, application usage trends, and threat intelligence feeds to understand traffic spikes or unusual behaviour. This insight can help you identify and address potential vulnerabilities.

Lastly, consider public and private subnet compatibility. AWS WAF should integrate smoothly with both types, ensuring security for internet-facing resources while maintaining internal communication without disruption.

Step 2: Configure AWS WAF for Integration

After mapping out your network architecture, the next step is deploying AWS WAF to strengthen your layer 7 security. This stage is all about ensuring your web application firewall works seamlessly with services like Amazon CloudFront and Application Load Balancers (ALB). Getting this setup right lays the groundwork for creating effective rule sets in your Web ACLs.

Deploy AWS WAF with CloudFront or ALB

To protect your infrastructure, you can deploy AWS WAF alongside CloudFront for your CDN or with an ALB for your back-end applications. The choice depends on your traffic patterns and security needs, though many businesses find using both together offers the best coverage.

When integrated with CloudFront, AWS WAF operates at the edge of AWS's global network. This setup allows the firewall to inspect web requests against the rules in your Web ACLs before traffic even hits your origin servers. It also provides access to original client IP addresses, enabling more precise IP whitelisting and geographical restrictions.

For ALB integration, AWS WAF filters incoming requests before they reach your back-end applications. If you're using both CloudFront and ALB, it’s recommended to limit ALB access to only accept traffic from CloudFront. You can achieve this by using a managed IP prefix list and validating custom headers.

Notably, in November 2024, AWS introduced a feature to streamline this process. When setting up an ALB, you can now select an option to "Apply application layer acceleration and security protections - in front of the load balancer." This automatically creates a CloudFront distribution and Web ACL, and configures a security group to ensure the HTTP listener only accepts traffic from CloudFront.

If you're connecting CloudFront to ALB, remember to configure CloudFront to forward the aws-waf-token cookie and set AWS WAF to recognise the CloudFront domain as a trusted token source.

Set Up Web ACLs

Once AWS WAF is deployed with CloudFront or ALB, the next step is to configure your Web ACLs. These provide detailed control over HTTP(S) requests, ensuring your layer 7 security is robust and complements your broader network protection strategy.

Web Access Control Lists (ACLs) allow you to control access to resources like CloudFront distributions, API Gateways, and ALBs. Start with a default "Allow" action and gradually add rules to block malicious traffic. While a default "Block" action is possible, it requires explicitly allowing every legitimate request, which can be overly complex for smaller organisations.

Your Web ACL can evaluate requests based on multiple criteria, including:

  • IP address or country of origin
  • String or regex matches in headers or body content
  • Request size
  • Patterns indicative of malicious activity

For CloudFront Web ACLs, AWS WAF can inspect request bodies up to 64 KB, while regional Web ACLs are limited to 8 KB for both request bodies and headers/cookies.

To optimise performance, order your rules from broad to specific. For instance, block traffic from certain countries or known malicious IP ranges first, before applying more detailed application-layer rules. Using rate-based rules can also help automatically block excessive requests.

Before applying changes to production, always test your Web ACLs in a staging environment. Deploy them in "count mode" initially, which logs matching requests without blocking them. This lets you identify and resolve false positives before switching to "block mode".

You can also enhance rule logic with labels and scope-down statements. Labels allow rules to share results, enabling complex conditional logic, while scope-down statements narrow the set of requests evaluated by managed rule groups, improving efficiency and reducing costs.

For applications that handle large file uploads or complex forms, configure exceptions for specific URIs and HTTP methods to avoid inadvertently blocking legitimate functionality.

Regular monitoring is essential. Use CloudWatch dashboards to review traffic patterns weekly and establish normal baselines. Periodically evaluate your Web ACLs to ensure they remain effective against evolving threats.
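The Web ACL described in this step, written out as the JSON document that `aws wafv2 create-web-acl --cli-input-json file://web-acl.json` accepts. This is an added example, not code from the article: the ACL and rule names, the x-origin-verify header and its placeholder value (the custom header that lets the ALB reject traffic that did not come through CloudFront), and the /uploads/ path excluded from body inspection are assumptions. It shows a default Allow action, a cheap broad rule first, the managed Core Rule Set deployed in count mode with a scope-down statement, a priority check, and the switch from count to block once the count data is clean.

```python
"""Builds an AWS WAFv2 Web ACL definition in the JSON shape that
`aws wafv2 create-web-acl --cli-input-json file://web-acl.json` accepts.
Added example: the ACL and rule names, the x-origin-verify header and its
placeholder value, and the /uploads/ path are assumptions, not values from
the article."""
import base64
import json

ORIGIN_HEADER = "x-origin-verify"            # assumed name of the CloudFront -> ALB secret header
ORIGIN_SECRET = "REPLACE-WITH-SECRET-VALUE"  # placeholder; CloudFront must add this header value
UPLOAD_PREFIX = "/uploads/"                  # assumed path whose bodies exceed the 8 KB regional limit


def blob(text):
    # Byte-match search strings are blobs; AWS CLI v2 expects blobs in
    # --cli-input-json as base64 unless --cli-binary-format raw-in-base64-out is set.
    return base64.b64encode(text.encode()).decode()


def visibility(metric_name):
    # Required on the ACL and on every rule; this is what feeds CloudWatch.
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}


def origin_verification_rule(priority):
    # Broad, cheap rule first: block requests that did not arrive via CloudFront
    # (i.e. that lack the shared secret header).
    return {
        "Name": "RequireCloudFrontHeader", "Priority": priority,
        "Action": {"Block": {}},
        "Statement": {"NotStatement": {"Statement": {"ByteMatchStatement": {
            "FieldToMatch": {"SingleHeader": {"Name": ORIGIN_HEADER}},
            "PositionalConstraint": "EXACTLY",
            "SearchString": blob(ORIGIN_SECRET),
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}}}},
        "VisibilityConfig": visibility("RequireCloudFrontHeader"),
    }


def managed_rule_group_rule(priority, count_mode=True):
    # Managed Core Rule Set. OverrideAction Count is "count mode"; the scope-down
    # statement excludes the upload path so large bodies are not inspected there.
    return {
        "Name": "AWSManagedRulesCommonRuleSet", "Priority": priority,
        "OverrideAction": {"Count": {}} if count_mode else {"None": {}},
        "Statement": {"ManagedRuleGroupStatement": {
            "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet",
            "ScopeDownStatement": {"NotStatement": {"Statement": {"ByteMatchStatement": {
                "FieldToMatch": {"UriPath": {}},
                "PositionalConstraint": "STARTS_WITH",
                "SearchString": blob(UPLOAD_PREFIX),
                "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}]}}}}}},
        "VisibilityConfig": visibility("AWSManagedRulesCommonRuleSet"),
    }


def build_web_acl(name, scope="REGIONAL", count_mode=True):
    # Scope REGIONAL covers ALB/API Gateway; CLOUDFRONT ACLs are created in us-east-1.
    return {
        "Name": name, "Scope": scope,
        "DefaultAction": {"Allow": {}},      # default allow; rules carve out the blocks
        "Rules": [origin_verification_rule(0), managed_rule_group_rule(1, count_mode)],
        "VisibilityConfig": visibility(name),
    }


def check_priorities(web_acl):
    """Priorities must be unique; listing them in ascending order keeps the
    document readable as 'broad rules first'."""
    prios = [r["Priority"] for r in web_acl["Rules"]]
    return len(prios) == len(set(prios)) and prios == sorted(prios)


def promote_to_block(web_acl, rule_name):
    """Take a rule out of count mode once the count data shows no false positives."""
    for rule in web_acl["Rules"]:
        if rule["Name"] != rule_name:
            continue
        if "OverrideAction" in rule:           # rule group: remove the override
            rule["OverrideAction"] = {"None": {}}
        elif rule.get("Action") == {"Count": {}}:
            rule["Action"] = {"Block": {}}     # plain rule: Count -> Block
        return rule
    raise KeyError(f"no rule named {rule_name}")


if __name__ == "__main__":
    acl = build_web_acl("smb-web-acl")
    assert check_priorities(acl)
    print(json.dumps(acl, indent=2))   # save as web-acl.json for the CLI
```

The scope-down statement is placed on the managed rule group rather than on the ACL, so the excluded path still passes through the origin-verification rule; only the managed group's (8 KB-limited) body inspection is skipped there.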

Step 3: Create and Manage Rule Sets

With your Web ACL in place, the next step is to design and manage rule sets that effectively block malicious traffic while ensuring legitimate users can access your application. This involves combining AWS-managed rule groups with custom rules to create a defence strategy tailored to your application's unique needs.

Use AWS-Managed Rule Groups

AWS-managed rule groups offer an out-of-the-box solution to protect your application from common web threats. These pre-configured rule sets are updated regularly to address the latest vulnerabilities, making them particularly helpful for small and medium-sized businesses that may not have dedicated security teams.

"AWS Managed Rules are designed to protect you from common web threats. When used in accordance with the documentation, AWS Managed Rules rule groups add another layer of security for your applications." - AWS Documentation

The OWASP Top 10 rule group is a popular choice, as it targets the most critical web application security risks. Other useful options include the Core Rule Set, which defends against common attack patterns, and Known Bad Inputs, designed to filter out requests containing malicious payloads.

When implementing these rule groups, start with count mode instead of block mode. This allows you to monitor which requests would have been blocked without disrupting legitimate traffic. Observe the results for at least a week to establish a baseline before switching to block mode.

Keep in mind that AWS frequently updates these rule groups with new versions. To avoid unexpected disruptions, test new versions in a non-production environment before applying them to your live application. This ensures legitimate traffic won't be mistakenly blocked due to unforeseen changes.

While AWS-managed rule groups provide a strong starting point, they are not a complete solution. To fully protect your application, you’ll need to create custom rules tailored to your specific requirements.

Build Custom Rule Sets

Custom rules allow you to address unique attack patterns, enforce specific business logic, and handle scenarios that managed rules may not cover.

  • Rate-based rules: These are effective for mitigating denial-of-service attacks. They monitor requests from up to 10,000 source IPs and block those exceeding a defined threshold within a five-minute window. For example, you could block any IP sending more than 2,000 requests in five minutes.
  • Geographic blocking: If your business only serves specific regions, you can create rules to restrict access from countries outside your service area. This simple measure can significantly cut down on malicious traffic.
  • Insecure deserialisation detection: Create rules to catch deserialisation attacks by scanning for base64-encoded objects or strings linked to deserialisation vulnerabilities. Focus on areas like request bodies and headers where such payloads are likely to appear.

Custom rules also help refine your defences by addressing false positives. For instance, you can use labels to share rule outcomes, allowing you to combine managed rule results with additional custom conditions. This approach ensures greater accuracy in blocking threats.

To optimise costs, use scope-down statements to limit the requests evaluated by managed rule groups. For example, if certain endpoints don’t require specific protections, excluding them can reduce processing overhead.

If you're tackling cross-site scripting (XSS), focus on injection points like form fields, URL parameters, and HTTP headers. Use regex patterns to detect script tags, JavaScript event handlers, and other XSS-related elements specific to your application.

As with managed rules, deploy custom rules in count mode first. Once you’re confident they won’t interfere with legitimate traffic, switch to blocking mode.

Finally, monitor the performance of your custom rules using CloudWatch dashboards. Review these rules regularly, ideally monthly, to ensure they remain effective as attack methods evolve. This proactive approach helps you stay ahead of potential threats.
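To make the rule semantics of Steps 2 and 3 concrete (priority order, the first terminating action deciding, count rules only recording a match, a rate-based rule keyed on client IP over a five-minute window, and a label emitted by one rule being combined with an extra condition in a later one), here is a small evaluation model run over constructed traffic. It is an added teaching example, not the article's code and not AWS's evaluation engine: AWS tracks rates approximately and with some delay, and the rate limit of 3 is chosen only to keep the demonstration short (the article's production figure is 2,000).

```python
"""Simplified model of Web ACL rule evaluation over a request stream.
Added example with constructed traffic (documentation IP ranges); it models
the semantics described in the article, not AWS's implementation."""
from collections import defaultdict, deque

WINDOW_SECONDS = 300  # the five-minute window used by rate-based rules


class RateTracker:
    """Sliding-window request counter keyed by client IP."""

    def __init__(self, limit):
        self.limit = limit
        self.hits = defaultdict(deque)

    def over_limit(self, ip, ts):
        q = self.hits[ip]
        q.append(ts)
        while q and ts - q[0] >= WINDOW_SECONDS:  # expire hits outside the window
            q.popleft()
        return len(q) > self.limit


def geo_rule(allowed_countries):
    # Block anything outside the service area: broad and cheap, so it goes first.
    return {"name": "GeoAllowList", "action": "BLOCK",
            "match": lambda req, labels: req["country"] not in allowed_countries}


def rate_rule(limit):
    # The article's production value is 2,000 per five minutes; 3 keeps the demo short.
    tracker = RateTracker(limit)
    return {"name": f"Rate{limit}", "action": "BLOCK",
            "match": lambda req, labels: tracker.over_limit(req["ip"], req["ts"])}


def missing_user_agent_rule():
    # Count-mode rule: records the match, emits a label, and lets the request continue.
    return {"name": "NoUserAgent", "action": "COUNT", "emits": {"no-user-agent"},
            "match": lambda req, labels: not req["headers"].get("user-agent")}


def label_rule(name, label, predicate):
    # Combines an earlier rule's label with an extra condition: the article's
    # "share results via labels" pattern for refining a count-mode finding.
    return {"name": name, "action": "BLOCK",
            "match": lambda req, labels: label in labels and predicate(req)}


def build_rules():
    return [
        geo_rule({"GB", "IE"}),
        rate_rule(3),
        missing_user_agent_rule(),
        label_rule("NoUaOnAccount", "no-user-agent",
                   lambda req: req["uri"].startswith("/account")),
    ]


def evaluate(rules, req, default="ALLOW"):
    """Returns (action, deciding rule, rules that matched in count mode)."""
    labels, counted = set(), []
    for rule in rules:                      # list order is priority order
        if not rule["match"](req, labels):
            continue
        labels |= rule.get("emits", set())
        if rule["action"] == "COUNT":       # non-terminating: record and move on
            counted.append(rule["name"])
            continue
        return rule["action"], rule["name"], counted
    return default, "Default_Action", counted


def run(rules, requests):
    return [evaluate(rules, req) for req in requests]


def req(ts, ip, country, uri="/", ua="Mozilla/5.0"):
    return {"ts": ts, "ip": ip, "country": country, "uri": uri,
            "headers": {"user-agent": ua} if ua else {}}


# Constructed sample traffic.
SAMPLE_REQUESTS = [
    req(0, "198.51.100.7", "GB"),
    req(5, "203.0.113.9", "US"),                            # outside the service area
    req(10, "198.51.100.7", "GB"),
    req(20, "198.51.100.7", "GB"),
    req(30, "198.51.100.7", "GB"),                          # fourth hit in the window
    req(40, "198.51.100.7", "GB"),
    req(45, "198.51.100.8", "GB", ua=""),                   # counted, not blocked
    req(50, "198.51.100.8", "GB", uri="/account", ua=""),   # label + path => block
    req(400, "198.51.100.7", "GB"),                         # window has expired
]

if __name__ == "__main__":
    for r, outcome in zip(SAMPLE_REQUESTS, run(build_rules(), SAMPLE_REQUESTS)):
        print(r["ts"], r["ip"], r["uri"], outcome)
```

Note that a request blocked by the geographic rule never reaches the rate-based rule, so it is not counted towards that IP's rate; this is why the cheap, broad rules belong at the top of the list.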

Step 4: Add Other AWS Security Services

After setting up your initial configurations and rules, you can strengthen your security setup by integrating other AWS services. Combining AWS WAF with additional AWS security tools allows you to protect both the application and network layers. This layered approach ensures that threats are addressed at the appropriate level, offering a more robust defence against various attack types. Start by integrating AWS Shield to counter DDoS attacks, then enhance network-layer security with AWS Network Firewall.

Integrate AWS WAF with AWS Shield

AWS Shield works alongside AWS WAF to provide protection against DDoS attacks. While AWS WAF focuses on analysing HTTP/HTTPS requests for threats like SQL injection and cross-site scripting, AWS Shield is designed to handle large-scale network attacks that could disrupt your infrastructure.

AWS Shield Standard, included at no additional cost, automatically defends against common network and transport layer DDoS attacks. For advanced protection, AWS Shield Advanced offers extra features such as direct assistance from the Shield Response Team during DDoS events, the ability to group multiple resources into protection bundles, and automatic protection against application-layer (L7) DDoS attacks without manual input.

To maximise protection, associate your AWS WAF web ACL with resources protected by AWS Shield Advanced. This setup ensures that your network remains operational during an attack while AWS WAF filters out malicious application-layer traffic. If your organisation manages multiple AWS accounts, AWS Firewall Manager can simplify the deployment of AWS Shield Advanced and AWS WAF across all accounts, streamlining security management.

Use AWS Network Firewall for Layer 3/4 Protection

Once you’ve addressed DDoS threats with AWS Shield, secure the network layer by deploying AWS Network Firewall. This service provides stateful packet inspection and intrusion prevention for all traffic entering or leaving your VPC, making it a perfect complement to AWS WAF's application-layer protection. While AWS WAF examines HTTP requests and interprets web-specific elements like cookies and JSON content, AWS Network Firewall inspects raw network packets, covering both HTTP and non-HTTP traffic.

By combining these services, you can filter traffic at both the application and network layers. AWS Network Firewall protects your network perimeter by blocking unwanted traffic before it reaches your applications, while AWS WAF focuses on application-specific vulnerabilities. This layered defence is particularly useful for environments where threats might target non-web services, database connections, or internal communications.

To manage costs effectively, use scope-down statements in your WAF rules to avoid reprocessing traffic that has already been filtered by AWS Network Firewall. This reduces unnecessary overhead and keeps your setup efficient.

Step 5: Monitor and Optimise AWS WAF

With your security framework in place, the next priority is keeping a close eye on your AWS WAF setup and managing costs effectively. Regular monitoring and fine-tuning are essential to maintaining strong protection without overspending.

Monitor Traffic with CloudWatch Metrics

AWS WAF works seamlessly with CloudWatch, giving you real-time metrics to track your security's effectiveness. Key metrics such as allowed, blocked, passed, and counted requests provide insight into how your rules are performing and highlight areas that may need adjustment.

To dig deeper, enable AWS WAF logging. This captures detailed request data, which is invaluable for threat analysis and troubleshooting. Logs can be sent to S3, CloudWatch Logs, or Kinesis Data Firehose, and you can filter them based on rule actions for easier analysis.

If you’re using CAPTCHA or challenge-based features to tackle bots, keep an eye on metrics specific to these tools. By comparing successful challenges against blocked attempts, you can refine sensitivity levels and reduce false positives, ensuring legitimate users aren’t unnecessarily blocked.
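A weekly review of AWS WAF logs, as an added example that is not part of the article: it parses records in the JSON-lines format AWS WAF delivers to S3, CloudWatch Logs or Firehose, summarises what terminated each request, and lists the count-mode rules (both standalone rules and rules inside managed groups) together with the URIs they matched, since those are the false-positive candidates to resolve before switching a rule to block mode. The records are constructed and trimmed to the fields the code reads; the rule names, ACL and IP addresses are placeholders.

```python
"""Summarises AWS WAF log records for a false-positive review.
Added example over constructed, field-trimmed records; rule names, the ACL and
IP addresses are placeholders, not data from the article."""
import json
from collections import Counter, defaultdict

# Constructed sample: two count-mode hits from the managed Core Rule Set on an
# upload path, one geo block, one rate-based block, and one custom count rule.
SAMPLE_LOG = r"""
{"timestamp":1735689600000,"terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","terminatingRule":null,"nonTerminatingMatchingRules":[{"ruleId":"SizeRestrictions_BODY","action":"COUNT"}]}],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"198.51.100.10","country":"GB","uri":"/uploads/report","httpMethod":"POST"}}
{"timestamp":1735689601000,"terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","terminatingRule":null,"nonTerminatingMatchingRules":[{"ruleId":"SizeRestrictions_BODY","action":"COUNT"}]}],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"198.51.100.11","country":"GB","uri":"/uploads/photo","httpMethod":"POST"}}
{"timestamp":1735689602000,"terminatingRuleId":"GeoAllowList","terminatingRuleType":"REGULAR","action":"BLOCK","ruleGroupList":[],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"203.0.113.9","country":"US","uri":"/","httpMethod":"GET"}}
{"timestamp":1735689603000,"terminatingRuleId":"Rate2000","terminatingRuleType":"RATE_BASED","action":"BLOCK","ruleGroupList":[],"nonTerminatingMatchingRules":null,"httpRequest":{"clientIp":"203.0.113.50","country":"GB","uri":"/api/items","httpMethod":"GET"}}
{"timestamp":1735689604000,"terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","terminatingRule":null,"nonTerminatingMatchingRules":null}],"nonTerminatingMatchingRules":[{"ruleId":"NoUserAgent","action":"COUNT"}],"httpRequest":{"clientIp":"198.51.100.12","country":"GB","uri":"/","httpMethod":"GET"}}
"""


def parse_log(text):
    # One JSON object per line; blank lines are skipped.
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize_actions(records):
    """Counts (action, terminating rule) pairs: the allowed/blocked view per rule."""
    return Counter((r["action"], r["terminatingRuleId"]) for r in records)


def count_mode_hits(records):
    """Maps each count-mode rule to the URIs it matched. Managed-group rules are
    keyed as group/rule; null lists (present in real logs) are tolerated."""
    hits = defaultdict(Counter)
    for r in records:
        uri = r["httpRequest"]["uri"]
        for m in r.get("nonTerminatingMatchingRules") or []:
            if m["action"] == "COUNT":
                hits[m["ruleId"]][uri] += 1
        for group in r.get("ruleGroupList") or []:
            for m in group.get("nonTerminatingMatchingRules") or []:
                if m["action"] == "COUNT":
                    hits[f'{group["ruleGroupId"]}/{m["ruleId"]}'][uri] += 1
    return hits


def false_positive_candidates(records, min_hits=2):
    """Count-mode rules that fired at least min_hits times, busiest first,
    with the URIs involved so an exception can be scoped to them."""
    out = []
    for rule, uris in count_mode_hits(records).items():
        total = sum(uris.values())
        if total >= min_hits:
            out.append((rule, total, sorted(uris)))
    return sorted(out, key=lambda x: -x[1])


def block_rate(records):
    # Share of requests that ended in BLOCK; a sudden change is worth a look.
    blocked = sum(1 for r in records if r["action"] == "BLOCK")
    return blocked / len(records) if records else 0.0


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(summarize_actions(recs))
    for rule, total, uris in false_positive_candidates(recs):
        print(f"{rule}: {total} count-mode hits on {uris}")
    print(f"block rate: {block_rate(recs):.0%}")
```

In the constructed sample the managed SizeRestrictions_BODY rule fires only on the upload path, which is exactly the case Step 2 addresses with a scope-down statement or a URI exception before the group is promoted to block mode.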

Cost Optimisation Strategies for SMBs

For small and medium-sized businesses, managing costs is just as important as securing your applications. AWS WAF’s pricing is simple: £5.00 per month for each Web ACL, £1.00 per month per rule, and £0.60 per million requests processed. However, costs can climb if not managed carefully.

Track your Web ACL capacity units closely. Exceeding the 1,500-unit limit results in extra charges. To optimise capacity, consider using regex patterns instead of multiple string match statements. A single regex can often replace several string matches, cutting down on capacity usage.

Order your rules strategically. Place high-impact, low-cost rules at the top of your list to catch obvious threats early. This reduces the amount of traffic processed by more complex, resource-intensive rules. Start with basic rules and expand gradually as threats evolve. For SQL injection and cross-site scripting (XSS) detection, begin with low sensitivity settings to avoid false positives and conserve capacity units.

For log storage, switch to Infrequent Access (IA) storage for non-critical logs, and set S3 lifecycle policies to archive or delete older logs automatically. This can significantly lower storage costs over time. Additionally, using S3-managed encryption keys instead of custom KMS keys can help keep encryption costs down.

To avoid unexpected expenses, set up budget alerts for real-time monitoring. The AWS CUDOS Dashboard is another valuable tool: it provides insights into your usage patterns and flags irregular spending, which could indicate misconfigurations or potential security threats.

For more tips on managing AWS costs, especially for small and medium-sized businesses, check out the AWS for SMBs blog. Regular reviews of your AWS WAF setup will ensure you’re staying secure while keeping costs under control. Together, these steps complete your layered defence approach.

Key Takeaways

A five-step approach lays the groundwork for a strong security strategy tailored to small and medium-sized businesses (SMBs), helping them stay ahead of emerging threats. Combining AWS WAF (Web Application Firewall) with your existing network security adds extra layers of protection, shielding web applications from common cyber risks.

One standout feature of AWS WAF for SMBs is its affordable pricing. At just £5.00 per month for each Web ACL, £1.00 per rule, and £0.60 per million requests, it offers enterprise-level security without breaking the bank. The pay-as-you-go model ensures businesses only pay for what they use, making it particularly appealing for those with fluctuating traffic levels.

The cost efficiency of AWS WAF is matched by its robust security features. It defends against threats like SQL injection, cross-site scripting (XSS), and DDoS attacks. Additionally, it allows for custom rules based on IP addresses, headers, or geographic regions, offering flexibility and precision. When paired with other AWS services, these measures provide even stronger protection.

With CloudWatch, businesses gain access to real-time metrics that deliver instant insights into potential threats. This allows for quick responses to security incidents, bolstering overall defence.

The value of AWS WAF becomes even clearer when considering the financial impact of cybercrime. In 2024, the average cost of a data breach is estimated at £3.9 million, while cybercrime damages are expected to reach a staggering £8.4 trillion annually by 2025. For SMBs, integrating AWS WAF offers an effective way to mitigate these risks without excessive spending.

To maintain both security and efficiency, regular reviews and rule updates are essential. Keeping false positives below 1–2% and ensuring latency remains under 50 ms are key performance benchmarks.

For more expert advice on managing costs and enhancing security for SMBs, check out the AWS for SMBs blog, which provides tailored insights for growing businesses.

FAQs

How can AWS WAF work with existing network security tools to improve protection against cyber threats?

AWS WAF: Strengthening Your Web Application Security

AWS WAF (Web Application Firewall) plays a key role in boosting network security by working seamlessly with your current tools to keep an eye on and filter HTTP and HTTPS traffic. With the ability to create custom security rules, it helps guard against common threats like SQL injection and cross-site scripting (XSS), shielding your web applications from vulnerabilities, including those listed in the OWASP Top 10.

When combined with services like AWS Shield, AWS WAF adds an extra layer of protection to defend against advanced threats such as DDoS attacks. Plus, its managed rule groups, maintained and updated by AWS security experts, keep your defences aligned with the latest threat landscape. This integration not only bolsters your security but also simplifies operations with features like real-time monitoring and automated updates. It's a smart choice for small and medium-sized businesses aiming to protect their digital assets efficiently.

What are the advantages of using AWS-managed rule groups over custom rule sets in AWS WAF?

AWS-managed rule groups bring several advantages when compared to creating custom rule sets in AWS WAF. First off, these rule groups are maintained by skilled security professionals, ensuring they’re always updated to tackle the latest threats and vulnerabilities. This means you don’t have to spend time manually monitoring and applying updates yourself. Secondly, they’re incredibly simple to implement. With pre-configured rules ready to go, you can deploy them quickly without needing deep technical expertise or spending hours on setup. Lastly, AWS takes care of automatic updates for these managed rules, ensuring they adapt to new threats as they arise. This not only saves you time but also provides solid protection against common web application risks, including those outlined in the OWASP Top 10.

For small and medium-sized businesses, these managed rule groups can also be a budget-friendly option. Instead of investing in the development and upkeep of custom rules, you can allocate resources more efficiently while still maintaining strong network security.

How can small and medium-sized businesses control AWS WAF costs while ensuring strong network security?

Small and medium-sized businesses (SMBs) can keep their AWS WAF expenses under control without compromising security by adopting a few smart strategies. One effective approach is using AWS Managed Rule Groups. These come pre-configured and are automatically updated to counter emerging threats, cutting down on manual effort and operational complexity.

It's also essential to keep an eye on your web traffic and fine-tune your rule sets based on actual usage patterns. Since AWS WAF charges are tied to the number of active rules and the volume of web requests processed, optimising these configurations can help you avoid paying for what you don't need.

For broader cost efficiency, consider AWS cost-saving options like Reserved Instances or Savings Plans. When combined with thoughtful WAF management, these tools can help SMBs maintain strong security while staying within budget, all tailored to their specific operational requirements.
