AWS WAF and CloudFront: How to Use Them Together

Peter Grainger | September 16, 2021

Security is really important. There is nothing like the gut-wrenching feeling of exposing users' data. However, security isn't the most exciting part of web development and is often ignored. Using AWS CloudFront and AWS WAF together, you can add some security to your sites with less work and focus on making features for your users.

In this post, I'll provide some information about AWS CloudFront, AWS WAF, and SQL injection. Then I'll provide a step-by-step guide on how to use the two AWS services together to protect against SQL injection.

Some Background Information on AWS WAF, CloudFront, and Injection

A Web Application Firewall (WAF) Checks If the Contents of a Message Can Be Trusted

You probably already know what a firewall is—you've likely seen a physical one. The most common ones you'll come into contact with are network firewalls. These firewalls allow or deny access based on the source at the network layer, sometimes called Layer 3. A web application firewall (WAF), however, works at Layer 7, the application layer. Because this layer is closest to the user, a WAF can inspect the contents of a request and decide whether it can be trusted. AWS WAF is the web application firewall available from AWS.

The Best Way to Serve Your Content Fast Is a Content Delivery Network

There are many ways to build a website, but all of them have something in common: you need to store files and let users download them as quickly as possible. The best way to deliver content around the world with AWS is CloudFront. This service is a content delivery network, distributing your files to hundreds of data centers, which serve content to users directly. CloudFront provides a gateway to most AWS services and even arbitrary HTTP endpoints.


According to OWASP, Injection Is the Most Critical Security Risk to Web Applications

OWASP is a nonprofit foundation. It helps people like you and me understand and tackle complex security issues. OWASP periodically updates a list of the top 10 most critical security risks to web applications. Injection is normally in the top three, and since 2017 it has been number one.

Providing Protection for the GeoJS API Using AWS WAF

The rest of this post will provide instructions on how to configure AWS CloudFront with a WAF using an origin of the GeoJS API. This API provides geolocation lookup and is free to use, which makes it a great API to test against.

1) Create an AWS WAF to Guard Against Injection Attacks

First, log in to the AWS console and go to the AWS WAF homepage. The screenshot below shows the welcome page.

AWS WAF

Press the orange Create web ACL button.

2) Give Your CloudFront WAF Web ACL a Name

Add the following to the Create web ACL (access control list) wizard:

  • Name: injection_acl
  • Resource type: CloudFront distributions

Press the orange Next button to go to the next page of the wizard. The screenshot below shows these values input into page one of the wizard.

WAF Web ACL

3) Add a Web ACL Rule to Block Injection Attacks

The second page of the wizard adds the protection against injection attacks. Click the Add rules dropdown and select Add managed rule groups. The screenshot below shows page two of the wizard with the option to add managed rule groups.

Web ACL Rule

Open the AWS managed rule groups menu and scroll down to the SQL database option. Toggle Add to web ACL. Lastly, press the orange Add rules button. Using an AWS managed rule group means you're up to date with the latest SQL injection rules automatically. The below image shows the location of the SQL database rule group.

Web ACL Rule

Press Next again to go to the third step in the wizard.

4) Rule Priority Is the Order That Rules Are Evaluated In

The third step in the wizard is rule priority. This is the order in which rules are evaluated. As there is only one rule, press the Next button. The screenshot below shows the Set rule priority step.

Rule Priority

5) Metrics Allow You to Monitor Web Requests

The fourth step in the wizard is to configure metrics. Metrics allow you to monitor web requests, web ACLs, and rules. Leave the default selections and press the Next button. The following image shows the default options for the Configure metrics step.

Configure Metrics

6) Review and Create a Web ACL

The final step is to review your web ACL. If you followed the above steps, you can press the Create web ACL button. The image below shows a section of the Review and create web ACL step.

Review and Create a Web ACL

You now have a web ACL. You can use this web ACL in the following section.

7) Create a CloudFront Distribution With GeoJS API as Origin

If you followed the previous section on creating an AWS WAF Web ACL, you're now ready to create an AWS CloudFront distribution with the GeoJS API as the origin. First, go to the CloudFront homepage. The below image shows the homepage with your current distributions. If you don't already have any distributions, you'll see a welcome screen.

Create a CloudFront Distribution

Press the orange Create distribution button. This will redirect you to the creation wizard.

8) Create Distribution Wizard

Next, enter the following into the Create distribution wizard page:

  • Origin domain: get.geojs.io
  • Protocol: HTTPS only
  • Minimum origin SSL protocol: TLSv1.2
  • AWS WAF web ACL: injection_acl (the Web ACL we created earlier in this post)

Press the orange Create distribution button.

The following image shows the first three inputs into the Create distribution wizard page. The dropdown to add the WAF is further down the page.

Create Distribution Wizard

Congratulations! You now have a WAF protecting a CloudFront distribution.

WAF protecting a CloudFront distribution
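Steps 1 through 8 above are console clicks; the same web ACL and attachment can be scripted. This is an added example, not the post's own code: it assumes boto3 is installed with AWS credentials configured, and the distribution ID is a placeholder you supply. The request dictionary mirrors the wizard choices (CloudFront scope, default allow, the SQL database managed rule group).

```python
WEB_ACL_NAME = "injection_acl"

def build_web_acl_request(name=WEB_ACL_NAME):
    """Request body for wafv2.create_web_acl matching the wizard (steps 2-5)."""
    return {
        "Name": name,
        "Scope": "CLOUDFRONT",
        # Requests that match no rule are allowed; only the rule group blocks.
        "DefaultAction": {"Allow": {}},
        "Rules": [{
            "Name": "AWS-AWSManagedRulesSQLiRuleSet",
            "Priority": 0,  # step 4: the only rule, so it is evaluated first
            "Statement": {"ManagedRuleGroupStatement": {
                "VendorName": "AWS",
                "Name": "AWSManagedRulesSQLiRuleSet",  # "SQL database" group
            }},
            # Managed rule groups take OverrideAction instead of Action;
            # "None" keeps the group's own block/count decisions.
            "OverrideAction": {"None": {}},
            "VisibilityConfig": {  # step 5: default metrics switched on
                "SampledRequestsEnabled": True,
                "CloudWatchMetricsEnabled": True,
                "MetricName": "AWS-AWSManagedRulesSQLiRuleSet",
            },
        }],
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }

def create_web_acl(name=WEB_ACL_NAME):
    """Create the web ACL and return its ARN (what CloudFront references)."""
    import boto3  # imported here so the module loads without boto3
    # Web ACLs with CLOUDFRONT scope must be created in us-east-1.
    wafv2 = boto3.client("wafv2", region_name="us-east-1")
    resp = wafv2.create_web_acl(**build_web_acl_request(name))
    return resp["Summary"]["ARN"]

def attach_to_distribution(distribution_id, web_acl_arn):
    """Step 8's 'AWS WAF web ACL' dropdown, for an existing distribution."""
    import boto3
    cf = boto3.client("cloudfront")
    current = cf.get_distribution_config(Id=distribution_id)
    config = current["DistributionConfig"]
    config["WebACLId"] = web_acl_arn  # WAFv2 ACLs are referenced by ARN
    cf.update_distribution(Id=distribution_id, IfMatch=current["ETag"],
                           DistributionConfig=config)
```

Call `attach_to_distribution("<YOUR_DISTRIBUTION_ID>", create_web_acl())` once the distribution exists; the ETag round-trip in the last function is what CloudFront requires for any config update.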

9) Verify the CloudFront Distribution Works

The CloudFront homepage now contains the new distribution. Copy the Domain name for the distribution with the origin get.geojs.io. The image below shows the row in the table for my distribution. Your Domain name will be different.

Verify the CloudFront Distribution Works

To verify the CloudFront distribution works, add /v1/ip/country.json to the Domain name. For example, for my distribution, this would be https://de6odi519cua3.cloudfront.net/v1/ip/country.json. Pasting this URL into my browser gives the below output. You'll get different values in the response, but the format will be the same.

Verify the CloudFront Distribution Works

10) Check the WAF Rules Are Triggered When Simulating an Injection Attack

To check that the WAF is working, simulate an SQL injection attack. The specific attack string chosen comes from example three of the OWASP SQL injection page.

If successful, this attack would allow you to run arbitrary database commands—which is really bad!

Add ?itemName=%22name%27);%20DELETE%20FROM%20items;%20--%22 to the base URL. In my example, that would be https://de6odi519cua3.cloudfront.net/v1/ip/country.json?itemName=%22name%27);%20DELETE%20FROM%20items;%20--%22.

The image below shows the error when your WAF blocks communication to your API.

WAF blocks communication to your API

Return to the AWS WAF console for CloudFront rules and select injection_acl. The image below shows that the URL with the attack was blocked because of the AWS managed rule AWS#AWSManagedRulesSQLiRuleSet#SQLi_QUERYARGUMENTS.
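The console shows one sampled request at a time; with WAF logging enabled you can inspect every block the same way from the log records. This is an added example, not the post's own code: the two log lines are constructed, trimmed to the fields used, and follow the AWS WAF JSON log format as I know it (check the field names against your own logs). It composes the same vendor#group#rule label the console displays.

```python
import json
from urllib.parse import unquote

# Constructed sample: one allowed request, then the blocked test request
# from this post, in AWS WAF JSON-lines log format (fields trimmed).
SAMPLE_WAF_LOG = "\n".join([
    json.dumps({
        "timestamp": 1631800000000, "action": "ALLOW",
        "terminatingRuleId": "Default_Action", "terminatingRuleType": "REGULAR",
        "ruleGroupList": [],
        "httpRequest": {"clientIp": "203.0.113.10",
                        "uri": "/v1/ip/country.json", "args": ""},
    }),
    json.dumps({
        "timestamp": 1631800001000, "action": "BLOCK",
        "terminatingRuleId": "AWS-AWSManagedRulesSQLiRuleSet",
        "terminatingRuleType": "MANAGED_RULE_GROUP",
        "ruleGroupList": [{
            "ruleGroupId": "AWS#AWSManagedRulesSQLiRuleSet",
            "terminatingRule": {"ruleId": "SQLi_QUERYARGUMENTS", "action": "BLOCK"},
        }],
        "httpRequest": {"clientIp": "203.0.113.10", "uri": "/v1/ip/country.json",
                        "args": "itemName=%22name%27);%20DELETE%20FROM%20items;%20--%22"},
    }),
])

def blocked_requests(log_text):
    """Yield one summary per BLOCK record: which rule fired, on what request."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("action") != "BLOCK":
            continue
        # Default to the terminating rule id; refine to vendor#group#rule when
        # a managed rule group supplied the blocking rule.
        label = rec["terminatingRuleId"]
        for group in rec.get("ruleGroupList", []):
            rule = group.get("terminatingRule") or {}
            if rule.get("action") == "BLOCK":
                label = f"{group['ruleGroupId']}#{rule['ruleId']}"
        req = rec["httpRequest"]
        yield {"client_ip": req["clientIp"], "uri": req["uri"],
               "args": unquote(req.get("args", "")),  # decoded for readability
               "rule": label}

def block_counts(log_text):
    """Blocks per rule label, the number you would chart from these logs."""
    counts = {}
    for b in blocked_requests(log_text):
        counts[b["rule"]] = counts.get(b["rule"], 0) + 1
    return counts
```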

How to Use CloudFront and AWS WAF Together to Protect Against SQL Injection Attacks

This post explains how to use CloudFront and AWS WAF together to protect against SQL injection attacks. Injection is the number one critical risk for web applications according to OWASP. Setting up AWS WAF with AWS managed rules means less maintenance, because you don't have to update the WAF yourself for each new vulnerability. You connect the AWS WAF web ACL in the CloudFront distribution wizard when creating a new distribution. After configuring both services, you can test that the WAF blocks incoming SQL injection attacks before they reach your application.


This guide only deals with one type of vulnerability, SQL injection. It's a good idea to guard against all the critical risks for web applications according to OWASP. This will depend on how your application is written. For example, if your app doesn't use an SQL database, then protecting against these attacks is pointless! Use your own judgment to decide which rules are best. In addition to the AWS managed rules, there are many third-party rule groups, and you can even make your own.

If this sounds complicated and like a lot of work, it is. To avoid having to set up and manage security for your web applications yourself, take a look at Traceable AI. Traceable AI not only automatically protects your web applications from the OWASP (web) top 10 attacks, but it also uses AI to protect your application's APIs, all without you needing to be the expert.

This post was written by Peter Grainger. Peter is a senior engineer at Sage with over 10 years of experience in diverse industries such as satellite communications, public sector, and finance. He’s content to automate himself out of most jobs and is happiest deleting code rather than writing more. Peter has deep knowledge of Java, JavaScript, Node, MongoDB, and GitLab.
