# AWS Web Application Firewall

> AWS WAF is a web application firewall that helps protect web applications and APIs from attacks. It allows you to configure a set of rules, called a web access control list (web ACL), that allow, block, or monitor (count) web requests based on customizable web security rules and conditions that you define.

## Pricing

https://aws.amazon.com/waf/pricing/

3 standard charge units:

| Resource Type | Price |
|---|---|
| Web ACL | $5.00 per month (prorated hourly) |
| Rule | $1.00 per month (prorated hourly) |
| Request | $0.60 per 1 million requests |

Optional features:

- **Bot Control**: $10 per month subscription, $1 per million requests inspected
- **Captcha**: $0.40 per thousand challenge attempts analyzed
- **Account Takeover Protection**: $10.00 per month, $1.00 per thousand login attempts analyzed

## #OpenQuestions

- Q: What is a sensible set of ACLs to configure for an [[AWS AppSync|AppSync]] API endpoint?
  - [Core rule set (Managed Rule Group)](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-baseline.html#aws-managed-rule-groups-baseline-crs) — Standard OWASP vulnerability checks
  - [Known bad inputs (Managed Rule Group)](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-baseline.html#aws-managed-rule-groups-baseline-known-bad-inputs) — Rules to block request patterns that are known to be invalid and are associated with exploitation or discovery of vulnerabilities
  - [AWS Bot Control (Managed Rule Group)](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html) — Blocks requests from categories of bots (Note: this has an extra $10/mo subscription fee)
  - [AWSManagedIPReputationList (Managed Rule)](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-ip-rep.html)
  - Rate Limit Throttling By IP (Custom Rule) — Limits the number of allowed requests from a single IP address within a 5-minute period. Suggested value to use is 100.
- Q: What [[AWS CloudWatch|CloudWatch]] alarms should be set up based on these ACLs?
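As an added example (not from the page or from AWS), the rule set listed under the first question rendered as a WAFv2 `CreateWebACL` request body: the three baseline managed rule groups, optional Bot Control, and a rate-based rule that blocks an IP after 100 requests in WAF's default 5-minute window. The ACL name, the metric names and the `count_only` dry-run switch are assumptions for illustration; the managed rule group identifiers are the ones AWS publishes. The output can be written to a file and passed to `aws wafv2 create-web-acl --cli-input-json file://acl.json`, then attached to the AppSync API with `associate-web-acl`.

```python
"""Build a WAFv2 web ACL definition for an AppSync (REGIONAL) endpoint.

Added example. Assumed: ACL name "appsync-api-acl", the per-rule metric
names, and the count_only rollout switch. The managed rule group names are
the identifiers AWS publishes for the groups named in the notes.
"""
import json

# Managed rule groups from the notes, in evaluation order (VendorName "AWS").
MANAGED_RULE_GROUPS = [
    "AWSManagedRulesCommonRuleSet",           # core rule set: OWASP-style checks
    "AWSManagedRulesKnownBadInputsRuleSet",   # known-bad request patterns
    "AWSManagedRulesAmazonIpReputationList",  # IP reputation list
]
# Bot Control carries the extra subscription fee, so it is opt-in.
BOT_CONTROL_RULE_GROUP = "AWSManagedRulesBotControlRuleSet"

# Suggested value from the notes; WAFv2 counts requests per source IP over a
# 5-minute window by default.
RATE_LIMIT_PER_5_MIN = 100


def _visibility(metric_name):
    # CloudWatchMetricsEnabled must be True for any alarm on AWS/WAFV2 metrics.
    return {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": metric_name,
    }


def managed_rule(name, priority, count_only=False):
    """Managed rule groups take OverrideAction (not Action).
    count_only=True runs the group in Count mode for a dry-run rollout."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": name}},
        "OverrideAction": {"Count": {}} if count_only else {"None": {}},
        "VisibilityConfig": _visibility(name),
    }


def rate_limit_rule(priority, limit=RATE_LIMIT_PER_5_MIN):
    """Custom rate-based rule: block a source IP once it exceeds `limit`."""
    return {
        "Name": "RateLimitByIP",
        "Priority": priority,
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
        "Action": {"Block": {}},
        "VisibilityConfig": _visibility("RateLimitByIP"),
    }


def build_web_acl(name="appsync-api-acl", include_bot_control=False, count_only=False):
    """Return a dict shaped like the CreateWebACL API request."""
    groups = list(MANAGED_RULE_GROUPS)
    if include_bot_control:
        groups.append(BOT_CONTROL_RULE_GROUP)
    rules = [managed_rule(g, prio, count_only) for prio, g in enumerate(groups, start=1)]
    rules.append(rate_limit_rule(len(rules) + 1))  # evaluated after the managed groups
    return {
        "Name": name,
        "Scope": "REGIONAL",  # AppSync is a regional resource, not CloudFront
        "DefaultAction": {"Allow": {}},
        "Rules": rules,
        "VisibilityConfig": _visibility(name),
    }


def validate_web_acl(acl):
    """Pre-flight checks the API would otherwise reject: unique priorities,
    exactly one of Action/OverrideAction per rule, positive rate limit.
    Returns a list of problem strings (empty when the ACL looks sound)."""
    problems = []
    priorities = [r["Priority"] for r in acl["Rules"]]
    if len(priorities) != len(set(priorities)):
        problems.append("duplicate rule priorities")
    for r in acl["Rules"]:
        if ("Action" in r) == ("OverrideAction" in r):
            problems.append(f"{r['Name']}: need exactly one of Action/OverrideAction")
        rate = r["Statement"].get("RateBasedStatement")
        if rate and rate["Limit"] <= 0:
            problems.append(f"{r['Name']}: rate limit must be positive")
    return problems


if __name__ == "__main__":
    acl = build_web_acl()
    assert not validate_web_acl(acl)
    print(json.dumps(acl, indent=2))  # save as acl.json for --cli-input-json
```

The `MetricName` values set here are also the `Rule` dimension you would alarm on later (namespace `AWS/WAFV2`, metric `BlockedRequests`), so choosing them deliberately at ACL creation time feeds directly into the second question.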