le-tf-infra-aws
Feature | Security: Support Security Automations for AWS WAF
Describe the Feature
Add an extra layer of automation for attack defense and mitigation by combining the AWS WAF service with components that dynamically update rules based on detected attack patterns/anomalies. While there are different levels/complexities of WAF automation to address, this functionality needs to be incorporated/supported.
This issue could then be evaluated and split into smaller ones for each available automation, but that requires more in-depth research and a proof of concept to find the optimal implementation path.
Expected Behavior
Complement AWS WAF managed rules with mechanisms that dynamically update IP reputation lists, block malicious IPs by adding them to denied/allowed lists, and detect and deflect DDoS attempts and bot attacks.
Use Case
Depending on the architecture, implementation and regulatory requirements that the platform/infrastructure must meet (e.g. compliance requirements, PCI, etc.), we may require different levels and complexities in the solution to be designed.
These automations are intended for architectures that have strong internet exposure and/or must pass security/compliance audits, relying on the best practices and services made available by
Describe Ideal Solution
A complete and complex solution can be found in the following article, which presents a very detailed service-to-service diagram and explains in general terms the purpose of each rule-based automation available for AWS WAF. It also provides a cost estimate for different implementations and a reference to a CloudFormation stack (it should be noted that the stack would only serve as a reference, since the implementation is intended to be done entirely with Terraform).
- Security Automations for AWS WAF
- Cost estimate: https://docs.aws.amazon.com/solutions/latest/security-automations-for-aws-waf/cost.html
- CloudFormation code reference: https://github.com/aws-solutions/aws-waf-security-automations
Figure: Security Automations for AWS WAF | Version 3.2.3 | Last updated: 12/2022 | Author: AWS (for reference only). Source: "AWS Solution overview: Security Automations for AWS WAF", AWS Solutions Library: Security Automations for AWS WAF, accessed January 25th 2023.
It should be possible to activate this new functionality from the AWS WAF module via boolean flags, without requiring a separate or segmented component deployment.
Alternatives Considered
There may be more reduced/limited versions for each attack/mitigation case and for dynamic rule updates. This will also depend on our base architecture; for example, we may or may not be using a CloudFront distribution, which requires activating/deploying other types of services in order to obtain the automated mechanisms.
- Limited automation alternative: IP retention on Allowed/Denied WAF IP sets
- How to use Amazon GuardDuty and AWS Web Application Firewall to automatically block suspicious hosts
- Automate Threat Mitigation Using AWS WAF and Amazon GuardDuty
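The core of both the "Expected Behavior" item (dynamically adding malicious IPs to a denied list) and the alternatives listed above (IP retention on WAF IP sets, GuardDuty-driven blocking) is a small reconciliation loop: take remote addresses out of findings, skip anything the allowed list covers, keep each denied address only for a retention window, and write the resulting list to the WAFv2 IP set. The block below is an added example written for this issue, not code from the le-tf-infra-aws repository or from the AWS solution. It assumes the retention table is a plain dict (the AWS solution keeps it in DynamoDB), that the GuardDuty finding is a constructed sample containing only the fields read here, and that `client` follows the boto3 `wafv2` `get_ip_set`/`update_ip_set` call shape, so a real `boto3.client("wafv2")` could replace the in-memory `FakeWafClient` double; the IP set name, scope and id are placeholders.

```python
"""Denylist IP set maintenance with retention for AWS WAFv2.

Added example, not code from the le-tf-infra-aws repository or the AWS solution.
Assumptions: the retention table (CIDR -> expiry epoch) is a plain dict (the AWS
solution keeps it in DynamoDB); `client` follows the boto3 wafv2 get_ip_set /
update_ip_set call shape, so a real boto3.client("wafv2") can be passed instead of
the in-memory double used here; name/scope/id of the IP set are placeholders.
"""
import ipaddress

# Constructed GuardDuty-style finding; only the fields this example reads are present.
SAMPLE_FINDING = {
    "type": "Recon:EC2/PortProbeUnprotectedPort",
    "service": {
        "action": {
            "actionType": "PORT_PROBE",
            "portProbeAction": {
                "portProbeDetails": [
                    {"remoteIpDetails": {"ipAddressV4": "203.0.113.7"}},
                    {"remoteIpDetails": {"ipAddressV4": "198.51.100.20"}},
                ]
            },
        }
    },
}


def to_cidr(address):
    """Normalise a bare IP or CIDR to the /32 or /128 form WAF IP sets require."""
    return str(ipaddress.ip_network(address, strict=False))


def extract_remote_ips(finding):
    """Pull remote IPv4 addresses from the networkConnectionAction / portProbeAction blocks."""
    action = finding.get("service", {}).get("action", {})
    ips = []
    conn = action.get("networkConnectionAction", {}).get("remoteIpDetails", {})
    if conn.get("ipAddressV4"):
        ips.append(conn["ipAddressV4"])
    for probe in action.get("portProbeAction", {}).get("portProbeDetails", []):
        ip = probe.get("remoteIpDetails", {}).get("ipAddressV4")
        if ip:
            ips.append(ip)
    return ips


def apply_detections(retention, detections, allowlist, retention_seconds, now):
    """Add detected addresses (unless allowlisted), refresh repeat offenders, drop expired ones.
    Returns the sorted address list the denylist IP set should hold."""
    allowed = [ipaddress.ip_network(a, strict=False) for a in allowlist]
    for addr in detections:
        net = ipaddress.ip_network(addr, strict=False)
        if any(net.subnet_of(a) for a in allowed if net.version == a.version):
            continue  # never deny something the allowed list covers
        retention[str(net)] = now + retention_seconds  # repeat offender: expiry refreshed
    for cidr in [c for c, exp in retention.items() if exp <= now]:
        del retention[cidr]
    return sorted(retention)


def sync_ip_set(client, name, scope, ip_set_id, addresses):
    """Write the desired list only when it differs, passing the LockToken from the read."""
    current = client.get_ip_set(Name=name, Scope=scope, Id=ip_set_id)
    if sorted(current["IPSet"]["Addresses"]) == list(addresses):
        return False
    client.update_ip_set(Name=name, Scope=scope, Id=ip_set_id,
                         Addresses=list(addresses), LockToken=current["LockToken"])
    return True


class FakeWafClient:
    """In-memory stand-in for boto3 wafv2, covering only the two calls used above."""

    def __init__(self, addresses=()):
        self.addresses = list(addresses)
        self.token = 0

    def get_ip_set(self, Name, Scope, Id):
        return {"IPSet": {"Addresses": list(self.addresses)}, "LockToken": str(self.token)}

    def update_ip_set(self, Name, Scope, Id, Addresses, LockToken):
        assert LockToken == str(self.token), "stale LockToken"
        self.addresses = list(Addresses)
        self.token += 1
        return {"NextLockToken": str(self.token)}


def run_cycle(client, retention, findings, allowlist, retention_seconds, now):
    """One scheduler tick: ingest findings, expire old entries, reconcile the IP set."""
    detections = [ip for f in findings for ip in extract_remote_ips(f)]
    desired = apply_detections(retention, detections, allowlist, retention_seconds, now)
    changed = sync_ip_set(client, "denylist", "REGIONAL", "placeholder-id", desired)
    return desired, changed


if __name__ == "__main__":
    waf = FakeWafClient()
    table = {}
    print(run_cycle(waf, table, [SAMPLE_FINDING], ["198.51.100.0/24"], 3600, now=1000))
    print(run_cycle(waf, table, [], ["198.51.100.0/24"], 3600, now=5000))
```

Two design points matter for the Terraform-driven version: the allowed list is checked before anything is written, so an operator-managed allowed IP set always wins over automated denials, and the IP set is only rewritten when the computed list differs, which keeps the optimistic `LockToken` update from racing with other writers on every tick.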