# Automatically deploy a single web access control list that filters web-based attacks with Security Automations on AWS WAF
<a name="solution-overview"></a>

The Security Automations for AWS WAF solution deploys a set of preconfigured rules to help you protect your applications from common web exploits. This solution’s core service, [AWS WAF](https://aws.amazon.com/waf/), helps protect web applications from attack techniques that can affect application availability, compromise security, or consume excessive resources. You can use AWS WAF to define customizable web security rules. These rules control which traffic to allow or block to web applications and application programming interfaces (APIs) deployed on AWS resources such as [Amazon CloudFront](https://aws.amazon.com/cloudfront/) and [Application Load Balancer](https://aws.amazon.com/elasticloadbalancing/applicationloadbalancer/) (ALB). For more supported resource types, see [AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) in the *AWS WAF, AWS Firewall Manager, and AWS Shield Advanced Developer Guide*.

Configuring AWS WAF rules can be challenging and burdensome to large and small organizations alike, especially for those who don’t have dedicated security teams. To simplify this process, the Security Automations for AWS WAF solution automatically deploys a single web access control list (ACL) with a set of AWS WAF rules designed to filter common web-based attacks. During initial configuration of this solution’s [AWS CloudFormation](https://aws.amazon.com/cloudformation/) template, you can specify which protective features to include. After you deploy this solution, AWS WAF inspects web requests to your existing CloudFront distribution(s) or ALB(s), and blocks them when applicable.

 **A CloudFormation template deploys a web ACL with AWS WAF filtering rules.** 

![Configuration web ACL](http://docs.aws.amazon.com/solutions/latest/security-automations-for-aws-waf/images/configuration-web-acl.png)


This implementation guide discusses architectural considerations, configuration steps, and operational best practices for deploying this solution in the Amazon Web Services (AWS) Cloud. It includes links to CloudFormation templates that launch, configure, and run the AWS security, compute, storage, and other services required to deploy this solution on AWS, using AWS best practices for security and availability.

The information in this guide assumes working knowledge of AWS services such as AWS WAF, CloudFront, ALBs, and [AWS Lambda](https://aws.amazon.com/lambda/). It also requires basic knowledge of common web-based attacks and mitigation strategies.

**Note**  
As of version 3.0.0, this solution supports the latest version of the AWS WAF service API ([AWS WAFV2](https://docs.aws.amazon.com/waf/latest/APIReference/Welcome.html)).

This guide is intended for IT managers, security engineers, DevOps engineers, developers, solutions architects, and website administrators.

**Note**  
We recommend using this solution as a starting point for implementing AWS WAF rules. You can customize the [source code](https://github.com/aws-solutions/aws-waf-security-automations), add new custom rules, and leverage more [AWS WAF managed rules](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html) based on your needs.

Use this navigation table to quickly find answers to these questions:


| If you want to . . . | Read . . . | 
| --- | --- | 
|  Know the cost for running this solution. The total cost for running this solution depends on the protection activated and the amount of data ingested, stored, and processed.  |   [Cost](cost.md)   | 
|  Understand the security considerations for this solution.  |   [Security](security.md)   | 
|  Know which AWS Regions are supported for this solution.  |   [Supported AWS Regions](plan-your-deployment.md#supported-aws-regions)   | 
|  View or download the CloudFormation template included in this solution to automatically deploy the infrastructure resources (the "stack") for this solution.  |   [AWS CloudFormation template](aws-cloudformation-templates.md)   | 
|  Use Support to help you deploy, use, or troubleshoot the solution.  |   [Support](contact-aws-support.md)   | 
|  Access the source code and optionally use the AWS Cloud Development Kit (AWS CDK) to deploy the solution  |   [GitHub repository](https://github.com/aws-solutions/aws-waf-security-automations/)   | 

# Features and benefits
<a name="features-and-benefits"></a>

The Security Automations for AWS WAF solution provides the following features and benefits.

## Secure your web applications with AWS Managed Rules rule groups
<a name="secure-web-apps"></a>

 [AWS Managed Rules for AWS WAF](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups.html) provides protection against common application vulnerabilities or other unwanted traffic. This solution includes [AWS Managed IP reputation rule groups](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-ip-rep.html), [AWS Managed baseline rule groups](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-baseline.html) and [AWS Managed use-case specific rule groups](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-use-case.html). You have the option of selecting one or more rule groups for your web ACL, up to the maximum web ACL capacity unit (WCU) quota.

## Provide layer 7 flood protection with predefined HTTP Flood custom rule
<a name="layer-7"></a>

The **HTTP Flood** custom rule protects against a web-layer Distributed Denial-of-Service (DDoS) attack for a customer-defined period of time. You can choose one of these options to activate this rule:
+ AWS WAF rate-based rule
+ Lambda log parser
+  [Amazon Athena](https://aws.amazon.com/athena/) log parser

The Lambda log parser and Athena log parser options allow you to define a request quota of less than 100, which is useful when the threshold you need is below the minimum that AWS WAF [rate-based rules](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-rate-based.html) accept. For more information, see [Log parser options](log-parser-options.md).

You can also enhance the Athena log parser by adding a country and Uniform Resource Identifier (URI) to filtering conditions. This approach identifies and blocks HTTP flood attacks that have unpredictable URI patterns. For more information, refer to [Use country and URI in HTTP Flood Athena log parser](use-country-and-uri-in-http-flood-athena-log-parser.md).

## Block exploitation of vulnerabilities with predefined Scanners & Probes custom rule
<a name="block-with-scanners-and-probes"></a>

The **Scanners & Probes** custom rule parses application access logs searching for suspicious behavior, such as an abnormal number of errors returned by an origin. It then blocks those suspicious source IP addresses for a customer-defined period of time. You can choose one of these options to activate this rule: Lambda log parser or Athena log parser. For more information, see [Log parser options](log-parser-options.md).
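The following block is an added example and is not code from the Security Automations for AWS WAF solution. It shows, offline, the kind of per-source counting that the Lambda and Athena log parsers perform for both the **HTTP Flood** rule (requests per client IP in AWS WAF logs, with a threshold below the 100-request minimum of a rate-based rule, optionally grouped by country and URI as in the Athena enhancement) and the **Scanners & Probes** rule (4xx/5xx responses per client IP in ALB access logs). The thresholds, window length, IP addresses, and log lines are constructed assumptions chosen for illustration; the log field layouts follow the AWS WAF JSON and ALB access log formats.

```python
"""Added example (not the solution's own code): windowed per-source counting of the
kind the HTTP Flood and Scanners & Probes log parsers perform, replayed over
constructed AWS WAF JSON records and ALB access log lines."""
import json
import shlex
from collections import defaultdict
from datetime import datetime, timezone

# Assumed thresholds. The flood threshold is deliberately below the 100-request
# minimum an AWS WAF rate-based rule accepts, which is why a log parser is used.
FLOOD_WINDOW_S, FLOOD_THRESHOLD = 60, 5
ERROR_WINDOW_S, ERROR_THRESHOLD = 60, 4


def exceeds_rate(events, window_seconds, threshold):
    """events: iterable of (key, epoch_seconds). Return {key: peak} for every key
    whose event count inside some window_seconds-long span reaches threshold."""
    by_key = defaultdict(list)
    for key, ts in events:
        by_key[key].append(ts)
    offenders = {}
    for key, times in by_key.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window_seconds:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[key] = peak
    return offenders


def waf_events(lines, group_by=("clientIp",)):
    """One event per AWS WAF log record (JSON, timestamp in epoch milliseconds).
    group_by picks httpRequest fields for the key: ("clientIp",) counts per source;
    ("clientIp", "country", "uri") is the finer grouping the Athena parser can use."""
    for line in lines:
        rec = json.loads(line)
        req = rec["httpRequest"]
        yield tuple(req[f] for f in group_by), rec["timestamp"] / 1000


def alb_error_events(lines):
    """One event per ALB access log entry whose ELB status code is 4xx/5xx."""
    for line in lines:
        f = shlex.split(line)                  # quoted request/user-agent fields stay whole
        ts = datetime.strptime(f[1], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        client_ip = f[3].rsplit(":", 1)[0]     # strip ":port"; also correct for IPv6 clients
        if int(f[8]) >= 400:                   # index 8 is elb_status_code
            yield (client_ip,), ts.timestamp()


# ---- constructed sample data (not real traffic) --------------------------------
BASE_MS = 1_714_564_800_000  # 2024-05-01T12:00:00Z


def _waf_record(ts_ms, ip, country, uri):
    # Minimal AWS WAF log record shape; real records carry more fields.
    return json.dumps({"timestamp": ts_ms, "action": "ALLOW",
                       "httpRequest": {"clientIp": ip, "country": country,
                                       "uri": uri, "httpMethod": "POST"}})


WAF_LOG_LINES = [_waf_record(BASE_MS + i * 8_000, "198.51.100.7", "NL", "/login") for i in range(6)]
WAF_LOG_LINES += [_waf_record(BASE_MS + 5_000, "203.0.113.9", "US", "/"),
                  _waf_record(BASE_MS + 70_000, "203.0.113.9", "US", "/login")]


def _alb_line(second, client_ip, status, path):
    # Field order follows the ALB access log format through user_agent; the trailing
    # fields are omitted from this constructed sample because only indexes <= 8 are read.
    return (f"https 2024-05-01T12:00:{second:02d}.000000Z app/my-alb/50dc6c495c0c9188 "
            f"{client_ip}:51234 10.0.0.5:80 0.000 0.001 0.000 {status} {status} 120 570 "
            f'"GET https://www.example.com:443{path} HTTP/1.1" "Mozilla/5.0"')


ALB_LOG_LINES = [
    _alb_line(1, "192.0.2.44", 404, "/wp-login.php"),
    _alb_line(2, "203.0.113.9", 200, "/index.html"),
    _alb_line(3, "192.0.2.44", 404, "/.env"),
    _alb_line(6, "192.0.2.44", 403, "/phpmyadmin/"),
    _alb_line(9, "192.0.2.44", 404, "/admin"),
    _alb_line(12, "192.0.2.44", 404, "/.git/config"),
    _alb_line(20, "203.0.113.9", 404, "/missing"),
    _alb_line(30, "2001:db8::17", 200, "/"),
]


def http_flood_offenders(lines=WAF_LOG_LINES, group_by=("clientIp",)):
    return exceeds_rate(waf_events(lines, group_by), FLOOD_WINDOW_S, FLOOD_THRESHOLD)


def scanner_offenders(lines=ALB_LOG_LINES):
    return exceeds_rate(alb_error_events(lines), ERROR_WINDOW_S, ERROR_THRESHOLD)


if __name__ == "__main__":
    print("HTTP flood:", http_flood_offenders())
    print("HTTP flood (ip, country, uri):", http_flood_offenders(group_by=("clientIp", "country", "uri")))
    print("Scanners & probes:", scanner_offenders())
```

In the solution the offending keys end up in an AWS WAF IP set that the web ACL blocks for the configured period; here they are only returned. Note that counting by `(clientIp, country, uri)` only flags a source that hammers one URI, so an attacker rotating URIs is caught by the per-IP grouping and not by the finer one, which is why both are useful.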

## Detect and deflect intrusion with predefined Bad Bot custom rule
<a name="detect-and-deflect"></a>

The **Bad Bot** custom rule sets up a honeypot endpoint, which is a security mechanism intended to lure and deflect an attempted attack. You can insert the endpoint in your website to detect inbound requests from content scrapers and bad bots. Once detected, any subsequent requests from the same origins will be blocked. For more information, see [Embed the Honeypot link in your web application](embed-the-honeypot-link-in-your-web-application-optional.md).

## Block malicious IP addresses with predefined IP reputations lists custom rule
<a name="block-ip"></a>

The **IP reputation lists** custom rule checks third-party IP reputation lists hourly for new IP ranges to block. These lists include the [Spamhaus](https://www.spamhaus.org/drop/) Don’t Route Or Peer (DROP) and Extended DROP (EDROP) lists, the Proofpoint [Emerging Threats IP list](https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt), and the [Tor exit node list](https://check.torproject.org/exit-addresses).

## Provide manual IP configuration with predefined allowed and denied IP lists custom rule
<a name="manual-ip"></a>

The **allowed and denied IP lists** custom rules allow you to manually insert IP addresses that you want to allow or deny. You can also configure [IP retention on Allowed and Denied IP lists](configure-ip-retention-on-allowed-and-denied-aws-waf-ip-sets.md) to expire IPs at a set time.

## Build your own monitoring dashboard
<a name="dashboard-ip"></a>

This solution emits [Amazon CloudWatch](https://aws.amazon.com/cloudwatch/) metrics such as allowed requests, blocked requests, and other relevant metrics. You can build a customized dashboard to visualize these metrics and gain insights into the pattern of attacks and protection provided by AWS WAF. For more information, refer to [Build monitoring dashboard](build-monitoring-dashboard.md).

# Use cases
<a name="use-cases"></a>

The following are example use cases for using this solution. You can customize this solution in innovative ways that aren’t limited to this list.

 **Automate the setup of AWS WAF rules** 

AWS WAF protects your web application from common attacks; however, setting up AWS WAF rules can be complicated and time consuming. To help you, this solution automatically deploys a set of AWS WAF rules into your account with a CloudFormation template. This way, you don’t need to configure AWS WAF rules yourself, and you can get started with AWS WAF faster.

 **Customize layer 7 HTTP Flood protection** 

This solution provides three options to activate HTTP Flood protection. You can select the option that fits your needs to gain protection against DDoS attacks. For more information, see **Provide layer 7 flood protection with predefined HTTP Flood custom rule** in [Features and benefits](features-and-benefits.md).

 **Leverage the source code for applying customization or building your own security automations** 

This solution provides an example for how to use AWS WAF and other services to build security automations on the AWS Cloud. Its [open source code in GitHub](https://github.com/aws-solutions/aws-waf-security-automations) makes it convenient for you to apply customizations or build your own security automations that fit your needs.

# Concepts and definitions
<a name="concepts-and-definitions"></a>

This section describes key concepts and defines terminology specific to this solution.

 **ALB logs** 

This solution uses logs for the ALB resource. The **Scanner & Probe Protection** rule in this solution inspects these logs.

 **Athena log parser** 

Amazon Athena is a serverless, interactive analytics service built on open-source frameworks that supports open-table and file formats. This solution runs a scheduled Athena query to inspect AWS WAF, CloudFront, or ALB logs if you choose `yes - Amazon Athena log parser` when activating the **HTTP Flood Protection** rule or the **Scanner & Probe Protection** rule.

 **AWS WAF rule** 

An AWS WAF rule defines:
+ How to inspect HTTP(S) web requests
+ The action to take on a request when it matches the inspection criteria

You define rules only in the context of a rule group or web ACL.

 **CloudFront logs** 

This solution uses logs for the CloudFront resource. The **Scanner & Probe Protection** rule in this solution inspects these logs.

 **IP set** 

An IP set provides a collection of IP addresses and IP address ranges that you want to use together in a rule statement. IP sets are AWS resources.

 **Lambda log parser** 

This solution runs a Lambda function invoked by an [Amazon Simple Storage Service](https://aws.amazon.com/s3/) (Amazon S3) object create [event](https://docs.aws.amazon.com/AmazonS3/latest/userguide/NotificationHowTo.html). The Lambda function inspects AWS WAF, CloudFront, or ALB logs if you choose `yes - AWS Lambda log parser` when activating the **HTTP Flood Protection** rule or the **Scanner & Probe Protection** rule.
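The following block is an added example of the handler shape such an S3-triggered parser uses; it is not the solution's own Lambda function. It reads the bucket and key out of the S3 object-created notification (keys arrive URL-encoded, so a key containing a space is delivered with `+`), skips objects outside the expected log prefix, decompresses the gzipped log object, and returns the number of records it would hand to a detector. The log prefix, bucket name, key, and gzipped body are constructed assumptions, and the S3 fetch is injectable so the example runs offline.

```python
"""Added example (not the solution's own Lambda): the skeleton of a log parser
triggered by an S3 object-created notification, runnable offline."""
import gzip
import urllib.parse

LOG_PREFIX = "AWSLogs/"   # assumed: where the log delivery writes objects in the bucket


def s3_objects_from_event(event):
    """Yield (bucket, key) for each ObjectCreated record. The key in the notification
    is URL-encoded ('+' for spaces, %XX escapes), so decode it before using it."""
    for rec in event.get("Records", []):
        if not rec.get("eventName", "").startswith("ObjectCreated"):
            continue
        bucket = rec["s3"]["bucket"]["name"]
        key = urllib.parse.unquote_plus(rec["s3"]["object"]["key"])
        yield bucket, key


def parse_log_object(raw):
    """Decompress a gzipped log object and return its non-empty lines."""
    return [ln for ln in gzip.decompress(raw).decode("utf-8").splitlines() if ln.strip()]


def handler(event, context=None, fetch=None):
    """Lambda entry point. `fetch(bucket, key) -> bytes` defaults to S3 and is
    injectable for offline use. Returns {key: record_count} for processed objects."""
    fetch = fetch or _fetch_from_s3
    processed = {}
    for bucket, key in s3_objects_from_event(event):
        if not key.startswith(LOG_PREFIX) or not key.endswith(".gz"):
            continue  # ignore unrelated objects written to the same bucket
        processed[key] = len(parse_log_object(fetch(bucket, key)))
    return processed


def _fetch_from_s3(bucket, key):
    import boto3  # only needed inside Lambda; kept out of module import for offline runs
    return boto3.client("s3").get_object(Bucket=bucket, Key=key)["Body"].read()


# ---- constructed sample: a gzipped log object and the notification S3 would send ----
SAMPLE_BUCKET = "example-log-bucket"
SAMPLE_KEY = "AWSLogs/123456789012/elasticloadbalancing/us-east-1/2024/05/01/my log.gz"
SAMPLE_BODY = gzip.compress(b"line one\nline two\n\nline three\n")
SAMPLE_EVENT = {"Records": [
    {"eventName": "ObjectCreated:Put",
     "s3": {"bucket": {"name": SAMPLE_BUCKET},
            "object": {"key": urllib.parse.quote_plus(SAMPLE_KEY, safe="/")}}},
    {"eventName": "ObjectCreated:Put",
     "s3": {"bucket": {"name": SAMPLE_BUCKET},
            "object": {"key": "other/notes.txt"}}},
]}


def sample_fetch(bucket, key):
    """Stand-in for S3 that serves the constructed object only."""
    if (bucket, key) != (SAMPLE_BUCKET, SAMPLE_KEY):
        raise KeyError(f"unexpected object {bucket}/{key}")
    return SAMPLE_BODY


if __name__ == "__main__":
    print(handler(SAMPLE_EVENT, fetch=sample_fetch))
```

Filtering on the key prefix and suffix matters in practice: anything that can write to the log bucket can otherwise trigger the parser, and forgetting to decode the key makes every object whose name contains a space or special character fail to fetch.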

 **Managed rule groups** 

Managed rule groups are collections of predefined, ready-to-use rules that AWS and AWS Marketplace sellers write and maintain for you. [AWS WAF Pricing](https://aws.amazon.com/waf/pricing/) applies to your use of any managed rule group.

 **resource/endpoint type** 

You can associate AWS resources with web ACLs to protect them. These resources are CloudFront, ALB, [AWS AppSync](https://aws.amazon.com/appsync/), [Amazon Cognito](https://aws.amazon.com/cognito/), [AWS App Runner](https://aws.amazon.com/apprunner/), and [AWS Verified Access](https://aws.amazon.com/verified-access/) resources. Currently, this solution supports CloudFront and ALB.

 **WAF logs** 

This solution uses logs generated by AWS WAF for the resources associated with the web ACL. The **HTTP Flood Protection** rule for this solution inspects these logs.

 **WCU** 

AWS WAF uses web access control list (ACL) capacity units (WCUs) to calculate and control the operating resources that are required to run your rules, rule groups, and web ACLs. AWS WAF enforces WCU quotas when you configure your rule groups and web ACLs. WCUs don’t affect how AWS WAF inspects web traffic.

 **web ACL** 

A web ACL gives you fine-grained control over the HTTP(S) web requests that your protected resource responds to.

**Note**  
For a general reference of AWS terms, see the [AWS Glossary](https://docs.aws.amazon.com/general/latest/gr/glos-chap.html).