AWS WAF & Shield

Question 1

What service can I have the WAF with?

Answer 1

• ELB
• CloudFront
• API GW

Question 2

Where does the WAF sit in relation to traffic?

Answer 2

It sits in front of the service (CloudFront, ELB, API GW)

Question 3

I have an EC2 instance with a public IP, I wnat to use the WAF, what would be a good option to get this to work?

Answer 3

You need to use a service in front of the EC2 as WAF dose not work with EC2 service. Yopu could use the ELB or CloudFront in fronof the EC2 and then use the WAF.

Question 4

What is a WAF ACL condition?

Answer 4

Enable you to match incoming traffic, the condition could be XSS (cross-site scripting)

Question 5

I am using an ELB and I wnat to block XSS, what options do I have?

Answer 5

You cna use a WAF with the ELB and you can create a WAF ACL Condition to match again XSS

Question 6

I am using an ELB and I wnat to block attacks coming from China, what options do I have?

Answer 6

You can use a WAF with the ELB and you can create a WAF ACL Condition to match again GEO

Question 7

I am using an API Gateway and I wnat to block attacks coming from China, what options do I have?

Answer 7

You can use a WAF with the ELB and you can create a WAF ACL Condition to match again GEO

Question 8

I am using an ELB and I wnat to block attacks coming from IP (IPv4 and IPv6), what options do I have?

Answer 8

You can use a WAF with the ELB and you can create a WAF ACL Condition to match again IP

Question 9

I am receiving a header from an attacker, this is a large header then normal, how cna I block it?

Answer 9

Yse a WAF ACL Condation to match on size

Question 10

What is a WAF ACL Rule?

Answer 10

It enables you to match again a condition, you could say dis this occurs more the 2000 times in the last 5 min, then block it.

Question 11

What is a WAF Rule Action?

Answer 11

It enables you to take and action on a WAF ACL Rule match.

Question 12

What condition is available in AWS WAF?

Answer 12

• cross site scripting xss

Question 13

My infrastructure consists of both S3 acting as an origin for static content for CF CDN and also EC2 instances behind an LB that is using the CF CDN, I wnat to block all requests form embargoed countries as part of my WF firewall, how cna I do this?

Answer 13

You can use geo matching condition in a WAF ACL

Question 14

What condition is available in AWS WAF?

Answer 14

• cross site scripting xss
• Geo match
• Size constraints
• SQL INjection
• String and regex matching.

Question 15

My infrastructure consists of both S3 acting as an origin for static content for CF CDN and also EC2 instances behind an LB that is using the CF CDN, I wnat to block all requests form embargoed countries as part of my WF firewall, how cna I do this?

Answer 15

You can use geo matching condition in a WAF ACL to create a list of countries to block. This could be automated through infrastructure as code.

Question 16

I am getting a flood of suspicious requests for accessing resources, do I use an NACL to block them?

Answer 16

No, as the word flood was used this is a DDOS situation and requires a WAF.

Question 17

What services does WAF work with?

Answer 17

Cloudfront
ELB (ALB)
API Gateway

Question 18

Is WAF in front of the services it is protecting?

Answer 18

Yes 100%, this enables it to filter the incoming traffic.

Question 19

When you associate WAF with a service like ELB what are you doing?

Answer 19

You are associating a WEB ACL to be used to filter the incoming traffic.

Question 20

What is WAF?

Answer 20

It is a layer 7 firewall thet you can place in front of services like,
- CloudFront
-ELB
- API GW
It enables you to use ACL -> Rules-> Conditions to filter traffic.

Question 21

I have a global CloudFront distribution and I wnat to filter traffic so it does not come from know bad actor? region?

Answer 21

You can create a rule thet restricts to a region and apply to CF.

Question 22

Where in the traffic from the internet to you API GW endpoint is AF applied?

Answer 22

WAF is deployed so it is at the very edge infron of you API GW or the if uses CF or ELB.

Question 23

What is a WAF ACKL?

Answer 23

A WAF ACL is a set of rules applied to the traffic.

Question 24

What are the three elements thet make up WAF?

Answer 24

• Conditions
• Rules
• ACL

Question 25

What is the rule?

Answer 25

A rule is a set of conditions.

Question 26

What is the condition?

Answer 26

A condition is used to match again incoming traffic?

Question 27

What is an ACL?

Answer 27

It is a collection of rules applied to incoming internet traffic.

Question 28

What types of conditions can I have?

Answer 28

• Rate constraints
• cross-site scripting XSS
• Geo match
• Size constraints
• SQL INjection
• String and regex matching.

Question 29

Is WAF regional or global?

Answer 29

It depends on the services it is used with>

Question 30

What is shield used for?

Answer 30

It is used to stop DDOS attacks.

Question 31

Without purchasing Shield, is there protection?

Answer 31

Yes, shield coms in two forms, standard and advanced.
Standards give you network flow monitoring, help for syn and UDP attacks.
Advanced gives you layer 7 traffic monitoring, mitigation, reporting, cost recovery, team support.

Question 32

How can I get DDOS protection on my EIP?

Answer 32

Shiels covers not just ELB, CF and API GW but also EIP.

Question 33

I have has large scale DDOS attacks in the past in my on-prem infrastructure, we recently migrated our-on prem application to AWS and I am concerned about DDOS attacks and the AWS resources cost associated with such an attack, what cna I do to mitigate this?

Answer 33

You can opt to use shield advance and this service will not just protect your resource but will recover costs associated with such an attack for the AWS resources used.

Question 34

What services does WAF work with?

Answer 34

• CloudFront
• API gateway
• ELB

Question 35

How could I use AWF in front of an EC2 instance with an EIP?

Answer 35

EC2 does not support WAF, but you cna place and ELB info for the EC2 instance.

Question 36

What is the ACL?

Answer 36

An ACL is a set of Rules, with rules been a set of conditions and condition been like, block this IP.

Question 37

What are we inspecting with a WAF ACL?

Answer 37

Parts of the HTTP request, L7.

Question 38

I wnat to block HTTPS requests form a country, I am using an API Gateway, ELB or CloudFront, how can do this?

Answer 38

You can use a WAF ACL

Question 39

I wnat to allow HTTPS requests form a country, I am using an API Gateway, ELB or CloudFront, how can do this?

Answer 39

You can use ACL to just allow HTTPS requests form a country.

Question 40

I am seeing attacks form a country, how cna I block this country form my CF?

Answer 40

You can block using WAF ACL.

Question 41

I see incoming HTTPS request form what I know ot be bad actors, how cna I filter on a query string and other HTTP elements like headers, I am using CloudFront?

Answer 41

You cna use an ACL and create a rule.

Question 42

What is OWASP top 10?

Answer 42

These are the top 10 application threats.

Question 43

I want to rate-limit traffic coming from a country how cna I do this, I am using ELB?

Answer 43

I use WAF and build a rule to rate limit based on country.

Question 44

I wnat ot get an alarm when we see bad actions coming to form a country and trying to access our web-facing application behind an ELB, how cna we do this?

Answer 44

WAF integrates with the ELB and alos with CloudWatch form monitoring, you can capture a metric and have an alarm on the metric.

Question 45

Can you create a rate limit rule in WAF?

Answer 45

Yes 100%

Question 46

What are managed rules?

Answer 46

This is where you cna use AWS or 3rs parts rules sets.

Question 47

Does WAF provide the ability to do a white and blacklist?

Answer 47

Yes 100%, ability to block (blacklist) and allow (whitelist)

Question 48

I need to be able to quickly update rules in my WAF, is AWS WAF suitable?

Answer 48

No, it can take up to 45 min to push rules out to the edge locations.

Question 49

Does WAF support IPv6?

Answer 49

Yes

Question 50

I wnat to log request info from my WAF, how can I do this?

Answer 50

WAF integrated with Kinesis Firehose, you cna push the log stream where you wnat to go, like s3.

Question 51

Is logging enabled per ACL or per the WAF?

Answer 51

Per ACL, If you have 5 ACL and what logging enables you to have to enable for all 5 ACLs.

Question 52

Can you hide fields form WAF logs?

Answer 52

You can select the headers not to be included in the logs.