AWS cloud, ~30 mins

AWS WAF for web application firewall - Mini Project: Build & Apply

📖 Scenario: You are setting up a web application firewall (WAF) to protect a website from common web attacks like SQL injection and cross-site scripting. This firewall will filter incoming web traffic and block harmful requests before they reach your web servers.
🎯 Goal: Create an AWS WAF web ACL (Access Control List) with rules to block SQL injection and cross-site scripting attacks, then associate it with a web application resource.
📋 What You'll Learn
Create a web ACL named MyWebACL with default action to allow requests
Add a rule named BlockSQLInjection that blocks requests with SQL injection attempts
Add a rule named BlockXSS that blocks requests with cross-site scripting attempts
Associate the web ACL with a resource ARN arn:aws:apigateway:us-east-1::/restapis/a1b2c3d4/stages/prod
💡 Why This Matters
🌍 Real World
AWS WAF protects web applications from common web exploits that could affect availability, compromise security, or consume excessive resources.
💼 Career
Cloud engineers and security specialists use AWS WAF to secure applications and meet compliance requirements.
Step 1: Create the initial AWS WAF Web ACL resource
Create an AWS WAFv2 web ACL resource named MyWebACL with scope REGIONAL and a default action that allows all requests. Use the aws_wafv2_web_acl resource with default_action set to allow.
Hint: Use resource "aws_wafv2_web_acl" "MyWebACL" {} with default_action { allow {} }.

Step 2: Add SQL injection blocking rule
Add a rule named BlockSQLInjection to the MyWebACL resource that blocks requests containing SQL injection attempts. Use statement { sqli_match_statement {} } inside the rule. Set the rule action to block.
Hint: Inside rule {}, set name = "BlockSQLInjection", action { block {} }, and use sqli_match_statement with field_to_match { all_query_arguments {} }.

Step 3: Add cross-site scripting blocking rule
Add another rule named BlockXSS to the MyWebACL resource that blocks requests containing cross-site scripting (XSS) attempts. Use statement { xss_match_statement {} } inside the rule. Set the rule action to block and priority to 2.
Hint: Inside rule {}, set name = "BlockXSS", priority = 2, action { block {} }, and use xss_match_statement with field_to_match { all_query_arguments {} }.

Step 4: Associate the Web ACL with a resource
Create an aws_wafv2_web_acl_association resource named MyWebACLAssociation that associates the MyWebACL web ACL with the resource ARN arn:aws:apigateway:us-east-1::/restapis/a1b2c3d4/stages/prod. Set web_acl_arn to aws_wafv2_web_acl.MyWebACL.arn.
Hint: Create an aws_wafv2_web_acl_association resource with resource_arn set to the given ARN and web_acl_arn set to aws_wafv2_web_acl.MyWebACL.arn.
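The four steps above combined into one complete Terraform configuration, written here as an added example rather than the mini-project's own solution file. It assumes an AWS provider pointed at us-east-1 (the region in the target ARN), priority 1 for the SQL injection rule (the steps give no priority for that rule), URL_DECODE as the text transformation that both match statements require, and the visibility_config blocks the provider requires on the web ACL and on every rule; none of those four details are stated in the steps.

```hcl
# Added example: complete configuration for the four steps above.
# Assumed: provider region us-east-1 (matches the resource ARN below).
provider "aws" {
  region = "us-east-1"
}

resource "aws_wafv2_web_acl" "MyWebACL" {
  name  = "MyWebACL"
  scope = "REGIONAL" # REGIONAL is what an API Gateway REST stage needs

  # Step 1: anything not blocked by a rule is allowed through
  default_action {
    allow {}
  }

  # Step 2: block requests whose query arguments look like SQL injection
  rule {
    name     = "BlockSQLInjection"
    priority = 1 # assumed; lower numbers are evaluated first

    action {
      block {}
    }

    statement {
      sqli_match_statement {
        field_to_match {
          all_query_arguments {}
        }
        # Decode percent-encoding before inspection (assumed transformation)
        text_transformation {
          priority = 0
          type     = "URL_DECODE"
        }
      }
    }

    # Required by the provider; also what lets you review blocked requests
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "BlockSQLInjection"
      sampled_requests_enabled   = true
    }
  }

  # Step 3: block requests whose query arguments look like XSS payloads
  rule {
    name     = "BlockXSS"
    priority = 2

    action {
      block {}
    }

    statement {
      xss_match_statement {
        field_to_match {
          all_query_arguments {}
        }
        text_transformation {
          priority = 0
          type     = "URL_DECODE"
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "BlockXSS"
      sampled_requests_enabled   = true
    }
  }

  # Web-ACL-level metrics (required by the provider)
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "MyWebACL"
    sampled_requests_enabled   = true
  }
}

# Step 4: attach the web ACL to the API Gateway stage
resource "aws_wafv2_web_acl_association" "MyWebACLAssociation" {
  resource_arn = "arn:aws:apigateway:us-east-1::/restapis/a1b2c3d4/stages/prod"
  web_acl_arn  = aws_wafv2_web_acl.MyWebACL.arn
}
```

Run terraform init and terraform plan to confirm the plan shows exactly two resources before applying. Two points worth checking once it is deployed: with sampled_requests_enabled the WAF console and CloudWatch metrics named BlockSQLInjection and BlockXSS show which requests each rule blocked, which is how you verify the rules fire and catch false positives; and all_query_arguments inspects only the query string, so request bodies, headers and the URI path are not covered by these two rules and need their own field_to_match if the application accepts input there.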