Project: Deploy a Web Application with a WAF on AWS
Scenario
A small startup recently launched its first web application hosted on Amazon Web Services (AWS). Unfortunately, due to a lack of proper security measures, the application was vulnerable to attacks. As a result:
- The application suffered SQL injection and Cross-Site Scripting (XSS) attacks.
- Customer data was exposed, leading to a loss of trust and reputational damage.
- The absence of monitoring delayed the detection and mitigation of these threats.
The company now aims to enhance security by deploying a Web Application Firewall (WAF) on AWS to protect its web app against these attacks.
Lab Objectives
In this project, you will:
- Launch a Web Application on an EC2 Instance.
- Set Up an Application Load Balancer (ALB) with WAF.
- Configure AWS WAF Rules.
- Simulate and Test Attacks on the Web Application.
- Review AWS WAF Logs and Metrics.
Exercise 1: Launch a Web Application on an EC2 Instance
Objective
Deploy a simple web application hosted on an Amazon EC2 instance.
Estimated Timing: 10-15 minutes
Step 1: Launch an EC2 Instance
- Log in to the AWS Management Console.
- Navigate to EC2 under Services and click Launch Instances.
- Configure the instance:
- Name: DemoWebApp
- AMI: Amazon Linux 2 (Free Tier Eligible).
- Instance Type: t2.micro (Free Tier Eligible).
- Key Pair: Select an existing key pair or create a new one.
- Network Settings: Enable HTTP and SSH traffic (for the SSH rule, limit the source to your own IP address rather than 0.0.0.0/0).
- Click Launch Instance and wait for it to initialize.
Step 2: Deploy a Sample Web Application
- Connect to your EC2 instance via SSH using your terminal or a tool like PuTTY.
ssh -i <your-key.pem> ec2-user@<your-instance-public-ip>
- Install Apache Web Server:
sudo yum update -y
sudo yum install httpd -y
sudo systemctl start httpd
sudo systemctl enable httpd
- Create a simple HTML page:
echo "<h1>Welcome to Demo Web App</h1>" | sudo tee /var/www/html/index.html
- Verify your web app by visiting http://<your-instance-public-ip> in your browser.
Exercise 2: Set Up an Application Load Balancer (ALB) with WAF
Objective
Deploy an ALB in front of your EC2 instance and integrate AWS WAF.
Estimated Timing: 20 minutes
Step 1: Create an Application Load Balancer
- Go to the EC2 Dashboard and navigate to Load Balancers.
- Click Create Load Balancer and select Application Load Balancer.
- Configure the ALB:
- Name: DemoALB.
- Scheme: Internet-facing.
- Listeners: HTTP (port 80).
- Availability Zones: Select subnets in two or more AZs.
- Set up the target group:
- Target Group Name: DemoTargetGroup.
- Target Type: Instances.
- Add your EC2 instance to the target group.
- Review and create the ALB.
Step 2: Attach WAF to the ALB
- Navigate to WAF & Shield under AWS services.
- Click Create Web ACL and configure:
- Name: DemoWAF.
- Region: Same as your ALB.
- Resource to Protect: Choose your ALB.
- Save the Web ACL.
Exercise 3: Configure AWS WAF Rules
Objective
Set up WAF rules to block SQL injection and XSS attacks.
Estimated Timing: 15 minutes
Step 1: Add AWS Managed Rules
- In your Web ACL, click Add Rules.
- Add the AWS-AWSManagedRulesSQLiRuleSet to protect against SQL injections.
- Add the AWS-AWSManagedRulesCommonRuleSet, which includes XSS protection.
- Set the rules to Block action and save changes.
Step 2: Test the Rules in Count Mode (Optional)
- You can initially configure the rules in Count mode, which records and reports matches without blocking traffic, to monitor how they behave against your real requests.
- Switch to Block mode once you have verified that legitimate traffic is not being matched.
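The console steps above hide what is actually being written to the Web ACL. The following is an added example (not part of the original lab or an AWS artifact) that builds the same Web ACL as plain Python data in the shape boto3's wafv2 create_web_acl call expects, so the Count-versus-Block decision from Step 2 is a single explicit switch. The console labels the rule groups "AWS-AWSManagedRulesSQLiRuleSet" and "AWS-AWSManagedRulesCommonRuleSet"; the API takes the vendor ("AWS") and the group name separately. The rule priorities and metric names are choices made here, not values from the lab.

```python
"""Build the Exercise 3 Web ACL definition as reviewable Python data.

The dictionaries follow the parameter shape of boto3's
wafv2.create_web_acl / update_web_acl. The live call is shown commented
out at the bottom; it only works with AWS credentials configured.
"""

import json
from typing import Dict, List

# Managed rule groups used in the lab. Console label "AWS-<name>"; the API
# wants VendorName and Name separately.
MANAGED_RULE_GROUPS = [
    "AWSManagedRulesSQLiRuleSet",    # SQL injection signatures
    "AWSManagedRulesCommonRuleSet",  # core rule set, includes XSS rules
]


def managed_rule(name: str, priority: int, count_mode: bool) -> Dict:
    """Return one Web ACL rule that references an AWS managed rule group.

    count_mode=True sets OverrideAction to Count: matches are logged and
    counted in CloudWatch metrics but the request is allowed through
    (Exercise 3, Step 2). count_mode=False ("None") leaves the rule
    group's own Block actions in force.
    """
    override = {"Count": {}} if count_mode else {"None": {}}
    return {
        "Name": name,
        "Priority": priority,  # must be unique within the Web ACL; lower runs first
        "Statement": {
            "ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": name}
        },
        "OverrideAction": override,
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,  # metric name chosen for this example
        },
    }


def build_web_acl(name: str = "DemoWAF", count_mode: bool = False) -> Dict:
    """Assemble the create_web_acl parameters for a regional (ALB) Web ACL."""
    rules: List[Dict] = [
        managed_rule(group, priority, count_mode)
        for priority, group in enumerate(MANAGED_RULE_GROUPS)
    ]
    return {
        "Name": name,
        "Scope": "REGIONAL",             # ALB-attached ACLs are REGIONAL, not CLOUDFRONT
        "DefaultAction": {"Allow": {}},  # whatever no rule stops is allowed
        "Rules": rules,
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def blocking_rules(acl: Dict) -> List[str]:
    """Names of the rules whose matches will actually block (not just count)."""
    return [r["Name"] for r in acl["Rules"] if "None" in r["OverrideAction"]]


if __name__ == "__main__":
    # Start in Count mode, as Step 2 suggests, then flip count_mode=False.
    acl = build_web_acl(count_mode=True)
    print(json.dumps(acl, indent=2))
    print("rules that block:", blocking_rules(acl))
    # Live call, once credentials and the ALB's region are configured:
    # import boto3
    # boto3.client("wafv2", region_name="<alb-region>").create_web_acl(**acl)
```

Reviewing `blocking_rules()` before applying the ACL is the quick check that you have not left a group in Count mode by mistake after the Step 2 trial period.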
Exercise 4: Simulate and Test Attacks
Objective
Verify that the WAF blocks SQL injection and XSS attempts.
Estimated Timing: 15-20 minutes
Step 1: Simulate SQL Injection
- Use tools like Burp Suite or Postman to send an HTTP POST request with an SQL payload to http://<ALB-DNS-Name>/login.
  Payload: ' OR 1=1; --
- Verify that the WAF blocks the request with a 403 Forbidden response.
Step 2: Simulate Cross-Site Scripting (XSS)
- Send a GET or POST request with an XSS payload.
  Payload: <script>alert('XSS')</script>
- Confirm the WAF blocks the request.
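Once the rules are in Block mode, the two checks in Steps 1 and 2 are worth scripting so they can be re-run every time the Web ACL changes. The following is an added example, not part of the lab, that sends exactly the two payloads from the text through the load balancer and reports whether each came back 403. So that it runs offline, a tiny local HTTP server (constructed here) stands in for ALB plus WAF and answers 403 to requests carrying either payload; replace the stand-in URL with http://<ALB-DNS-Name> to run it against the real deployment. The /login path and the form field names are assumptions from the lab's own test step.

```python
"""Re-runnable version of the Exercise 4 checks: is each payload answered
with HTTP 403 by the WAF in front of the application?

A local stand-in server replaces ALB + WAF so the example runs offline.
"""

import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from typing import Dict

# The two payloads from the lab text.
PAYLOADS: Dict[str, str] = {
    "sqli": "' OR 1=1; --",
    "xss": "<script>alert('XSS')</script>",
}


def send_probe(base_url: str, payload: str, method: str = "POST",
               timeout: float = 5.0) -> int:
    """Send one request carrying `payload` and return the HTTP status code.

    POST places the payload in a form body (as a login form would), GET in
    the query string. 4xx/5xx replies are returned as the status rather
    than raised, so the caller can compare against 403 directly.
    """
    if method == "GET":
        url = f"{base_url}/login?{urllib.parse.urlencode({'q': payload})}"
        req = urllib.request.Request(url, method="GET")
    else:
        body = urllib.parse.urlencode({"username": payload, "password": "x"}).encode()
        req = urllib.request.Request(f"{base_url}/login", data=body, method="POST")
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def waf_verdicts(base_url: str) -> Dict[str, bool]:
    """Map each payload name to True when the WAF answered 403.

    A benign value is included as a control: it must NOT be blocked,
    otherwise the rules are also stopping legitimate logins.
    """
    verdicts = {name: send_probe(base_url, p) == 403 for name, p in PAYLOADS.items()}
    verdicts["benign"] = send_probe(base_url, "alice") == 403  # expected False
    return verdicts


# ---- local stand-in for ALB + WAF (constructed for this example only) -------
class _FakeWafHandler(BaseHTTPRequestHandler):
    """Crude substitute for the managed rule groups: 403 if a payload appears."""

    def _inspect(self, text: str) -> None:
        self.send_response(403 if any(p in text for p in PAYLOADS.values()) else 200)
        self.end_headers()

    def do_GET(self) -> None:
        self._inspect(urllib.parse.unquote_plus(self.path))

    def do_POST(self) -> None:
        length = int(self.headers.get("Content-Length", "0"))
        self._inspect(urllib.parse.unquote_plus(self.rfile.read(length).decode()))

    def log_message(self, *args) -> None:  # keep the example's output quiet
        pass


def start_fake_waf() -> str:
    """Start the stand-in on an ephemeral localhost port; return its base URL."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), _FakeWafHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    base = start_fake_waf()  # for the lab: base = "http://<ALB-DNS-Name>"
    for name, blocked in waf_verdicts(base).items():
        print(f"{name:7s} -> {'BLOCKED (403)' if blocked else 'not blocked'}")
```

The control request matters as much as the two payload requests: a Web ACL that returns 403 for "alice" as well has not been tuned, which is exactly what the Count-mode trial in Exercise 3 is meant to catch.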
Exercise 5: Review AWS WAF Logs and Metrics
Objective
Monitor the WAF to analyze blocked requests and fine-tune rules.
Estimated Timing: 10 minutes
Step 1: Enable Logging
- Navigate to your Web ACL and enable logging.
- Choose an S3 bucket or a CloudWatch Logs log group to store the logs (the bucket or log group name must begin with aws-waf-logs-, otherwise the console will not offer it as a destination).
Step 2: Analyze Logs
- Use CloudWatch Logs Insights to filter and review the WAF logs.
- Look for blocked requests (action = BLOCK), note which rule terminated each one and from where it came, and fine-tune the rules as needed.
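AWS WAF writes one JSON object per inspected request to the log destination. The following is an added example, not part of the lab, that parses such lines and summarises the blocked requests by terminating rule, by the sub-rule inside the managed group, and by client IP, which is the view you want when deciding whether a rule needs tuning. The field names used (action, terminatingRuleId, ruleGroupList, httpRequest.clientIp and so on) are the standard WAF log fields; the three log lines, the IP addresses and the Web ACL ARN are constructed for the example. The Logs Insights query at the top is an equivalent query for the console, also written for this example.

```python
"""Summarise AWS WAF logs for Exercise 5: which rule blocked what, from where."""

import json
from collections import Counter
from typing import Dict, Iterable, List

# Equivalent CloudWatch Logs Insights query for the console (example query).
CLOUDWATCH_INSIGHTS_QUERY = """
fields @timestamp, httpRequest.clientIp, httpRequest.uri, terminatingRuleId
| filter action = "BLOCK"
| stats count(*) as blocked by terminatingRuleId, httpRequest.clientIp
| sort blocked desc
"""

# Constructed sample: two blocked requests and one allowed request.
_ACL = "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/DemoWAF/EXAMPLE-ID"
SAMPLE_LOG_LINES = [
    json.dumps({"timestamp": 1700000000000, "formatVersion": 1, "webaclId": _ACL,
                "terminatingRuleId": "AWSManagedRulesSQLiRuleSet",
                "terminatingRuleType": "MANAGED_RULE_GROUP", "action": "BLOCK",
                "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesSQLiRuleSet",
                                   "terminatingRule": {"ruleId": "SQLi_BODY", "action": "BLOCK"}}],
                "httpRequest": {"clientIp": "203.0.113.10", "country": "US", "httpMethod": "POST",
                                "uri": "/login", "args": "", "httpVersion": "HTTP/1.1",
                                "requestId": "constructed-1"}}),
    json.dumps({"timestamp": 1700000001000, "formatVersion": 1, "webaclId": _ACL,
                "terminatingRuleId": "AWSManagedRulesCommonRuleSet",
                "terminatingRuleType": "MANAGED_RULE_GROUP", "action": "BLOCK",
                "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",
                                   "terminatingRule": {"ruleId": "CrossSiteScripting_QUERYARGUMENTS",
                                                       "action": "BLOCK"}}],
                "httpRequest": {"clientIp": "203.0.113.10", "country": "US", "httpMethod": "GET",
                                "uri": "/login", "args": "q=%3Cscript%3E", "httpVersion": "HTTP/1.1",
                                "requestId": "constructed-2"}}),
    json.dumps({"timestamp": 1700000002000, "formatVersion": 1, "webaclId": _ACL,
                "terminatingRuleId": "Default_Action", "terminatingRuleType": "REGULAR",
                "action": "ALLOW", "ruleGroupList": [],
                "httpRequest": {"clientIp": "198.51.100.7", "country": "DE", "httpMethod": "GET",
                                "uri": "/", "args": "", "httpVersion": "HTTP/1.1",
                                "requestId": "constructed-3"}}),
]


def parse_waf_logs(lines: Iterable[str]) -> List[Dict]:
    """Parse one-JSON-object-per-line WAF output, skipping blank or truncated lines."""
    records: List[Dict] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one damaged line must not abort the whole analysis
    return records


def blocked_summary(records: List[Dict]) -> Dict:
    """Count BLOCK decisions by terminating rule group, inner rule, and client IP."""
    by_rule: Counter = Counter()
    by_ip: Counter = Counter()
    by_sub_rule: Counter = Counter()
    blocked = 0
    for rec in records:
        if rec.get("action") != "BLOCK":
            continue
        blocked += 1
        by_rule[rec.get("terminatingRuleId", "UNKNOWN")] += 1
        by_ip[rec.get("httpRequest", {}).get("clientIp", "UNKNOWN")] += 1
        for group in rec.get("ruleGroupList", []):
            # The inner rule (e.g. SQLi_BODY) is what you scope down when tuning.
            sub = (group.get("terminatingRule") or {}).get("ruleId")
            if sub:
                by_sub_rule[sub] += 1
    return {"total": len(records), "blocked": blocked, "by_rule": dict(by_rule),
            "by_sub_rule": dict(by_sub_rule), "by_client_ip": dict(by_ip)}


if __name__ == "__main__":
    summary = blocked_summary(parse_waf_logs(SAMPLE_LOG_LINES))
    print(json.dumps(summary, indent=2))
```

For real data, pass the lines of a downloaded S3 log object (they are gzip-compressed, one JSON object per line) or the messages exported from the aws-waf-logs- log group to `parse_waf_logs()`. A sub-rule that shows up repeatedly with your own client IP and a legitimate URI is the candidate to move to Count or to exclude, not the whole rule group.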
Outcome
By completing this project, you’ll have deployed a secure web application on AWS with WAF protection, configured to defend against common web-based attacks like SQL injection and XSS.
Side Task: Once done, take a screenshot of the completed task and upload it on LinkedIn, including the hashtags #cloudprojectwithcyberpreacher #CPwCP, while sharing your experiences around the project.
Note: Be sure to delete every resource created during this project (EC2 instance, ALB, target group, Web ACL and log destination) to keep costs under control.