Merge pull request #15 from aws-samples/ckp/update-step-2

Ckp/update step 2

Author: matteofigus

docs/step-2.md

@@ -1,19 +1,25 @@
 # Step 2 - Customising and extending AWS WAF Security Automations Solution
 
+In this step, you will configure the WAF Security Automation Solution. Once you have configured the HTTP Flood Protection and Probe/Scanner Log Parser, you will test this new configuration.
 
 ## 2.1.1 Customise HTTP Flood Protection (AWS Lambda Log Parser)
 
+The HTTP Flood protection provided by the Security Automation Solution can be configured. In this step, you will explore the possible configuration options. [See the documentation](https://docs.aws.amazon.com/solutions/latest/aws-waf-security-automations/appendix-c.html) for a complete list
+
+
 The HTTP Flood log parser comes with some extensions points, they are:
 
 * Request Threshold: the maximum acceptable requests per five minutes per IP address.
 * Block Period: the period (in minutes) to block applicable IP addresses.
 * Ignored Suffixes: requests accessing this type of resource will not count to request threshold. By default, this list is empty.
 * URI List: use this to define a custom request threshold and block period for specifics URLs. By default, this list is empty.
 
-The goal now is to apply customizations and check how it affects the log parser behavior. 
+The goal now is to apply customisations and check how it affects the log parser behavior. 
+
 
+### 2.1.2 Customising the HTTP Log Parser
 
-### 2.1.2 Customising the Parser
+In this step you will edit the configuration file for the HTTP Log parser. This configuration is used by the Lambda Log Parser when processing log files.
 
 * Go to the S3 bucket used for WAF Logs Bucket. To check it's name, go to stack's Outputs tab and search for the value defined for WafLogBucket;
 * Download the configuration file `<stack_name>-waf_log_conf.json`;
@@ -39,11 +45,17 @@ Here is a sample of changed file:
 ```
 
 ### 2.1.3 Testing the new rules
-Let's test your HTTP flood protection. We will use [Apache AB](https://httpd.apache.org/docs/2.4/programs/ab.html).
 
-> ⚠️ **Warning**: Do not run the benchmarking tool from your local machine!
+To test the HTTP Flood protection you customised earlier in this step, you will generate a large number of requests. The Flood Protection should add the source IP of the requests to a deny list.
 
-We will use [Systems Manager Session Manager](https://console.aws.amazon.com/systems-manager/session-manager/start-session) to connect to the instance and run the `ab` benchmarking tool.
+We will use [Apache AB](https://httpd.apache.org/docs/2.4/programs/ab.html).
+Apache AB is a tool for benchmarking a web server.  You will use it to generate a specified number of HTTP requests against your sample Application
+
+> ⚠️ **Warning**: Do not run the benchmarking tool from your local machine! \
+> Doing so will generate a large amount of traffic on your local network. \
+> Use the EC2 instance of the Sample Web App to perform the requests against the external endpoint.
+
+You will use [Systems Manager Session Manager](https://console.aws.amazon.com/systems-manager/session-manager/start-session) to connect to the instance and run the `ab` benchmarking tool. Apache AB is pre-installed on the instance.
 
 Run against your endpoint 50,000 requests, with concurrency 100.
 ```bash
@@ -62,12 +74,14 @@ curl -s -o /dev/null -w "Return Code: %{http_code}\n" <your-endpoint>
 
 
 
-Now we will customise our Scanner and Probe rules. These use Amazon Athena.
-The solutions refer to the Athena by a saved query ID. As Athena don't allow you to change saved queries, the process to apply customizations to Athena query is by creating a new query and updating the Athena log parser event to use the new query ID.
+Now you will customise our Scanner and Probe rules. These use Amazon Athena to query the logs generated by an application.
+The solutions refer to Athena by a saved query ID. As Athena doesn't allow you to change saved queries, you need to create a new query and update the Athena log parser event to use the new query ID.
+
+By customising the query performed by Athena, you can specify the rules for blocking scanners and probes. For further details, [see the documentation](https://docs.aws.amazon.com/solutions/latest/aws-waf-security-automations/appendix-d.html)
 
 ### 2.2.1
 * Navigate to the Amazon Athena console, select the Saved Queries tab;
-* Select the query you want to customize (ScannersProbesLogParser);
+* Select the query you want to customise (ScannersProbesLogParser);
 
 ![athena-saved-queries](2-01-athena-saved-queries.png)