1 | 1 | # Step 1 - Getting Started with AWS WAF Security Automations Solution |
2 | 2 |
|
3 | | -# [Next step](step-2.md) |
| 3 | +## 1.1 Associate the solution's AWS WAF Web ACL with your ALB |
| 4 | + |
| 5 | +After deploying the Web App, look at the [CloudFormation Exports](https://console.aws.amazon.com/cloudformation/home?#/exports). You should have a value called `site-url`. That is the address of the Application Load Balancer sitting on top of the Web App. Take note of that URL. |
| 6 | + |
| 7 | +Next, you need to associate the solution's AWS WAF Web ACL with your ALB. For that: |
| 8 | +* Go to the [AWS WAF console](https://console.aws.amazon.com/wafv2/home?#/webacls) |
| 9 | +* Check if the region drop-down filter (not the one on the top, the one in the page) is selected with your region as value. For instance, "EU (Ireland)" |
| 10 | +* Select the solution's WebACL - for instance "AWSWAFSecurityAutomations" |
| 11 | +* On the right panel, select the "Rules" tab |
| 12 | +* Scroll down to "AWS resources using this web ACL" section and click the "Add association" button |
| 13 | +* On the "Resource type" drop-down, select "Application load balancer" |
| 14 | +* On the "Resource" drop-down, select the ALB you've created |
| 15 | +* Finally, click the "Add" button. |
| 16 | + |
| 17 | + |
| 18 | +## 1.2 SQL Injection and XSS |
| 19 | + |
| 20 | +Access the `site-url` endpoint and include bad signatures to the requests. You can use, for example: |
| 21 | + |
| 22 | +* SQL Injection: `<your-endpoint>/?username=1'%20or%20'1'%20=%20'1&password=1'%20or%20'1'%20=%20'1'` |
| 23 | +* XSS: `<your-endpoint>/?<SCRIPT>alert(“Cookie”+document.cookie)</SCRIPT>` |
| 24 | + |
| 25 | +## 1.3 HTTP Flood (AWS Lambda log parser) |
| 26 | + |
| 27 | +To test HTTP Flood, you can simulate an WAF log file deliver event. For that: |
| 28 | + |
| 29 | +* Go to the CloudFormation stack's `Outputs` tab and search for the value defined for `WafLogBucket` |
| 30 | +* Go to S3, and upload [this file](files/waf-access-log-sample.gz) to the `WafLogBucket` bucket |
| 31 | +* Wait a few seconds (while the log parser function processes the new WAF log file) |
| 32 | +* Check if the file `<stack_name>-waf_log_out.json` was added to the `WafLogBucket` bucket |
| 33 | +* Go to [AWS WAF console](https://console.aws.amazon.com/wafv2/home?#/webacls) and check if `HTTP Flood` rule contains any IP listed |
| 34 | + |
| 35 | +## 1.4 Scanners & Probe (Amazon Athena log parser) |
| 36 | + |
| 37 | +To test Scanners & Probe, you can simulate a CloudWatch event running a query in a bucket that contains a sample access log file. |
| 38 | +For that: |
| 39 | +* Go to the S3 bucket that you set as Access Log Bucket. If you don't remember, go to stack's `Outputs` tab and search for the value defined for `AppAccessLogBucket` |
| 40 | +* Create a new folder and name it AWSLogs and upload [this file](files/alb-access-log-sample.gz) to it |
| 41 | + |
| 42 | +This file will be processed during the next scheduled *Scanner and Probe* scan. Rather than wait, we will run it on demand. |
| 43 | + |
| 44 | +* Go to the [AWS Lambda console](https://console.aws.amazon.com/lambda/home) |
| 45 | +* Open the `<stack_name>-LambdaLogParserFunction-<ID>` lambda function |
| 46 | +* Follow the link related the CloudWatch scheduled event |
| 47 | +* Copy the event data and create a Lambda test event with that information |
| 48 | +* Run the lambda function using the same event data used by the scheduled event |
| 49 | +* Wait a few seconds (while Athena processes the data, save the result back on S3 and the log parser function is called again to process the result file) |
| 50 | +* Go to [AWS WAF console](https://console.aws.amazon.com/wafv2/home?#/webacls) and check if `Scanners & Probes` rule contains any IP listed |
| 51 | + |
| 52 | +# [Next step](step-2.md) |
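Review bot: several wording slips in the new text should be fixed before merge: line 27 "simulate an WAF log file deliver event" should read "simulate a WAF log file delivery event"; line 46 "Follow the link related the CloudWatch scheduled event" is missing "to" ("related to the CloudWatch scheduled event"); line 20 "include bad signatures to the requests" should be "include bad signatures in the requests". On line 23 the XSS sample URL uses typographic quotes (“Cookie”) rather than ASCII quotes, so anyone copying it verbatim will send a different string than intended; please replace them with plain double quotes. Minor: line 37 breaks "For that:" onto its own line while 1.3 keeps it on the sentence; be consistent, and the double blank line at 16-17 can be collapsed to one.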