Deploy the dashboard for AWS WAF with reduced effort

In this article, I’ll demonstrate how to deploy a solution in your Amazon Web Services (AWS) account that provides a fully automated dashboard for the AWS Web Application Firewall (WAF) service. The solution uses logs generated and collected by AWS WAF, and displays them in a user-friendly dashboard shown in Figure 1.

Figure 1: User-friendly dashboard for AWS Web Application Firewall

The dashboard provides multiple graphs, available out of the box, that you can reference, filter, and adjust. The example in Figure 1 shows data from a sample website that I created, where you can see:

  • Executed AWS WAF rules
  • Number of all requests
  • Number of blocked requests
  • Allowed versus blocked requests
  • Countries by number of requests
  • HTTP methods
  • HTTP versions
  • Unique IP count
  • Request count
  • Top 10 IP addresses
  • Top 10 countries
  • Top 10 user-agents
  • Top 10 hosts
  • Top 10 web ACLs

The dashboard is built using Kibana, which gives you the flexibility to add new visualizations and diagrams.

AWS WAF is a web application firewall. It helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources. In just a few steps, you can deploy AWS WAF to your Application Load Balancer, Amazon CloudFront distribution, or Amazon API Gateway stages. I’ll show how you can use it to get more insight into what’s happening at the AWS WAF layer. AWS WAF offers two versions of the service: AWS WAF (version 2) and AWS WAF Classic. We recommend using version 2 of AWS WAF to stay up to date with the latest features, as AWS WAF Classic is no longer being updated. The solution that I describe in this blog post works with both AWS WAF versions.

The solution is quick to deploy: the dashboard can be ready to use in less than one hour. The solution is built with multiple AWS services, such as Amazon Elasticsearch Service (Amazon ES), AWS Lambda, Amazon Kinesis Data Firehose, Amazon Cognito, Amazon EventBridge, and more. However, you don’t need to know those services in detail to build and use the dashboard. I prepared a CloudFormation template that you can deploy in the AWS Console to set up the complete solution automatically in your own AWS account. You can also find the complete solution on our AWS GitHub. It’s open source, so you can use and edit it to meet your needs.

The architecture of the solution can be divided into 7 steps, which are outlined in Figure 2.

Figure 2: Interaction points while architecting the dashboard

The interaction points are the following:

    1. One of the features of the AWS WAF service is AWS WAF logs. The logs capture information about allowed and blocked requests. These logs are forwarded to the Kinesis Data Firehose service.
    2. The Kinesis Data Firehose buffer receives the information, and then sends it to Amazon ES, the core of the solution.
    3. Some information, such as the real names of AWS WAF web ACLs, isn’t provided in the AWS WAF logs. To make the whole solution more user-friendly, I used EventBridge, which is called every time a user changes their configuration of AWS WAF.
    4. EventBridge will call a Lambda function when new rules are created.
    5. Lambda will retrieve the information about all existing rules and update the mapping between the IDs of the rules and their names in the Amazon ES cluster.
    6. To make the complete solution better, I’m using the Amazon Cognito service to store the credentials of authorized dashboard users.
    7. The user enters their credentials to access the dashboard on Kibana, which is installed on the Amazon ES cluster.

Now, let’s deploy the solution and see how it works.

Step 1: Deploy solution using CloudFormation template

Click Launch Stack to launch the CloudFormation stack in your account and deploy the solution.

Select button to launch stack

You’ll be redirected to the CloudFormation service in North Virginia, USA, which is the default Region for deploying this solution for an AWS WAF web ACL associated with CloudFront. You can change the Region if you want. This template will spin up multiple cloud resources, including but not limited to:

  • Amazon ES cluster with Kibana for storing data and displaying the dashboard
  • Amazon Cognito user pool with a registry of users who have access to dashboards
  • Kinesis Data Firehose for streaming logs to Amazon ES

In the wizard, you’ll be asked to change or provide four different parameters. They are:

  • DataNodeEBSVolumeSize: Storage size of the Amazon ES cluster that will be created. You can leave the default value.
  • ElasticSearchDomainName: Name of your Amazon ES cluster domain. You can leave the default value.
  • NodeType: Type of instance that will be used to create the Amazon ES cluster. You don’t have to change it if you don’t want to, but you can if necessary to accommodate your requirements.
  • UserEmail: You must update this parameter. It’s the email address that will receive the password to log in to Kibana.

Step 2: Wait

The process of launching the template, which I named aws-waf-dashboard for this example, will take 20–30 minutes. You can take a break and wait until the status of the stack changes to CREATE_COMPLETE.

Figure 3: Completed launch of the CloudFormation template

Step 3: Validate that Kibana and dashboards work

Check your email. You should have received an email with the password required to log in to the Kibana dashboard. Make a note of it. Now return to the CloudFormation service and choose the aws-waf-dashboard template. In the Output tab, there should be one parameter with a link to your dashboard in the Value column.

Figure 4: Output of the CloudFormation template

Choose the link and log in to Kibana. Provide the email that you set up in Step 1 and the password that was sent to it. You might be prompted to update the password.

In Kibana, choose the Dashboard tab, as shown in Figure 5, and select WAFDashboard in the table. This will open the AWS WAF dashboard. It will still be empty because it hasn’t yet been connected to AWS WAF.

Figure 5: Empty Kibana dashboard

Step 4: Connect AWS WAF logs

Now it’s time to enable AWS WAF logs on the web ACL for which you want to create a dashboard, and connect them to this solution. Open AWS WAF, choose the AWS WAF dropdown option, select Web ACLs, and then choose your desired web ACL. In this example, I used a previously created web ACL called MyPageWAF, as shown in Figure 6.

Figure 6: WAF & Shield

If you haven’t enabled AWS WAF logs yet, you need to do so now in order to continue. To do this, select Logging and metrics in your web ACL, and then Enable logging, as shown in Figure 7.

Figure 7: Enable AWS WAF logs

Select the drop-down list below Amazon Kinesis Data Firehose Delivery Stream and then choose the Kinesis Firehose that was created by the template in Step 2. Its name starts with aws-waf-logs. Save your changes.

Figure 8: Choose the Kinesis Firehose

Step 5: Final validation

Your AWS WAF logs will be sent from the AWS WAF service through Kinesis Data Firehose directly to an Amazon ES cluster and will be available to you through Kibana dashboards. After a couple of minutes, you should start seeing data on your dashboard similar to the screenshot in Figure 1.

And that’s all! As you can see, in just a few steps we built and deployed a solution that we can use to examine our AWS WAF configuration and see what kinds of requests are being made and whether they’re allowed or blocked.

Sample Scenario

Let’s go through an example scenario to see one way you can use this solution. I built a small website for my dog and configured CloudFront to accelerate it and to make it more secure.

Figure 9: Java the Dog’s homepage

Next, I configured an AWS WAF web ACL and attached it to my CloudFront distribution, which is the entry point of my website. In my AWS WAF web ACL, I didn’t add any rules, but allowed all requests. This lets me log all requests and understand who’s visiting my website. I then configured an AWS WAF dashboard by following the steps in this blog.

My imaginary website is focused on three countries (USA, Japan, and Germany) where French Bulldogs have become popular. I noticed that I got a lot of users from India, which was very unexpected. In Figure 10, the AWS WAF dashboard includes data from all countries and tells me there were over 11,000 requests for my website.

Figure 10: Kibana dashboard with requests from the United States, Japan, Germany, and India

To understand the data better, I filtered for requests coming only from India, as shown in Figure 11:

Figure 11: Website requests from India only

The dashboard shows that I got more than 700 requests from India in the last hour. This could have been a great success for my website, but unfortunately, all of the requests came from a single IP address. Additionally, a lot of them had a suspicious user-agent header: “secret-hacker-agent.” This information is provided in the Visualize tab in Kibana, shown in Figure 12.

Figure 12: Visualize tab of Kibana dashboard

This doesn’t look good, so I decided to block those requests using AWS WAF.

So, the question now is what to block? I could block all requests from India, but this isn’t the best idea because there might be other Indian fans of French Bulldogs. I could block this single IP address, but the hacker may use another IP to keep hitting my website. Finally, I decided to create an AWS WAF rule that inspects the user-agent header. If the user-agent header contains “secret-hacker-agent,” the rule will block the request.
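The same triage can be run directly on raw AWS WAF log records. The following is an added example, not part of the original post or the project's code: it profiles one country and compares how many requests each of the three candidate block conditions would match. The sample lines, IP addresses, and function names are constructed for illustration; only the `httpRequest` fields `clientIp`, `country`, and `headers` are taken from the AWS WAF log format.

```python
import json
from collections import Counter

# Constructed sample shaped like AWS WAF log records (only the fields used here).
def _rec(ip, country, agent):
    req = {"clientIp": ip, "country": country,
           "headers": [{"name": "Host", "value": "example.com"},
                       {"name": "User-Agent", "value": agent}]}
    return json.dumps({"action": "ALLOW", "httpRequest": req})

SAMPLE_LOG_LINES = (
    [_rec("203.0.113.10", "IN", "secret-hacker-agent")] * 7
    + [_rec("198.51.100.7", "IN", "Mozilla/5.0")]
    + [_rec("198.51.100.20", "US", "Mozilla/5.0")] * 2
    + [_rec("198.51.100.30", "JP", "Mozilla/5.0")]
    + [_rec("198.51.100.40", "DE", "good-agent")]
    + ["{truncated"]  # malformed line, must be skipped by the parser
)

def header(req, name):
    """Return a header value by case-insensitive name, or '' if absent."""
    for h in req.get("headers", []):
        if h.get("name", "").lower() == name.lower():
            return h.get("value", "")
    return ""

def parse(lines):
    """Yield (country, client_ip, user_agent) for each well-formed record."""
    for line in lines:
        try:
            req = json.loads(line)["httpRequest"]
        except (ValueError, KeyError, TypeError):
            continue  # skip truncated or unexpected lines
        yield req.get("country", "-"), req.get("clientIp", "-"), header(req, "user-agent")

def profile_country(lines, country):
    """Request count, unique client IPs and user-agent counts for one country."""
    rows = [r for r in parse(lines) if r[0] == country]
    return {"requests": len(rows),
            "unique_ips": len({ip for _, ip, _ in rows}),
            "user_agents": Counter(ua for _, _, ua in rows)}

def rule_impact(lines, needle):
    """Requests matched by blocking on country, on IP, or on the user-agent substring."""
    rows = list(parse(lines))
    bad = [r for r in rows if needle in r[2]]
    countries, ips = {r[0] for r in bad}, {r[1] for r in bad}
    return {"by_country": sum(c in countries for c, _, _ in rows),
            "by_ip": sum(ip in ips for _, ip, _ in rows),
            "by_user_agent": len(bad)}
```

In this constructed sample, the country condition also matches the one ordinary visitor from India, while the IP and user-agent conditions match the same seven requests. Only the user-agent condition keeps matching if the client changes its address.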

Within a few minutes of configuring my AWS WAF rule, I noticed that I was still getting requests from India, but this time, requests with the suspicious user-agent header were blocked! As shown in Figure 13, there were around 2,700 requests, but about 2,000 of them were blocked.

Figure 13: Blocked suspicious requests

In reality, I was attacking my own website as secret-hacker-agent for the sake of the illustration. You can see in the following command line screenshot that my request (using wget) with the suspicious user-agent header was blocked (receiving a “403 Forbidden” message). When I use a different header (“good-agent”), my request successfully passes the AWS WAF rule.

Figure 14: Command line screenshot of the ‘wget’ request


In this article we’ve detailed how to deploy the dashboard for AWS WAF in a few steps, and how to use it to troubleshoot and block a web application attack. Now it’s your turn to deploy this solution for your own application. Please share your feedback about the solution and the dashboard. You can submit comments in the Comments section below or on the project’s GitHub page.

This post was inspired by a blog post written by my friend Tom Adamski, who also described how to use Kibana and Amazon ES to visualize AWS WAF logs, and was written with the help of Achraf Souk, who contributed his expert knowledge of AWS edge services.

Want more AWS Security how-to articles, news, and feature announcements? Follow us on Twitter.


Tomasz Stachlewski

Tomasz is a Senior Solution Architecture Manager at AWS, where he helps companies of all sizes (from startups to enterprises) in their cloud journey. He is a big believer in innovative technologies such as serverless architecture, which allows companies to accelerate their digital transformation.
