【Table of contents】
1. Introduction
AWS released a new version of AWS WAF on Nov 25, 2019. This post summarizes what changed compared with the previous version.
Part 1: [New AWS WAF] Summary of Changes (this blog)
Part 2: [New AWS WAF] AWS Management Console Operation (Managed Rules)
Part 3: [New AWS WAF] AWS Management Console Operations (Original Rules)
Part 4: [New AWS WAF] AWS Management Console Operations (Pattern Sets & Rule Groups)
Part 5: [New AWS WAF] JSON Explanation
2. Changes
The main areas that changed are:
・ Change of name
・ Introduction of AWS WAF Web ACL Capacity Units (WCU)
・ Changes to the management console
・ Changes in rule setting method
・ Ability to manage rules in document format
・ Launch of AWS Managed Rules (AMR)
・ Official support for changing the action of individual rules inside managed rules
・Change of name
The previous version of AWS WAF is now known as AWS WAF Classic, and the new version will now be referred to as AWS WAF.
・Introduction of AWS WAF Web ACL Capacity Units (WCU)
AWS WAF uses web ACL capacity units (WCU) to calculate and control the computing resources needed to run your rules, rule groups, and web ACLs. Capacity is calculated differently for each rule type, reflecting the relative cost of that rule. Until now, a web ACL was limited to 10 rules and the account to 5 regular expression pattern sets. With WCU, each processing element (a match statement, a text transformation, a referenced rule group) has its own cost, and you can register as many rules as you like as long as the total does not exceed the web ACL's capacity. The default limit is 1,500 WCU per web ACL, and it can be raised by asking AWS Support for a quota increase.
Notes:
・ The regular expression limits remain even under WCU: 10 regex pattern sets per region, and at most 10 patterns in each pattern set.
・ IP restrictions
IP addresses are managed as an IP set, which a rule references by ARN, and one IP set can hold up to 10,000 addresses or CIDR ranges.
・ String match conditions
String match conditions still offer "starts with", "contains", and so on, but note that the WCU cost differs by match type: a "contains" match costs more than a positional match such as "starts with".
※ Text transformations applied before matching (URL decode, lowercase, and so on) also add to the WCU cost of a statement.
Official information:
https://docs.aws.amazon.com/waf/latest/developerguide/limits.html
Default quotas (values as published at the time of writing):
Resource | Default quota |
Web ACLs per region | 100 |
Rule groups per region | 100 |
Web ACL capacity units (WCU) per web ACL | 1,500 |
WCU per rule group | 1,500 |
IP sets per region | 100 |
Regular expression pattern sets per region | 10 |
Unique regular expression patterns per pattern set | 10 |
Rate-based rules per web ACL | 10 |
Requests per second per web ACL (applies only to Application Load Balancer) | 100,000 |
Example of WCU calculation:
Suppose you want to detect SQL injection at three inspection points: the URI path, the Cookie header, and the request body. Each SQL injection match statement inspects one field, so three statements are needed:
・ 3 (inspection points) × 20 (WCU per SQL injection statement) = 60 WCU
・ A managed rule group whose declared capacity is 1,000 WCU
Using both together costs 1,060 WCU, which must fit within the web ACL's capacity (1,500 WCU by default). The `aws wafv2 check-capacity` command reports the WCU a set of rules would consume before you apply them.
Rule conditions
Match statement | WCU |
Geo match (by country) | 1 |
IP set reference | 1 |
Regex pattern set reference | 25 per pattern set |
Size constraint | 1 |
SQL injection attack | 20 |
String (byte) match | Depends on the match type (positional constraint) |
XSS attack | 40 |
Logical conditions
Logical statement | WCU |
AND | Sum of the nested statements |
NOT | Cost of the nested statement |
OR | Sum of the nested statements |
Special conditions
Statement | WCU |
Rate-based | Depends on the scope-down statement, if any |
Managed rule group | Declared by the rule group's vendor |
Rule group | You set this when you create the rule group, and it cannot be changed afterwards |
・Changes to the management console
The new console puts managed rules front and center and makes them easy to select. The rule group functionality has been moved from AWS Firewall Manager into AWS WAF itself.
Console operation is covered in Part 2 of this series.
・Changes in the rule setting method
・ OR logic can now be used in the condition part of a rule.
For example, a single rule can combine an IP set blacklist with a country restriction using OR, which previously required separate rules.
・ Multiple text transformations can now be chained.
For example, you can URL-decode the value and then convert it to lowercase before matching, rather than applying a single transformation.
・ The restriction on CIDR prefix lengths has been removed.
Until now, only the following were accepted:
IPv4 address ranges: /8 and /16 to /32.
IPv6 address ranges: /24, /32, /48, /56, /64, and /128.
・ The field names used in FieldToMatch have changed.
For example, URI is now UriPath; the new names include UriPath, QueryString, SingleHeader, SingleQueryArgument, AllQueryArguments, Body, and Method.
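To make the WCU example and the new rule-writing options above concrete, here is an added example (not AWS's or WafCharm's code) that walks a list of rules written in the new JSON format and estimates their WCU cost. It uses the per-statement costs from the tables in this post; the string match costs per match type, the cost per text transformation, and the rate-based base cost are assumptions and are marked as such. The sample rules and the managed rule group capacity of 1,000 are constructed to reproduce the post's example, and the IP set ARN is hypothetical. `aws wafv2 check-capacity` remains the authoritative source for the real number.

```python
"""WCU estimator for an AWS WAF (new version) rule list.

Added example, not AWS's or WafCharm's code. Costs in BASE_COST come from the
tables in this post; values marked ASSUMED are not on the page and should be
verified against `aws wafv2 check-capacity`, which is authoritative.
"""
import json

# Base cost per match statement (from the post's table).
BASE_COST = {
    "GeoMatchStatement": 1,
    "IPSetReferenceStatement": 1,
    "RegexPatternSetReferenceStatement": 25,
    "SizeConstraintStatement": 1,
    "SqliMatchStatement": 20,
    "XssMatchStatement": 40,
}
# String match cost depends on the match type (ASSUMED values: positional
# matches are cheap, "contains" matches cost more).
BYTE_MATCH_COST = {
    "EXACTLY": 2, "STARTS_WITH": 2, "ENDS_WITH": 2,
    "CONTAINS": 10, "CONTAINS_WORD": 10,
}
TEXT_TRANSFORMATION_COST = 10  # ASSUMED: per transformation other than NONE
RATE_BASED_BASE_COST = 2       # ASSUMED: plus the scope-down statement, if any


def statement_wcu(statement, group_capacity):
    """Recursively cost one Statement object ({"<Kind>Statement": {...}}).

    group_capacity maps a managed rule group Name, or a rule group ARN, to the
    capacity its owner declared; the web ACL is charged that declared value.
    """
    kind, body = next(iter(statement.items()))
    if kind in ("AndStatement", "OrStatement"):
        # Logical AND/OR: the nested statements are summed.
        return sum(statement_wcu(s, group_capacity) for s in body["Statements"])
    if kind == "NotStatement":
        return statement_wcu(body["Statement"], group_capacity)
    if kind == "RateBasedStatement":
        scope_down = body.get("ScopeDownStatement")
        extra = statement_wcu(scope_down, group_capacity) if scope_down else 0
        return RATE_BASED_BASE_COST + extra
    if kind == "ManagedRuleGroupStatement":
        return group_capacity[body["Name"]]
    if kind == "RuleGroupReferenceStatement":
        return group_capacity[body["ARN"]]
    if kind == "ByteMatchStatement":
        base = BYTE_MATCH_COST[body["PositionalConstraint"]]
    else:
        base = BASE_COST[kind]
    # Every text transformation except NONE adds to the statement's cost.
    transforms = [t for t in body.get("TextTransformations", []) if t["Type"] != "NONE"]
    return base + TEXT_TRANSFORMATION_COST * len(transforms)


def web_acl_wcu(rules, group_capacity):
    """Return ({rule name: WCU}, total WCU) for a list of web ACL rules."""
    per_rule = {r["Name"]: statement_wcu(r["Statement"], group_capacity) for r in rules}
    return per_rule, sum(per_rule.values())


def fits_in_web_acl(total, limit=1500):
    """True if the total fits the default per-web-ACL quota quoted in the post."""
    return total <= limit


# --- Constructed sample rules (VisibilityConfig omitted; it has no WCU cost). ---
def _sqli(field):
    return {"SqliMatchStatement": {"FieldToMatch": field,
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}}

SAMPLE_RULES = [
    {   # The post's example: SQLi at URI path, Cookie header and body = 3 x 20
        "Name": "sqli-three-points", "Priority": 0, "Action": {"Block": {}},
        "Statement": {"OrStatement": {"Statements": [
            _sqli({"UriPath": {}}),
            _sqli({"SingleHeader": {"Name": "cookie"}}),
            _sqli({"Body": {}}),
        ]}},
    },
    {   # New OR logic: IP set blacklist OR country restriction in one rule
        "Name": "blacklist-or-country", "Priority": 1, "Action": {"Block": {}},
        "Statement": {"OrStatement": {"Statements": [
            {"IPSetReferenceStatement": {"ARN":  # hypothetical ARN
                "arn:aws:wafv2:ap-northeast-1:123456789012:regional/ipset/blacklist/0f0f0f0f-0000-0000-0000-000000000000"}},
            {"GeoMatchStatement": {"CountryCodes": ["XX"]}},  # placeholder country code
        ]}},
    },
    {   # Chained transformations: URL-decode, then lowercase, then match UriPath
        "Name": "admin-path", "Priority": 2, "Action": {"Block": {}},
        "Statement": {"ByteMatchStatement": {
            "SearchString": "/admin", "FieldToMatch": {"UriPath": {}},
            "PositionalConstraint": "CONTAINS",
            "TextTransformations": [{"Priority": 0, "Type": "URL_DECODE"},
                                    {"Priority": 1, "Type": "LOWERCASE"}]}},
    },
    {   # Managed rule group; the web ACL is charged its declared capacity
        "Name": "aws-managed", "Priority": 3, "OverrideAction": {"None": {}},
        "Statement": {"ManagedRuleGroupStatement": {
            "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}},
    },
]
# Declared capacity of the referenced group: 1,000 reproduces the post's
# example and is not the group's real capacity.
GROUP_CAPACITY = {"AWSManagedRulesCommonRuleSet": 1000}

if __name__ == "__main__":
    per_rule, total = web_acl_wcu(SAMPLE_RULES, GROUP_CAPACITY)
    print(json.dumps(per_rule, indent=2))
    print(f"total: {total} WCU, fits default 1500: {fits_in_web_acl(total)}")
```

With the sample rules this reports 60 + 2 + 30 + 1,000 = 1,092 WCU, which fits the default quota. The point to take from it is that the OR rule costs only the sum of its two cheap statements, while each chained text transformation on the string match costs as much as the match itself, so transformations are where hand-written rules quietly eat capacity.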
・Ability to manage rules in document format
Until now, a rule set was built up by calling several different APIs (create conditions, create rules, then update the web ACL). Now the whole web ACL, including all of its rules, is described in one JSON document and applied with a single update-web-ACL API call. Each update must carry the lock token returned by the preceding get call, so two people editing the same web ACL cannot silently overwrite each other.
Managing that JSON as a file under version control lets you diff changes and quickly revert to a previous state by re-applying the old file.
IP sets and regex pattern sets are managed as separate resources and referenced from the rule JSON by ARN.
・ Launch of AWS Managed Rules (AMR)
AWS has released its own managed rule groups.
A web ACL can now reference multiple managed rule groups at the same time.
Rule groups covering the OWASP Top 10 categories and IP reputation lists are available for general use, alongside more targeted rule groups such as those for WordPress and PHP applications.
・Official support for changing the action of individual rules inside managed rules
For AWS WAF Classic managed rules, WafCharm provides the ability to switch the rules in a managed rule set between BLOCK and COUNT mode on the WafCharm management screen. The new AWS WAF lets you do this for the individual rules inside a managed rule group directly from the AWS Management Console, so when one rule produces false positives you can set just that rule to COUNT while the rest of the group keeps blocking.
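The JSON-based workflow above and the per-rule COUNT override for managed rules come together in the following added example (not AWS's or WafCharm's code). It takes the output of `aws wafv2 get-web-acl`, strips the read-only fields, carries the lock token over, and marks one rule of a managed rule group as excluded, which is how the new AWS WAF runs that rule in COUNT mode. The response document is constructed, the IDs and ARN are fake, and the rule name SizeRestrictions_BODY is used as an example of a rule from the AWS Core rule set.

```python
"""Build an update-web-acl input from a get-web-acl response and put one rule
of a managed rule group into COUNT mode.

Added example, not AWS's or WafCharm's code. Assumes the AWS CLI JSON shapes
of `aws wafv2 get-web-acl` / `aws wafv2 update-web-acl`; the sample response
below is constructed, and SizeRestrictions_BODY is used as an example rule
name from the AWS Core rule set.
"""
import copy
import json

# update-web-acl takes these fields from the web ACL, plus Scope and LockToken.
# Read-only fields (ARN, Capacity, ...) must be dropped or the call is rejected.
UPDATE_FIELDS = ("Name", "Id", "DefaultAction", "Description", "Rules", "VisibilityConfig")


def update_input_from(get_response, scope="REGIONAL"):
    """Return the JSON document for `aws wafv2 update-web-acl --cli-input-json`."""
    acl = get_response["WebACL"]
    doc = {k: copy.deepcopy(acl[k]) for k in UPDATE_FIELDS if k in acl}
    doc["Scope"] = scope
    # The lock token is an optimistic lock: if anyone updated the ACL after
    # this get, the update fails instead of silently overwriting their change.
    doc["LockToken"] = get_response["LockToken"]
    return doc


def set_managed_rule_to_count(doc, group_name, rule_name, vendor="AWS"):
    """Exclude one rule of a managed rule group so it runs in COUNT mode.

    Returns True if the group was found (the call is idempotent), False otherwise.
    """
    for rule in doc["Rules"]:
        mrg = rule["Statement"].get("ManagedRuleGroupStatement")
        if mrg and mrg["VendorName"] == vendor and mrg["Name"] == group_name:
            excluded = mrg.setdefault("ExcludedRules", [])
            if not any(e["Name"] == rule_name for e in excluded):
                excluded.append({"Name": rule_name})
            return True
    return False


def counted_rules(doc, group_name, vendor="AWS"):
    """Names of the rules currently in COUNT mode for a managed rule group."""
    for rule in doc["Rules"]:
        mrg = rule["Statement"].get("ManagedRuleGroupStatement")
        if mrg and mrg["VendorName"] == vendor and mrg["Name"] == group_name:
            return [e["Name"] for e in mrg.get("ExcludedRules", [])]
    return []


# Constructed `get-web-acl` response with one managed rule group (fake IDs/ARN).
SAMPLE_GET_WEB_ACL = {
    "WebACL": {
        "Name": "example-acl",
        "Id": "11111111-2222-3333-4444-555555555555",
        "ARN": "arn:aws:wafv2:ap-northeast-1:123456789012:regional/webacl/example-acl/11111111-2222-3333-4444-555555555555",
        "DefaultAction": {"Allow": {}},
        "Description": "constructed sample",
        "Rules": [{
            "Name": "aws-common", "Priority": 0,
            "Statement": {"ManagedRuleGroupStatement": {
                "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}},
            "OverrideAction": {"None": {}},
            "VisibilityConfig": {"SampledRequestsEnabled": True,
                                 "CloudWatchMetricsEnabled": True,
                                 "MetricName": "aws-common"},
        }],
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": "example-acl"},
        "Capacity": 700,
    },
    "LockToken": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
}

if __name__ == "__main__":
    doc = update_input_from(SAMPLE_GET_WEB_ACL)
    set_managed_rule_to_count(doc, "AWSManagedRulesCommonRuleSet", "SizeRestrictions_BODY")
    # Keep the pre-change document too: re-applying it with a fresh lock token is the revert.
    print(json.dumps(doc, indent=2))
```

In practice the sequence is: save `aws wafv2 get-web-acl --scope REGIONAL --name <name> --id <id>` to before.json, run the script to produce update.json, and apply it with `aws wafv2 update-web-acl --cli-input-json file://update.json`. Reverting is the same call with the rules from before.json and the lock token from a fresh get; if the token is stale the API refuses the update, which is the behaviour you want when more than one person touches the web ACL.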
3. Common questions
・What will happen to the old AWS WAF?
It continues to be offered as AWS WAF Classic, and WafCharm remains compatible with it.
・How do I migrate from AWS WAF Classic to the new AWS WAF?
Refer to the official migration guide when configuring the new AWS WAF:
https://docs.aws.amazon.com/waf/latest/developerguide/waf-migrating-from-classic.html
4. Conclusion
This is a major change to both the operation and the functionality of AWS WAF. Although writing rules yourself is relatively easy, creating and selecting appropriate rules is still difficult because of the WCU limit. One way to simplify operation is to use managed rules, so if you have not used them before, now is a good time to evaluate whether they fit your configuration.