Hands-on: Implementing Web Application Firewall (WAF) and AWS Config for Security and Monitoring in AWS

Welcome to this hands-on lab session where you will gain practical experience in securing and monitoring your AWS resources using Web Application Firewall (WAF) and AWS Config. In this lab, you will learn how to protect your applications against common web security threats and track changes to your security configurations to maintain a strong security posture.

Lab Overview

In today’s digital age, safeguarding online applications from threats like SQL injection attacks is paramount. We’ll guide you through a real-world scenario where a top university’s serverless online portal faced a security breach due to an SQL injection vulnerability. We will implement a solution using AWS services to secure the portal and track changes to our security configurations.

Learning Objectives

By the end of this lab, you will:

  1. Create and configure an AWS WAF Web ACL to protect an AWS API Gateway from malicious SQL injection attacks.
  2. Define WAF rules to block SQL injection attempts.
  3. Associate the Web ACL with the API Gateway to filter incoming requests.
  4. Set up AWS Config to monitor and track changes to your Web ACLs.
  5. Gain practical experience in maintaining a secure and monitored environment for your AWS resources.


Before you begin, make sure you have the following prerequisites in place:

  1. An AWS account with necessary permissions for creating and configuring AWS WAF and AWS Config.
  2. AWS Command Line Interface (CLI) installed and configured with the necessary credentials.

Lab Structure

This hands-on lab is divided into the following sections:

  1. Create a Web ACL: You will create a Web ACL named MyWebACL and define rules for protecting your API Gateway.
  2. Define WAF Rules: Create a WAF rule to block SQL injection attacks and define conditions for the rule.
  3. Attach Web ACL to API Gateway: Associate the Web ACL with your API Gateway to filter incoming requests.
  4. Set Up AWS Config: Configure AWS Config to track changes to your Web ACLs, including rule creations and deletions.
  5. Monitor and Update: Learn how to monitor AWS WAF logs, use AWS Config for tracking, and set up CloudWatch Alarms for alerts.


This lab provides a simplified example for educational purposes. In a real-world scenario, you may need to define more complex rules, handle false positives, and adapt the solution to your specific needs.

Now, let’s dive into the lab, secure your applications, and gain valuable experience in monitoring and maintaining the security of your AWS resources. Enjoy the hands-on learning experience!

To implement this solution, a Web Application Firewall (WAF) in front of the API Gateway plus AWS Config for tracking changes, you can use the AWS Command Line Interface (CLI). Below are the steps to set up this configuration with the AWS CLI, along with explanations of the relevant parameters.

Step 1: Create an AWS WAF Web ACL

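  1. Create a Web ACL named MyWebACL that defines the rules for protecting the API Gateway.
aws wafv2 create-web-acl --scope REGIONAL --name MyWebACL --default-action Allow={} --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=MyWebACL
  • --scope: Specifies whether the Web ACL protects a CloudFront distribution (CLOUDFRONT) or a regional resource such as an API Gateway or an Application Load Balancer (REGIONAL). In this case, we use REGIONAL because it’s in front of the API Gateway.
  • --name: The name of your Web ACL.
  • --default-action: Specifies the action to take when no rule matches. In this example, we set it to Allow.
  • --visibility-config: Required by create-web-acl. It turns on request sampling and CloudWatch metrics for the Web ACL and names the metric.
  The command output includes the Web ACL's Id and ARN, which the later steps need.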

Step 2: Create and Define a WAF Rule to Block SQL Injection

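  1. Create a WAF rule that defines conditions to block malicious SQL code. In WAFv2 a rule is not a separate resource: it is an entry in the Web ACL's rule list, so there is no standalone create command for it, and the SQL injection match sets of WAF Classic have no wafv2 equivalent. Describe the rule in a JSON file (here sqli-rule.json) holding a one-element array whose rule has:
  • Name: Name of your rule, SQLInjectionRule.
  • Action: Set to Block to block requests that match this rule. The Web ACL's default action stays Allow.
  • Priority and VisibilityConfig: Required for every rule.
  2. Define the conditions for the SQL injection rule. The rule's Statement is a SqliMatchStatement. Set its FieldToMatch to UriPath so that the URI of each request is inspected, and list at least one entry under TextTransformations (for example URL_DECODE), which WAF applies before looking for SQL injection patterns.
  3. Read the Web ACL's current LockToken, using the Id returned in Step 1:
aws wafv2 get-web-acl --name MyWebACL --scope REGIONAL --id WEB_ACL_ID
  4. Add the rule to the Web ACL. update-web-acl replaces the whole rule list, so the file must contain every rule you want to keep:
aws wafv2 update-web-acl --name MyWebACL --scope REGIONAL --id WEB_ACL_ID --lock-token LOCK_TOKEN --default-action Allow={} --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=MyWebACL --rules file://sqli-rule.json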
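
In WAFv2 the SQL injection rule is a JSON entry in the Web ACL's rule list rather than a separately created match set. The script below is an added example, not part of the original lab: it writes that rule list and wraps the lock-token update flow in a function. WEB_ACL_ID and the file name sqli-rule.json are placeholders.

```shell
# Added example, not from the original lab. WEB_ACL_ID and the file name
# sqli-rule.json are placeholders/assumptions.

# Write the Web ACL rule list: one rule, SQLInjectionRule, that blocks
# requests whose URI path matches WAF's SQL injection detection.
write_sqli_rules() {  # usage: write_sqli_rules OUTPUT_FILE
  cat > "$1" <<'JSON'
[
  {
    "Name": "SQLInjectionRule",
    "Priority": 0,
    "Statement": {
      "SqliMatchStatement": {
        "FieldToMatch": { "UriPath": {} },
        "TextTransformations": [ { "Priority": 0, "Type": "URL_DECODE" } ]
      }
    },
    "Action": { "Block": {} },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "SQLInjectionRule"
    }
  }
]
JSON
}

# Read the current lock token, then replace the Web ACL's rule list.
# update-web-acl overwrites every rule, so the file must list all rules to keep.
apply_sqli_rules() {  # usage: apply_sqli_rules WEB_ACL_ID RULES_FILE
  token=$(aws wafv2 get-web-acl --name MyWebACL --scope REGIONAL --id "$1" \
            --query LockToken --output text) || return 1
  aws wafv2 update-web-acl --name MyWebACL --scope REGIONAL --id "$1" \
    --lock-token "$token" --default-action 'Allow={}' \
    --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=MyWebACL \
    --rules "file://$2"
}

write_sqli_rules sqli-rule.json
# With AWS credentials configured, run: apply_sqli_rules WEB_ACL_ID sqli-rule.json
```

UriPath covers only the path. To inspect the query string or body as well, combine further SqliMatchStatement entries (FieldToMatch QueryString or Body) in an OrStatement.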

Step 3: Attach the WAF Web ACL to the API Gateway

  1. Associate the Web ACL with your API Gateway using its ARN.
aws wafv2 associate-web-acl --resource-arn API_GATEWAY_ARN --web-acl-arn WEB_ACL_ARN
  • --resource-arn: The ARN of your API Gateway stage, in the form arn:aws:apigateway:REGION::/restapis/API_ID/stages/STAGE_NAME.
  • --web-acl-arn: The ARN of the Web ACL created in Step 1.

Step 4: Set Up AWS Config

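  1. Track changes to your Web ACLs. AWS Config records configuration changes through its configuration recorder rather than through a Config rule (rules evaluate compliance), so add the WAFv2 Web ACL resource type to the recorder and start it:
aws configservice put-configuration-recorder --configuration-recorder name=default,roleARN=CONFIG_ROLE_ARN --recording-group allSupported=false,includeGlobalResourceTypes=false,resourceTypes=AWS::WAFv2::WebACL
aws configservice start-configuration-recorder --configuration-recorder-name default
  • --configuration-recorder: Name of the recorder and the IAM role (CONFIG_ROLE_ARN, a placeholder) that AWS Config assumes to read your resources.
  • --recording-group: Specifies what is recorded, and in this case, it’s changes to AWS WAF Web ACLs (AWS::WAFv2::WebACL).
  A delivery channel (aws configservice put-delivery-channel) must exist before the recorder can start. If the account already has a recorder that records all supported resource types, Web ACLs are already covered and the recorder does not need to be changed.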

Step 5: Monitor and Update

Now, your API Gateway is protected by the Web ACL, and AWS Config is set up to track changes to your Web ACLs.

Remember to periodically check the AWS WAF logs and AWS Config for changes. You can also use AWS CloudWatch Alarms to alert you to any malicious activity blocked by the WAF.
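
A sketch of both checks, as an added example that is not part of the original lab: a function that tallies which clients a rule blocked, run over constructed WAF log records (trimmed to the fields used, one JSON object per line), and a CloudWatch alarm on the rule's BlockedRequests metric. REGION and SNS_TOPIC_ARN are placeholders, the threshold is an assumption, and the rule's metric name is assumed to be SQLInjectionRule.

```shell
# Added example, not from the original lab. The log lines are constructed;
# REGION and SNS_TOPIC_ARN are placeholders, the threshold is an assumption.
cat > waf-sample.log <<'LOG'
{"timestamp":1700000000000,"terminatingRuleId":"SQLInjectionRule","action":"BLOCK","httpRequest":{"clientIp":"203.0.113.7","uri":"/students"}}
{"timestamp":1700000001000,"terminatingRuleId":"Default_Action","action":"ALLOW","httpRequest":{"clientIp":"192.0.2.5","uri":"/courses"}}
{"timestamp":1700000002000,"terminatingRuleId":"SQLInjectionRule","action":"BLOCK","httpRequest":{"clientIp":"203.0.113.7","uri":"/grades"}}
{"timestamp":1700000003000,"terminatingRuleId":"SQLInjectionRule","action":"BLOCK","httpRequest":{"clientIp":"198.51.100.20","uri":"/students"}}
{"timestamp":1700000004000,"terminatingRuleId":"SQLInjectionRule","action":"BLOCK","httpRequest":{"clientIp":"203.0.113.7","uri":"/login"}}
LOG

# Print "client_ip count" for requests blocked by one rule, busiest first.
blocked_sources() {  # usage: blocked_sources LOG_FILE RULE_NAME
  grep -F "\"terminatingRuleId\":\"$2\"" "$1" \
    | grep -F '"action":"BLOCK"' \
    | sed -n 's/.*"clientIp":"\([^"]*\)".*/\1/p' \
    | sort | uniq -c | sort -k1,1nr \
    | awk '{ print $2, $1 }'
}

# Alarm when the rule blocks 10 or more requests within five minutes.
# The Rule dimension is the MetricName from the rule's VisibilityConfig.
alarm_on_blocks() {
  aws cloudwatch put-metric-alarm --alarm-name SQLInjectionRule-blocks \
    --namespace AWS/WAFV2 --metric-name BlockedRequests \
    --dimensions Name=WebACL,Value=MyWebACL Name=Rule,Value=SQLInjectionRule Name=Region,Value=REGION \
    --statistic Sum --period 300 --evaluation-periods 1 --threshold 10 \
    --comparison-operator GreaterThanOrEqualToThreshold \
    --alarm-actions SNS_TOPIC_ARN
}

blocked_sources waf-sample.log SQLInjectionRule
# With AWS credentials configured, run: alarm_on_blocks
```

For production volumes, query the delivered logs with a JSON-aware tool instead of grep and sed; the text matching here assumes compact records as in the sample.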

Please note that this is a simplified example, and in a real-world scenario, you would need to define more complex rules, handle false positives, and adapt the solution to your specific needs. Make sure to replace placeholders like API_GATEWAY_ARN and WEB_ACL_ARN with actual ARNs from your AWS resources.
