Monitoring WAF using CloudWatch

Monitoring your WAF rules and conditions, as well as your application's web traffic, plays an important part in identifying and mitigating possible attacks and exploits. AWS provides a wide assortment of tools and services that you, as an administrator, can leverage to monitor and report on such activity. The following services are briefly explained below:

  • AWS WAF dashboard: Yes, you read it right! AWS WAF also provides a simple monitoring dashboard that lists the total requests made to your application via either the CloudFront CDN or the Application Load Balancer, as well as the number of requests that actually matched your specified rules. To view the dashboard, log in to the AWS WAF console, select the Web ACLs page, and click on the Requests tab, as shown in the following screenshot:

The graph aggregates and displays requests in five-minute intervals. You can alternatively open the same graph in Amazon CloudWatch for further analysis.

  • Amazon CloudWatch: Amazon CloudWatch has been around for some time, and provides various metrics that you can select and configure as part of a customized request monitoring dashboard. Here is a list of the supported WAF metrics, with a brief description:
    • AllowedRequests: The number of web requests that were allowed. The valid dimensions for this metric are Rule and WebACL.
    • BlockedRequests: The number of web requests that were blocked. The valid dimensions for this metric are Rule and WebACL.
    • CountedRequests: The number of web requests that matched all of the conditions in a particular rule. Because a rule whose action is set to COUNT neither allows nor blocks anything, this metric is typically used to test new web ACLs and rules before enforcing them. The valid dimensions are again Rule and WebACL.

You can use these metrics to monitor your WAF rules, and even configure CloudWatch alarms that trigger and send notifications when a threshold value is crossed. Note that the WebACL and Rule dimension values are the CloudWatch metric names you assigned when creating the web ACL and rule, not their display names. Based on your requirements, you can take things a step further and configure CloudWatch Events rules that trigger an appropriate Lambda function to mitigate a possible attack, as we did with the Security Automations solution. You can also leverage Amazon CloudWatch to monitor the traffic flowing into your CloudFront distributions as well as your Application Load Balancers.
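As an added example that is not part of the book or of the AWS Security Automations solution, the following Python (boto3) script builds the put_metric_alarm definition for a BlockedRequests alarm on a single rule and checks, against constructed datapoints, how CloudWatch's M-out-of-N alarm evaluation would treat them, so the threshold can be tuned before anything is deployed. The web ACL and rule metric names, the SNS topic ARN, and the sample values are assumptions for illustration.

```python
# Added example (not from the book): build the CloudWatch alarm definition for the
# WAF BlockedRequests metric and evaluate CloudWatch's alarm semantics locally
# against constructed datapoints, so the threshold can be tuned before deploying.
from datetime import datetime, timedelta, timezone

# Assumed names; replace with your own. The dimension values must be the
# CloudWatch metric names given to the web ACL and rule, not their display names.
WEB_ACL_METRIC_NAME = "myWebACL"
RULE_METRIC_NAME = "blockBadIPs"
SNS_TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:waf-alerts"  # assumed topic

COMPARISONS = {
    "GreaterThanThreshold": lambda v, t: v > t,
    "GreaterThanOrEqualToThreshold": lambda v, t: v >= t,
    "LessThanThreshold": lambda v, t: v < t,
    "LessThanOrEqualToThreshold": lambda v, t: v <= t,
}


def blocked_requests_alarm(threshold=100, period=300,
                           evaluation_periods=3, datapoints_to_alarm=2):
    """Return the keyword arguments for cloudwatch.put_metric_alarm(**alarm).

    Period matches the five-minute buckets of the WAF console graph. Requiring
    datapoints_to_alarm breaching periods out of evaluation_periods stops a
    single noisy bucket from paging anyone.
    """
    return {
        "AlarmName": f"waf-{RULE_METRIC_NAME}-blocked-spike",
        "AlarmDescription": "Blocked requests for one WAF rule exceeded the threshold",
        "Namespace": "WAF",  # AWS WAF (classic); WAFv2 publishes under AWS/WAFV2
        "MetricName": "BlockedRequests",
        "Dimensions": [
            {"Name": "WebACL", "Value": WEB_ACL_METRIC_NAME},
            {"Name": "Rule", "Value": RULE_METRIC_NAME},
        ],
        "Statistic": "Sum",
        "Period": period,
        "EvaluationPeriods": evaluation_periods,
        "DatapointsToAlarm": datapoints_to_alarm,
        "Threshold": threshold,
        "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "notBreaching",  # no traffic is not an attack
        "AlarmActions": [SNS_TOPIC_ARN],
    }


def evaluate_alarm(alarm, datapoints):
    """Apply CloudWatch's M-out-of-N rule to (timestamp, value) datapoints.

    Only the newest EvaluationPeriods datapoints count; the state is ALARM when
    at least DatapointsToAlarm of them breach the threshold. Datapoints may
    arrive in any order, as get_metric_statistics returns them.
    """
    breaches = COMPARISONS[alarm["ComparisonOperator"]]
    recent = sorted(datapoints)[-alarm["EvaluationPeriods"]:]
    breaching = sum(1 for _, value in recent if breaches(value, alarm["Threshold"]))
    return "ALARM" if breaching >= alarm["DatapointsToAlarm"] else "OK"


def fetch_datapoints(alarm, minutes=60):
    """Pull the real metric with boto3 (needs AWS credentials; not run offline)."""
    import boto3  # imported lazily so the module works without boto3 installed
    end = datetime.now(timezone.utc)
    resp = boto3.client("cloudwatch").get_metric_statistics(
        Namespace=alarm["Namespace"], MetricName=alarm["MetricName"],
        Dimensions=alarm["Dimensions"], StartTime=end - timedelta(minutes=minutes),
        EndTime=end, Period=alarm["Period"], Statistics=[alarm["Statistic"]],
    )
    return [(dp["Timestamp"], dp[alarm["Statistic"]]) for dp in resp["Datapoints"]]


# Constructed sample datapoints (not real traffic): six 5-minute buckets of
# BlockedRequests, with a spike in the last three.
_T0 = datetime(2019, 1, 1, 12, 0, tzinfo=timezone.utc)
SPIKE_DATAPOINTS = [(_T0 + timedelta(minutes=5 * i), v)
                    for i, v in enumerate([12, 8, 15, 340, 910, 1205])]
# A single bucket over the threshold, which M-out-of-N should not page on.
BLIP_DATAPOINTS = [(_T0 + timedelta(minutes=5 * i), v)
                   for i, v in enumerate([12, 8, 150, 9])]

if __name__ == "__main__":
    alarm = blocked_requests_alarm()
    print("spike:", evaluate_alarm(alarm, SPIKE_DATAPOINTS))  # ALARM
    print("blip: ", evaluate_alarm(alarm, BLIP_DATAPOINTS))   # OK
    # boto3.client("cloudwatch").put_metric_alarm(**alarm)  # deploys the alarm
```

Run offline, the script prints the two verdicts: the sustained spike alarms, while the single 150-request bucket does not, which is the reason for setting DatapointsToAlarm below EvaluationPeriods. Once credentials are in place, fetch_datapoints pulls the live metric and the commented put_metric_alarm call deploys the alarm. For a web ACL attached to an Application Load Balancer, the regional WAF metrics additionally carry a Region dimension.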

  • AWS CloudTrail: AWS CloudTrail is yet another service that you can and should leverage. CloudTrail records the API calls made against your AWS account, including every change to your web ACLs, rules, and conditions, so it tells you who changed your WAF configuration and when; your application's access and error logs, and the logs generated by the Security Automations solution itself, are written to CloudWatch Logs instead. Here is a sample of a few Log Groups, created automatically by the Security Automations solution, for capturing WAF traffic flow and events. We will be exploring AWS CloudTrail in more detail in the next chapter:

With this, we come to the end of yet another chapter, but before we sign off, here are some interesting things that I feel you ought to try out as part of AWS WAF.
