Amazon Web Services recently launched its own WAF product, designed to give its cloud computing customers more control over the type of traffic that is allowed or not allowed to reach their web applications. By defining Access Control Lists, rules, and actions, companies can now block SQL injection, cross-site scripting, and other common vulnerabilities. Rules can be customized for each specific application. The product also includes an API that can be used to automate some of the setup and maintenance of the WAF.
Amazon is a little late to the WAF considering it is the largest cloud services provider on the planet. The move is an effort to catch up to some of the other major players in the cloud security space like Akamai/Prolexic, Incapsula, and CloudFlare. Up until now, many security-conscious companies have been using services like Incapsula on top of their AWS stack simply because Amazon didn’t have an offering.
Jeff Barr, chief evangelist for Amazon Web Services, explained that the service can analyze the incoming IP address and various parameters of a request, such as URI, query string, HTTP header, and HTTP method. These are the conditions. A rule combines one or more conditions to identify certain types of requests, and an action dictates what happens (block or allow) when a request matches the conditions in a rule. Access Control Lists reference one or more of these rules along with the action that is taken for each. Before the rules and filters are set up, users also have to identify the CloudFront distribution they want to protect with the WAF.
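The condition, rule, action and ACL layering described above can be modeled in a few lines. This is an added illustration, not AWS code or the AWS WAF API: the class names, the first-match ordering, the AND semantics inside a rule, the default action, and the deliberately simple SQL injection pattern are all assumptions of this sketch, and the addresses are documentation ranges.

```python
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import unquote_plus

@dataclass
class Request:  # constructed shape: the request parts the article lists
    ip: str
    method: str
    uri: str
    query: str

# Conditions: predicates over one part of the request.
def ip_in(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda r: ipaddress.ip_address(r.ip) in net

def uri_prefix(prefix):
    return lambda r: r.uri.startswith(prefix)

def query_matches(pattern):
    rx = re.compile(pattern, re.IGNORECASE)
    # Decode percent-encoding first so an encoded payload is still matched.
    return lambda r: bool(rx.search(unquote_plus(r.query)))

@dataclass
class Rule:
    name: str
    conditions: list  # assumption: every condition must match (AND)

    def matches(self, req):
        return all(cond(req) for cond in self.conditions)

@dataclass
class WebACL:
    rules: list          # ordered (Rule, action) pairs; first match wins
    default_action: str  # assumption: applied when no rule matches

    def evaluate(self, req):
        for rule, action in self.rules:
            if rule.matches(req):
                return action, rule.name
        return self.default_action, None

# Constructed sample policy, not taken from the article.
ACL = WebACL(
    rules=[
        (Rule("office-admin", [ip_in("203.0.113.0/24"), uri_prefix("/admin")]), "ALLOW"),
        (Rule("admin-lockdown", [uri_prefix("/admin")]), "BLOCK"),
        (Rule("sqli-query", [query_matches(r"'\s*or\s+1\s*=\s*1|\bunion\b.+\bselect\b")]), "BLOCK"),
    ],
    default_action="ALLOW",
)
```

Rule order matters in this model: the narrow allow for the office range has to sit above the broad `/admin` block, otherwise the block would match first.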
According to Amazon, there are no minimum commitments for the service and pricing is calculated based on the number of defined ACLs and the number of rules deployed for them.
The cost per ACL is $5 per month, and the cost per rule per month is $1. The volume of requests handled by the WAF is also charged at $0.60 per million requests. There are no additional charges for reusing an ACL across multiple CloudFront distributions.