Asi implementing-cloud-waf-rules
install
source · Clone the upstream repo
git clone https://github.com/plurigrid/asi
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/plurigrid/asi "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/asi/skills/implementing-cloud-waf-rules" ~/.claude/skills/plurigrid-asi-implementing-cloud-waf-rules && rm -rf "$T"
manifest:
plugins/asi/skills/implementing-cloud-waf-rules/SKILL.mdsource content
Implementing Cloud WAF Rules
When to Use
- When deploying new web applications or APIs behind cloud load balancers requiring OWASP protection
- When application penetration testing reveals SQL injection, XSS, or other injection vulnerabilities
- When experiencing brute force, credential stuffing, or bot attacks against authentication endpoints
- When compliance requirements mandate a WAF for PCI-DSS or similar standards
- When tuning WAF rules to reduce false positives blocking legitimate application traffic
Do not use for network-level DDoS protection (use AWS Shield or Azure DDoS Protection), for API authentication design (see managing-cloud-identity-with-okta), or for application code-level security fixes (WAF is a compensating control, not a replacement for secure code).
Prerequisites
- AWS ALB/CloudFront, Azure Application Gateway, or Cloudflare configured as the application entry point
- Application traffic logs for baseline analysis before WAF deployment
- Test environment for validating WAF rules before production enforcement
- Understanding of application request patterns to minimize false positives
Workflow
Step 1: Deploy Managed Rule Sets
Enable cloud provider managed rule sets that cover OWASP Top 10 vulnerabilities. Start in Count (detection) mode before switching to Block (prevention) mode.
# AWS WAF: Create Web ACL with AWS Managed Rules aws wafv2 create-web-acl \ --name production-waf \ --scope REGIONAL \ --default-action '{"Allow": {}}' \ --visibility-config '{ "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "production-waf" }' \ --rules '[ { "Name": "AWSManagedRulesCommonRuleSet", "Priority": 1, "Statement": { "ManagedRuleGroupStatement": { "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet" } }, "OverrideAction": {"Count": {}}, "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "CommonRuleSet" } }, { "Name": "AWSManagedRulesSQLiRuleSet", "Priority": 2, "Statement": { "ManagedRuleGroupStatement": { "VendorName": "AWS", "Name": "AWSManagedRulesSQLiRuleSet" } }, "OverrideAction": {"Count": {}}, "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "SQLiRuleSet" } }, { "Name": "AWSManagedRulesKnownBadInputsRuleSet", "Priority": 3, "Statement": { "ManagedRuleGroupStatement": { "VendorName": "AWS", "Name": "AWSManagedRulesKnownBadInputsRuleSet" } }, "OverrideAction": {"Count": {}}, "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "KnownBadInputs" } } ]'
Step 2: Create Custom Rate Limiting Rules
Deploy rate-based rules to protect login endpoints against brute force and credential stuffing attacks.
# Rate limiting rule for login endpoint (100 requests per 5 minutes per IP) aws wafv2 update-web-acl \ --name production-waf \ --scope REGIONAL \ --id <web-acl-id> \ --lock-token <lock-token> \ --default-action '{"Allow": {}}' \ --rules '[ { "Name": "RateLimitLogin", "Priority": 0, "Statement": { "RateBasedStatement": { "Limit": 100, "AggregateKeyType": "IP", "ScopeDownStatement": { "ByteMatchStatement": { "FieldToMatch": {"UriPath": {}}, "PositionalConstraint": "STARTS_WITH", "SearchString": "/api/auth/login", "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}] } } } }, "Action": {"Block": {"CustomResponse": {"ResponseCode": 429}}}, "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "RateLimitLogin" } } ]'
Step 3: Configure Geo-Blocking and IP Reputation
Block traffic from countries where the application has no legitimate users and leverage IP reputation lists to block known malicious sources.
# AWS WAF: Geo-blocking rule # Block countries not in the allowed list aws wafv2 create-ip-set \ --name blocked-ips \ --scope REGIONAL \ --ip-address-version IPV4 \ --addresses "198.51.100.0/24" "203.0.113.0/24" # Add Amazon IP Reputation rule # AWSManagedRulesAmazonIpReputationList blocks IPs flagged by AWS threat intelligence
Step 4: Tune Rules to Reduce False Positives
Analyze WAF logs in Count mode to identify legitimate requests being flagged. Create rule exceptions for specific URI paths or request patterns.
# Enable WAF logging to S3 aws wafv2 put-logging-configuration \ --logging-configuration '{ "ResourceArn": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/production-waf/id", "LogDestinationConfigs": ["arn:aws:s3:::waf-logs-bucket"], "RedactedFields": [{"SingleHeader": {"Name": "authorization"}}] }' # Query WAF logs with Athena to find false positives # Find rules triggered most frequently for legitimate traffic cat << 'EOF' > waf-analysis.sql SELECT terminatingRuleId, httpRequest.uri, httpRequest.httpMethod, COUNT(*) as block_count FROM waf_logs WHERE action = 'BLOCK' AND timestamp > date_add('day', -7, now()) GROUP BY terminatingRuleId, httpRequest.uri, httpRequest.httpMethod ORDER BY block_count DESC LIMIT 20 EOF
# Exclude specific rule from managed rule set that causes false positives # Example: Exclude SizeRestrictions_BODY for file upload endpoint aws wafv2 update-web-acl \ --name production-waf \ --scope REGIONAL \ --id <web-acl-id> \ --lock-token <lock-token> \ --rules '[{ "Name": "AWSManagedRulesCommonRuleSet", "Priority": 1, "Statement": { "ManagedRuleGroupStatement": { "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet", "ExcludedRules": [{"Name": "SizeRestrictions_BODY"}] } }, "OverrideAction": {"None": {}}, "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "CommonRuleSet" } }]'
Step 5: Switch to Block Mode After Validation
After 7-14 days of Count mode with acceptable false positive rates, switch managed rules to Block mode for active protection.
# Change OverrideAction from Count to None (use rule group's default Block action) # Update each managed rule group from {"Count": {}} to {"None": {}} # Monitor CloudWatch metrics for sudden changes in blocked request volume
Key Concepts
| Term | Definition |
|---|---|
| Web ACL | Web Access Control List defining the set of rules evaluated against every HTTP request to a protected resource |
| Managed Rule Group | Pre-configured rule set maintained by the cloud provider or third-party vendor covering common attack patterns |
| Rate-Based Rule | WAF rule that tracks request rates per IP address and blocks IPs exceeding the threshold within a time window |
| Count Mode | WAF action that logs matching requests without blocking them, used for rule validation before enforcement |
| Rule Priority | Numerical ordering determining which rules are evaluated first; lower numbers have higher priority |
| Custom Response | WAF capability to return specific HTTP status codes and headers when blocking requests |
| Scope-Down Statement | Condition that narrows a rate-based rule to specific URI paths, methods, or headers |
| False Positive | Legitimate request incorrectly blocked by a WAF rule, requiring rule tuning or exclusion |
Tools & Systems
- AWS WAF: Cloud-native WAF integrated with ALB, CloudFront, API Gateway, and AppSync
- Azure WAF: Web application firewall on Application Gateway or Front Door with OWASP CRS rule sets
- AWS Firewall Manager: Centralized WAF policy management across multiple AWS accounts in an Organization
- WAF Security Automations: AWS solution that deploys Lambda-based automated WAF rule updates based on log analysis
- CloudWatch Metrics: Monitoring dashboard for tracking WAF rule match rates, block counts, and allowed requests
Common Scenarios
Scenario: Credential Stuffing Attack Against Authentication API
Context: An e-commerce application experiences 50,000 login attempts per hour from a botnet using stolen credential lists. The attacker rotates source IPs every few minutes to evade simple IP-based blocking.
Approach:
- Deploy rate-based rules limiting login endpoint requests to 10 per 5 minutes per IP
- Enable AWS WAF Bot Control managed rule group to detect automated request patterns beyond IP rotation
- Add a custom rule requiring valid CAPTCHA tokens for login requests exceeding 5 failures
- Implement IP reputation blocking using AWSManagedRulesAmazonIpReputationList
- Create a custom rule matching on User-Agent patterns common to credential stuffing tools
- Monitor blocked request metrics and adjust thresholds based on legitimate traffic patterns
Pitfalls: Setting rate limits too aggressively blocks legitimate users behind shared NAT IPs. Blocking by User-Agent alone is easily bypassed by rotating agent strings.
Output Format
Cloud WAF Configuration Report ================================ Web ACL: production-waf Scope: Regional (us-east-1) Protected Resources: ALB (arn:aws:elasticloadbalancing:...) Report Date: 2025-02-23 RULE CONFIGURATION: [P0] RateLimitLogin - BLOCK (100 req/5min/IP) [P1] AWSManagedRulesCommon - BLOCK (1 exclusion: SizeRestrictions_BODY) [P2] AWSManagedRulesSQLi - BLOCK [P3] AWSManagedRulesKnownBad - BLOCK [P4] AWSManagedRulesBotControl - COUNT (evaluation phase) [P5] GeoBlockRule - BLOCK (12 countries blocked) TRAFFIC ANALYSIS (Last 7 Days): Total Requests: 2,847,293 Allowed: 2,791,456 (98.0%) Blocked: 51,234 (1.8%) Counted: 4,603 (0.2%) TOP BLOCKED RULES: RateLimitLogin: 23,456 blocks (45.8%) SQLi Detection: 8,234 blocks (16.1%) CommonRuleSet (XSS): 7,891 blocks (15.4%) GeoBlockRule: 6,543 blocks (12.8%) KnownBadInputs: 5,110 blocks (10.0%) FALSE POSITIVE ANALYSIS: Reported False Positives: 3 Confirmed False Positives: 1 (SizeRestrictions_BODY for /api/upload) Action Taken: Rule exclusion applied