AWS Web Application Firewall Monitoring
AWS Web Application Firewall - Overview
AWS Web Application Firewall (AWS WAF) is a security service that helps protect web applications from common web exploits and threats. It allows you to monitor and control incoming HTTPS requests based on customizable security rules, helping to prevent attacks such as SQL injection, cross-site scripting (XSS), and bot traffic.
Creating a new AWS Web Application Firewall monitor
To learn how to create a new AWS Web Application Firewall monitor, refer here.
Monitored Parameters
Go to the Monitors Category View by clicking the Monitors tab. Click on the Web Application Firewall instance available under Amazon in the Cloud Apps section. Displayed below is the Amazon Web Application Firewall bulk configuration view distributed into three tabs:
- Availability tab gives the availability history for the past 24 hours or 30 days.
- Performance tab gives the health status and events for the past 24 hours or 30 days.
- List view tab enables you to perform bulk admin configurations.
By clicking a monitor from the list, you'll be taken to the AWS Web Application Firewall dashboard which includes the following tabs:
Performance Overview
| Parameter | Description |
|---|
| WAF REQUEST ACTIONS |
| Allowed Requests | The percentage of allowed web requests between the poll interval (in %). |
| Blocked Requests | The percentage of blocked web requests between the poll interval (in %). |
| Captcha Requests | The percentage of web requests subjected to CAPTCHA controls applied between the poll interval including all requests matching a CAPTCHA rule, regardless of the valid tokens (in %). |
| Challenge Requests | The percentage of web requests with challenge controls applied between the poll interval including all requests matching a Challenge rule, regardless of the valid tokens (in %). |
| REQUEST THROUGHPUT |
| Rate of Total Requests | The total number of requests passed through this webacl passing all the rules per minute between the poll interval (in requests/min). |
| Total Requests | The total number of requests passed through this webacl passing all the rules between the poll interval. |
| ALLOWED REQUESTS |
| Allowed Requests | The total number of allowed web requests between the poll interval. |
| BLOCKED REQUESTS |
| Blocked Requests | The total number of blocked web requests between the poll interval. |
| CAPTCHA REQUESTS |
| Captcha Requests | The total number of web requests subjected to CAPTCHA controls applied between the poll interval including all requests matching a CAPTCHA rule, regardless of the valid tokens. |
| Captchas Attempted | The total number of solutions that were submitted by an end user in response to a CAPTCHA puzzle challenge between the poll interval. |
| Captchas Solved | The total number of CAPTCHA puzzle solutions submitted that successfully solved the puzzle between the poll interval. |
| Captchas with Valid Token | The total number of web requests that had CAPTCHA controls applied and a valid CAPTCHA token between the poll interval. |
| CHALLENGE REQUESTS |
| Challenge Requests | The total number of web requests with challenge controls applied between the poll interval, including all requests matching a Challenge rule, regardless of the valid tokens. |
| Challenges with Valid Token | The total number of web requests that had challenge controls applied and had valid challenge tokens between the poll interval. |
| COUNTED REQUESTS |
| Counted Requests | The total number of web requests that match at least one of the rules between the poll interval. |
| PASSED REQUESTS |
| Passed Requests | The total number of web requests that go through a rule evaluation without matching any rules between the poll interval. |
Rules
| Parameter | Description |
|---|
| Rule Details |
| Priority | Specifies the evaluation order of rules in AWS WAF, where rules with lower priority values are processed first. |
| Rule Name | The name of the rule. |
| Rule Metric Name | The name of the Amazon Cloud watch metric dimension. |
| Action | The action that AWS WAF should take on a web request when it matches the rule statement. |
| Allowed | The total number of allowed web requests for the specific rule between the poll interval. |
| Blocked | The total number of blocked web requests for the specific rule between the poll interval. |
| Captcha | The total number of web requests subjected to CAPTCHA controls, applied for the specific rule between the poll interval, including all requests matching a CAPTCHA rule regardless of valid tokens. |
| Challenge | The total number of web requests subjected to Challenge controls, applied for the specific rule between the poll interval, including all requests matching a Challenge rule regardless of valid tokens. |
| Counted | The total number of web requests that match at least one of the rules for the specific rule between the poll interval. |
| Passed | The total number of requests that go through a rule evaluation without matching the specific rule between the poll interval. |
Applications Manager displays a line graph for the top 5 rules, visualizing key request types such as Allowed Requests, Blocked Requests, Captcha Requests, Challenge Requests, Counted Requests, and Passed Requests.
Client Device Types
| Parameter | Description |
|---|
| ALLOWED REQUESTS |
| Allowed via Desktop | The total number of allowed web requests from desktop devices between the poll interval. |
| Allowed via Mobile | The total number of allowed web requests from mobile devices between the poll interval. |
| Allowed via Tablet | The total number of allowed web requests from tablet devices between the poll interval. |
| BLOCKED REQUESTS |
| Blocked via Desktop | The total number of blocked web requests from desktop devices between the poll interval. |
| Blocked via Mobile | The total number of blocked web requests from mobile devices between the poll interval. |
| Blocked via Tablet | The total number of blocked web requests from tablet devices between the poll interval. |
| CAPTCHA REQUESTS |
| Captcha via Desktop | The total number of web requests which had captcha controls applied and passed through desktop devices between the poll interval. |
| Captcha via Mobile | The total number of web requests which had captcha controls applied and passed through mobile devices between the poll interval. |
| Captcha via Tablet | The total number of web requests which had captcha controls applied and passed through tablet devices between the poll interval. |
| CHALLENGE REQUESTS |
| Challenge via Desktop | The total number of web requests which had challenge controls applied and passed through desktop devices between the poll interval. |
| Challenge via Mobile | The total number of web requests which had challenge controls applied and passed through mobile devices between the poll interval. |
| Challenge via Tablet | The total number of web requests which had challenge controls applied and passed through tablet devices between the poll interval. |
| COUNTED REQUESTS |
| Counted via Desktop | The total number of web requests that matched at least one of the rules and passed through desktop devices between the poll interval. |
| Counted via Mobile | The total number of web requests that matched at least one of the rules and passed through mobile devices between the poll interval. |
| Counted via Tablet | The total number of web requests that matched at least one of the rules and passed through tablet devices between the poll interval. |
| PASSED REQUESTS |
| Passed via Desktop | The total number of requests that go through a rule evaluation without matching any rules through desktop devices between the poll interval. |
| Passed via Mobile | The total number of requests that go through a rule evaluation without matching any rules through mobile devices between the poll interval. |
| Passed via Tablet | The total number of requests that go through a rule evaluation without matching any rules through tablet devices between the poll interval. |
Configuration
| Parameter | Description |
|---|
| ACL ID | The unique identifier for the web ACL. |
| Cloudwatch Metric Name | A name of the Amazon CloudWatch metric dimension. |
| Description | A description of the web ACL that helps with identification. |
| Default Action | The action to perform if none of the rules in the WebACL match. |
| Capacity | The web ACL capacity units currently being used by this web ACL (in WCUs). |
