Level: Advanced. Duration: 02:00:00

Implementing AWS WAF with ALB to block SQL Injection, Geo Location and Query string

Task 1: Sign in to AWS Management Console

  1. Click on the Open Console button, and you will be redirected to the AWS Console in a new browser tab.
  2. On the AWS sign-in page, leave the Account ID as default. Never edit or remove the 12-digit Account ID shown in the AWS Console; otherwise you cannot proceed with the lab.
  3. Copy the User Name and Password from the Lab Console into the IAM Username and Password fields in the AWS Console and click on the Sign in button.
  4. Once signed in to the AWS Management Console, set the default AWS Region to US East (N. Virginia) us-east-1.
Task 2: Launch First EC2 Instance

  1. In this task, we launch the first EC2 instance by providing the required configuration: name, AMI, instance type, key pair, security group and other settings. We also supply user data so the instance installs a web server at first boot.
  2. Make sure you are in the N. Virginia (us-east-1) Region.
  3. Navigate to EC2 by clicking on the Services menu in the top left, then click on EC2 in the Compute section.
  4. Navigate to Instances from the left side menu and click on the Launch Instances button.
  5. Under the Name and tags section:
  6. Name: Enter MyEC2Server1
  7. Under the Application and OS Images (Amazon Machine Image) section:
  8. Select the Quick Start tab and Amazon Linux under it.
  9. Amazon Machine Image (AMI): select Amazon Linux 2023 kernel 6.1 AMI
  10. Under the Instance Type section:
  11. Instance Type: Select t2.micro
  12. Under the Key Pair (login) section:
  13. Click on the Create new key pair hyperlink.
  14. Key pair name: MyWebserverKey
  15. Key pair type: RSA
  16. Private key file format: .pem (OpenSSH) or .ppk (PuTTY)
  17. Click on Create key pair and then select the created key pair from the drop-down. The private key is downloaded once and cannot be retrieved again from AWS; keep the file out of shared locations.
  18. Under the Network Settings section:
  19. Click on the Edit button.
  20. Auto-assign public IP: select Enable
  21. Firewall (security groups): Select Create a new security group
  22. Security group name: Enter MyWebserverSG
  23. Description: Enter My EC2 Security Group
  24. To add SSH: Choose Type: SSH, Source: Anywhere (0.0.0.0/0, reachable from all IP addresses). Outside a short-lived lab, restrict this rule to your own address (Source: My IP).
  25. For HTTP, click on Add security group rule, then choose Type: HTTP, Source: Anywhere (0.0.0.0/0).
  26. For HTTPS, click on Add security group rule, then choose Type: HTTPS, Source: Anywhere (0.0.0.0/0).
  27. Under the Advanced details section:
  28. Under User data, copy and paste the following script. It runs once as root at first boot, installs Apache HTTPD and writes the HTML page it will serve:

     #!/bin/bash
     # Runs once as root at first boot (cloud-init user data).
     dnf update -y
     dnf install -y httpd
     systemctl start httpd
     systemctl enable httpd
     echo "<html><h1> Welcome to Lab Server 1 </h1></html>" > /var/www/html/index.html

  29. Keep everything else as default and click on the Launch instance button.
  30. Launch Status: Your instance is now launching. Navigate to the Instances page from the left menu and wait until the status of the EC2 instance changes to Running.
Task 3: Launch Second EC2 Instance

  1. In this task, we launch the second EC2 instance with the same configuration as the first (AMI, instance type, key pair and security group), changing only the name and the page written by the user data script.
  2. Click on the Launch Instances button again.
  3. Under the Name and tags section:
  4. Name: Enter MyEC2Server2
  5. Under the Application and OS Images (Amazon Machine Image) section:
  6. Select the Quick Start tab and Amazon Linux under it.
  7. Amazon Machine Image (AMI): select Amazon Linux 2023 kernel 6.1 AMI
  8. Under the Instance Type section:
  9. Instance Type: Select t2.micro
  10. Under the Key Pair (login) section:
  11. Select MyWebserverKey from the list.
  12. Under the Network Settings section:
  13. Click on the Edit button.
  14. Auto-assign public IP: select Enable
  15. Firewall (security groups): Select existing security group
  16. Common security groups: Select MyWebserverSG from the list.
  17. Under the Advanced details section:
  18. Under User data, copy and paste the following script. It is the same as for the first instance except for the page text:

     #!/bin/bash
     # Runs once as root at first boot (cloud-init user data).
     dnf update -y
     dnf install -y httpd
     systemctl start httpd
     systemctl enable httpd
     echo "<html><h1> Welcome to Lab Server 2 </h1></html>" > /var/www/html/index.html

  19. Keep everything else as default and then click on the Launch instance button.
  20. Your instance is now launching. Navigate to the Instances page and wait until the status changes to Running. It usually takes 1-2 minutes.
Task 4: Create a Target Group

  1. In this task, we create a target group for the load balancer and register the two instances as targets, so that the load balancer can distribute traffic between them.
  2. In the EC2 console, navigate to Target Groups in the left-side panel under the Load Balancing section.
  3. Click on the Create target group button in the top right corner.
  4. Basic configuration:
  5. Choose a target type: Select Instances
  6. Target group name: Enter MyWAFTargetGroup
  7. Protocol: Select HTTP
  8. Port: Enter 80
  9. Health checks:
  10. Health check protocol: Select HTTP. The default health check path / is answered by the index.html page that the user data script created.
  11. Under Advanced health check settings:
  12. Healthy threshold: 3
  13. Unhealthy threshold: 2
  14. Timeout: 5 seconds
  15. Interval: 6 seconds (the interval must be longer than the timeout)
  16. Leave everything else as default and click on the Next button.
  17. Register targets:
  18. Select the two instances we created, MyEC2Server1 and MyEC2Server2.
  19. Click on Include as pending below and scroll down.
  20. Review targets:
  21. Review the targets and click on the Create target group button.
  22. Your target group has been successfully created.
Task 5: Create an Application Load Balancer

  1. In this task, we create an Application Load Balancer by providing the required configuration: name, listener and target group.
  2. In the EC2 console, navigate to Load Balancers in the left-side panel under Load Balancing.
  3. Click on Create Load Balancer at the top-left to create a new load balancer for our web servers.
  4. On the next screen, choose Application Load Balancer and click on the Create button. AWS WAF inspects HTTP traffic at layer 7, and a regional web ACL can be associated with an Application Load Balancer but not with a Network or Gateway Load Balancer.
  5. Basic configuration:
  6. Load balancer name: Enter MyWAFLoadBalancer
  7. Scheme: Select Internet-facing
  8. IP address type: Choose IPv4
  9. Network mapping:
  10. VPC: Select Default
  11. Mappings: Check all Availability Zones
  12. Security groups:
  13. Security groups: Select the existing security group MyWebserverSG from the drop-down menu. Note that this is the same group the instances use, so HTTP from anywhere is allowed to the instances as well as to the load balancer.
  14. Listeners and routing:
  15. Protocol: Select HTTP
  16. Port: Enter 80
  17. Default action: Select MyWAFTargetGroup from the drop-down menu
  18. Leave everything else as default and click on the Create load balancer button.
  19. You have successfully created the Application Load Balancer.
Task 6: Test Load Balancer DNS

  1. In this task, we test the load balancer by opening its DNS name in the browser and checking that it distributes traffic across both instances. We then send the two test requests that the WAF will later block, to record how the servers behave before any web ACL is attached.
  2. Navigate to Target Groups from the left side menu under Load Balancing.
  3. Click on the MyWAFTargetGroup target group name.
  4. Select the Targets tab and wait until both targets show Healthy (important: the load balancer only forwards requests to healthy targets).
  5. Now navigate to Load Balancers from the left side menu under Load Balancing.
  6. Select the MyWAFLoadBalancer load balancer and copy the DNS name under the Description tab.
  7. Enter the DNS name of the ELB in the browser. DNS example: MyWAFLoadBalancer-2020171322.us-east-1.elb.amazonaws.com
  8. You should see the index.html page content of Web Server 1 or Web Server 2.
  9. Refresh the page a few times. You will observe that the index page alternates between the two servers on successive refreshes.
  10. Test SQL Injection:
  11. Append the following path and query string to the ELB DNS name: /product?item=securitynumber'+OR+1=1--
  12. Syntax: http://<ELB DNS>/product?item=securitynumber'+OR+1=1--
  13. Example: http://MyWAFLoadBalancer-2020171322.us-east-1.elb.amazonaws.com/product?item=securitynumber'+OR+1=1--
  14. You will see the output below.
  15. Here the SQL injection payload reached the web server unfiltered. Because the server only has an index page and no /product route, Apache answered with a 404 Not Found page. The point is not the 404 but that nothing in front of the server inspected the request: an application with a real /product handler that built a SQL query from the item parameter would have received the payload intact.
  16. Test Query String Parameter:
  17. Append the following query string to the ELB DNS name: /?admin=123456
  18. Syntax: http://<ELB DNS>/?admin=123456
  19. Example: http://MyWAFLoadBalancer-2020171322.us-east-1.elb.amazonaws.com/?admin=123456
  20. You will see the output below.
  21. Here too the query string reached the server. The web server always passes the query string through to application code; since there is no code that reads the admin parameter, it is simply ignored and the normal index page is returned without any error.
Task 7: Create AWS WAF Web ACL

  1. In this task, we are going to create an AWS WAF Web ACL where we will add some customized rules for location restriction, query strings and
  2. Navigate to WAF by clicking on the Services menu at the top, then click on WAF & Shield in the Security, Identity & Compliance section.
  3. Click on the Switch to the Old WAF Console option at the bottom.
  4. Click on the Create web ACL button.
  5. Describe web ACL and associate it to AWS resources:
  6. Resource type: Select Regional resources
  7. Region: Select US East (N. Virginia) from the dropdown.
  8. Name: Enter MyWAFWebAcl
  9. Description: Enter WAF for SQL Injection, Geo location and Query String parameters.
  10. CloudWatch metric name: Automatically set to the web ACL name, so no changes are required.
  11. Associated AWS resources:
  12. Click on the Add AWS resources button.
  13. Resource type: Select Application Load Balancer
  14. Select the MyWAFLoadBalancer load balancer from the list.
  15. Now click on the Add button.
  16. Click on the Next button.
  17. Add rules and rule groups:
  18. Under Rules, click on Add rules and then select Add my own rules and rule groups.
  19. Rule type: Select Rule builder
  20. Name: Enter GeoLocationRestriction
  21. Type: Select Regular rule
  22. If a request: Select doesn't match the statement (NOT)
  23. Inspect: Select Originates from a country in
  24. Country codes: Select <Your Country>. In this example we select India - IN. Note: You can also select multiple countries.
  25. IP address to use to determine the country of origin: Select Source IP address. The load balancer is the first hop here, so the source IP is the client's own address; the IP address in header option is only correct behind a proxy or CDN that sets a forwarding header.
  26. Under Then: Action: Select Block.
  27. Click on Add rule.
  28. Here we only allow requests that originate from India; requests from any other country are blocked. Select the country you are testing from, otherwise your own test requests in Task 8 will be blocked by this rule before the other rules are evaluated.
  29. Under Rules, click on Add rules and then select Add my own rules and rule groups.
  30. Rule type: Select Rule builder
  31. Name: Enter QueryStringRestriction
  32. Type: Select Regular rule
  33. If a request: Select matches the statement
  34. Inspect: Select Query string
  35. Match type: Select Contains string
  36. String to match: Enter admin
  37. Text transformation: Leave as default (None).
  38. Under Then: Action: Select Block.
  39. Click on Add rule.
  40. Whenever the query string of a request contains admin, WAF blocks that request. This is a literal substring match on the raw query string: ?administrator=1 and ?x=admin are blocked as well, while ?Admin=1 is not, because with the None transformation the comparison is case-sensitive. Add a Lowercase (and URL decode) text transformation if that matters for your application.
  41. Under Rules, click on Add rules and then select Add managed rule groups.
  42. It takes a few moments to load the page. It lists all the rule groups that are managed by AWS and by Marketplace vendors.
  43. Click on AWS managed rule groups.
  44. Scroll down to SQL database (the AWSManagedRulesSQLiRuleSet rule group) and enable the corresponding Add to web ACL toggle.
  45. Scroll down to the end and click on the Add rules button.
  46. Now you have 3 rules added.
  47. Under Default web ACL action for requests that don't match any rules, Default action: Select Allow.
  48. Click on the Next button.
  49. Set rule priority:
  50. No changes required, leave as default. Rules are evaluated in priority order, and the first matching rule with a Block or Allow action ends the evaluation; you can move the rules to change that order.
  51. Click on the Next button.
  52. Configure metrics:
  53. Leave it as default.
  54. Click on the Next button.
  55. Review and create web ACL:
  56. Review the configuration, scroll to the end and click on the Create web ACL button.
  57. It takes a few seconds to create the web ACL, so wait until it is completed.
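
The console steps above configure three rules. The following added example (written for this edit, not from the lab page or from AWS) builds the same web ACL as the request body the WAFv2 CreateWebACL API expects, so the configuration can be reviewed and reproduced as code instead of clicks. It assumes boto3 is installed and that credentials for the lab account are configured; the load balancer ARN is passed on the command line and must be copied from the EC2 console. The rule names, the country code IN, the description and the default action are the lab's; the metric names and the rule group identifier AWSManagedRulesSQLiRuleSet follow AWS's naming for the "SQL database" managed group.

```python
"""Build the lab's web ACL (Task 7) as a WAFv2 create_web_acl() request body.

Added example for this lab, not code from the lab page or from AWS.
Assumes boto3 and credentials for the lab account; the ALB ARN is an input.
"""
from __future__ import annotations

from typing import Any

# Identifier of the AWS managed rule group the console lists as "SQL database".
SQLI_RULE_GROUP = "AWSManagedRulesSQLiRuleSet"


def _visibility(metric_name: str) -> dict[str, Any]:
    """CloudWatch metrics block that every rule and the ACL itself require."""
    return {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": metric_name,
    }


def build_web_acl(allowed_countries: list[str], blocked_substring: str = "admin") -> dict[str, Any]:
    """Return the create_web_acl() arguments matching the console steps.

    Priority order is evaluation order: the first matching rule whose action is
    Block or Allow terminates evaluation; anything matching no rule falls through
    to DefaultAction (Allow, as in the lab).
    """
    rules = [
        {
            # "doesn't match the statement (NOT)" + "originates from a country in".
            "Name": "GeoLocationRestriction",
            "Priority": 0,
            "Action": {"Block": {}},
            "Statement": {
                "NotStatement": {
                    "Statement": {"GeoMatchStatement": {"CountryCodes": allowed_countries}}
                }
            },
            "VisibilityConfig": _visibility("GeoLocationRestriction"),
        },
        {
            # "Inspect: Query string" + "Contains string". TextTransformation NONE
            # makes this a literal, case-sensitive match on the raw query string.
            "Name": "QueryStringRestriction",
            "Priority": 1,
            "Action": {"Block": {}},
            "Statement": {
                "ByteMatchStatement": {
                    "FieldToMatch": {"QueryString": {}},
                    "PositionalConstraint": "CONTAINS",
                    "SearchString": blocked_substring.encode(),  # the API takes bytes
                    "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
                }
            },
            "VisibilityConfig": _visibility("QueryStringRestriction"),
        },
        {
            # Managed rule groups carry an OverrideAction instead of an Action.
            "Name": f"AWS-{SQLI_RULE_GROUP}",
            "Priority": 2,
            "OverrideAction": {"None": {}},
            "Statement": {
                "ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": SQLI_RULE_GROUP}
            },
            "VisibilityConfig": _visibility(f"AWS-{SQLI_RULE_GROUP}"),
        },
    ]
    return {
        "Name": "MyWAFWebAcl",
        "Scope": "REGIONAL",  # an ALB is a regional resource (CloudFront would be CLOUDFRONT)
        "Description": "WAF for SQL Injection, Geo location and Query String parameters.",
        "DefaultAction": {"Allow": {}},
        "Rules": rules,
        "VisibilityConfig": _visibility("MyWAFWebAcl"),
    }


def create_and_associate(alb_arn: str, region: str = "us-east-1") -> str:
    """Create the web ACL and attach it to the load balancer; return the ACL ARN."""
    import boto3  # imported here so build_web_acl() is usable without boto3 installed

    wafv2 = boto3.client("wafv2", region_name=region)
    summary = wafv2.create_web_acl(**build_web_acl(["IN"]))["Summary"]
    wafv2.associate_web_acl(WebACLArn=summary["ARN"], ResourceArn=alb_arn)
    return summary["ARN"]


if __name__ == "__main__":
    import json
    import sys

    if len(sys.argv) != 2:
        sys.exit("usage: python waf_acl.py <ARN of MyWAFLoadBalancer from the EC2 console>")
    # Print the request body first so it can be reviewed before anything is created.
    print(json.dumps(build_web_acl(["IN"]), default=lambda b: b.decode(), indent=2))
    print(create_and_associate(sys.argv[1]))
```

Running the script without arguments prints only the usage line; with the ARN it prints the JSON it is about to send, then creates the ACL and the association. The same structure, with PascalCase keys, is what the console shows under the web ACL's JSON editor and what a CloudFormation AWS::WAFv2::WebACL resource takes, so the printed body is a convenient artefact to diff against what the console built.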
Task 8: Test Load Balancer DNS

  1. Navigate again to Load Balancers from the left side menu under Load Balancing.
  2. Select the MyWAFLoadBalancer load balancer and copy the DNS name under the Description tab.
  3. Enter the DNS name of the ELB in the browser. DNS example: MyWAFLoadBalancer-2020171322.us-east-1.elb.amazonaws.com
  4. You should see the index.html page content of Web Server 1 or Web Server 2.
  5. Refresh the page a few times. You will observe that the index page alternates between the two servers. Note: The ALB distributes incoming requests between the two targets in a round-robin manner.
  6. Test SQL Injection:
  7. Append the following path and query string to the ELB DNS name: /product?item=securitynumber'+OR+1=1--
  8. Syntax: http://<ELB DNS>/product?item=securitynumber'+OR+1=1--
  9. Example: http://MyWAFLoadBalancer-2020171322.us-east-1.elb.amazonaws.com/product?item=securitynumber'+OR+1=1--
  10. You will see the output below.
  11. Here the SQL injection attempt is blocked by the WAF before it reaches the server. Compare with Task 6: the response is now a 403 Forbidden returned by the web ACL's Block action, not the 404 Not Found that Apache produced.
  12. Test Query String Parameter:
  13. Append the following query string to the ELB DNS name: /?admin=123456
  14. Syntax: http://<ELB DNS>/?admin=123456
  15. Example: http://MyWAFLoadBalancer-2020171322.us-east-1.elb.amazonaws.com/?admin=123456
  16. You will see the output below.
  17. Here too the request is blocked by the WAF before it can reach the server, because its query string contains admin.
  18. Caveat: the web ACL only inspects traffic that enters through the associated load balancer. Both instances have public IPs and share MyWebserverSG, which allows HTTP from anywhere, so a request sent directly to an instance's public IP (for example http://<instance public IP>/?admin=123456) bypasses the WAF entirely. In a real deployment, give the load balancer its own security group and restrict the instances' group to accept port 80 only from that load balancer security group.
  19. Beyond the rules used here, AWS WAF rate-based rules can limit application-layer (HTTP) floods from individual source IPs; protection against network and transport layer DDoS attacks comes from AWS Shield, which is enabled by default on the load balancer.
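
To make the behaviour observed in Task 8 concrete, here is an added example (not from the lab page and not AWS code) that models the two custom rules of Task 7 locally: priority order, the first terminating action winning, the default Allow, and the effect of the text transformation on the admin match. It takes the client's country as an input instead of deriving it from an IP address, and it does not model the managed SQLi rule group, whose matching logic AWS does not publish. The "hardened" variant with URL decode and lowercase transformations is an assumption about what you would add to close the gaps it demonstrates, not part of the lab configuration.

```python
"""Local model of how the lab's web ACL decides on a request.

Added example, not from the lab page or from AWS. Models only the two custom
rules (geo NOT-match, query-string CONTAINS), priority order and the default
action; the managed SQLi rule group is not modelled.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable
from urllib.parse import unquote_plus, urlsplit


@dataclass(frozen=True)
class Request:
    url: str
    country: str  # two-letter code AWS would derive from the client IP, e.g. "IN"

    @property
    def query_string(self) -> str:
        return urlsplit(self.url).query


# Text transformations applied to the field before the match runs (subset).
TRANSFORMS: dict[str, Callable[[str], str]] = {
    "NONE": lambda s: s,
    "LOWERCASE": str.lower,
    "URL_DECODE": unquote_plus,
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    matches: Callable[[Request], bool]
    action: str = "BLOCK"  # terminating actions are BLOCK and ALLOW


def geo_not_in(allowed: set[str]) -> Callable[[Request], bool]:
    """'doesn't match the statement (NOT)' + 'originates from a country in'."""
    return lambda r: r.country not in allowed


def query_contains(needle: str, transforms: tuple[str, ...] = ("NONE",)) -> Callable[[Request], bool]:
    """'Inspect: Query string' + 'Match type: Contains string'."""
    def _match(r: Request) -> bool:
        text = r.query_string
        for t in transforms:  # applied in order, then the literal match runs
            text = TRANSFORMS[t](text)
        return needle in text
    return _match


def evaluate(rules: list[Rule], request: Request, default: str = "ALLOW") -> tuple[str, str]:
    """Return (action, terminating rule). First matching rule in priority order wins."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(request):
            return rule.action, rule.name
    return default, "Default_Action"  # the name WAF logs use for the default action


# The two custom rules exactly as configured in Task 7 (text transformation None).
LAB_RULES = [
    Rule("GeoLocationRestriction", 0, geo_not_in({"IN"})),
    Rule("QueryStringRestriction", 1, query_contains("admin")),
]

# Assumed hardening, not part of the lab: decode and lowercase before matching.
HARDENED_RULES = [
    Rule("GeoLocationRestriction", 0, geo_not_in({"IN"})),
    Rule("QueryStringRestriction", 1, query_contains("admin", ("URL_DECODE", "LOWERCASE"))),
]


if __name__ == "__main__":
    base = "http://MyWAFLoadBalancer-2020171322.us-east-1.elb.amazonaws.com"
    probes = [  # constructed test requests
        Request(f"{base}/", "IN"),
        Request(f"{base}/?admin=123456", "IN"),
        Request(f"{base}/?administrator=1", "IN"),  # substring match also hits this
        Request(f"{base}/?Admin=123456", "IN"),     # case differs: slips past NONE
        Request(f"{base}/?%61dmin=1", "IN"),        # URL-encoded 'a': slips past NONE
        Request(f"{base}/?admin=1", "US"),          # wrong country: geo rule fires first
    ]
    for rules, label in ((LAB_RULES, "lab"), (HARDENED_RULES, "hardened")):
        for p in probes:
            print(f"{label:8} {p.country} {p.url[len(base):]:22} -> {evaluate(rules, p)}")
```

The order of the two rules matters for what you see in the logs, not for the final verdict here, because both actions are Block; a request from outside India carrying admin is attributed to GeoLocationRestriction because that rule has the lower priority number. The two bypasses (mixed case and a percent-encoded letter) are exactly why the console offers text transformations: the match runs on the raw field unless you tell it to normalise first.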
Task 9: Validation Test

  1. Once the lab steps are completed, click on the Validation button on the left side panel.
  2. This validates the resources in the AWS account and displays whether you have completed the lab successfully.
  3. Sample output:
Task 10: Delete AWS Resources

  1. Deleting the EC2 instances
  2. Make sure you are in the US East (N. Virginia) us-east-1 Region.
  3. Navigate to EC2 by clicking on the Services menu at the top, then click on EC2 under the Compute section.
  4. Select the two EC2 instances that you created, click on Instance State and click on the Terminate option.
  5. Click on the Yes, Terminate button and your EC2 instances will start terminating.
  6. Deleting the Elastic Load Balancer and Target Group
  7. In the EC2 console, navigate to Load Balancers in the left-side panel.
  8. MyWAFLoadBalancer will be listed here.
  9. To delete the load balancer, perform the following actions:
  10. Select the load balancer,
  11. Click on the Actions button,
  12. Select the Delete option.
  13. Confirm by typing confirm and then click on the Delete button when the pop-up is shown.
  14. MyWAFLoadBalancer will be deleted immediately.
  15. In the EC2 console, navigate to Target Groups in the left-side panel.
  16. MyWAFTargetGroup will be listed here.
  17. To delete the target group, perform the following actions:
  18. Select the target group,
  19. Click on the Actions button,
  20. Select the Delete option.
  21. Now click on the Yes, delete button to confirm deletion.
  22. MyWAFTargetGroup will be deleted immediately.
  23. Deleting the Web ACL
  24. Navigate to WAF by clicking on the Services menu at the top, then click on WAF & Shield in the Security, Identity & Compliance section.
  25. On the left side menu, select Web ACLs and then click on the name of the web ACL that you created, MyWAFWebAcl.
  26. Select the Associated AWS resources tab, select the application load balancer and click on the Disassociate button. A web ACL cannot be deleted while it is still associated with a resource; if the load balancer was already deleted above, the association is gone and this step can be skipped.
  27. In the textbox enter remove and click on the Disassociate button.
  28. On the left side menu, select Web ACLs and then select the radio button of the web ACL that you created, MyWAFWebAcl.
  29. Click on the Delete button, enter delete in the textbox and click on the Delete button.
  30. The web ACL is now deleted.
  31. You have successfully launched the first EC2 instance.
  32. You have successfully launched the second EC2 instance.
  33. You have successfully created an Application Load Balancer and Target Group.
  34. You have successfully created an AWS WAF Web ACL.
  35. You have successfully tested the load balancer DNS before and after attaching the web ACL.
  36. Sign out of the AWS Account.
  37. You have successfully completed the lab.
  38. Once you have completed the steps, click on End Lab from your lab console and wait until the process is completed.