============ Editor’s Note: Over time the Deep Security API has evolved, making this workflow trivial to implement using the APIs. The integration code has therefore been retired, and instructions on how to replicate the workflow are available in the Deep Security Automation Center. ============

This post originally appeared at http://blog.trendmicro.com/aws-waf-and-deep-security/

When you’re looking at the security of your deployment, you want to make sure that it’s built as strong as possible. There are a ton of great features in the AWS Cloud that let you build resilience into your workloads. A resilient deployment has multiple layers of security and is able to bounce back when there’s an incident. This morning at AWS re:Invent, AWS announced a new service, AWS WAF. This is a fantastic new service that you should be looking to add to your deployment asap. Here’s what you need to know to start taking advantage of this new service today.

What is CloudFront?

In order to understand AWS WAF, you need to know that it sits in front (on the user side) of your CloudFront distribution. Most people think of CloudFront as a pure content delivery network, but it’s capable of a lot more. One of the service’s best features is the ability to route requests to the resource that is best suited to serve them. A common implementation of this pattern is to serve static assets (.js, images, .css, etc.) from an S3 bucket and dynamic assets from a set of EC2 instances. The web application hosting and media serving patterns from the AWS architecture library are great examples of this pattern.

What is AWS WAF?

AWS WAF looks at every request sent to your CloudFront distribution. It compares each request to a set of rules and then makes a determination: drop the request or allow it to continue. You can use AWS WAF to block HTTP and HTTPS requests based on source IP or on more nuanced comparisons of the values in various HTTP headers. This allows you to block cross-site scripting (XSS), SQL injection (SQLi), and other common web attacks. AWS has created a set of rules for the most common attacks (most of the OWASP Top 10), but the service also lets you easily create your own rules so you can customize the defence of your workload.

Full stack defence

A modern web application has a lot of layers to it. While the app itself may be running on Node.js, Ruby on Rails, Go, or any other type of framework, that software runs on top of an operating system, which runs on top of a hypervisor, which runs on hardware, and so on. One common way to look at how communications work in this stack is through the OSI model. In this (and any) model, security should be applied at every layer. In the AWS Cloud, security works on a shared responsibility model. For the lower levels of the stack, AWS has integrated multiple redundant controls. This is commonly referred to as “security OF the cloud”. It is part of AWS’s responsibility and one of the huge security advantages of the cloud. As you move up the stack, it’s your responsibility to add security. AWS WAF is firmly targeted at HTTP/HTTPS security, which means it sits at the application layer (layer 7). That still leaves a significant gap that you need to protect. Deep Security’s full intrusion prevention (IPS) engine can fill that gap. The IPS engine ensures that traffic sent to your application doesn’t contain any malicious content and that it conforms to the specs (TCP/IP, HTTP, etc.) that your workload is expecting.

[Figure: Deep Security & AWS WAF mapped onto the OSI model]

Web attacks target your application, but attackers won’t stop there. They will scan and probe your entire workload to find vulnerabilities. It’s important to defend against all of these types of attacks, and this makes Deep Security and AWS WAF a fantastic combination.

As an AWS Advanced Technology Partner, the Trend Micro team is working to ensure that the Deep Security platform is tightly integrated with AWS WAF. Shortly, we’ll be releasing the first step in that integration. Through our APIs and the AWS WAF APIs, you’ll be able to use the knowledge that Deep Security gathers about your workload to create a set of customized rules for AWS WAF. This integration will create a customized defence for your web application workloads. Trend Micro is a global leader in threat awareness and intelligence, and the Deep Security agent is in a privileged position on your EC2 instances. Using this level of intelligence to craft custom rules for AWS WAF is an extremely powerful combination that brings together the best of both services.

What’s My First Step?

AWS WAF is now available, and you can read more about it in the Getting Started Guide from AWS. You can quickly and easily set up the service to start protecting your AWS workloads. Our Deep Security platform provides a great complementary control with its full intrusion prevention engine. A free 30-day trial of Deep Security is available via our SaaS or Marketplace AMIs and is only a click away. I’m on site at AWS re:Invent this week and would love to chat about the new service from AWS. Swing by booth 1004 or catch me on Twitter, where I’m @marknca.