Today at re:Invent AWS announced the availability of AWS WAF Partner Rules. Trend Micro is proud to be included as a security launch partner to help customers manage and secure their cloud workloads. 

What are AWS WAF Managed Rules?

AWS WAF Managed Rules let trusted AWS security partners like Trend Micro offer RuleGroups for AWS WAF through a simple AWS Marketplace user interface.

AWS WAF provides a robust rules language, but customers must provide their own rules in order to protect their web applications. AWS WAF Managed Rules ease this process by allowing trusted partners to provide, update, and support rules running in your AWS account.

What you will need to get started:

  • An Application Load Balancer (ALB) or CloudFront distribution
  • One or more AWS resources that are receiving traffic from said ALB or CloudFront distribution

How to use Trend Micro AWS WAF Managed RuleGroups:

  1. Log in to your AWS Account and navigate to the AWS Marketplace. Search for the Trend Micro Managed Rules for either WebServers or CMS. Follow the steps to subscribe to the desired RuleGroup and have your charges included on your AWS bill.
  2. From the AWS management console, go to ‘Services’ and select ‘WAF & Shield’
  3. Select ‘Go to AWS WAF’ on the next page that appears
  4. Now we need to create a new Web Access Control List (ACL). This ACL will house the Trend Micro RuleGroup that you selected in step 1
  5. Click on ‘Web ACLs’. On the next page, ensure that you select the region that contains the ALB or CloudFront distribution you want to protect. For CloudFront, select the global region
  6. Click ‘Create web ACL’.
  7. Specify a name for your ACL, and a metric name. The metric name is the name that will appear in the logs generated by this ACL
  8. Under region, choose the same region you chose in step 5. For ‘AWS resource to associate’, select the ALB or CloudFront distribution you wish to protect. This ACL will be applied to all traffic that passes through the associated resource
  9. On the next page, you have the opportunity to create conditions.  You can do so if you wish, but it is not required.
  10. When you are done with the ‘Create conditions’ page, continue to the next step. You should see a screen that looks like this:
  11. Under ‘Rules’ select the Trend Micro RuleGroup you purchased earlier. Click ‘Add rule to web ACL’. You can also select the action for the RuleGroup. If you don’t specify one, each rule in the RuleGroup will use the action specified by Trend Micro. If you wish to test the RuleGroup in your environment, you may wish to select ‘Count’. This will force all rules in the group to generate a log for matched traffic, instead of blocking the request. For ‘Default action’ select the action you would like to happen if none of the rules in the RuleGroup are matched. Unless you have added separate rules to allow normal traffic, you should select ‘Allow’ as the default action.
  12. Click ‘Review and create’ to continue. On the next page review the summary of your ACL. Double check that the appropriate RuleGroup and resource are selected and complete creation.
  13. You’re done!

Logging

From the main WAF dashboard, if you go to ‘Web ACLs’ and select your new ACL, you can view requests that were processed by the ACL under the ‘Requests’ tab. At the bottom of this page is the ‘Sampled requests’ area. If you select the RuleGroup (or another rule) from the dropdown, you can then click ‘Get new samples’ to view requests that matched the RuleGroup or rule.

Note that this sample data is limited to the time period specified in the graph at the top of the page.

If you would like to see data over a longer time period, open the CloudWatch dashboard. You can select the desired date and time range, along with the metrics you would like to graph.
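When the RuleGroup is running in ‘Count’ as described in step 11, the sampled requests can be reviewed in bulk before switching to blocking. The following is an added example, not Trend Micro or AWS code: it summarises a response shaped like the classic AWS WAF GetSampledRequests API output. The sample data, rule IDs and the `known_good_prefixes` paths are constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed sample shaped like a GetSampledRequests response (all values made up).
SAMPLE = json.loads("""
{"PopulationSize": 120, "SampledRequests": [
 {"Request": {"ClientIP": "198.51.100.7", "URI": "/wp-login.php", "Method": "POST"},
  "Weight": 40, "Action": "COUNT", "RuleWithinRuleGroup": "rule-aaaa"},
 {"Request": {"ClientIP": "203.0.113.9", "URI": "/healthz", "Method": "GET"},
  "Weight": 5, "Action": "COUNT", "RuleWithinRuleGroup": "rule-bbbb"},
 {"Request": {"ClientIP": "198.51.100.7", "URI": "/xmlrpc.php", "Method": "POST"},
  "Weight": 10, "Action": "COUNT", "RuleWithinRuleGroup": "rule-aaaa"},
 {"Request": {"ClientIP": "192.0.2.44", "URI": "/index.html", "Method": "GET"},
  "Weight": 65, "Action": "ALLOW"}
]}
""")


def review_count_mode(response, known_good_prefixes=("/healthz", "/api/internal/")):
    """Group Count-mode matches by inner rule and flag likely false positives.

    known_good_prefixes is a hypothetical list of paths that only legitimate
    clients (health checks, internal services) should be requesting.
    """
    per_rule = defaultdict(lambda: {"weighted_hits": 0, "uris": set(), "suspect_fp": []})
    for sample in response.get("SampledRequests", []):
        if sample.get("Action") != "COUNT":
            continue  # skip requests that matched no counted rule
        entry = per_rule[sample.get("RuleWithinRuleGroup", "unknown")]
        uri = sample["Request"]["URI"]
        # Weight is relative: a sample with weight 2 stands for roughly twice
        # as many real requests as a sample with weight 1.
        entry["weighted_hits"] += sample.get("Weight", 1)
        entry["uris"].add(uri)
        if uri.startswith(known_good_prefixes):
            entry["suspect_fp"].append((sample["Request"]["ClientIP"], uri))
    return dict(per_rule)


def rules_without_suspect_matches(report):
    """Inner rules whose sampled matches never touched a known-good path."""
    return sorted(rule for rule, entry in report.items() if not entry["suspect_fp"])


if __name__ == "__main__":
    report = review_count_mode(SAMPLE)
    for rule, entry in sorted(report.items()):
        print(rule, entry["weighted_hits"], sorted(entry["uris"]), entry["suspect_fp"])
    print("no suspect matches:", rules_without_suspect_matches(report))
```

Sampled requests are only a sample, so an empty `suspect_fp` list shows that no false positive was observed in the window, not that none occurred.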