Using AWS WAF and Deep Security

============ Editor’s Note: Over time the Deep Security API has evolved, making this workflow trivial to build with the APIs. The integration code has therefore been retired, and instructions on how to replicate the workflow are available in the Deep Security Automation Center. ============

AWS WAF was announced at AWS re:Invent, and since its launch we’ve published a number of posts providing updates on our integration.

This post serves as a summary and one-stop shop for our efforts in this area.


When you’re looking to secure your workloads, you should build your defences in layers to avoid any single weak point. The goal is to stop any attacks as far from your data as possible.

This approach lowers your risk as it provides multiple controls the opportunity to detect and prevent an attack.

Stop Attacks as Far Away From Your Data as Possible to Lower Risk

Protection from AWS WAF is applied at over 50 edge locations around the world. Attacks stopped by AWS WAF never touch your instance.

This is a great first line of defence for your web applications.

For more complex attacks, Deep Security’s intrusion prevention capabilities fit the bill. Deep Security monitors all network traffic to your instances and can detect and stop attacks before they reach your applications.

AWS WAF and Deep Security's IPS

Working together, AWS WAF and Deep Security provide your web applications a strong, layered defence.


Taking that concept a step further, Deep Security knows a lot about what’s running on your EC2 instances. We’ve built a simple command line tool (that works in AWS Lambda as well…but more on that in the next post) that allows you to use that knowledge to start building out an AWS WAF web access control list (WACL).

The tool has three main functions:

  • the ability to push Deep Security IP lists to AWS WAF IP Set match conditions
  • the ability to use Deep Security’s knowledge of your EC2 instances to recommend, create, & apply a SQL injection (SQLi) prevention rule in AWS WAF
  • the ability to use Deep Security’s knowledge of your EC2 instances to recommend, create, & apply an XSS prevention rule in AWS WAF

Used in combination, you’ll have a strong foundation for the protection of your web applications.


IP Lists

In Deep Security you can use IP lists to manage firewall rules. This lets you set a list of IPs (e.g., regional offices) and create rules that are far simpler to manage. If you bring a new office online, simply add it to the IP list. No need to edit the rule.

IP lists in Deep Security can be managed through the API or in the management console. They allow a number of IP formats from strict CIDR to lazy range (e.g.,–

AWS WAF IPSets have some restrictions on the formats they accept. All addresses must be submitted as a CIDR block with a mask of /8, /16, /24, or /32. This limitation won’t stop you from entering the IPs you want; it just requires some work to do the conversion.

Fortunately, we’ve done that work for you. Our integration tool will automatically convert any Deep Security list to a valid AWS WAF IPSet.
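The conversion described above, sketched as an added example (this is not the integration tool's own code). It is IPv4 only; the `start-end` range syntax, the function names and the `max_blocks` guard are assumptions made for illustration.

```python
import ipaddress

# Prefix lengths the post says an AWS WAF IPSet accepts.
ALLOWED_PREFIXES = (8, 16, 24, 32)


def parse_entry(entry):
    """Return (first, last) as integers for a CIDR, a single IP or an 'a-b' range."""
    entry = entry.strip()
    if "-" in entry:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
        if int(lo) > int(hi):
            raise ValueError(f"range start is after range end: {entry}")
        return int(lo), int(hi)
    # strict=False masks stray host bits, so 10.1.2.3/24 is read as 10.1.2.0/24.
    net = ipaddress.IPv4Network(entry, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def to_waf_cidrs(entry, max_blocks=1000):
    """Cover exactly the addresses in `entry` using only /8, /16, /24 and /32 blocks."""
    cur, last = parse_entry(entry)
    blocks = []
    while cur <= last:
        # Greedy step: take the largest allowed block that is aligned at `cur`
        # and does not run past the end of the range. /32 always qualifies.
        for prefix in ALLOWED_PREFIXES:
            size = 1 << (32 - prefix)
            if cur % size == 0 and cur + size - 1 <= last:
                break
        blocks.append(f"{ipaddress.IPv4Address(cur)}/{prefix}")
        # max_blocks is an arbitrary safety guard (assumption), not an AWS limit.
        if len(blocks) > max_blocks:
            raise ValueError(f"{entry} expands to more than {max_blocks} blocks")
        cur += size
    return blocks


# Constructed sample entries, not taken from the post.
SAMPLE_LIST = ["10.20.0.0/22", "203.0.113.9", "10.20.0.254-10.20.1.1"]

if __name__ == "__main__":
    for item in SAMPLE_LIST:
        print(item, "->", to_waf_cidrs(item))
```

The output never covers more addresses than the input, so an allow rule is not silently widened. The cost is entry count: a /25 becomes 128 separate /32 blocks, which is why the guard exists.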

You can read more about this feature at the tool’s GitHub repository.

Once your IP list is an IPSet in AWS WAF, you can build rules using it as a match condition. This satisfies use cases like, “Allow access to this application for all regional offices” or “Block access to this application from this set of IPs”.


Pushing IP lists from Deep Security to AWS WAF is useful and will save you a lot of time but it doesn’t really take advantage of the knowledge Deep Security has about your instances.

The sqli and xss features of our tool are great examples of what’s possible when you do start to leverage Deep Security to configure AWS security services.

Both of these features work in the same manner. The only difference is the type of attack they deploy protection for.

With a simple command, the tool will query the protection Deep Security has applied and recommended for your EC2 instances. In cases where the instance is a potential target for sqli or xss attacks, the tool will then recommend you apply similar protection on an AWS WAF WACL.

If you choose, and if the tool can map your instance to a WACL, it will create and assign the rules for you.

Please keep in mind that when you create a rule, there are AWS WAF charges associated with that rule.

Working Together

Using AWS WAF and Deep Security together lets you easily create a layered defence for your web applications. We’ve built the first steps of this integration and have made the tool available on GitHub.

We’ve got a lot planned for this partnership already but would love to hear what use cases you see for these tools and what requirements you would like it to meet.

Please feel free to email us at [] or open an issue or PR on the repository.


As mentioned in the introduction, we’ve been posting a lot on AWS WAF since the service’s introduction. Here’s a handy reference list;