How to Add OWASP 10 to a Load Balancer for Kubernetes Clusters and EC2 Instances

By Toul DeGuia-Cranmer

DevOps Engineer
HP Inc. in Houston

The compact title of this post could be: OWASP 10 WAF for Kubernetes ALBs and EC2s on AWS. But that's a bit cryptic, even for me.

If I blow up all the acronyms, it becomes: How to Add an OWASP 10 Web Application Firewall to an Application Load Balancer for Kubernetes Clusters and EC2 Instances in Amazon Web Services.

But that's not a headline. That's almost a dissertation title. So let me unpack it all in a way that makes sense.

About AWS WAF

The Amazon Web Services Web Application Firewall (AWS WAF) is a web application firewall that helps protect web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives you control over which traffic to allow or block to your web applications by defining customizable web security rules.

AWS WAF can control how API Gateway, Amazon CloudFront, or in this case an Application Load Balancer (ALB) responds to web requests. The template provided by AWS is based on the OWASP Top 10 Web Application Vulnerabilities white paper published by AWS. Information about the OWASP organization can be found on its website. It is important to note that the base template is not the be-all and end-all and should be tailored to fit the needs of the organization applying it.

How the AWS Web Application Firewall works

The following is provided to help with changing the default template. When working with AWS WAF there are three important ideas to be aware of:

  • Conditions
  • Rules
  • Web ACLs

N.B. The full details can be found in the AWS WAF Docs

Conditions

Conditions define the basic things that AWS WAF will look for in web requests. There are six condition types that can be adjusted as necessary:

  • Check for scripts (cross-site scripting)
  • Check for IP addresses or ranges that web requests originate from
  • Geolocation that IP addresses originate from
  • Length of certain parts of the web request, such as header length
  • Check for malicious SQL code (SQL injection)
  • Check for strings that appear in parts of the request; regular expressions can be used

Rules

Rules are created by combining conditions to allow, block, or count web requests. There are two types of rules: rate-based and regular. A rate-based rule counts the requests from a specified IP address over a 5-minute period, and if the number of requests is greater than the allowed amount, the rule is triggered. Rate-based rules can also be combined with conditions, in which case they are triggered only when an IP address surpasses the rate limit AND the requests match the condition. Regular rules match conditions for specific web requests; to trigger them, a request must meet every condition in the rule.

Web ACLs

Web ACLs are the result of combining conditions into rules, and then combining the rules into a web ACL. Here is where you set an action for each rule: ALLOW, BLOCK, or COUNT. The WAF controls the response to the request based upon the rules. For example, if a web request matches all of the conditions of a rule, then the rule is triggered. If a web request does not trigger any rule, then the default action is taken, which can be ALLOW or BLOCK.
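The three ideas above (a condition, the rules built from it, and the web ACL that assigns actions and a default) map directly onto CloudFormation resources. The following template is an added example, not the AWS OWASP template or anything from the original post: it defines one SQL-injection condition, a regular rule that uses it, a rate-based rule, a web ACL that BLOCKs the first and only COUNTs the second, and a WebACLAssociation that attaches the ACL to an ALB. The ALB ARN is an assumed parameter you supply; all resource names are constructed for the example.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Example web ACL (condition -> rules -> web ACL -> ALB association)

Parameters:
  AlbArn:
    Type: String
    Description: ARN of the Application Load Balancer to protect (assumed; supply your own)

Resources:
  # Condition: look for SQL injection patterns in the query string and body,
  # after URL-decoding them.
  SqliMatchSet:
    Type: AWS::WAFRegional::SqlInjectionMatchSet
    Properties:
      Name: example-sqli-condition
      SqlInjectionMatchTuples:
        - FieldToMatch:
            Type: QUERY_STRING
          TextTransformation: URL_DECODE
        - FieldToMatch:
            Type: BODY
          TextTransformation: URL_DECODE

  # Regular rule: triggered only when a request matches the condition above.
  SqliRule:
    Type: AWS::WAFRegional::Rule
    Properties:
      Name: example-sqli-rule
      MetricName: exampleSqliRule
      Predicates:
        - DataId: !Ref SqliMatchSet
          Negated: false
          Type: SqlInjectionMatch

  # Rate-based rule: triggered when one source IP exceeds RateLimit requests
  # in a 5-minute window. With no extra predicates, the rate alone triggers it.
  RateLimitRule:
    Type: AWS::WAFRegional::RateBasedRule
    Properties:
      Name: example-rate-rule
      MetricName: exampleRateRule
      RateKey: IP
      RateLimit: 2000

  # Web ACL: rules are evaluated in priority order; DefaultAction applies to
  # requests that trigger no rule. COUNT lets you watch a rule in CloudWatch
  # before promoting it to BLOCK.
  WebAcl:
    Type: AWS::WAFRegional::WebACL
    Properties:
      Name: example-web-acl
      MetricName: exampleWebAcl
      DefaultAction:
        Type: ALLOW
      Rules:
        - Priority: 1
          RuleId: !Ref SqliRule
          Action:
            Type: BLOCK
        - Priority: 2
          RuleId: !Ref RateLimitRule
          Action:
            Type: COUNT

  # Association: the infrastructure-as-code form of the console's "add association".
  AlbAssociation:
    Type: AWS::WAFRegional::WebACLAssociation
    Properties:
      ResourceArn: !Ref AlbArn
      WebACLId: !Ref WebAcl

Outputs:
  WebAclId:
    Description: Value to use for the alb.ingress.kubernetes.io/waf-acl-id annotation
    Value: !Ref WebAcl
```

The `AWS::WAFRegional::*` types are the ones that attach to ALBs and API Gateway; the `AWS::WAF::*` types are for CloudFront. Starting a new rule at COUNT rather than BLOCK is the usual way to confirm it does not match legitimate traffic before it starts blocking anything.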

Add the WAF template to Cloud Formation

Start by logging into the AWS Console and then,

  1. Go to the CloudFormation page
  2. Click create stack
  3. Select the aws owasp top 10 template
  4. Name the stack appropriately
  5. Click next, click next, and then click create stack
  6. Wait for the stack to be created

Adding WAF to ALB in EC2

Adding a WAF to an ALB connected to a service that is just an EC2 instance is easy and can be done entirely from the AWS console GUI.

  1. Go to AWS WAF page
  2. Click web ACL
  3. Click rules
  4. Scroll to the bottom that reads AWS Resources using this web ACL
  5. Click add association
  6. Select the EC2 instance name
  7. Click done

Adding WAF to ALB in a Kubernetes Cluster

Adding a WAF to an ALB in a Kubernetes cluster is a little more involved and can only be done through the terminal. Depending on your cluster setup, if you follow the same steps as for the EC2 instance above, you may observe that the ALB association has disappeared after a few days. So you need to change the configuration of the ALB's file in the cluster instead.

  1. Go to AWS WAF page
  2. Click web ACL
  3. Copy the ID, found next to the name
  4. Open terminal

                    $ export NAME=name_of_your_cluster
                    $ export KUBECONFIG=path/to/your/kubeconfig
                    $ helm get values alb-nginx-wiring > alb.yaml   # the release name may be different for you depending on how your ALB

Add the following to the alb.yaml file

                    $ vim alb.yaml
                    # alb.yaml
                    ingress:
                      annotations:
                        alb.ingress.kubernetes.io/waf-acl-id: your_web_acl_id

Now, upgrade the helm chart

                    $ helm upgrade alb-nginx-wiring path/to/chart -f alb.yaml --wait   # path/to/chart is a placeholder for the chart the release was installed from
                    $ kubectl delete pod external-alb-alb-ingress-controller-controller-${ID_of_yours} -n your_name_space   # restart the ingress controller so it picks up the new annotation
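The helm values file above only works when the ALB is created by a chart that exposes an `ingress.annotations` value. If your ALB is instead defined by a plain Ingress resource handled by the AWS ALB ingress controller, the same annotation goes on that resource. The manifest below is an added example, not from the original post; the Ingress name, service name, port and namespace are assumed placeholders.

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: example-app              # assumed name
  namespace: your_name_space     # assumed namespace, as in the steps above
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    # Web ACL ID copied from the AWS WAF console. Because the ingress
    # controller owns the ALB and re-applies its annotations on every
    # reconcile, an association declared here persists, unlike one
    # added by hand in the console.
    alb.ingress.kubernetes.io/waf-acl-id: your_web_acl_id
spec:
  rules:
    - http:
        paths:
          - path: /*
            backend:
              serviceName: example-app   # assumed backing service
              servicePort: 80
```

Apply it with `kubectl apply -f` and then do the same check in the WAF console as described below: the ALB should appear under the resources associated with your Web ACL, and it should still be there after the controller's next reconcile.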

Check,

  • Navigate back to the WAF page in the AWS console and click Web ACLs.
  • Click your Web ACL
  • Click rules
  • Scroll down to the bottom
  • Notice there is now a resource associated with your Web ACL

More about Toul...

I interned at HP in 2018 while finishing a double degree in Geophysics and Computer Science at the University of Houston. During undergrad, I studied abroad in Valencia, Spain and Stavanger, Norway. The highlight of my time in Europe was a month-long holiday through Barcelona, Paris, London, Stockholm, Cologne, and Amsterdam.

After graduation, I transitioned into my dream career as a DevOps Engineer at HP, Inc. where I am currently growing into a security focused DevOps Engineer. (Some would say that makes me a DevSecOps Engineer.) One of my first security improvement projects is auditing Docker and Kubernetes--two tools at the crux of our Continuous Integration/Continuous Deployment pipeline. By improving the security on those two tools in the toolchain I hope to further support Dion Weisler's claim of the world's most secure PC.

In my spare time, I like to apply my degree in Geophysics to suspenseful personal challenges.

Author : toul.deguia-cranmer