WAF rule to allow certain http headers

0

Hi,

We are using WAF Web ACL rules that receive all requests to our Load Balancer and filter them (ALLOW or BLOCK). However, there are some application requests which we are 100% sure are coming from a safe source. We have filtered them out by URI headers. We would like to set a rule, or configure the current rules, so that requests with such a header will not go through the WAF rules and directly reach our ALB. We have some questions regarding that:

  1. Can we do it per rule in Web ACLs?
  2. Or do we have to create a new rule for that? Our concern is that if we create a new rule to whitelist these requests, they will still go through other rules, which we don't want.
  3. Might this help to decrease WAF costs?

Thank you

Ali

UPDATE: Guys, thank you all for the responses. After two calls with support, I can sum up as follows: if you have a WAF Web ACL, it mostly doesn't matter how many Web ACL rules your requests are passing through. WAF charges us per Web ACL and per number of requests, so adding one more rule to whitelist certain requests to bypass other rules will not decrease our costs. On the contrary, it will add $1 more, as a custom rule costs $1 per rule.

3 Answers
1
Accepted Answer

No, you cannot choose which requests arriving at your ALB get sent to WAF for processing. Either all requests are evaluated by WAF or none of them are.

Which of the rules included in your web ACL's rule groups get processed for any individual request won't affect your costs one way or another, when you are using only the standard Allow/Block/Count actions for your rules. A "web ACL capacity unit", WCU for short, is calculated as a fixed value for your entire web ACL when you create or modify it. The WCU rating is based on the total complexity of all the rules/groups in the web ACL, and it is independent of the actual number of rules evaluated for an individual request.

In other words, even if you added an override rule at the top of your rule base and many requests hit it, avoiding the other rules from getting evaluated, your costs would still be based on the fixed WCU rating of your web ACL, representing the theoretical maximum amount of work that could have been done by WAF.

Only the extra features for the "Captcha" and "Challenge" actions have a cost dependent on the actual amount of work that WAF ends up doing. Those costs you can control by controlling the hits to rules with those actions. In your case, I assume you aren't using them, so your costs are fixed, regardless of how you order the rules internally within the web ACL.

What you can accomplish with the override rule is avoiding the request getting blocked or potentially slowed down by lower priority rules. You do this simply by ordering the rule groups in your web ACL such that the override rule group is evaluated before the other groups.

EXPERT
Leo K
answered a month ago
1

Hello,

Please try this solution; it should be helpful for you.

To allow certain HTTP headers to bypass AWS WAF rules and directly reach your Application Load Balancer (ALB), you can create a specific rule in your Web ACL. First, create a custom rule that allows requests with the trusted HTTP header (e.g., X-Trusted-Source with a value of true). In the AWS WAF console, define this rule with a string match condition on the desired header and set the action to ALLOW. Then, add this rule to your Web ACL and position it at the top of the rule list to ensure it is evaluated first. This setup allows trusted requests to bypass other WAF rules, reducing the overall processing load and potentially decreasing WAF costs.

Please look at the AWS documentation; you will find the details there.

https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-action.html

https://aws.amazon.com/blogs/security/customize-requests-and-responses-with-aws-waf

EXPERT
answered a month ago
1

Hi Ali_Valizada,

Please go through the steps and documentation links below; I hope they will be helpful in resolving your issue.

Create a Rule to White-list Safe Requests:

  • In the AWS WAF console, go to your Web ACL.
  • Create a new rule that matches the specific header values identifying your safe requests.
  • Set the action to ALLOW for this rule.

Set Rule Priority:

  • In the Web ACL configuration, ensure the whitelist rule has the highest priority (lowest numerical value) so it is evaluated first.
  • This will ensure that if a request matches this rule, it is allowed, and no further rules are evaluated for that request.

Example Rule Configuration:

Condition: Check for the specific header and its value that identifies the safe source. Action: ALLOW.

{
  "Name": "WhitelistSafeSources",
  "Priority": 1,
  "Statement": {
    "ByteMatchStatement": {
      "SearchString": "safe-header-value",
      "FieldToMatch": {
        "SingleHeader": {
          "Name": "X-Safe-Header"
        }
      },
      "TextTransformations": [
        {
          "Priority": 0,
          "Type": "NONE"
        }
      ],
      "PositionalConstraint": "EXACTLY"
    }
  },
  "Action": {
    "Allow": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "WhitelistSafeSources"
  }
}

Ensure No Other Rules Affect These Requests:

  • By placing the white-list rule at the highest priority, any matching requests will be allowed and will not proceed to other rules.
  • This effectively ensures the requests bypass all other WAF rules and go directly to your ALB.

Cost Considerations:

WAF Cost Optimization:

  • Allowing safe requests to bypass WAF rules can help reduce the number of WAF requests processed, potentially lowering your costs.
  • Since AWS WAF charges based on the number of web requests processed and the number of rules evaluated per request, having fewer requests evaluated by fewer rules can lead to cost savings.

https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-action.html

https://aws.amazon.com/blogs/security/customize-requests-and-responses-with-aws-waf/

EXPERT
answered a month ago
EXPERT
reviewed 21 days ago
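Added example (my own code, not from any of the answers above): a small local model of the evaluation order that both the accepted answer and the last answer rely on. It builds the allow rule from the last answer as WAFv2 rule JSON (with the VisibilityConfig block every WAFv2 rule must carry), checks that priorities are unique, and walks a constructed web ACL the way WAF does: rules in ascending Priority, Allow and Block terminate, Count does not, and the web ACL default action applies if nothing terminates. The header name and value are the answer's placeholders, the "other rules" (BlockScannerUA, CountCurl) are stand-ins I made up, the sample requests are constructed, and only ByteMatchStatement on a SingleHeader is modelled. It is not the WAF engine and says nothing about billing.

```python
import json

# Assumed header name and value, taken from the answer's example. The value is
# effectively a bearer secret: any client that sends it gets the same bypass.
HEADER_NAME = "X-Safe-Header"
HEADER_VALUE = "safe-header-value"


def visibility(name):
    """VisibilityConfig is mandatory on every WAFv2 rule."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": name}


def allow_rule(priority=1):
    """The answer's allow rule as WAFv2 rule JSON, with VisibilityConfig added."""
    return {
        "Name": "WhitelistSafeSources",
        "Priority": priority,
        "Statement": {"ByteMatchStatement": {
            "SearchString": HEADER_VALUE,
            "FieldToMatch": {"SingleHeader": {"Name": HEADER_NAME}},
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
            "PositionalConstraint": "EXACTLY"}},
        "Action": {"Allow": {}},
        "VisibilityConfig": visibility("WhitelistSafeSources"),
    }


def header_rule(name, priority, header, needle, action):
    """Constructed stand-in for 'the other rules': act on a header substring."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"ByteMatchStatement": {
            "SearchString": needle,
            "FieldToMatch": {"SingleHeader": {"Name": header}},
            "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
            "PositionalConstraint": "CONTAINS"}},
        "Action": {action: {}},
        "VisibilityConfig": visibility(name),
    }


def example_web_acl(allow_priority=1):
    """Constructed web ACL: the allow rule plus one Block and one Count rule."""
    return {"DefaultAction": {"Allow": {}}, "Rules": [
        allow_rule(allow_priority),
        header_rule("BlockScannerUA", 2, "User-Agent", "sqlmap", "Block"),
        header_rule("CountCurl", 3, "User-Agent", "curl", "Count"),
    ]}


def ordered_rules(rules):
    """Evaluation order is ascending Priority; priorities must be unique."""
    seen = {}
    for r in rules:
        if r["Priority"] in seen:
            raise ValueError(f"duplicate priority {r['Priority']}: "
                             f"{seen[r['Priority']]} and {r['Name']}")
        seen[r["Priority"]] = r["Name"]
    return sorted(rules, key=lambda r: r["Priority"])


def byte_match(stmt, headers):
    """Model of ByteMatchStatement on SingleHeader (header names are case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get(stmt["FieldToMatch"]["SingleHeader"]["Name"].lower())
    if value is None:
        return False                      # a missing header never matches
    for t in sorted(stmt["TextTransformations"], key=lambda t: t["Priority"]):
        if t["Type"] == "LOWERCASE":
            value = value.lower()
        elif t["Type"] != "NONE":
            raise NotImplementedError(t["Type"])
    needle, pc = stmt["SearchString"], stmt["PositionalConstraint"]
    checks = {"EXACTLY": value == needle, "CONTAINS": needle in value,
              "STARTS_WITH": value.startswith(needle),
              "ENDS_WITH": value.endswith(needle)}
    return checks[pc]


def evaluate(web_acl, headers):
    """Walk the rules in priority order. Allow and Block terminate, Count does
    not; with no terminating match the web ACL default action applies.
    Returns (action, terminating rule name or None, names of rules evaluated)."""
    evaluated = []
    for rule in ordered_rules(web_acl["Rules"]):
        evaluated.append(rule["Name"])
        if byte_match(rule["Statement"]["ByteMatchStatement"], headers):
            action = next(iter(rule["Action"]))
            if action in ("Allow", "Block"):
                return action.upper(), rule["Name"], evaluated
    return next(iter(web_acl["DefaultAction"])).upper(), None, evaluated


if __name__ == "__main__":
    print(json.dumps(allow_rule(), indent=2))     # paste-ready rule JSON
    scanner = {"Host": "app.example.com", "User-Agent": "sqlmap/1.7"}
    print(evaluate(example_web_acl(), scanner))   # blocked by BlockScannerUA
    print(evaluate(example_web_acl(), {**scanner, HEADER_NAME: HEADER_VALUE}))
    print(evaluate(example_web_acl(9), {**scanner, HEADER_NAME: HEADER_VALUE}))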