AWS WAF now supports an additional action besides Allow, Block and Count: CAPTCHA. A rule with the CAPTCHA action presents a CAPTCHA challenge to the requests that match it.
- Allowing – Allow all requests except the ones that you specify
- Blocking – Block all requests except the ones that you specify
- Counting – Count the requests that match the specified criteria. This option is primarily used for monitoring and for testing new rules
- Captcha – Run a CAPTCHA challenge against the requests that match the specified criteria. This option is primarily used to reduce non-human or bot traffic
Note: the web ACL capacity is limited to 1500 web ACL capacity units (WCUs), but the limit can be increased by opening a support case
1. From the AWS Management Console, type WAF in the search bar and choose WAF & Shield
2. Click Web ACLs in the side menu and then click Create web ACL
3. Enter a name and description for the web ACL. The CloudWatch metric name is populated with the web ACL name. The next step is to define
4. The next step is to choose the AWS resources to associate with the web ACL. In this case, an Application Load Balancer will be used. Once selected, click Add
5. Once added, click Next
6. Click Add rules to start adding the appropriate rules. Both AWS managed rule groups and Add my own rules and rule groups can be used
In this case, Add managed rule groups will be used
7. Click AWS managed rule groups, in this case choose SQL database from the free rule groups, click Add to web ACL and then click Add rules
8. The next step is to create a custom rule
9. Choose the request criteria to be used; in our case, "matches the statement" will be used
10. The next step is to choose the Inspect option needed
11. For example, to allow or block a particular country, choose the option Originates from a country in
12. If this option is chosen, you need to choose how the country of origin is determined: from the source IP address or from the IP address in a header
If the IP address in a header is used, you need to define the header and the fallback behaviour for the case where there is no X-Forwarded-For header
13. The next step is to choose the action required: Allow, Block, Count or CAPTCHA. In this case CAPTCHA is selected
14. If needed, the default CAPTCHA token timer of 300 seconds can be modified
15. Click Add rule to add the custom rule to the web ACL
16. The next step is to choose the default web ACL action, which is used if no rule matches, and click Next
17. If needed, change the rule priority by selecting the rule to be moved and choosing Move up or Move down, then click Next
18. Sampled requests should be left enabled so that requests matching the web ACL rules can be viewed; then click Next to continue
19. The last step is to review the settings and click Create web ACL. If needed, click the Edit button to modify the settings again
When a request matches the CAPTCHA rule, the CAPTCHA check is presented in the browser. In our case, we need to solve the puzzle
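The same web ACL as an API payload, as an added example that is not part of the original post: it builds the two rules from steps 7 and 9 to 15 (the managed SQL database rule group plus a geo-match rule with the CAPTCHA action and the 300-second token timer, including the forwarded-IP header and fallback from step 12) and checks the WCU sum against the 1500-unit limit. The function names, the placeholder country code `XX` and the per-rule WCU figures are assumptions.

```python
# Assumed per-rule capacities (AWS WAF docs at time of writing): the SQL database
# managed rule group costs 200 WCUs, a geo-match statement 1 WCU.
SQLI_RULE_GROUP_WCU = 200
GEO_MATCH_WCU = 1
WEB_ACL_WCU_LIMIT = 1500  # default limit quoted in the note above

def visibility(metric_name):
    # Sampled requests stay enabled (step 18) so matching requests can be viewed
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}

def managed_sqli_rule(priority=0):
    """Step 7: AWS managed 'SQL database' rule group, with no action override."""
    return {"Name": "AWS-AWSManagedRulesSQLiRuleSet", "Priority": priority,
            "Statement": {"ManagedRuleGroupStatement": {
                "VendorName": "AWS", "Name": "AWSManagedRulesSQLiRuleSet"}},
            "OverrideAction": {"None": {}},
            "VisibilityConfig": visibility("AWS-AWSManagedRulesSQLiRuleSet")}

def captcha_by_country_rule(country_codes, priority=1, immunity_seconds=300,
                            header_name=None, fallback="MATCH"):
    """Steps 9-15: geo-match rule with the CAPTCHA action.
    header_name=None: the source IP decides the country (step 12); otherwise the
    named forwarded-IP header is used, with `fallback` applied when it is absent."""
    geo = {"CountryCodes": list(country_codes)}
    if header_name:
        geo["ForwardedIPConfig"] = {"HeaderName": header_name,
                                    "FallbackBehavior": fallback}
    return {"Name": "captcha-by-country", "Priority": priority,
            "Statement": {"GeoMatchStatement": geo},
            "Action": {"Captcha": {}},                      # step 13
            "CaptchaConfig": {"ImmunityTimeProperty": {      # step 14
                "ImmunityTime": immunity_seconds}},
            "VisibilityConfig": visibility("captcha-by-country")}

def build_web_acl(name, country_codes, header_name="X-Forwarded-For"):
    """Assemble the create-web-acl payload; REGIONAL scope because an ALB is the target."""
    rules = [managed_sqli_rule(),
             captcha_by_country_rule(country_codes, header_name=header_name)]
    used = SQLI_RULE_GROUP_WCU + GEO_MATCH_WCU
    if used > WEB_ACL_WCU_LIMIT:
        raise ValueError(f"rules need {used} WCUs, over the {WEB_ACL_WCU_LIMIT} limit")
    return {"Name": name, "Scope": "REGIONAL",
            "DefaultAction": {"Allow": {}},  # step 16: action when no rule matches
            "Rules": rules, "VisibilityConfig": visibility(name)}
```

Passing the returned dict as `boto3.client("wafv2").create_web_acl(**acl)` creates the web ACL (with `"XX"` replaced by a real ISO 3166 country code), after which it is associated with the load balancer.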