How do I protect my Elastic Beanstalk environment against attacks from known unwanted hosts?

3 minute read
0

My AWS Elastic Beanstalk instances get requests from an unwanted hostname.

Resolution

In an Elastic Beanstalk environment with an Application Load Balancer, use AWS WAF as a custom resource to protect your instances against attacks. You can choose to block either one hostname or block multiple hostnames.

Block one hostname

1.    Create a waf.config configuration file in your .ebextensions directory.

2.    Update your waf.config file based on this example.

option_settings:
  aws:elasticbeanstalk:environment:
    LoadBalancerType: application
  aws:elasticbeanstalk:customoption:
    BlockedHost1: 'exampletoblock.com'
Resources:
  BlockedHostnames:
    Type: "AWS::WAFv2::RegexPatternSet"
    Properties:
      Description: 'List of Hostnames to be block by WebACL'
      Name: BlockedHostsSet
      RegularExpressionList:
         - { "Fn::GetOptionSetting" : {"OptionName" : "BlockedHost1" }}
      Scope: REGIONAL

WafAcl:
    Type: "AWS::WAFv2::WebACL"
    Properties:
      Description: "Web ACL to Block requests from unknown hosts on AWSEBV2LoadBalancer"
      Name: "BlockHostACL"
      Scope: REGIONAL
      DefaultAction:
        Allow: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: BlockHostACLMetric
      Rules:
        - Name: BlockedHostsRule
          Priority: 1
          Action:
            Block: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: UnknownHostRule1
          Statement:
            RegexPatternSetReferenceStatement:
              Arn: '`{ "Fn::GetAtt" : ["BlockedHostnames", "Arn" ]}`'
              FieldToMatch:
                 SingleHeader:
                  Name: Host
              TextTransformations:
                 - Priority: 0
                  Type: NONE

WebACLAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
       ResourceArn: '`{ "Ref" : "AWSEBV2LoadBalancer" }`'
      WebACLArn: '`{ "Fn::GetAtt" : ["WafAcl", "Arn" ]}`'

Note: Replace BlockedHost1 with the hostname that you want to block from your Elastic Beanstalk environment.

3.    Create or update your Elastic Beanstalk environment with your waf.config file from the preceding step.

Important: If you run your waf.config file on an existing Elastic Beanstalk environment that doesn't have an Application Load Balancer, then you get an error. You receive the error because you can define the load balancer type only during environment creation. Change your Load Balancer type with a blue/green deployment. For more information, see Configure an Application Load Balancer.

4.    To confirm that BlockedHost1 is blocked from sending requests to your Elastic Beanstalk environment, first open a terminal. Then, to simulate a request that originates from exampletoblock.com, run this command:

$ curl -I -H 'host: exampletoblock.com' http://YOUR-ENV-NAME.YOUR-ENV-ID.AWS-REGION.elasticbeanstalk.com

Note: Replace exampletoblock.com with the hostname that's configured on waf.config that you want to block. Replace http://YOUR-ENV-NAME.YOUR-ENV-ID.AWS-REGION.elasticbeanstalk.com with your Elastic Beanstalk environment URL.

If the hostname is blocked, then you receive output similar to this example:

> HTTP/1.1 403 Forbidden
  Server: awselb/2.0
  Date: Mon, 20 Apr 2020 17:31:14 GMT
  Content-Type: text/html
  Content-Length: 134
  Connection: keep-alive

5.    To simulate a normal request, run this command:

$ curl -I http://ENV-NAME.ENV-ID.eu-west-1.elasticbeanstalk.com

If the request is successful, then you see a successful 200 status code. You receive an output similar to this example:

> HTTP/1.1 200 OK
  Date: Mon, 20 Apr 2020 17:38:04 GMT
  Content-Type: text/html
  Content-Length: 3352
  Connection: keep-alive
  Server: nginx/1.16.1

Block multiple hostnames

To block multiple hostnames, add hostnames to a Web Access Control List (WEB ACL) that uses the RegexPatternSet. In your waf.config file, add additional hostnames as custom options in the RegularExpressionList:

option_settings:
  aws:elasticbeanstalk:environment:
    LoadBalancerType: application
  aws:elasticbeanstalk:customoption:
    BlockedHost1: 'exampletoblock.com'
    BlockedHost2: 'anothertoblock.com'
Resources:
  BlockedHostnames:
    Type: "AWS::WAFv2::RegexPatternSet"
    Properties:
      Description: 'List of Hostnames to be block by WebACL'
      Name: BlockedHostsSet
      RegularExpressionList:
         - { "Fn::GetOptionSetting" : {"OptionName" : "BlockedHost1" }}
         - { "Fn::GetOptionSetting" : {"OptionName" : "BlockedHost2" }}
      Scope: REGIONAL

Related information

Add and customize Elastic Beanstalk environment resources

AWS OFFICIAL
AWS OFFICIALUpdated 7 months ago