
📄 Host-Based WAF Rule for ALB

🎯 Objective

Block unwanted or bot traffic that reaches the ALB directly via its AWS-assigned DNS name or public IP, and allow only requests whose Host header carries the valid application domain (solutions.example.co.in).

Benefits:

  • Reduces 4XX noise in CloudWatch
  • Protects the application from direct scanning attempts

🔧 Approach

  • Use an AWS WAF v2 Web ACL attached to the ALB.
  • Create a ByteMatch rule that inspects the Host header.
  • Allow requests only if the Host header exactly matches solutions.example.co.in.
  • Block everything else by setting the Web ACL default action to Block.

✅ Rule Definition (JSON)

{
  "Name": "AllowSolutionsHost",
  "Priority": 7,
  "Action": {
    "Allow": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "AllowSolutionsHost"
  },
  "Statement": {
    "ByteMatchStatement": {
      "FieldToMatch": {
        "SingleHeader": {
          "Name": "host"
        }
      },
      "PositionalConstraint": "EXACTLY",
      "SearchString": "solutions.example.co.in",
      "TextTransformations": [
        {
          "Type": "LOWERCASE",
          "Priority": 0
        }
      ]
    }
  }
}

โš™๏ธ Configuration Steps

  1. Navigate to AWS WAF → Web ACLs.
  2. Edit the Web ACL attached to your ALB.
  3. Add a new Rule → Rule builder → Custom request rule.
  4. Paste the JSON above or configure equivalent settings in the console.
  5. Set the Web ACL default action to Block.
  6. Place this rule at a higher priority than any managed rules.
  7. (Optional) Add additional Allow rules for other valid domains (e.g., api.example.co.in).

๐Ÿ›ก๏ธ Best Practices

  • Start in COUNT mode before enforcing to ensure no valid traffic is accidentally blocked.
  • If using multiple domains, define an OR condition or add separate rules for each.
  • Retain AWS Managed Rules (e.g., AWSManagedRulesCommonRuleSet) after the Host header rule for additional protection.
  • Monitor CloudWatch metrics for this rule to verify effectiveness.
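As an added example (not part of the original page and not AWS code), the following Python models how the Web ACL evaluates a request against the rule definition above and the COUNT-mode rollout from the best practices: the rule dict mirrors the page's JSON, only ByteMatch on a single header with the LOWERCASE transformation is modelled, and every sample Host value is constructed.

```python
# Offline model of the Web ACL evaluation described above (added illustration, not AWS code).
ALLOW_HOST_RULE = {
    "Name": "AllowSolutionsHost", "Priority": 7, "Action": {"Allow": {}},
    "Statement": {"ByteMatchStatement": {
        "FieldToMatch": {"SingleHeader": {"Name": "host"}},
        "PositionalConstraint": "EXACTLY",
        "SearchString": "solutions.example.co.in",
        "TextTransformations": [{"Type": "LOWERCASE", "Priority": 0}]}}}
WEB_ACL = {"DefaultAction": {"Block": {}}, "Rules": [ALLOW_HOST_RULE]}

def transform(value, transformations):
    # Only LOWERCASE and NONE are modelled; WAF applies transformations in Priority order.
    for t in sorted(transformations, key=lambda t: t["Priority"]):
        if t["Type"] == "LOWERCASE":
            value = value.lower()
    return value

def byte_match(stmt, headers):
    # Header names are matched case-insensitively; a missing header behaves like an empty value.
    name = stmt["FieldToMatch"]["SingleHeader"]["Name"].lower()
    value = next((v for k, v in headers.items() if k.lower() == name), "")
    value = transform(value, stmt["TextTransformations"])
    needle = stmt["SearchString"]
    return {"EXACTLY": value == needle, "STARTS_WITH": value.startswith(needle),
            "ENDS_WITH": value.endswith(needle), "CONTAINS": needle in value,
            }[stmt["PositionalConstraint"]]

def evaluate(web_acl, headers):
    """Return (final action, rules that counted) using WAF's first-terminating-match order."""
    counted = []
    for rule in sorted(web_acl["Rules"], key=lambda r: r["Priority"]):
        if not byte_match(rule["Statement"]["ByteMatchStatement"], headers):
            continue
        action = next(iter(rule["Action"]))
        if action == "Count":            # COUNT never terminates; later rules still run
            counted.append(rule["Name"])
            continue
        return action.upper(), counted   # Allow and Block end evaluation here
    return next(iter(web_acl["DefaultAction"])).upper(), counted

def staged_acl(web_acl):
    """COUNT-mode copy for the rollout step: rule set to Count AND default action Allow.
    Leaving the default at Block while the allow rule only counts would block everything."""
    rules = [{**r, "Action": {"Count": {}}} for r in web_acl["Rules"]]
    return {"DefaultAction": {"Allow": {}}, "Rules": rules}

# Constructed sample Host values: valid domain, mixed case, ALB DNS name, raw IP, no header.
SAMPLES = {"valid": {"Host": "solutions.example.co.in"}, "mixed_case": {"host": "SOLUTIONS.Example.co.in"},
           "alb_dns": {"Host": "my-alb-123456789.ap-south-1.elb.amazonaws.com"},
           "raw_ip": {"Host": "203.0.113.10"}, "no_host": {}}
```

Because Allow is a terminating action, a request matched by this rule is never evaluated by any rule with a larger priority number, so the counted list from staged_acl is what you would inspect in CloudWatch before switching the default action to Block.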

๐Ÿ” Validation

Run test requests:

curl -H "Host: solutions.example.co.in" https://<ALB-DNS>    # ✅ Allowed
curl https://<ALB-IP>                                         # ❌ Blocked
curl https://<ALB-DNS>                                        # ❌ Blocked if Host header invalid

  • Query Athena ALB logs post-deployment to confirm only valid Host requests pass through.

🎯 Expected Outcome

  • Bots and scanners hitting the ALB via IP or AWS-assigned DNS are blocked at the WAF layer.
  • Only legitimate traffic using solutions.example.co.in is processed.
  • CloudWatch 4XX error alarms show reduced false positives from bot noise.
