LinkedIn Facebook Social Media
Amazon Web Services (AWS) Web Application Firewall (WAF) Service Delivery
Case Study - Leading Luxury Real Estate Developer in Dubai uses AWS WAF to protect assets.
One of the major master developers in Dubai migrated from an on-premise hosted web presence to AWS which functions as a single integrated web front that ties to multiple backend systems - including lead capturing and processing with integration to SFDC and online software that customizes villa layouts, custom designs and interior customizations. The reasons for wanting the migration was frequent downtimes, slow responses and service unavailability.

Being the most visited part of their entire digital infrastructure - having almost 6 million hits a month, it is a priority business critical component. Our client is one of the biggest developers in the region, and they are naturally exposed to all kinds of attacks and efforts to compromise their systems.

It was imperative that the infrastructure is protected with all resources at hand so that there is no downtime and that the attacks are prevented. It was observed that there had been multiple instances of Denial of Service attacks, probe for operating system and application vulnerabilities and attempted SQL injection attacks.

We recommended the customer leverage AWS WAF, which is a web application firewall to enable them create custom, application-specific rules that block common attack patterns that could affect the digital estate availability and compromise security. The Top 10 OWASP WAF rules provided by AWS was used as the base. All the preconfigured protective features that define the rules included in an AWS WAF web access control list (web ACL) was selected. Once the solution was deployed, AWS WAF began inspecting web requests to the user’s existing Amazon CloudFront distributions or Application Load Balancers, and blocked them when applicable.

How the environment is protected

The AWS WAF was configured with a set of rules (called a web access control list (web ACL)) that allow, block, or count web requests based on customizable web security rules and conditions that was pre-defined.

The AWS WAF is used to protect the environment against common web exploits which could affect workload availability and performance, compromise security, or consume excessive resources.

To customize the WAF, we used a combination of AWS pre-defined rules as well as wrote customized rules that helps protect the customer environment against attacks that are specific to the region or workload.

Manual IP lists   (Whitelist and Blacklist): This component creates two specific AWS WAF rules that allowed us to manually insert IP addresses that you want to block or allow.
SQL Injection Attacks   The solution configures two native AWS WAF rules that are designed to protect against common SQL injection or cross-site scripting (XSS) patterns in the URI, query string, or body of a request.
HTTP flood   This component protects against attacks that consist of a large number of requests from a particular IP address, such as a web-layer DDoS attack or a brute-force login attempt.
Scanners and Probes   This component parsed application access logs searching for suspicious behavior, such as an abnormal amount of errors generated by an origin. It then blocks those suspicious source IP addresses for a customer-defined period of time. 
IP Reputation Lists   This component is the IP Lists Parser AWS Lambda function which checks third-party IP reputation lists hourly for new ranges to block.
Bad Bots   This component automatically sets up a honeypot, which is a security mechanism intended to lure and deflect an attempted attack.

The image below shows the architecture of the Integra SOC ELK stack and the integration with customer accounts. This is a generic representation and is common to all customers.

The WAF security automations implemented based on OWASP Top 10 rules were able to block 90 percent of all non legitimate traffic as compared to before the AWS WAF was deployed with the rest being blocked by application specific controls. Traffic to and from the infrastrucure was monitored and is visible near real time with the AWS WAF, AWS Application Load Balancer (ALB) and Amazon CloudFront logs and Amazon CloudWatch logs. We also customized the access of specific applications/user by means of Whitelisting/Blacklisting and rate limiting features. There were repeated Denial of Service attempts from certain IP’s coming from certain countries, so country level blocking for varying time or graylisting was automatically enabled, and the attempts were thwarted.

AWS Components Used

Amazon EC2

Amazon S3


Amazon CloudFront

Amazon ALB


AWS ACM Lambda@Edge AWS ElasticCache


Integra Technologies FZE
PO 341352, A4-311, Dubai Digital Park
Dubai Silicon Oasis
Dubai, United Arab Emirates

Telephone: +971 4 3364 840
Fax: +971 4 3364 842

Current Events

Success Stories
Hear from customers!
Dates will be published soon.


Copyright © 2004-2022 Integra Technologies FZE