LinkedIn Facebook Social Media
Amazon Web Services (AWS) Web Application Firewall (WAF) Service Delivery
Case Study - Startup Fintech Company uses AWS WAF to protect sensitive workloads
The fintech company is an online B2C (and B2B) portal which brings sellers of personal items to the ‘best priced’ and geographically closest buyer with the additional optionality for the seller to ‘buyback’ their item in the near future. These local retail stores (Members) who regularly buy and sell personal items like second-hand electronics and other goods. These Members put in bid prices and quantities for each individual item on our Portal.

The company is a startup that is focused on providing financial solutions to customers. The safety of the customer and financial data is of paramount importance, both in terms of regulatory and compliance requirements as well as the reputation of the company. Assets to be protected include web applications that serve as the entry points for consumer customers, businesses using secure access, as well as administrators of both the application servers and databases. Furthermore, external connectivity to third party SaaS solutions like MongoDB Atlas is also present in the environment, adding to the surfaces to be protected.

As the business started gaining popularity and the use base increased, it was observed that there was increasing attempts to gain unauthorized access and to compromise the enivronment. Large scale brute-force attacks, SQL injection attacks and Denial of Service attempts - though while not widely distributed, were enough to create concern, given that the operational domain was financial services. It was imperative that these attempts did not get past the perimeter.

To prevent compromise or non-availability of the critical workloads, AWS WAF was deployed at all entry points into the infrastructure - Regional AWS Web Application Firewalls in the Amazon Application Load Balancers (ALB) and Global WAF for the Content Delivery Network, Amazon CloudFront. The Top 10 OWASP WAF rules provided by AWS was used as the base set and a set of customizations for specific workload related requirements were developed by our internal teams. All the preconfigured protective features that define the rules included in an AWS WAF web access control list (web ACL) was selected. Once the solution was deployed, AWS WAF began inspecting web requests to the user’s existing Amazon CloudFront distributions or Application Load Balancers, and blocked them when applicable.

How the environment is protected

The AWS WAF was configured with a set of rules (called a web access control list (web ACL)) that allow, block, or count web requests based on customizable web security rules and conditions that was pre-defined.

The AWS WAF is used to protect the environment against common web exploits which could affect workload availability and performance, compromise security, or consume excessive resources.

To customize the WAF, we used a combination of AWS pre-defined rules as well as wrote customized rules that helps protect the customer environment against attacks that are specific to the region or workload.

Manual IP lists   (Whitelist and Blacklist): This component creates two specific AWS WAF rules that allowed us to manually insert IP addresses that you want to block or allow.
SQL Injection Attacks   The solution configures two native AWS WAF rules that are designed to protect against common SQL injection or cross-site scripting (XSS) patterns in the URI, query string, or body of a request.
HTTP flood   This component protects against attacks that consist of a large number of requests from a particular IP address, such as a web-layer DDoS attack or a brute-force login attempt.
Scanners and Probes   This component parsed application access logs searching for suspicious behavior, such as an abnormal amount of errors generated by an origin. It then blocks those suspicious source IP addresses for a customer-defined period of time. 
IP Reputation Lists   This component is the IP Lists Parser AWS Lambda function which checks third-party IP reputation lists hourly for new ranges to block.
Bad Bots   This component automatically sets up a honeypot, which is a security mechanism intended to lure and deflect an attempted attack.

The image below shows the architecture of the Integra SOC ELK stack and the integration with customer accounts. This is a generic representation and is common to all customers.

The benefits of using AWS WAF to protect the workloads were immediate and clearly visible. A low predictable cost, compared to thousands of dollars for legacy WAFs, was most important to the finance and planning teams. Zero upfront costs and marginal running costs made sense to the customer, especially since it was important to optimize costs at all points.

The second benefit was the ease of deployment. Integra teams were able to deploy and start protection of the customers workload within a few hours, with the pre-built OWASP Top 10 Rules and our customizations that we applied on top of the base rules. Our customized rules were built based on the years of experience we had protecting workloads on AWS. The customer was very happy with the very low lead time, and the immediate impact of the deployment in enhancing security of their infrastructure.

The third benefit of using AWS WAF was the ability to customize rules and build upon the base rules. This allows for greater control of how attacks are identified, prevented and false postives reduced. Compared to AWS WAFv1 , v2 removes restrictions on the number of rules, and this greatly enhances options when it comes to building and deploying custom rules.

AWS Components Used

Amazon EC2

Amazon S3


Amazon CloudFront

Amazon ALB


AWS ACM Amazon QuickSight AWS ElasticCache



MongoDB Atlas


Integra Technologies FZE
PO 341352, A4-311, Dubai Digital Park
Dubai Silicon Oasis
Dubai, United Arab Emirates

Telephone: +971 4 3364 840
Fax: +971 4 3364 842

Current Events

Success Stories
Hear from customers!
Dates will be published soon.


Copyright © 2004-2022 Integra Technologies FZE