aws-amplify / amplify-hosting

AWS Amplify Hosting provides a Git-based workflow for deploying and hosting fullstack serverless web applications.
https://aws.amazon.com/amplify/hosting/
Apache License 2.0

Web Application Firewall Integration #36

Open blazinaj opened 4 years ago

blazinaj commented 4 years ago

Is your feature request related to a problem? Please describe.

We are trying to use an Amplify-CLI / Amplify-Console powered app in Production. A business (security) requirement is that we use a Web Application Firewall. Currently there is no way to implement that with the Amplify Console, so we will have to host our production app using a different service.

See: #8

We are a little sad about this, as the Amplify Console has 90% of the functionality needed for hosting a production level app, but "Only Basic Auth security" is a major deal breaker for us.

Describe the solution you'd like

Allow us to create our own CloudFront distribution, with an associated WAF, and direct the Amplify Console Hosting through that domain, instead of the automatically generated "always public" domain (e.g. production.abcxyz.amplifyapp.com)

matt-dalton commented 1 month ago

1 would definitely be better.

Would 2 allow us to set rules as we normally would with WAF? e.g. show a captcha based on request conditions?

jimmyn commented 1 month ago

@mauerbac definitely 1

sawravchy commented 1 month ago

I would definitely prefer option 1.

mauerbac commented 1 month ago

@matt-dalton For #2, I'd be managed so you'd have fewer controls around request conditions and let Amplify Hosting optimize for DDoS protection against Layer 3, 4, 7 attacks. i.e. If we suspect your site is under heavy attack, we'd force users into CAPTCHA challenge. The tradeoff is you don't have to worry/learn about WAF etc.

@jimmyn @sawravchy Makes sense! Do you already use WAF today? What features in WAF do you plan to leverage?

Thank you for the super fast responses :)

matt-dalton commented 1 month ago

> I'd be managed so you'd have fewer controls around request conditions and let Amplify Hosting optimize for DDoS protection against Layer 3, 4, 7 attacks. i.e. If we suspect your site is under heavy attack, we'd force users into CAPTCHA challenge. The tradeoff is you don't have to worry/learn about WAF etc.

I mean that sounds nice in principle. My worry would be we'd be stuck if it proved ineffective...or we had specific requirements somehow.

thornyweb commented 1 month ago

> @matt-dalton For #2, I'd be managed so you'd have fewer controls around request conditions and let Amplify Hosting optimize for DDoS protection against Layer 3, 4, 7 attacks. i.e. If we suspect your site is under heavy attack, we'd force users into CAPTCHA challenge. The tradeoff is you don't have to worry/learn about WAF etc.

Based on this reply, option 2 would be sufficient for my needs, while option 1 would be more complete.

I appreciate that you are still at a very early stage, but is there a significant time difference between delivering the 2 solutions? If option 1 was going to add months of extra development beyond number 2, I'd strongly advocate for the quicker delivery.

jimmyn commented 1 month ago

> @matt-dalton
>
> For #2, I'd be managed so you'd have fewer controls around request conditions and let Amplify Hosting optimize for DDoS protection against Layer 3, 4, 7 attacks. i.e. If we suspect your site is under heavy attack, we'd force users into CAPTCHA challenge. The tradeoff is you don't have to worry/learn about WAF etc.
>
> @jimmyn @sawravchy
>
> Makes sense! Do you already use WAF today? What features in WAF do you plan to leverage?
>
> Thank you for the super fast responses :)

Yes, we already use WAF for our API gateway and AppSync with custom rule sets, both configured in CloudFormation. For me, it would be easier to either assign the same instance or create a separate one in CloudFormation rather than opting for a managed solution through the UI. However, I believe both options should be implemented to cover all possible use cases.

frattaro commented 1 month ago

Option 2 because it's Amplify. What about a new feature to "eject" from Amplify, where it provides you a CloudFormation script?

bsnyder74 commented 1 month ago

Whichever can be done the fastest and will actually get completed. We've been waiting on this for years. Can you provide any insights as to whether one will take longer than the other?

mauerbac commented 1 month ago

> @matt-dalton For #2, I'd be managed so you'd have fewer controls around request conditions and let Amplify Hosting optimize for DDoS protection against Layer 3, 4, 7 attacks. i.e. If we suspect your site is under heavy attack, we'd force users into CAPTCHA challenge. The tradeoff is you don't have to worry/learn about WAF etc.
>
> Based on this reply, option 2 would be sufficient for my needs, while option 1 would be more complete.
>
> I appreciate that you are still at a very early stage, but is there a significant time difference between delivering the 2 solutions? If option 1 was going to add months of extra development beyond number 2, I'd strongly advocate for the quicker delivery.

Gotcha -- my question is when you say option 1 is more complete -- would you mind doing the added work to learn and properly configure WAF? Is that something you'd invest the time to do? Not sure if you've checked out AWS WAF before

thornyweb commented 1 month ago

> @matt-dalton For #2, I'd be managed so you'd have fewer controls around request conditions and let Amplify Hosting optimize for DDoS protection against Layer 3, 4, 7 attacks. i.e. If we suspect your site is under heavy attack, we'd force users into CAPTCHA challenge. The tradeoff is you don't have to worry/learn about WAF etc.
>
> Based on this reply, option 2 would be sufficient for my needs, while option 1 would be more complete. I appreciate that you are still at a very early stage, but is there a significant time difference between delivering the 2 solutions? If option 1 was going to add months of extra development beyond number 2, I'd strongly advocate for the quicker delivery.
>
> Gotcha -- my question is when you say option 1 is more complete -- would you mind doing the added work to learn and properly configure WAF? Is that something you'd invest the time to do? Not sure if you've checked out AWS WAF before

@mauerbac - I would if that was what was required, but as I say my preference is for the speediest solution, I and many others have been working with risk exceptions because of this for too long now.

There is an argument to be made for option 2 and a solution being integrated directly into Amplify.

Would the IP coverage in option 2 include allowing IP ranges and CIDR blocks as well as single fixed IPs? Would it cover both V4 and V6? Would it be both safe list and block list? Say I want to block all traffic except a handful of IPs in one application and in another, I want to allow all but block a select few.

mauerbac commented 1 month ago

> @matt-dalton For #2, I'd be managed so you'd have fewer controls around request conditions and let Amplify Hosting optimize for DDoS protection against Layer 3, 4, 7 attacks. i.e. If we suspect your site is under heavy attack, we'd force users into CAPTCHA challenge. The tradeoff is you don't have to worry/learn about WAF etc.
>
> Based on this reply, option 2 would be sufficient for my needs, while option 1 would be more complete. I appreciate that you are still at a very early stage, but is there a significant time difference between delivering the 2 solutions? If option 1 was going to add months of extra development beyond number 2, I'd strongly advocate for the quicker delivery.
>
> Gotcha -- my question is when you say option 1 is more complete -- would you mind doing the added work to learn and properly configure WAF? Is that something you'd invest the time to do? Not sure if you've checked out AWS WAF before
>
> @mauerbac - I would if that was what was required, but as I say my preference is for the speediest solution, I and many others have been working with risk exceptions because of this for too long now.
>
> There is an argument to be made for option 2 and a solution being integrated directly into Amplify.
>
> Would the IP coverage in option 2 include allowing IP ranges and CIDR blocks as well as single fixed IPs? Would it cover both V4 and V6? Would it be both safe list and block list? Say I want to block all traffic except a handful of IPs in one application and in another, I want to allow all but block a select few.

We are thinking the feature set would look like...

✅ Allow CIDR blocks and single fixed IPs
✅ IPv4 and IPv6
✅ Allowlist
❌ Block list
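
The two modes asked about in this exchange (block everything except a handful of IPs, versus allow everything except a select few), modelled as an added example that is not part of the thread and is not Amplify's or AWS WAF's implementation. The function names, the sample entries (documentation address ranges) and the choice to unwrap IPv4-mapped IPv6 addresses are assumptions of this sketch.

```python
import ipaddress

# Constructed sample entries (documentation ranges), not taken from the thread.
OFFICE_ENTRIES = ["203.0.113.0/24", "198.51.100.7", "2001:db8:10::/48"]


def parse_entries(entries):
    """Parse single IPs and CIDR blocks, IPv4 or IPv6, into network objects."""
    # strict=False turns a bare address into a /32 or /128 network and
    # tolerates host bits being set in a CIDR entry.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def normalize(addr):
    """Return an address object, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d).

    Assumption of this example: a dual-stack front end may report an IPv4
    client in mapped form, which would otherwise miss every IPv4 entry.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def matches(addr, networks):
    """True if addr falls inside any entry of the same IP version."""
    ip = normalize(addr)
    return any(ip.version == n.version and ip in n for n in networks)


def decide(addr, entries, mode):
    """Return 'ALLOW' or 'BLOCK' for a source address.

    'allowlist': default deny, only listed sources pass.
    'blocklist': default allow, listed sources are rejected.
    """
    hit = matches(addr, parse_entries(entries))
    if mode == "allowlist":
        return "ALLOW" if hit else "BLOCK"
    if mode == "blocklist":
        return "BLOCK" if hit else "ALLOW"
    raise ValueError(f"unknown mode: {mode}")


if __name__ == "__main__":
    for src in ["203.0.113.44", "::ffff:203.0.113.44", "192.0.2.9"]:
        print(src, decide(src, OFFICE_ENTRIES, "allowlist"))
```

With only the allowlist mode available, the second scenario ("allow all but block a select few") has no direct expression, since the complement of a short block list is not a short allow list.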

matt-dalton commented 1 month ago

Not having a block list would have been limiting for us in the past, but obviously I've no idea how effective the #2 automated protections you're planning are.

rwbayer commented 1 month ago

As another data point, we'd prefer the first option, but agreed with speed being the primary driver here (would prefer the second option if it's significantly faster)

sumitsahoo commented 1 month ago

> @LarsPede @ppuvan @tuxillo @mathewmcnaughtonmass @jimmyn @joon623 👋 Hello everyone -- we are in active development of this feature! Sorry for the lack of communication.
>
> We are working through a few implementation decisions, and I'm curious to get a bit of feedback. We are exploring two approaches 1) An integration with the AWS WAF service 2) A more managed approach where you can easily accomplish IP allowlists, country block, enable Bot Protection/DDoS Protection.
>
> Can you provide feedback on which approach would better suit your needs? I'm also available for a call if you can DM me on Twitter/X (@mauerbac) or email mauerbac@amazon.com to set up

1 looking more feasible.

Also in our org, we use Imperva as WAF for all the applications. So flexibility needs to be there if a customer wants to implement a WAF other than AWS. We are trying to develop an application with Amplify for our org and sadly there are some org-level limitations that we need to follow (i.e. WAF).

frattaro commented 1 month ago

I'm surprised to see interest in Amplify by customers who require customized infra

sumitsahoo commented 1 month ago

> I'm surprised to see interest in Amplify by customers who require customized infra

Well, we are currently using Amplify Gen 1 but plan to migrate to Gen 2. It makes the development a bit faster instead of going with traditional 3-tier architecture. Also, GraphQL helps in many ways. At least in our org, we are now more committed to serverless components :) Less focus on infra and more focus on data :)

LarsPede commented 1 month ago

> I'm surprised to see interest in Amplify by customers who require customized infra

The fact that we don't have to worry about the rest of the infrastructure (fargate, ecs, what-not) makes it so easy to get up and running, that it outweighs the restrictions we currently have in amplify. Automatic PR builds, automatic teardowns, automatic image optimization, the list goes on...

> 👋 Hello everyone -- we are in active development of this feature! Sorry for the lack of communication.
>
> We are working through a few implementation decisions, and I'm curious to get a bit of feedback. We are exploring two approaches 1) An integration with the AWS WAF service 2) A more managed approach where you can easily accomplish IP allowlists, country block, enable Bot Protection/DDoS Protection.
>
> Can you provide feedback on which approach would better suit your needs? I'm also available for a call if you can DM me on Twitter/X (@mauerbac) or email mauerbac@amazon.com to set up

@mauerbac Nice to hear!

Both would honestly be fine for us. Approach 1 would be preferred, since it allows us more control. My ultimate request would be the ability to opt into one or the other. I think ejecting fully isn't a valuable feature - if we want full control, then we wouldn't have started with amplify. I'm much more into opting for the extra features that are required for prod runs of an application infrastructure.

drew-carter commented 1 month ago

> @LarsPede @ppuvan @tuxillo @mathewmcnaughtonmass @jimmyn @joon623 👋 Hello everyone -- we are in active development of this feature! Sorry for the lack of communication.
>
> We are working through a few implementation decisions, and I'm curious to get a bit of feedback. We are exploring two approaches 1) An integration with the AWS WAF service 2) A more managed approach where you can easily accomplish IP allowlists, country block, enable Bot Protection/DDoS Protection.
>
> Can you provide feedback on which approach would better suit your needs? I'm also available for a call if you can DM me on Twitter/X (@mauerbac) or email mauerbac@amazon.com to set up

Very keen on this implementation too. Option 1 would certainly be better for my use cases. Option 2 could suffice in many cases, but only if things like the IP lists were integrated with the WAFv2 IP Sets and potentially prefix lists.

OlisaMarvis commented 1 month ago

Wow, surprised this isn't available 1 year later.

FavourOkonta commented 2 weeks ago

Following up on this request? Any updates on WAF integration?

MarlonJD commented 2 weeks ago

Any updates? Can we use WAF with gen2 without any extra steps? What's the suggestion of the Amplify team?