TASKS
- Create an IAM User (workshop-sec)
- Grant Access to Manage AWS WAF and ALB
- Use workshop-sec Credentials for Deployment
- Deploy the Web App with WAF Protection
1. Create an IAM User
Creating an IAM user workshop-sec with permissions to manage EC2, ALB, and WAF.
Create the IAM User
aws iam create-user --user-name workshop-sec
Attach IAM Policy for WAF and ALB Management
Creating a custom policy allowing ALB and WAF actions:
aws iam create-policy \
--policy-name WAF-ALB-Management \
--policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:*",
"elasticloadbalancing:*",
"wafv2:*",
"iam:GetUser"
],
"Resource": "*"
}
]
}'
Attaching the policy to the workshop-sec IAM user (the IAM ARN has an empty region field, so only two colons precede the account ID):
aws iam attach-user-policy \
--user-name workshop-sec \
--policy-arn arn:aws:iam::469031999xxx:policy/WAF-ALB-Management
2. Generating Access Credentials for workshop-sec:
aws iam create-access-key --user-name workshop-sec
Store the Access Key ID and Secret Access Key securely.
3. Use workshop-sec Credentials
Updating the AWS CLI profile:
aws configure --profile workshop-sec
Provide:
- Access Key ID
- Secret Access Key
- Region (e.g., us-east-1)
- Output format (e.g., json)
Verify:
aws sts get-caller-identity --profile workshop-sec
4. Deploying the Web App on EC2 (Amazon Linux) with WAF Protection:
Launching the EC2 Instance with Apache
aws ec2 run-instances \
--image-id ami-05b10e08d247fb927 \
--count 1 \
--instance-type t2.micro \
--key-name Seckey-2025 \
--security-groups WebServerSG \
--user-data "#!/bin/bash
yum update -y
yum install -y httpd
systemctl start httpd
systemctl enable httpd
echo 'Hello, AWS WAF!' > /var/www/html/index.html" \
--tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=WebServer}]' \
--profile workshop-sec
Creating the ALB and Attaching the EC2 Instance
aws elbv2 create-load-balancer \
--name WebAppALB \
--type application \
--subnets subnet-0f4679cf88554ab67 subnet-03b90dbf86a29d7db \
--security-groups sg-0019ab95b18d2cf94 \
--profile workshop-sec
Creating AWS WAF WebACL
aws wafv2 create-web-acl \
--name WebAppFirewall \
--scope REGIONAL \
--default-action Allow={} \
--visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=WebAppMetrics \
--rules '[{
"Name": "AWSManagedRulesCommonRuleSet",
"Priority": 0,
"Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}},
"OverrideAction": {"None": {}},
"VisibilityConfig": {"SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "WebAppMetrics"}
}]' \
--region us-east-1 \
--profile workshop-sec
Associate WAF with ALB
aws wafv2 associate-web-acl \
--web-acl-arn arn:aws:wafv2:us-east-1:469031999xxx:regional/webacl/WebAppFirewall/34345678-abcd-534-1d8d-5134567890ab \
--resource-arn arn:aws:elasticloadbalancing:us-east-1:469031999xxx:loadbalancer/app/WebAppALB/6dc6c495c0c9188 \
--region us-east-1 \
--profile workshop-sec
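As an added pre-deployment check (not part of the original workshop), this Python script lints the two JSON documents this walkthrough hands to the CLI: it flags the service-wide wildcards that the WAF-ALB-Management policy grants on Resource "*", and it catches the rule shape WAFv2 rejects for a managed rule group wrapper, which must carry OverrideAction rather than Action (and for which Count only logs instead of blocking). The embedded documents are constructed copies of the page's policy and rules JSON, with the rule deliberately written in the Action form so the check has something to catch.

```python
import json

# Constructed copies of the two JSON documents used in this workshop: the policy
# attached to workshop-sec and the --rules list passed to create-web-acl.
IAM_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["ec2:*", "elasticloadbalancing:*", "wafv2:*", "iam:GetUser"], "Resource": "*"}]}''')
WAF_RULES = json.loads('''[{"Name": "AWSManagedRulesCommonRuleSet", "Priority": 0,
  "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}},
  "Action": {"Allow": {}}, "VisibilityConfig": {"SampledRequestsEnabled": true,
  "CloudWatchMetricsEnabled": true, "MetricName": "WebAppMetrics"}}]''')

def as_list(value):
    """IAM allows a single string or a list for Action and Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])

def lint_iam_policy(policy):
    """Flag Allow statements that pair service-wide wildcard actions with Resource '*'."""
    findings = []
    for stmt in policy.get("Statement", []):
        wild = [a for a in as_list(stmt.get("Action")) if a.endswith("*")]
        if stmt.get("Effect") == "Allow" and wild and "*" in as_list(stmt.get("Resource")):
            findings.append(f"wildcard actions {wild} allowed on Resource '*'")
    return findings

def lint_waf_rules(rules):
    """Flag managed-rule-group wrappers that WAFv2 rejects or that silently stop blocking."""
    findings = []
    for rule in rules:
        name = rule.get("Name", "<unnamed>")
        if "ManagedRuleGroupStatement" not in rule.get("Statement", {}):
            continue
        # The group carries its own per-rule actions; the wrapper may only override them.
        if "Action" in rule:
            findings.append(f"{name}: managed rule group takes OverrideAction, not Action")
        if "OverrideAction" not in rule:
            findings.append(f"{name}: missing OverrideAction (use None to enforce the group)")
        elif "Count" in rule["OverrideAction"]:
            findings.append(f"{name}: OverrideAction Count only records matches, it does not block")
    return findings

def with_override_action(rules):
    """Return a copy where managed rule groups enforce via OverrideAction None instead of Action."""
    fixed = []
    for rule in rules:
        rule = {k: v for k, v in rule.items() if k != "Action"}
        if "ManagedRuleGroupStatement" in rule.get("Statement", {}):
            rule["OverrideAction"] = {"None": {}}
        fixed.append(rule)
    return fixed
```

Run the two linters before the create-policy and create-web-acl calls; an empty findings list from lint_waf_rules(with_override_action(WAF_RULES)) is the shape the CLI accepts.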
Verification
- Check API Identity
aws sts get-caller-identity --profile workshop-sec
- Check WAF Logs: go to AWS WAF Console → WebACL → View Request Logs.
CONCLUSION
- Created the IAM user workshop-sec, which can manage EC2, ALB, and WAF.
- Deployed AWS managed WAF rules to protect the web application.
- Associated the WAF WebACL with the ALB to enforce protection.
- All operations use the workshop-sec profile.