🛡️ WAF Setup for Bike4Mind API Protection

This directory contains scripts for setting up AWS WAF (Web Application Firewall) to protect your Bike4Mind application from API hammering and enable emergency IP blocking.

🚨 Emergency Protection Features

Rate Limiting: 1000 requests per 5 minutes per IP
Emergency IP Blocking: Instantly block malicious IPs
CloudWatch Monitoring: Track blocked requests and metrics
Emergency Commands: Quick scripts for threat response

📋 Prerequisites

AWS CLI configured with appropriate permissions
CloudFront distribution already deployed (via SST)
Admin access to AWS WAF and CloudFront

🚀 Setup Instructions

Step 1: Find Your CloudFront Distribution ID

# Run the helper script to find your distribution ID
./get-cloudfront-id.sh

This will either automatically find your distribution ID or list all distributions for you to choose from.

Step 2: Deploy WAF Protection

# Replace DISTRIBUTION_ID with your actual CloudFront distribution ID
./setup-waf.sh E1234567890ABC

What this creates:

✅ WAF Web ACL with rate limiting (1000 req/5min per IP)
✅ IP Set for emergency blocking
✅ CloudWatch metrics and monitoring
✅ Association with your CloudFront distribution

Step 3: Configure Emergency Commands

After WAF setup completes, it will output commands like:

✅ IP Set created: 12345678-1234-1234-1234-123456789012

Update the emergency script:

Edit emergency-waf-commands.sh
Replace REPLACE_WITH_ACTUAL_IP_SET_ID with your actual IP Set ID
Save the file

🚨 Emergency Response Commands

Block an IP Address

./emergency-waf-commands.sh block 192.168.1.100

Block an Entire Subnet

./emergency-waf-commands.sh block-subnet 10.0.0.0/8

Emergency Reset (Unblock All)

./emergency-waf-commands.sh unblock-all

List Currently Blocked IPs

./emergency-waf-commands.sh list

View WAF Metrics

# Last 1 hour (default)
./emergency-waf-commands.sh metrics

# Last 24 hours
./emergency-waf-commands.sh metrics 24

📊 Monitoring

CloudWatch Metrics

The WAF automatically sends metrics to CloudWatch:

Namespace: AWS/WAFV2
Metrics: BlockedRequests, AllowedRequests
Dimensions: WebACL, Rule

View in AWS Console

Go to AWS CloudWatch → Metrics
Select "WAFV2" namespace
View metrics for your Web ACL

🔧 Manual Commands (Reference)

If you need to run WAF commands manually:

Get Current Blocked IPs

aws wafv2 get-ip-set \
    --scope CLOUDFRONT \
    --id YOUR_IP_SET_ID \
    --region us-east-1

Block an IP

aws wafv2 update-ip-set \
    --scope CLOUDFRONT \
    --id YOUR_IP_SET_ID \
    --addresses "192.168.1.100/32" "10.0.0.0/8" \
    --region us-east-1

View WAF Rules

aws wafv2 get-web-acl \
    --scope CLOUDFRONT \
    --id YOUR_WEB_ACL_ID \
    --region us-east-1

🚨 Emergency Scenarios

Scenario 1: API Attack in Progress

# Immediately block the attacking IP
./emergency-waf-commands.sh block 203.0.113.15

# Check if blocking is working
./emergency-waf-commands.sh metrics

# View currently blocked IPs
./emergency-waf-commands.sh list

Scenario 2: Distributed Attack

# Block entire subnet ranges
./emergency-waf-commands.sh block-subnet 203.0.113.0/24
./emergency-waf-commands.sh block-subnet 198.51.100.0/24

# Monitor blocking effectiveness
./emergency-waf-commands.sh metrics

Scenario 3: False Positive (Unblock)

# Emergency reset to unblock all IPs
./emergency-waf-commands.sh unblock-all

# Or manually remove specific IPs by updating the IP set
# (requires getting current IPs and removing the specific one)

📝 Rate Limiting Details

Current Configuration:

Limit: 1000 requests per 5 minutes
Scope: Per IP address
Action: Block excess requests
Metric: Tracked in CloudWatch

To Modify Rate Limits:

Go to AWS WAF Console
Find your Web ACL: bike4mind-api-protection
Edit the api-rate-limit rule
Adjust the limit as needed

🔒 Security Best Practices

Regular Monitoring: Check WAF metrics weekly
IP Set Maintenance: Review blocked IPs monthly
Alert Setup: Configure CloudWatch alarms for high block rates
Access Control: Limit who can modify WAF rules
Documentation: Keep emergency procedures updated

🧹 Cleanup (If Needed)

To remove WAF protection:

# Disassociate from CloudFront
aws wafv2 disassociate-web-acl \
    --resource-arn "arn:aws:cloudfront::ACCOUNT:distribution/DISTRIBUTION_ID" \
    --region us-east-1

# Delete Web ACL
aws wafv2 delete-web-acl \
    --scope CLOUDFRONT \
    --id YOUR_WEB_ACL_ID \
    --lock-token LOCK_TOKEN \
    --region us-east-1

# Delete IP Set
aws wafv2 delete-ip-set \
    --scope CLOUDFRONT \
    --id YOUR_IP_SET_ID \
    --lock-token LOCK_TOKEN \
    --region us-east-1

🆘 Troubleshooting

WAF Not Blocking

Check if WAF is associated with CloudFront distribution
Verify rules are enabled in Web ACL
Check CloudWatch metrics for rule evaluation

Commands Not Working

Ensure AWS CLI is configured for us-east-1 region
Verify you have WAF permissions
Check IP Set ID is correct in emergency script

High False Positives

Review rate limit threshold (may be too low)
Check if legitimate traffic patterns changed
Consider allowlisting known good IPs

📞 Emergency Contacts

Primary: DevOps Engineer
Secondary: Security Lead
Escalation: CTO

🚨 Emergency Protection Features​

📋 Prerequisites​

🚀 Setup Instructions​

Step 1: Find Your CloudFront Distribution ID​

Step 2: Deploy WAF Protection​

Step 3: Configure Emergency Commands​

🚨 Emergency Response Commands​

Block an IP Address​

Block an Entire Subnet​

Emergency Reset (Unblock All)​

List Currently Blocked IPs​

View WAF Metrics​

📊 Monitoring​

CloudWatch Metrics​

View in AWS Console​

🔧 Manual Commands (Reference)​

Get Current Blocked IPs​

Block an IP​

View WAF Rules​

🚨 Emergency Scenarios​

Scenario 1: API Attack in Progress​

Scenario 2: Distributed Attack​

Scenario 3: False Positive (Unblock)​

📝 Rate Limiting Details​

🔒 Security Best Practices​

🧹 Cleanup (If Needed)​

🆘 Troubleshooting​

WAF Not Blocking​

Commands Not Working​

High False Positives​

📞 Emergency Contacts​

🔗 Related Documentation​