A Terraform-based template to deploy AWS App Runner services integrated with customizable AWS WAF Web ACLs for enhanced cloud security.
AWS App Runner with WAF Web ACLs
This tool is designed for cloud security engineers and DevOps professionals who want to automate the deployment of AWS App Runner applications secured by AWS WAF rules. It enables easy configuration of firewall rules, rate limiting, and request body size restrictions to protect web applications from malicious traffic. Users can also optionally integrate with AWS ECR for container image management.
AWS WAF inspects only the first part of a request body (8 KB by default on regional resources such as App Runner, a ceiling that newer WAF versions let you raise in the web ACL settings at extra cost). Bytes beyond that limit are never evaluated, so set `oversize_handling` on every body-inspecting statement and do not rely on a body rule to catch payloads larger than the limit. Tune the rate-limiting and country-based rules carefully: a threshold that is too low or a country list that is too broad blocks legitimate users, so run new rules in COUNT mode and check the CloudWatch metrics before switching them to BLOCK. When using the ECR integration, make sure the App Runner access role exists and trusts the App Runner build service, otherwise the service cannot pull the image. Local testing is supported but requires Docker and the .NET SDK.
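As an added example (not code from the template itself), this is the shape of a web ACL that implements the three controls described above in Terraform, using the `aws_wafv2_web_acl` and `aws_wafv2_web_acl_association` resources. The resource names, the `var.blocked_country_codes` variable (assumed to be declared elsewhere as a non-empty list of ISO 3166-1 alpha-2 codes) and the `aws_apprunner_service.app` reference are assumptions for illustration:

```hcl
# Added example, not the template's own code. Assumed names:
# aws_apprunner_service.app, var.blocked_country_codes (non-empty list).
resource "aws_wafv2_web_acl" "app" {
  name  = "apprunner-web-acl"
  scope = "REGIONAL" # App Runner is regional; a CLOUDFRONT-scoped ACL cannot be associated

  default_action {
    allow {}
  }

  # Rate limiting: an IP that exceeds 300 requests in the trailing 5-minute
  # window is blocked until its rate drops below the limit again.
  rule {
    name     = "rate-limit-per-ip"
    priority = 1
    action {
      block {}
    }
    statement {
      rate_based_statement {
        limit              = 300
        aggregate_key_type = "IP"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rate-limit-per-ip"
      sampled_requests_enabled   = true
    }
  }

  # Body size restriction: reject bodies over 4 KB. WAF inspects only the first
  # 8 KB of a body here, so oversize_handling decides what happens beyond that;
  # MATCH makes a body it cannot fully inspect count as a match (blocked) instead
  # of being waved through.
  rule {
    name     = "block-large-bodies"
    priority = 2
    action {
      block {}
    }
    statement {
      size_constraint_statement {
        comparison_operator = "GT"
        size                = 4096
        field_to_match {
          body {
            oversize_handling = "MATCH"
          }
        }
        text_transformation {
          priority = 0
          type     = "NONE"
        }
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "block-large-bodies"
      sampled_requests_enabled   = true
    }
  }

  # Country-based restriction; geo_match_statement rejects an empty list.
  rule {
    name     = "geo-block"
    priority = 3
    action {
      block {}
    }
    statement {
      geo_match_statement {
        country_codes = var.blocked_country_codes
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "geo-block"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "apprunner-web-acl"
    sampled_requests_enabled   = true
  }
}

# The association is a separate resource; without it the ACL exists but
# protects nothing. The service must be in the same region as the ACL.
resource "aws_wafv2_web_acl_association" "app" {
  resource_arn = aws_apprunner_service.app.arn
  web_acl_arn  = aws_wafv2_web_acl.app.arn
}
```

To trial a rule safely, replace `block {}` with `count {}` in its `action` and watch the rule's CloudWatch metric before switching it to block. The rate limit is keyed on source IP, so clients behind a shared NAT or corporate proxy share one budget; size the limit with that in mind.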
Run `terraform init` to initialize the Terraform configuration
Run `terraform apply -auto-approve` to create the infrastructure
Optionally configure `.auto.tfvars` for ECR usage
Create an ECR repository using AWS CLI if using ECR
Build and push Docker images to ECR if applicable
For local testing, restore and run the .NET app with `dotnet restore` and `dotnet run`
Build and run the Docker image locally with `docker build -t dotnet-app-image .` and `docker run --rm -p 80:80 --name dotnet-app dotnet-app-image`
terraform init
Initializes the Terraform working directory and downloads necessary providers
terraform apply -auto-approve
Applies the Terraform configuration to create AWS App Runner and WAF resources without manual approval
bash loop.sh https://<app_id>.us-east-2.awsapprunner.com
Tests the WAF rate-limiting rule by sending repeated requests to the App Runner endpoint. Rate-based rules count requests over a trailing window (5 minutes by default) and are re-evaluated periodically rather than on every request, so expect a short lag before the first 403 responses appear and before the IP is unblocked again after the loop stops.
bash ecrPushHttpbin.sh
Script to build and push a Docker image to AWS ECR (optional step)
aws ecr create-repository --repository-name dotnet-app
Creates an AWS ECR repository for storing Docker images. Consider adding `--image-scanning-configuration scanOnPush=true` and `--image-tag-mutability IMMUTABLE` so that pushed images are scanned and a tag such as `latest` cannot be silently repointed at a different image.
docker build . -t <ACCOUNT_ID>.dkr.ecr.<REGION>.amazonaws.com/dotnet-app:latest
Builds a Docker image tagged for pushing to AWS ECR
aws ecr get-login-password --region <REGION> | docker login --username AWS --password-stdin <ACCOUNT_ID>.dkr.ecr.<REGION>.amazonaws.com
Authenticates the Docker CLI to AWS ECR; the token is valid for 12 hours, after which the login must be repeated.
docker push <ACCOUNT_ID>.dkr.ecr.<REGION>.amazonaws.com/dotnet-app:latest
Pushes the Docker image to AWS ECR
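As an added example, not the template's own code, this is the Terraform side of the ECR integration: the access role that App Runner needs in order to pull from a private repository, and a service that points at the image pushed above. The repository name `dotnet-app` comes from the commands above; `var.image_tag` and the resource names are assumptions for illustration.

```hcl
# Added example, not the template's own code. Assumed: the dotnet-app repository
# already exists (created with the CLI above) and var.image_tag is declared.

# Look up the CLI-created repository rather than managing it here.
data "aws_ecr_repository" "app" {
  name = "dotnet-app"
}

# App Runner pulls private ECR images through an "access role" that is assumed
# by the App Runner build service principal, not by the running container.
data "aws_iam_policy_document" "apprunner_ecr_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["build.apprunner.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "apprunner_ecr_access" {
  name               = "apprunner-ecr-access"
  assume_role_policy = data.aws_iam_policy_document.apprunner_ecr_trust.json
}

# AWS-managed policy granting only the ECR read actions App Runner needs.
resource "aws_iam_role_policy_attachment" "apprunner_ecr_access" {
  role       = aws_iam_role.apprunner_ecr_access.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSAppRunnerServicePolicyForECRAccess"
}

resource "aws_apprunner_service" "app" {
  service_name = "dotnet-app"

  source_configuration {
    # With a pinned tag there is nothing to auto-deploy; deploy by changing
    # var.image_tag and applying, which keeps rollouts in the Terraform history.
    auto_deployments_enabled = false

    authentication_configuration {
      access_role_arn = aws_iam_role.apprunner_ecr_access.arn
    }

    image_repository {
      image_repository_type = "ECR"
      image_identifier      = "${data.aws_ecr_repository.app.repository_url}:${var.image_tag}"

      image_configuration {
        port = "80" # the container listens on 80, as in the local docker run above
      }
    }
  }

  # The service creation fails with an ECR access error if the policy is not
  # attached yet, so make the ordering explicit.
  depends_on = [aws_iam_role_policy_attachment.apprunner_ecr_access]
}
```

The ARN of this service is what a `aws_wafv2_web_acl_association` takes as its `resource_arn`. Keep the access role separate from any instance role you give the container at runtime: the access role only needs to pull the image, and the container should not inherit that permission.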
dotnet restore
Restores .NET dependencies for local testing
dotnet run
Runs the .NET application locally
docker build -t dotnet-app-image .
Builds the Docker image locally for the .NET app
docker run --rm -p 80:80 --name dotnet-app dotnet-app-image
Runs the Docker container locally exposing port 80