Let’s confirm you are human

AWS Cloud Computing Captcha Firewall

Anders Bjørnestad

AWS Authorized Instructor

AWS WAF now have support for Captcha

Captcha-support for AWS WAF Länk till annan webbplats. (Web Application Firewall) was announced recently. Most of us are seeing captchas when we are registering new accounts, making orders online or simply want to check the flight-times to Paris.

 

AWS WAF

AWS WAF

A CAPTCHA (/kæp.tʃə/ Länk till annan webbplats., a contrived acronym Länk till annan webbplats. for “Completely Automated Public Turing test Länk till annan webbplats. to tell Computers and Humans Apart”) is a type of challenge–response Länk till annan webbplats. test used in computing Länk till annan webbplats. to determine whether the user is human.

(source: Wikipedia Länk till annan webbplats.)


There are a different providers of Captcha solutions out there, and a lot requires you to alter your applications to implement their solution. AWS WAF has this integrated, and if you are using WAF already you can configure this in minutes without the need to change your solution. The captchas presented here are (from what I have seen) either a slider where you match a figure or a “car path” where you have to point to the end. The user can also select a voice-message where you have to recognise one of two words spoken (in English).

 

If you are not using AWS WAF you could, without much change, set up a CloudFront Länk till annan webbplats. distribution (AWS service for content delivery) and add WAF to the distribution.

Let us skip the part of setting up CloudFront (or another supported AWS services) and see how Captcha is configured.


Set up AWS Web ACL

Go to WAF in the AWS-console Länk till annan webbplats. and select “Web ACLs” in the menu. Make sure to select the correct region, or “Global” if you are using a global service like CloudFront.

 

WFA ACL page

WFA ACL page


You press “Create web ACL” and give your ACL a good name, and add an AWS resource (for example CloudFront).

 

AWS WAF how-to

Step 1


Then you need to define a rule for your ACL. This can be a custom rule or a managed rule. Managed rules can be AWS-provided or you can purchase rules from security-vendors. In my case I make a custom rule, and check that the query-string in the request does not matches “mysecretdoor”. This will then trigger an action unless are are accessing via the “secret door”.

 

AWS WAF how-to

Step 2 — Rule


Next is to define the action to perform when the rule is “true”. We select Captcha and for this demo I use 60 seconds as the immunity time (time before captcha is triggered for the user again). 300 sec is the default value.


AWS WAF How-to

Step 2 — Action


You can leave the other value as is if you are just experimenting. Then it is just to hit your webpage(s) to see if it works. You can try hitting this page https://norway-meetup.aws.wslab.no/ Länk till annan webbplats. which is just a simple html-page in an S3-bucket delivered via CloudFront configured as described in this document.


WAF also give you metrics and a list of requests being served.

 

AWS WAF how-to

Dashboard


AWS WAF is priced per WEB ACL, per rule and per request (see pricing Länk till annan webbplats.). On top of that you pay $0.40 per thousand challenge attempts.


To save money it is possible just to send some requests to WAF (path-based) and add Captcha to only some URLs, but that routing is up to the service WAF is hooked into.

 

Conclusion

There are a lot of captcha solutions out there with a lot of different pricing and technical requirements. If you are already using AWS, their solution is really quick to get going and does not require any major changes to your application. The cost depends on the traffic, and of course you need to look at the price related to the value it is to stop spammers and bots. Captchas presented are not to annoying.

Fler inspirerande inlägg du inte får missa