2025-02-10 Hünkar Döner

EKS and AWS WAF Integration: Web Application Security

Security, WAF, EKS, ALB

EKS and AWS WAF Integration

You moved your application to Amazon EKS, but how will you protect it against web attacks? SQL injection, cross-site scripting (XSS), or bot attacks can take your application down and steal your data.

Solution: AWS WAF (Web Application Firewall).

How Does It Work?

Web applications running on EKS are usually behind an Application Load Balancer (ALB). AWS WAF integrates directly with this ALB. Traffic is inspected by WAF before it even reaches your pods.

Installation Steps

1. Create Web ACL

Create a Web ACL (Web Access Control List) in the AWS WAF console. Add "AWS Managed Rules" (ready-made rule groups maintained by Amazon) to it:

  • Core rule set (OWASP Top 10)
  • SQL database (SQLi protection)
  • Linux operating system

2. Ingress Integration

There are two ways to bind WAF to ALB:

  • Manual: select the ALB in the AWS console and associate the Web ACL with it.
  • Automatic (recommended): add an annotation to your Ingress manifest:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/wafv2-acl-arn: arn:aws:wafv2:eu-central-1:123456789012:regional/webacl/my-waf/id...

With this annotation in place, the AWS Load Balancer Controller associates the Web ACL with the ALB as soon as the Ingress is created. This is the best way to manage security as code (SecOps).
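Because the association happens only when the annotation is present and points at a usable Web ACL, a quick pre-deployment check over the Ingress manifests catches the configurations that silently leave an ALB unprotected: a missing annotation, a Web ACL in a different region than the cluster, or a CloudFront-scoped (global) Web ACL, which an ALB cannot use. The following is an added example of such a check; it is not code from the original post or from the AWS Load Balancer Controller, and the manifests, account id and Web ACL ids in it are constructed placeholders.

```python
import re
# Annotation read by the AWS Load Balancer Controller (shown in the post).
WAF_ANNOTATION = "alb.ingress.kubernetes.io/wafv2-acl-arn"

# WAFv2 Web ACL ARN: arn:<partition>:wafv2:<region>:<account>:<scope>/webacl/<name>/<id>
# An ALB can only use a Web ACL whose scope is "regional" and that lives in the ALB's region.
WEB_ACL_ARN = re.compile(
    r"^arn:(?:aws|aws-cn|aws-us-gov):wafv2:(?P<region>[a-z0-9-]+):(?P<account>\d{12})"
    r":(?P<scope>regional|global)/webacl/(?P<name>[^/]+)/(?P<id>[^/]+)$"
)

def check_ingress(ingress, cluster_region):
    """Return the findings for one Ingress manifest (empty list means OK)."""
    meta = ingress.get("metadata", {})
    name = meta.get("name", "<unnamed>")
    arn = (meta.get("annotations") or {}).get(WAF_ANNOTATION)
    if arn is None:
        return [f"{name}: missing {WAF_ANNOTATION}; the ALB will have no Web ACL"]
    m = WEB_ACL_ARN.match(arn)
    if m is None:
        return [f"{name}: annotation value is not a WAFv2 Web ACL ARN: {arn}"]
    findings = []
    if m["scope"] != "regional":
        findings.append(f"{name}: Web ACL scope is '{m['scope']}'; an ALB needs a regional Web ACL")
    if m["region"] != cluster_region:
        findings.append(f"{name}: Web ACL is in {m['region']} but the ALB will be in {cluster_region}")
    return findings

def audit(manifests, cluster_region):
    """Check every Ingress and return {name: findings} for the ones with problems."""
    report = {}
    for ing in manifests:
        if ing.get("kind") == "Ingress":  # only Ingress objects get an ALB from the controller
            findings = check_ingress(ing, cluster_region)
            if findings:
                report[ing["metadata"]["name"]] = findings
    return report

def ingress(name, arn=None):
    """Build a constructed Ingress manifest with only the fields the check reads."""
    return {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
            "metadata": {"name": name, "annotations": {WAF_ANNOTATION: arn} if arn else {}}}
# Constructed sample manifests; the account id and Web ACL id are placeholders.
CLUSTER_REGION = "eu-central-1"
GOOD_ARN = "arn:aws:wafv2:eu-central-1:123456789012:regional/webacl/my-waf/00000000-placeholder"
SAMPLE_MANIFESTS = [
    ingress("shop", GOOD_ARN),
    ingress("admin"),                                                 # annotation forgotten
    ingress("api", GOOD_ARN.replace("eu-central-1", "us-east-1")),    # Web ACL in another region
    ingress("cdn", "arn:aws:wafv2:us-east-1:123456789012:global/webacl/cf-waf/00000000-placeholder"),
]
```

Running `audit(SAMPLE_MANIFESTS, CLUSTER_REGION)` reports "admin", "api" and "cdn" and leaves "shop" out; the same check fits naturally into a CI step or an admission policy before the manifests reach the cluster.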