This topic outlines the process for deploying an AWS Web Application Firewall (WAF) to protect LabKey instances from DDoS (Distributed Denial of Service) and other malicious attacks.


Public facing LabKey instances are subject to “internet background radiation” by nefarious miscreants who seek to comprise systems to gain access to protected data. Typically motivated by financial extortion, these individuals use DDoS and bot networks to attack victims. Fortunately there are some easy and low cost tools to protect against many attacks. This document describes how to deploy an AWS Web Application Firewall (WAF) to protect against the OWASP top 10 vulnerabilities and many malicious bot networks.

Review the AWS documentation here:

A tutorial for learning how is available here:


  • LabKey Instance Deployed in AWS on EC2
  • Configured Elastic Load Balancer with target group routing to LabKey EC2 Instance
  • Required AWS Permissions to use CloudFormation, WAF, IAM Policies, S3, Lambda, etc.


Many LabKey core features require uploading and downloading of files. These types of activities are difficult to distinguish from malicious activities as the methods used to upload malicious code is indistinguishable from normal workflows. To address possible false positives, clients have the following options:

  • Create an "Allow list" of specific IP addresses or IP Address ranges of users originating from within the clients network. (e.g. allow the Public NAT gateway of the client’s network).
  • If this explicit listing is not feasible due to expectation of random user IP addresses from various internet locations; consider setting the XSS rule to count vs block. (See information below). While this may reduce the effectiveness of the WAF to protect against XSS attacks, clients still gain the benefit of other WAF features which block known malicious attacker source IP’s.



Deployment Steps

Follow the AWS Tutorial for detailed steps to deploy the WAF using the CloudFormation Template: High level steps:
  1. Deploy the WAF in the same region as your LabKey Instance.
  2. Configure the WAF to protect your Elastic Load Balancer.
  3. Optional: Configure IP Address "Allow lists".
  4. Login to AWS and go to the WAF Console.
  5. From the WAF Console, choose WebACL’s.
  6. In the WebACL Conditions, choose IP Addresses.
  7. Locate the "Allow List" rule and edit it to include the IP addresses or address ranges you wish to allow.
  8. Test.

Optional: Configuring XSS Rule from Block to Count

Edit the WebACL following the steps below:

  1. Login to AWS and go to the WAF Console.
  2. From the WAF Console, choose WebACL’s.
  3. Click the WAF Name in the WebACL’s list. In the resulting dialog that opens, click the Rules tab to see the list of the ACL rules.
  4. Click the Edit web ACL button.
  5. For the XSS Rule, change the rule from "Block" to "Count".
  6. Click Update to save changes.
  7. Test.

Related Topics


Was this content helpful?

Log in or register an account to provide feedback

expand all collapse all