Scandinavian Environmental SaaS Provider | Environmental Technology (CleanTech)

Deploying AWS WAF via IaC for a Multi-Application SaaS | Case Study | Logicata

Logicata deployed AWS WAF across a Scandinavian environmental SaaS's multi-application estate using Terraform, codifying rule sets across workloads.

Terraform IaC Deployment
Multi-application Coverage

Executive Summary

A Scandinavian environmental SaaS company had a clear mandate from their parent company to deploy a web application firewall, but their existing Classic Load Balancers were incompatible with AWS WAFv2. Logicata designed and deployed AWS WAF v2 via CloudFormation, migrated four Elastic Beanstalk environments from CLB to ALB, and taught the development team a CDK integration pattern so they could self-associate new applications with the WAF without external support. The whole engagement took around nine days.

Customer Overview

Sector: Environmental Technology (CleanTech)

Location: Scandinavia

The customer operates environmental reporting SaaS applications for the Oil & Gas industry, running multiple services on AWS Elastic Beanstalk across development and production accounts. Their development team uses AWS CDK for application infrastructure. They had a clear WAF mandate but no WAF in place.

The Challenge

The mandate was clear, but the execution had several obstacles:

  • No WAF protection. Public-facing applications had no web application firewall, despite handling sensitive environmental compliance data.
  • Classic Load Balancers. Existing Elastic Beanstalk environments used CLBs, which are not compatible with AWS WAFv2.
  • Multiple applications. WAF needed to protect multiple endpoints across ALBs, CloudFront distributions, and API Gateways.
  • Developer self-service needed. The team wanted to associate new applications with the WAF without requesting external help every time.
  • Compliance pressure. Parent company and CTO had mandated WAF implementation.
  • Short-lived environments. Development Elastic Beanstalk environments are created and destroyed frequently. Anything that required manual WAF wiring per environment would not scale.

The Solution

Logicata designed and delivered a WAF deployment that integrated cleanly with the customer’s existing CDK workflows:

  1. AWS WAF v2 deployed via CloudFormation in the development account. WAF ARN stored in SSM Parameter Store so it could be referenced without hardcoding. WAF lifecycle independent of the customer’s CDK applications.
  2. AWS Managed Rules proposed and configured: Core Rule Set, Known Bad Inputs, IP Reputation.
  3. CDK integration pattern taught to the development team. Each application’s CDK stack now declares an AWS::WAFv2::WebACLAssociation resource, pulling the WAF ARN from SSM Parameter Store to associate the web ACL with its ALB. Self-service WAF coverage without any out-of-band steps.
  4. Elastic Beanstalk migration. Four environments migrated from Classic Load Balancers to Application Load Balancers (a prerequisite for WAFv2 attachment).
  5. CloudWatch Logs configured for WAF logging, with CloudWatch Logs Insights queries demonstrated for analysing blocked requests and rule effectiveness.
  6. Production rollout. Once validated in development, the same pattern was deployed to production.
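
The two halves of the pattern in steps 1 to 3, written as plain CloudFormation. This is an added example, not Logicata's or the customer's templates; the resource names, the parameter path `/security/waf/regional-web-acl-arn` and the `LoadBalancerArn` input are assumptions.

```yaml
# Template 1: shared WAF stack (added example; all names are assumptions)
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  WebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: shared-regional-waf
      Scope: REGIONAL  # ALB/API Gateway; CloudFront needs a CLOUDFRONT-scope ACL in us-east-1
      DefaultAction: { Allow: {} }  # allow by default, the managed groups do the blocking
      VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: shared-regional-waf }
      Rules:
        - Name: CoreRuleSet
          Priority: 0
          OverrideAction: { None: {} }  # keep the rule group's own actions
          Statement:
            ManagedRuleGroupStatement: { VendorName: AWS, Name: AWSManagedRulesCommonRuleSet }
          VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: CoreRuleSet }
        - Name: KnownBadInputs
          Priority: 1
          OverrideAction: { None: {} }
          Statement:
            ManagedRuleGroupStatement: { VendorName: AWS, Name: AWSManagedRulesKnownBadInputsRuleSet }
          VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: KnownBadInputs }
        - Name: IpReputation
          Priority: 2
          OverrideAction: { None: {} }
          Statement:
            ManagedRuleGroupStatement: { VendorName: AWS, Name: AWSManagedRulesAmazonIpReputationList }
          VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: IpReputation }
  WebACLArnParameter:
    Type: AWS::SSM::Parameter
    Properties:
      Name: /security/waf/regional-web-acl-arn  # the only contract between the two stacks
      Type: String
      Value: !GetAtt WebACL.Arn
---
# Template 2 (separate file): the association an application stack declares for its own ALB
Parameters:
  WebACLArn:
    Type: AWS::SSM::Parameter::Value<String>  # resolved from Parameter Store at deploy time
    Default: /security/waf/regional-web-acl-arn
  LoadBalancerArn:
    Type: String  # ARN of this application's ALB (hypothetical input)
Resources:
  WafAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref LoadBalancerArn
      WebACLArn: !Ref WebACLArn
```

Deleting the application stack removes only the association, so a short-lived environment leaves no orphaned WAF configuration behind.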

Why a decoupled WAF lifecycle

Building WAF management as a standalone stack with the ARN stored in Parameter Store means the security team can update managed rules or logging configuration without touching application stacks. Applications can attach themselves at deploy time, regardless of how short-lived they are. The two concerns move at their own pace, which is what self-service actually requires.
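
A logging change of the kind this paragraph describes, sketched as a security-owned CloudFormation template that never touches an application stack. It is an added example, not the templates used in the engagement; the parameter path, log group name, retention period, redacted headers and saved query are all assumptions.

```yaml
# Added example: WAF logging stack. Names, retention and query are assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  WebACLArn:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /security/waf/regional-web-acl-arn  # hypothetical parameter path
Resources:
  WafLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: aws-waf-logs-shared-regional  # WAF requires the "aws-waf-logs-" prefix
      RetentionInDays: 90
  WafLogging:
    Type: AWS::WAFv2::LoggingConfiguration
    Properties:
      ResourceArn: !Ref WebACLArn
      LogDestinationConfigs:
        # Built by hand: WAF expects the log group ARN without the trailing ":*"
        # that !GetAtt WafLogGroup.Arn returns.
        - !Sub arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:${WafLogGroup}
      RedactedFields:  # keep credentials out of the log stream
        - SingleHeader: { Name: authorization }
        - SingleHeader: { Name: cookie }
  BlockedByRuleQuery:
    Type: AWS::Logs::QueryDefinition  # saved Logs Insights query for blocked requests
    Properties:
      Name: waf/blocked-requests-by-rule
      LogGroupNames:
        - !Ref WafLogGroup
      QueryString: |
        filter action = "BLOCK"
        | stats count(*) as blocked by terminatingRuleId, httpRequest.uri
        | sort blocked desc
        | limit 25
```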

Results

  • Multiple applications protected. Elastic Beanstalk apps, CloudFront distributions, and API Gateway endpoints all covered.
  • Four environments migrated from CLB to ALB as part of the rollout.
  • Developer self-service. CDK integration pattern means new applications associate themselves with the WAF during their normal deployment lifecycle.
  • Logging in place. WAF logs flow into CloudWatch with Logs Insights queries ready for analysis.
  • Around nine days total build time (WAF deployment plus CLB-to-ALB migration).
  • Compliance mandate satisfied. Parent company WAF requirement complete.

AWS Services Used

  • AWS WAF v2
  • AWS CloudFormation
  • AWS Systems Manager (Parameter Store)
  • Amazon CloudWatch Logs
  • Amazon CloudWatch Logs Insights
  • Elastic Load Balancing (ALB)
  • Amazon Elastic Beanstalk
  • Amazon CloudFront
  • Amazon API Gateway

About Logicata

Logicata is an AWS Advanced Partner holding the AWS Cloud Operations Management Competency, validated through an independent third-party audit. Logicata helps organisations build and operate secure, well-governed cloud platforms on AWS, enabling customers to reduce operational risk, meet assurance expectations, and scale with confidence.
