AWS WAF
Web application firewall to protect against common web exploits
WAF is like a bouncer at a nightclub who checks everyone at the door. Some people are on the VIP list (allowed), some are known troublemakers (blocked), and some need extra screening (rate limited). WAF protects your web applications from common attacks like SQL injection (hackers trying to mess with your database), cross-site scripting (XSS), and bots scraping your site. You define rules: block requests from certain countries, block requests with suspicious patterns, or rate-limit requests from a single IP. WAF sits in front of your application (CloudFront, ALB, API Gateway) and filters bad traffic before it reaches your servers.
WAF inspects HTTP/HTTPS requests and applies rules to allow, block, or count requests. You create Web ACLs (access control lists) containing rules. Rules can match on IP addresses, HTTP headers, URI strings, SQL injection patterns, XSS patterns, geo-location, and rate limits. WAF supports managed rule groups (AWS and third-party pre-configured rules) and custom rules.
Key Capabilities
- Inspects HTTP/HTTPS requests to CloudFront, ALB, API Gateway, AppSync, and Cognito using rules you define in a web ACL
- Rule types include IP sets, geo-match conditions, rate-based limits, SQL injection detection, XSS detection, and request size constraints
- AWS Managed Rules provide pre-built, no-configuration protections covering OWASP Top 10, known malicious IPs, and specific CVEs
- Bot Control distinguishes human traffic from bots and lets you allow, block, or challenge specific bot categories
- Fraud Control add-ons detect account takeover and fraudulent account creation attempts
- CAPTCHA and Challenge actions verify human users; rules are evaluated in priority order and can be tested in Count mode before switching to Block
Gotchas & Constraints
- Gotcha #1: WAF is charged per Web ACL, per rule, and per million requests; costs add up quickly with complex rule sets.
- Gotcha #2: WAF evaluates rules in priority order (lowest priority number first); put cheap, decisive rules such as rate limits and IP/geo blocks ahead of the expensive managed rule groups for efficiency.
- Constraints: maximum 1,500 WCUs (Web ACL Capacity Units) per Web ACL, and rule evaluation adds latency (typically <1ms).
An e-commerce site suffers from bot attacks: scrapers stealing product data and credential-stuffing attacks that try stolen passwords. They deploy AWS WAF in front of their ALB. They enable the AWS Managed Rules Core Rule Set (blocks common exploits such as SQL injection and XSS) and Known Bad Inputs (blocks known malicious request patterns). For bot protection, they enable the Bot Control managed rule group, which identifies and blocks automated traffic while allowing verified bots (Google, Bing). They create a rate-based rule: block IPs making more than 2,000 requests in any 5-minute window, which blunts application-layer DDoS floods. For geo-blocking, they block requests from countries where they don't do business. WAF logs all blocked requests to S3 for analysis. During a DDoS attack, WAF blocks 10 million malicious requests, preventing the attack from reaching the application.
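The scenario above, and the priority-order and WCU gotchas, expressed as the rule dictionaries that boto3's `wafv2.create_web_acl()` accepts. This is an added example, not code from the page or from AWS; the per-rule WCU figures are assumptions to be confirmed with `wafv2.check_capacity()`, the country codes are constructed placeholders, and the `enforce` flag is a hypothetical switch that starts every rule in Count mode and flips it to Block once the logs look clean.

```python
from __future__ import annotations

# Assumed WCU estimates; confirm with wafv2.check_capacity() before deploying.
ESTIMATED_WCU = {"AWSManagedRulesCommonRuleSet": 700, "AWSManagedRulesKnownBadInputsRuleSet": 200,
                 "AWSManagedRulesBotControlRuleSet": 50, "rate-limit-per-ip": 2, "geo-block": 1}
WCU_CAP = 1500  # per-Web-ACL limit quoted on this page

def _visibility(name: str) -> dict:
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": name}

def managed_group(priority: int, name: str, enforce: bool) -> dict:
    """Reference an AWS managed rule group. OverrideAction Count (enforce=False)
    only logs matches, so the group can be tested before it blocks traffic."""
    return {"Name": name, "Priority": priority,
            "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": name}},
            "OverrideAction": {"None": {}} if enforce else {"Count": {}},
            "VisibilityConfig": _visibility(name)}

def build_rules(enforce: bool) -> list[dict]:
    """Rules in priority order: cheap, decisive rules first, managed groups last."""
    action = {"Block": {}} if enforce else {"Count": {}}
    return [
        {"Name": "rate-limit-per-ip", "Priority": 0,  # >2,000 requests per IP in 5 minutes
         "Statement": {"RateBasedStatement": {"Limit": 2000, "AggregateKeyType": "IP",
                                              "EvaluationWindowSec": 300}},
         "Action": action, "VisibilityConfig": _visibility("rate-limit-per-ip")},
        {"Name": "geo-block", "Priority": 1,  # "XX"/"YY" are constructed placeholder codes
         "Statement": {"GeoMatchStatement": {"CountryCodes": ["XX", "YY"]}},
         "Action": action, "VisibilityConfig": _visibility("geo-block")},
        managed_group(2, "AWSManagedRulesCommonRuleSet", enforce),
        managed_group(3, "AWSManagedRulesKnownBadInputsRuleSet", enforce),
        managed_group(4, "AWSManagedRulesBotControlRuleSet", enforce),
    ]

def validate_rules(rules: list[dict]) -> tuple[bool, int]:
    """Priorities must be unique and ascending, and the estimated WCU total must
    fit under the Web ACL cap. Returns (ok, estimated_wcu)."""
    priorities = [r["Priority"] for r in rules]
    ordered = priorities == sorted(set(priorities))
    total = sum(ESTIMATED_WCU[r["Name"]] for r in rules)
    return ordered and total <= WCU_CAP, total

if __name__ == "__main__":
    import boto3  # needed only to deploy; everything above runs offline
    rules = build_rules(enforce=False)  # stage in Count mode, redeploy with enforce=True later
    ok, wcu = validate_rules(rules)
    assert ok, f"rule set invalid (estimated {wcu} WCU)"
    wafv2 = boto3.client("wafv2", region_name="us-east-1")
    wafv2.create_web_acl(Name="shop-web-acl", Scope="REGIONAL",  # REGIONAL scope for an ALB
                         DefaultAction={"Allow": {}}, Rules=rules,
                         VisibilityConfig=_visibility("shop-web-acl"))
```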
The Result
95% reduction in bot traffic, protection against common exploits, and improved site performance.