WAF (Web Application Firewall) is a firewall service to protect web applications from common web exploit attacks.
- It is an OSI Layer 7 firewall.
- It monitors HTTP or HTTPS requests to ELB, CloudFront, or API Gateway.
- Blocked traffic returns HTTP 403 (Forbidden) error status.

Web ACL
- A Web Access Control List (Web ACL) gives you fine-grained control over the web requests.
- A Web ACL can be associated with Amazon CloudFront, Amazon API Gateway, Application Load Balancer, and AWS AppSync resources.

Setting up WAF
WAF can act in 3 ways:
- Allow all requests except the specified ones (blacklist)
- Block all requests except the specified ones (whitelist)
- Count the requests that match the specified conditions
You can specify the following conditions:
- Source IP address
- Country of origin
- Values in request query parameters or headers
- Length of a request
- Presence of SQL code that can be malicious (SQL injection)
- Presence of scripts that can be malicious (cross-site scripting)

Rate-based Rules
AWS WAF supports a new rule type – “rate-based” rules.
- Rate-based rules allow you to configure a rate-based threshold. For example, if the threshold for the rate-based rule is set to 2,000, the rule will block all IPs that have made more than 2,000 requests in the last 5-minute interval.
- You can create a deny-list of IP addresses that exceed the configured threshold rate (configurable in web requests per trailing 5-minute period).
- The rule can be used to protect you from use cases such as web-layer DDoS attacks, brute force login attempts and bad bots.
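
The rate-based behaviour described above, as an added example (not AWS code, and a simplified model rather than the service's implementation): it replays constructed request records and marks which requests a 2,000-per-5-minutes rule would block. The function names, the sample IPs and the choice to keep counting blocked requests are assumptions made for the illustration.

```python
from collections import defaultdict, deque

WINDOW_MS = 5 * 60 * 1000   # trailing 5-minute period from the text
THRESHOLD = 2000            # example threshold from the text


def evaluate(requests, threshold=THRESHOLD, window_ms=WINDOW_MS):
    """Replay (timestamp_ms, ip) pairs in time order.

    Returns (timestamp_ms, ip, action) tuples; "BLOCK" stands for the
    HTTP 403 response. Modelling assumption: blocked requests still count
    toward the rate, so an IP is released only once its rate drops.
    """
    recent = defaultdict(deque)          # ip -> timestamps inside the window
    decisions = []
    for ts, ip in sorted(requests):
        seen = recent[ip]
        while seen and seen[0] <= ts - window_ms:   # age out old requests
            seen.popleft()
        seen.append(ts)
        action = "BLOCK" if len(seen) > threshold else "ALLOW"
        decisions.append((ts, ip, action))
    return decisions


def blocked_counts(decisions):
    """Number of blocked requests per source IP."""
    counts = defaultdict(int)
    for _, ip, action in decisions:
        if action == "BLOCK":
            counts[ip] += 1
    return dict(counts)


def sample_traffic():
    """Constructed traffic; IPs are from the documentation ranges."""
    noisy = [(i * 100, "203.0.113.10") for i in range(2500)]    # 10 req/s
    steady = [(i * 1000, "198.51.100.7") for i in range(600)]   # 1 req/s
    later = [(700_000, "203.0.113.10")]   # same IP after it went quiet
    return noisy + steady + later


if __name__ == "__main__":
    result = evaluate(sample_traffic())
    print(blocked_counts(result))
    print(result[-1])
```

The noisy client is blocked only from its 2,001st request onward and is allowed again once its earlier requests have aged out of the window, while the steady client never exceeds 300 requests in any 5-minute span.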