[AWS] AWS WAF (Web Application Firewall)

WAF (Web Application Firewall) is a firewall service that protects web applications from common web exploits such as SQL injection or cross-site scripting. You can set up rules to filter out malicious traffic.


  • It is an OSI Layer 7 firewall.
  • It monitors HTTP or HTTPS requests to ELB, CloudFront, or API Gateway.
    • AWS WAF needs to be configured for a specific region if used with ALB or API Gateway, but if used with CloudFront it is configured globally.
  • Blocked traffic returns HTTP 403 (Forbidden) error status.
  • Get real-time metrics and alarms through CloudWatch.

Use Cases

  • Throttle the number of API calls (limit traffic) using rate-based rules
  • Block users – If users generate too many 4xx errors, block traffic from those IPs.
  • Receive notifications about unusual traffic

WAF Building Blocks

  • Condition: IP, string, or geo matches; size constraints; SQL injection match; Cross-site scripting match
  • Rule: a group of conditions
  • Web ACL: a group of rules


  • A Web Access Control List (Web ACL) gives you fine-grained control over the web requests.
  • A Web ACL can be associated with Amazon CloudFront, Amazon API Gateway, Application Load Balancer, and AWS AppSync resources.
  • You can re-use a Web ACL across multiple CloudFront distributions to help reduce costs.


  • You can send Web ACL logs to
    • CloudWatch Logs
    • Amazon S3
    • Kinesis Data Firehose

Setting up WAF

You can write your own rules or use Managed Rules, preconfigured rule sets maintained by AWS or AWS Marketplace sellers.

WAF can act in 3 ways:

  • Allow all requests except the specified ones (blacklist)
  • Block all requests except the specified ones (whitelist)
  • Count the requests that match the specified conditions

You can specify the following conditions:

  • Source IP address
  • Country of origin
  • Values in request query parameters or headers
  • Length of a request
  • Presence of SQL code that can be malicious (SQL injection)
  • Presence of script that can be malicious (cross-site scripting)

Rate-based Rules

AWS WAF supports a new rule type – “rate-based” rules.

  • Rate-based rules allow you to configure a rate-based threshold.
    • If, for example, the threshold for the rate-based rule is set to 2,000, the rule blocks every IP that has sent more than 2,000 requests in the last 5-minute interval.
  • You can create a deny-list of IP addresses that exceed the configured threshold rate (configurable in web requests per trailing 5-minute period).
  • The rule can be used to protect against web-layer DDoS attacks, brute-force login attempts and bad bots.

You can retrieve the blocked IPs like this:

# CloudFront
aws wafv2 get-rate-based-statement-managed-keys --scope=CLOUDFRONT --region=us-east-1 --web-acl-name=WebACLName --web-acl-id=WebACLId --rule-name=RuleName

# Amazon API Gateway REST API, an Application Load Balancer, an AWS AppSync GraphQL API, or an Amazon Cognito user pool
aws wafv2 get-rate-based-statement-managed-keys --scope=REGIONAL --region=region --web-acl-name=WebACLName --web-acl-id=WebACLId --rule-name=RuleName

IP sets

You can block traffic from a range of source IPs.

  • Create an IP set
  • Create a rule based on the IP set
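
As an added illustration (not code from the original post), the following Python builds the WAFv2 API payload for a blacklist-style Web ACL that combines a rate-based rule with an IP set rule, and turns the JSON returned by get-rate-based-statement-managed-keys into a validated CIDR list that can be fed into an IP set. The ARN, rule names and the sample addresses are constructed placeholders.

```python
import ipaddress
import json

# Constructed placeholder values (not from the page); substitute your own.
IP_SET_ARN = "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/blocked-sources/EXAMPLE-ID"

def visibility(name):
    # Emit CloudWatch metrics and sampled requests so blocks show up in monitoring.
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": name}

def rate_based_rule(name, limit, priority, block=True):
    # Block (or, with block=False, only count) every source IP that exceeds
    # `limit` requests in the trailing 5-minute window.
    if not 100 <= limit <= 2_000_000_000:  # Limit bounds accepted by WAFv2
        raise ValueError(f"rate limit {limit} outside WAFv2 range")
    return {"Name": name, "Priority": priority,
            "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
            "Action": {"Block": {}} if block else {"Count": {}},
            "VisibilityConfig": visibility(name)}

def ip_set_rule(name, ip_set_arn, priority):
    # Block every request whose source IP is in the referenced IP set.
    return {"Name": name, "Priority": priority,
            "Statement": {"IPSetReferenceStatement": {"ARN": ip_set_arn}},
            "Action": {"Block": {}}, "VisibilityConfig": visibility(name)}

def web_acl(name, scope, rules):
    # Blacklist-style ACL: allow by default, block only what the rules match.
    # scope is CLOUDFRONT or REGIONAL (ALB, API Gateway, AppSync, Cognito).
    priorities = [r["Priority"] for r in rules]
    if len(set(priorities)) != len(priorities):
        raise ValueError("rule priorities must be unique")
    return {"Name": name, "Scope": scope, "DefaultAction": {"Allow": {}},
            "Rules": sorted(rules, key=lambda r: r["Priority"]),
            "VisibilityConfig": visibility(name)}

def blocked_addresses(managed_keys):
    # Flatten the JSON from `aws wafv2 get-rate-based-statement-managed-keys`
    # into a validated CIDR list (IPv4 and IPv6) ready for an IP set update.
    addrs = []
    for key in ("ManagedKeysIPV4", "ManagedKeysIPV6"):
        addrs += managed_keys.get(key, {}).get("Addresses", [])
    return [str(ipaddress.ip_network(a, strict=False)) for a in addrs]

if __name__ == "__main__":
    acl = web_acl("app-acl", "REGIONAL", [
        ip_set_rule("block-known-bad", IP_SET_ARN, 0),
        rate_based_rule("rate-limit-2000", 2000, 1),
    ])
    print(json.dumps(acl, indent=2))  # usable with: aws wafv2 create-web-acl --cli-input-json file://acl.json
```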
