[AWS] AWS WAF (Web Application Firewall)

AWS WAF (Web Application Firewall) is a managed firewall service that protects web applications from common web exploits.

  • It is an OSI Layer 7 firewall.
  • It monitors HTTP or HTTPS requests to ELB, CloudFront, or API Gateway.
  • Blocked requests receive an HTTP 403 (Forbidden) response.

  • A Web Access Control List (Web ACL) gives you fine-grained control over the web requests.
  • A Web ACL can be associated with Amazon CloudFront, Amazon API Gateway, Application Load Balancer, and AWS AppSync resources.

Setting up WAF

WAF can act in 3 ways:

  • Allow all requests except the specified ones (blacklist)
  • Block all requests except the specified ones (whitelist)
  • Count the requests that match the specified conditions

You can specify the following conditions:

  • Source IP address
  • Country of origin
  • Values in request query parameters or headers
  • Length of a request
  • Presence of SQL code that can be malicious (SQL injection)
  • Presence of script that can be malicious (cross-site scripting, XSS)
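The three modes and the conditions listed above map directly onto an AWS WAFv2 Web ACL definition. The following Python is an added example, not code from the original post: the dictionary it builds follows the shape of the WAFv2 CreateWebACL API (what boto3's `create_web_acl(**acl)` accepts). The IP-set ARN, country codes, header string and body size limit are constructed placeholders.

```python
"""Build an AWS WAFv2 Web ACL definition for the modes and conditions listed above.

Added example, not code from the original post. The dictionary follows the
shape of the WAFv2 CreateWebACL API; placeholder values are marked as such.
"""
from __future__ import annotations

# Constructed placeholders: create the IP set first and use its real ARN here.
IP_SET_ARN = ("arn:aws:wafv2:us-east-1:123456789012:regional/ipset/"
              "example-ips/00000000-0000-0000-0000-000000000000")
COUNTRY_CODES = ["US", "CA"]          # constructed; ISO 3166-1 alpha-2 codes
MAX_BODY_BYTES = 8192                 # constructed limit for the "length of a request" rule


def identity_statements() -> dict[str, dict]:
    """Conditions about WHO sends the request: usable as a deny-list or an allow-list."""
    return {
        "source-ip": {"IPSetReferenceStatement": {"ARN": IP_SET_ARN}},
        "country": {"GeoMatchStatement": {"CountryCodes": COUNTRY_CODES}},
    }


def threat_statements() -> dict[str, dict]:
    """Conditions about WHAT the request contains: only meaningful as Block or Count."""
    return {
        "header-value": {"ByteMatchStatement": {
            "SearchString": b"bad-bot-example",            # constructed User-Agent fragment
            "FieldToMatch": {"SingleHeader": {"Name": "user-agent"}},
            "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
            "PositionalConstraint": "CONTAINS",
        }},
        "request-length": {"SizeConstraintStatement": {
            "FieldToMatch": {"Body": {}},                   # WAF inspects only the first KBs of a body
            "ComparisonOperator": "GT",
            "Size": MAX_BODY_BYTES,
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
        }},
        "sql-injection": {"SqliMatchStatement": {
            "FieldToMatch": {"QueryString": {}},
            "TextTransformations": [{"Priority": 0, "Type": "URL_DECODE"}],
        }},
        "cross-site-scripting": {"XssMatchStatement": {
            "FieldToMatch": {"Body": {}},
            "TextTransformations": [{"Priority": 0, "Type": "HTML_ENTITY_DECODE"}],
        }},
    }


def make_rule(name: str, priority: int, statement: dict, action: str) -> dict:
    """Wrap a statement in a complete rule; every rule needs a unique priority and metrics config."""
    if action not in ("Allow", "Block", "Count"):
        raise ValueError(f"unsupported action {action!r}")
    return {
        "Name": name,
        "Priority": priority,                  # evaluated lowest first; first Allow/Block wins
        "Statement": statement,
        "Action": {action: {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def build_web_acl(name: str, mode: str, scope: str = "REGIONAL") -> dict:
    """Return a Web ACL for one of the three modes: blacklist, whitelist or count.

    blacklist: default Allow, every matching request is Blocked
    whitelist: default Block, only identity matches are Allowed (a threat detector
               can never be an allow condition, so those statements are left out)
    count:     default Allow, matches are only counted, i.e. a dry run of blacklist
    """
    if mode == "blacklist":
        default, action, statements = "Allow", "Block", {**identity_statements(), **threat_statements()}
    elif mode == "whitelist":
        default, action, statements = "Block", "Allow", identity_statements()
    elif mode == "count":
        default, action, statements = "Allow", "Count", {**identity_statements(), **threat_statements()}
    else:
        raise ValueError(f"unknown mode {mode!r}")
    rules = [make_rule(n, prio, stmt, action) for prio, (n, stmt) in enumerate(statements.items())]
    return {
        "Name": name,
        "Scope": scope,                       # "CLOUDFRONT" ACLs must be created in us-east-1
        "DefaultAction": {default: {}},
        "Rules": rules,
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True, "MetricName": name},
    }


def rule_actions(acl: dict) -> dict[str, str]:
    """Summarise an ACL as {rule name: action}, handy for reviewing what a change enforces."""
    return {r["Name"]: next(iter(r["Action"])) for r in acl["Rules"]}


if __name__ == "__main__":
    import json
    acl = build_web_acl("example-acl", "blacklist")
    print(json.dumps(acl, indent=2, default=lambda b: b.decode()))  # bytes shown decoded
```

Rolling a new ACL out in `count` mode first and reading the `MetricName` counters in CloudWatch shows what a rule would have blocked before any 403 is returned to a real user. If the definition is fed to the CLI as `--cli-input-json` instead of boto3, the `SearchString` blob has to be base64-encoded in the JSON file.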

Rate-based Rules

AWS WAF supports a new rule type – “rate-based” rules.

  • Rate-based rules allow you to configure a rate-based threshold. If, for example, the threshold for the rate-based rule is set to 2,000, the rule will block all IPs that have sent more than 2,000 requests in the last 5-minute interval.
  • You can create a deny-list of IP addresses that exceed the configured threshold rate (configured in web requests per trailing 5-minute period).
  • The rule can be used to protect against web-layer DDoS attacks, brute-force login attempts and bad bots.
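The trailing-window semantics above are easy to misread (the count is over the last 5 minutes as of each request, not over fixed 5-minute buckets), so the following added example simulates a rate-based rule locally over a few constructed access-log lines. It is not AWS code: AWS refreshes its counters roughly every 30 seconds and keeps an IP blocked until its rate drops below the threshold, whereas this simulation decides exactly per request. The log lines use documentation IP ranges, and the limit is lowered from the 2,000 in the text to 5 so the trace stays short.

```python
"""Simulate a rate-based rule: per-IP request count over a trailing 5-minute window.

Added example, not AWS code. The log lines are constructed and the limit is
reduced from the 2,000 mentioned in the text to 5 for readability.
"""
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)          # the trailing period a rate-based rule counts over
DEMO_LIMIT = 5                         # 2,000 in the text; lowered here for readability

# Constructed access-log lines: "<UTC timestamp> <client ip> <method> <path>"
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 203.0.113.9 POST /login
2024-01-01T10:00:10Z 203.0.113.9 POST /login
2024-01-01T10:00:15Z 198.51.100.7 GET /
2024-01-01T10:00:20Z 203.0.113.9 POST /login
2024-01-01T10:00:30Z 203.0.113.9 POST /login
2024-01-01T10:00:40Z 203.0.113.9 POST /login
2024-01-01T10:00:45Z 198.51.100.7 GET /about
2024-01-01T10:00:50Z 203.0.113.9 POST /login
2024-01-01T10:06:00Z 203.0.113.9 POST /login
"""


def parse_log(text: str) -> list[tuple[datetime, str]]:
    """Turn the constructed log lines into (timestamp, client_ip) pairs."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, _method, _path = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip))
    return events


def evaluate(events, limit: int = DEMO_LIMIT, action: str = "Block") -> list[tuple[datetime, str, str]]:
    """Return (timestamp, ip, decision) for every request, in time order.

    action="Block" mirrors a rate-based rule whose action is Block;
    action="Count" only labels the requests that would have been blocked,
    which is how a new threshold is normally trialled before enforcing it.
    """
    if action not in ("Block", "Count"):
        raise ValueError(f"unsupported action {action!r}")
    recent: dict[str, deque] = defaultdict(deque)   # per-IP timestamps inside the window
    decisions = []
    for ts, ip in sorted(events):
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > WINDOW:               # forget requests older than 5 minutes
            window.popleft()
        if len(window) > limit:                      # "more than" the threshold, as in the text
            decisions.append((ts, ip, "BLOCK" if action == "Block" else "COUNT"))
        else:
            decisions.append((ts, ip, "ALLOW"))
    return decisions


def offending_ips(decisions) -> set[str]:
    """IPs that crossed the threshold at least once (blocked, or flagged in Count mode)."""
    return {ip for _ts, ip, d in decisions if d != "ALLOW"}


if __name__ == "__main__":
    decisions = evaluate(parse_log(SAMPLE_LOG))
    for ts, ip, decision in decisions:
        print(f"{ts:%H:%M:%S} {ip:<14} {decision}")
    print("over threshold:", offending_ips(decisions))
```

In the trace, 203.0.113.9 is allowed through its first five POSTs, blocked on the sixth at 10:00:50, and allowed again at 10:06:00 once the earlier requests have aged out of the window; 198.51.100.7 is never affected. Running the same events with `action="Count"` produces the identical set of offending IPs without blocking anything, which is the safe way to choose a threshold from real traffic before switching the rule to Block.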
