AWS Web Application Firewall (AWS WAF)

AWS Web Application Firewall (AWS WAF) Overview

  • Definition: AWS WAF is a managed web application firewall that protects web applications and APIs from common web exploits, bots, and DDoS attacks by filtering HTTP/HTTPS traffic at the application layer (Layer 7).
  • Key Features:
    • Creates customizable rules and web access control lists (web ACLs) to allow, block, or monitor requests based on conditions like IP addresses, headers, or payloads.
    • Protects against SQL injection, cross-site scripting (XSS), malicious bots, and Layer 7 DDoS attacks.
    • Integrates with CloudFront, ALB, API Gateway, and AppSync for global and Regional protection.
    • Offers managed rules, bot control, real-time monitoring via CloudWatch, and logging for analytics.
  • Use Cases: Secure public websites, protect APIs from abuse, block malicious IPs, prevent bot-driven fraud, mitigate application-layer DDoS.
  • Key Updates (2024–2025):
    • Enhanced Bot Protection: Advanced CAPTCHA and challenge controls for bot detection (October 2024).
    • Improved Logging and Metrics: Real-time visibility with CloudWatch and WAF logs (March 2024).
    • Integration with AWS Firewall Manager: Simplified multi-account and multi-resource management (January 2025).
    • FIPS 140-2 Compliance: Enhanced for AWS GovCloud (October 2024).

1. WAF Core Concepts

Components

  • Web Access Control List (Web ACL):
    • A collection of rules that define how to inspect and handle incoming web requests.
    • Associated with AWS resources like CloudFront (global), ALB, API Gateway, or AppSync (Regional).
    • Configurable capacity units (WCUs) limit rule complexity (default 1,500 WCUs).
    • Explanation: E.g., a web ACL for CloudFront blocks requests from a specific IP range.
  • Rules:
    • Define conditions to match requests (e.g., IP, headers, URI, SQL injection, XSS) and actions to take (allow, block, count, CAPTCHA).
    • Types:
      • Custom Rules: User-defined conditions and actions.
      • Managed Rules: Pre-configured by AWS or partners (e.g., OWASP Top 10, bot protection).
    • Prioritized evaluation (lower priority number evaluated first).
    • Explanation: E.g., a rule blocks requests containing “ in form submissions.
  • Layer 7 DDoS:
    • Rate-based rules mitigate HTTP floods and brute-force attacks.
    • Explanation: E.g., block IPs sending >2,000 requests/5 minutes.
  • Bot Mitigation:
    • Managed bot control rules detect crawlers, scanners, and fraud bots.
    • Explanation: E.g., block automated checkout bots on an e-commerce site.
  • Exam Tip: Combine rate-based rules and bot control for DDoS protection.
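The components above as one concrete web ACL: a managed rule group at priority 0 (OWASP-style SQLi/XSS coverage, taking an OverrideAction) and a custom rate-based rule at priority 1 that blocks a source IP after 2,000 requests in the 5-minute window, with a Count switch for trying the rule before it blocks. This is an added example using the boto3 wafv2 request shapes, not code from the notes; the ACL and rule names and the us-east-1 default are assumptions.

```python
def visibility(metric_name):
    """Every rule, and the web ACL itself, must declare CloudWatch metrics."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}


def build_rules(rate_limit=2000, count_only=False):
    """Return the rule list in evaluation order (lower Priority is evaluated first).

    Priority 0: AWS managed Common Rule Set (the OWASP-style SQLi/XSS coverage).
                Managed rule groups take an OverrideAction, not an Action.
    Priority 1: custom rate-based rule that blocks any source IP exceeding
                `rate_limit` requests within the 5-minute evaluation window.
    count_only=True turns the rate rule into Count so it can be watched in
    CloudWatch against real traffic before it is allowed to block.
    """
    return [
        {"Name": "AWSManagedRulesCommonRuleSet", "Priority": 0,
         "Statement": {"ManagedRuleGroupStatement": {
             "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}},
         "OverrideAction": {"None": {}},
         "VisibilityConfig": visibility("CommonRuleSet")},
        {"Name": "RateLimitPerIp", "Priority": 1,  # assumed rule name
         "Statement": {"RateBasedStatement": {
             "Limit": rate_limit, "AggregateKeyType": "IP"}},
         "Action": {"Count": {}} if count_only else {"Block": {}},
         "VisibilityConfig": visibility("RateLimitPerIp")},
    ]


def create_web_acl(name, scope="REGIONAL", region="us-east-1", **rule_kwargs):
    """Create the web ACL with a default Allow action; only the rules block.
    Scope CLOUDFRONT (global) must be created with region us-east-1."""
    import boto3  # imported here so build_rules stays importable offline

    client = boto3.client("wafv2", region_name=region)
    return client.create_web_acl(
        Name=name, Scope=scope, DefaultAction={"Allow": {}},
        Rules=build_rules(**rule_kwargs), VisibilityConfig=visibility(name))
```

Call `create_web_acl("exam-web-acl", count_only=True)` first, watch the rate rule's CountedRequests metric, then recreate or update it with `count_only=False` once the limit is known to fit legitimate traffic.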

Encryption

  • In Transit:
    • WAF processes HTTPS traffic; integrates with services using TLS.
    • Explanation: E.g., WAF protects CloudFront HTTPS distribution.
  • At Rest:
    • WAF logs encrypted in S3 with KMS keys.
    • Explanation: E.g., use KMS to encrypt WAF logs in S3 bucket.
  • Exam Tip: Ensure HTTPS and KMS for compliance.

Compliance

  • Certifications: HIPAA, PCI, SOC, ISO, GDPR, FIPS 140-2 (GovCloud).
  • Explanation: E.g., deploy WAF for PCI-compliant web application.

Key Notes:

  • Security: Rules + bot control + encryption + IAM = robust web protection.
  • Exam Tip: Configure WAF for SQL injection, XSS, and bot mitigation.

5. WAF Cost Optimization

Cost efficiency is a key exam domain.

Pricing

  • Web ACL: $5.00/month (prorated).
  • Rule: $1.00/month per rule (prorated).
  • Requests: $0.60/million requests.
  • Bot Control: Additional $10.00/month per web ACL.
  • Logging: S3 storage or Kinesis Data Firehose costs apply.
  • Example:
    • 1 web ACL, 10 rules, 10 million requests, bot control:
      • Web ACL: $5.00.
      • Rules: 10 × $1.00 = $10.00.
      • Requests: 10M × $0.60/1M = $6.00.
      • Bot Control: $10.00.
      • Total: $31.00/month.
    • Add logging to S3: ~$0.23/GB (standard storage).
  • Free Tier: None.

Cost Strategies

  • Use Managed Rules:
    • AWS or Marketplace managed rules reduce custom rule costs.
    • Explanation: E.g., use AWS Managed OWASP rules to save $5/month on 5 custom rules.
  • Optimize Rules:
    • Combine conditions into fewer rules to reduce WCU and costs.
    • Explanation: E.g., merge IP and geo-match into one rule.
  • Limit Requests with Rate-Based Rules:
    • Block excessive requests to reduce request charges.
    • Explanation: E.g., block IPs exceeding 1,000 requests/minute to save $0.60/million.
  • Selective Bot Control:
    • Enable bot control only for high-risk resources (e.g., login pages).
    • Explanation: E.g., skip bot control on static content to save $10/month.
  • Minimize Logging:
    • Log only blocked or critical requests to reduce S3/Kinesis costs.
    • Explanation: E.g., log only blocked requests to save $0.10/GB.
  • Tagging:
    • Use cost allocation tags to track WAF costs.
    • Explanation: E.g., tag web ACL with “Project:WebApp”.
  • Monitor Usage:
    • Use CloudWatch to optimize rule and request costs.
    • Explanation: E.g., remove an unused rule if its BlockedRequests metric stays at 0.

Key Notes:

  • Cost Savings: Managed rules + optimized rules + selective logging = lower costs.
  • Exam Tip: Calculate costs for web ACLs, rules, requests, and bot control.

6. WAF Advanced Features

Enhanced Bot Control:

  • Purpose: Block sophisticated bots.
  • Features:
    • Advanced CAPTCHA and silent challenges (e.g., JavaScript, browser fingerprinting) (new 2024).
    • Detects crawlers, scanners, and fraud bots.
  • Explanation: E.g., block checkout bots with CAPTCHA on e-commerce site.
  • Exam Tip: Know bot control for fraud prevention.

Managed Rules:

  • Purpose: Simplify configuration.
  • Features:
    • Pre-configured rule groups for OWASP Top 10, IP reputation, bot protection, and fraud prevention.
    • Provided by AWS, F5, Fortinet, and others via AWS Marketplace.
  • Explanation: E.g., deploy AWS Managed Rules for OWASP in 5 minutes.
  • Exam Tip: Use managed rules for rapid deployment.

AWS Firewall Manager Integration:

  • Purpose: Centralized management.
  • Features:
    • Manages WAF rules across multiple accounts, Regions, and resources (new 2025).
    • Enforces consistent policies via AWS Organizations.
  • Explanation: E.g., apply OWASP rules to 10 CloudFront distributions.
  • Exam Tip: Know Firewall Manager for enterprise scenarios.

Real-Time Monitoring:

  • Purpose: Immediate threat visibility.
  • Features:
    • Enhanced CloudWatch metrics (AllowedRequests, BlockedRequests) (new 2024).
    • WAF logs for detailed request analysis.
  • Explanation: E.g., monitor BlockedRequests in real time with a CloudWatch dashboard.
  • Exam Tip: Use CloudWatch and logs for troubleshooting.

Integration with GuardDuty:

  • Purpose: Automated threat response.
  • Features:
    • GuardDuty findings trigger WAF rule updates via EventBridge and Lambda (new 2024).
  • Explanation: E.g., Lambda adds malicious IP to WAF IP set after GuardDuty alert.
  • Exam Tip: Know WAF-GuardDuty integration for automation.
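The GuardDuty-to-WAF automation described above, as an added example (not code from the notes): a Lambda handler invoked by an EventBridge rule on GuardDuty findings that extracts the remote IPs from the finding and appends them as /32 entries to a WAF IP set referenced by a Block rule. The IP_SET_NAME, IP_SET_ID, IP_SET_SCOPE and MIN_SEVERITY environment variables are assumptions; the finding layout under detail.service.action is GuardDuty's.

```python
import ipaddress
import os

# RFC 1918 ranges: a finding whose "remote" side is internal is not added to the block list.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_SEVERITY = float(os.environ.get("MIN_SEVERITY", "7"))  # assumed env var: high findings only


def extract_remote_ips(event):
    """Collect remote IPv4 addresses from a GuardDuty finding as delivered by
    EventBridge; the network evidence lives under detail.service.action."""
    action = event.get("detail", {}).get("service", {}).get("action", {})
    details = [action[k].get("remoteIpDetails", {})
               for k in ("networkConnectionAction", "awsApiCallAction") if k in action]
    details += [p.get("remoteIpDetails", {})
                for p in action.get("portProbeAction", {}).get("portProbeDetails", [])]
    ips = []
    for d in details:
        ip = d.get("ipAddressV4")
        if ip and ip not in ips and not any(ipaddress.ip_address(ip) in n for n in RFC1918):
            ips.append(ip)
    return ips


def merge_addresses(existing, new_ips):
    """Return the IP set's CIDR list with each new IP appended as /32, without duplicates."""
    merged = list(existing)
    for ip in new_ips:
        if f"{ip}/32" not in merged:
            merged.append(f"{ip}/32")
    return merged


def lambda_handler(event, context):
    """Add the finding's attacker IPs to the WAF IP set that a Block rule references.
    update_ip_set requires the LockToken returned by get_ip_set (optimistic locking);
    on WAFOptimisticLockException let Lambda retry instead of overwriting another writer."""
    import boto3  # imported here so the pure helpers above stay testable offline
    severity = event.get("detail", {}).get("severity", 0)
    ips = extract_remote_ips(event) if severity >= MIN_SEVERITY else []
    if not ips:
        return {"added": []}
    waf = boto3.client("wafv2")
    ref = {"Name": os.environ["IP_SET_NAME"], "Id": os.environ["IP_SET_ID"],  # assumed env vars
           "Scope": os.environ.get("IP_SET_SCOPE", "REGIONAL")}
    current = waf.get_ip_set(**ref)
    addresses = merge_addresses(current["IPSet"]["Addresses"], ips)
    waf.update_ip_set(Addresses=addresses, LockToken=current["LockToken"], **ref)
    return {"added": addresses[len(current["IPSet"]["Addresses"]):]}
```

An IP set has a capacity limit, so a companion job that expires old entries (for example by storing the block time in a DynamoDB table) keeps the list from filling with stale addresses.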

Key Notes:

  • Flexibility: Bot control + managed rules + Firewall Manager = advanced protection.
  • Exam Tip: Know bot control, Firewall Manager, and GuardDuty integration for modern apps.

7. WAF Use Cases

Understand practical applications.

Public Website Protection

  • Setup: WAF on CloudFront with OWASP managed rules.
  • Features: Blocks SQL injection, XSS, and malicious payloads.
  • Explanation: E.g., protect e-commerce site from XSS attacks.

API Security

  • Setup: WAF on API Gateway with rate-based rules.
  • Features: Limits abusive requests, blocks bots.
  • Explanation: E.g., block IPs sending >1,000 API calls/minute.

Bot Mitigation

  • Setup: WAF bot control on ALB for login pages.
  • Features: Uses CAPTCHA to block credential stuffing.
  • Explanation: E.g., prevent bot-driven account takeovers.

Multi-Account Management

  • Setup: WAF with Firewall Manager for 10 accounts.
  • Features: Centralized rule enforcement.
  • Explanation: E.g., apply IP reputation rules across all accounts.

8. WAF vs. Other Security Services

| Feature     | AWS WAF                       | AWS Shield                              | Network Firewall             |
|-------------|-------------------------------|-----------------------------------------|------------------------------|
| Type        | Web Application Firewall      | DDoS Protection                         | Network Firewall             |
| Layer       | Application (Layer 7)         | Network/Transport/Application           | Network (Layers 3/4)         |
| Protection  | SQL injection, XSS, bots      | DDoS (SYN, UDP, HTTP)                   | Packet filtering, IDS/IPS    |
| Integration | CloudFront, ALB, API Gateway  | CloudFront, ELB, EC2                    | VPC, Transit Gateway         |
| Cost        | $5/ACL, $1/rule, $0.60/M      | Free (Standard), $3,000/mo (Advanced)   | $0.395/hour, $0.026/GB       |
| Use Case    | Secure website, API           | Prevent DDoS                            | VPC traffic control          |

Explanation:

  • WAF: Protects web apps/APIs from Layer 7 exploits and bots.
  • Shield: Mitigates DDoS attacks at Layers 3/4/7.
  • Network Firewall: Filters VPC traffic at Layers 3/4 with intrusion detection.

9. Detailed Explanations for Mastery

  • Enhanced Bot Control:
    • Example: Block scraper bots with CAPTCHA on CloudFront login page.
    • Why It Matters: Reduces fraud and abuse—new for 2024.
  • Firewall Manager:
    • Example: Apply OWASP rules to 10 ALBs across accounts.
    • Why It Matters: Simplifies multi-account management—new for 2025.
  • GuardDuty Integration:
    • Example: Auto-block malicious IP in WAF after GuardDuty finding.
    • Why It Matters: Enables automation—new for 2024.

10. Quick Reference Table

| Feature          | Purpose                  | Key Detail                           | Exam Relevance           |
|------------------|--------------------------|--------------------------------------|--------------------------|
| Web ACL          | Filter web traffic       | Rules, actions, WCUs (1,500 max)     | Core Concept             |
| Rules/Actions    | Define conditions        | Allow, block, count, CAPTCHA         | Core Concept             |
| Bot Control      | Block automated traffic  | CAPTCHA, challenges (2024)           | Security, Performance    |
| Rate-Based Rules | Mitigate DDoS            | Limit requests/IP (e.g., 2,000/5m)   | Security, Resilience     |
| Managed Rules    | Simplify configuration   | OWASP, IP reputation, bot protection | Flexibility              |
| Firewall Manager | Multi-account management | Centralized rules (2025)             | Resilience, Scalability  |
| CloudWatch/Logs  | Real-time monitoring     | Metrics, detailed logs (2024)        | Resilience, Performance  |