AWS WAF

AWS WAF is a web application firewall that helps protect web applications and APIs against common web exploits and vulnerabilities, such as SQL injection (SQLi), cross-site scripting (XSS), and HTTP flood attacks.

It operates mainly at Layer 7 (Application Layer) and allows us to create customizable rules to block, allow, or monitor web traffic based on conditions like IP addresses, HTTP headers, URI strings, and request rates.

AWS WAF works closely with AWS Shield Advanced, which provides managed DDoS protection for Layers 3–7 (Network, Transport, and Application layers) and offers 24/7 access to the AWS Shield Response Team (SRT) for faster attack mitigation.

  1. Use AWS WAF when we need customizable protection against common web application vulnerabilities and moderate HTTP floods.
  2. Use AWS Shield Advanced when we need broader DDoS protection (L3-L7), financial protections (DDoS cost protection), 24/7 SRT support, and automatic advanced mitigations for high-risk applications.

1. WAF integration with AWS services

AWS WAF is tightly integrated with:

  1. Amazon CloudFront (Global service) — Protects content delivery across the world.
  2. Application Load Balancer (ALB) (Regional service) — Protects HTTP/HTTPS applications in a specific AWS region.
  3. Amazon API Gateway (Regional service) — Protects REST and WebSocket APIs.
  4. AWS AppSync (Regional service) — Protects GraphQL APIs.

AWS WAF always behaves according to the scope of the associated service:

  1. Global when attached to CloudFront
  2. Regional when attached to ALB, API Gateway, or AppSync.

2. AWS WAF Rate-Based Rules

  1. AWS WAF offers a single "rate-based rule" feature.
  2. Different rules (such as blanket application-wide rules, URI-specific rules, and malicious IP-focused rules) are designed based on the application's needs, but technically they are all rate-based rules under the hood.
  3. How Rate-Based Rules Work:
    1. Tracks the number of requests from each unique source IP address over a rolling 5-minute period.
    2. If a source exceeds the configured rate threshold (number of requests), AWS WAF automatically blocks further requests from that IP until the request rate drops below the threshold.
  4. Purpose: Provides automatic protection against HTTP flood attacks and abnormal traffic spikes with minimal operational overhead.
  5. Common Use Cases:
    1. Blanket Rule: Protects the entire application from large-scale floods.
    2. URI-Specific Rule: Applies stricter request limits to sensitive endpoints (e.g., /login, /api/checkout).
    3. Known Malicious IP Rule: Proactively blocks traffic from IPs that have previously triggered suspicious activity.

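The three use cases above are all the same RateBasedStatement with a different scope-down. The following is an added example, not code from the page or from AWS: it builds the blanket, URI-specific and known-malicious-IP rules as the wafv2 rule JSON that `aws wafv2 create-web-acl --rules file://rules.json` accepts, and runs the pre-deployment checks a reviewer would want (unique names and priorities, and scoped limits that are actually stricter than the blanket limit). Rule names, thresholds and the IP set ARN are assumptions.

```python
# Added example (not the page's own code): the three rate-based use cases
# from the text expressed as AWS WAFv2 rule JSON, the form accepted by
# `aws wafv2 create-web-acl --rules file://rules.json`. Rule names, the
# thresholds and the IP set ARN are assumptions for illustration.
import json


def rate_based_rule(name, priority, limit, scope_down=None):
    """One wafv2 rule whose statement is a RateBasedStatement.

    AWS WAF counts requests per source IP (AggregateKeyType "IP") over a
    rolling 5-minute window; once an IP exceeds `limit`, its further
    requests match this rule and are blocked until the rate drops below
    the threshold. An optional scope-down statement restricts which
    requests are counted at all.
    """
    statement = {"Limit": limit, "AggregateKeyType": "IP"}
    if scope_down is not None:
        statement["ScopeDownStatement"] = scope_down
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"RateBasedStatement": statement},
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def uri_starts_with(prefix):
    """Scope-down: only requests whose URI path starts with `prefix`.

    LOWERCASE is applied first so that /Login or /LOGIN cannot sidestep
    the stricter limit on a case-insensitive backend.
    """
    return {
        "ByteMatchStatement": {
            "FieldToMatch": {"UriPath": {}},
            "PositionalConstraint": "STARTS_WITH",
            "SearchString": prefix,
            "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
        }
    }


def ip_set_reference(ip_set_arn):
    """Scope-down: only requests from addresses in the referenced IP set."""
    return {"IPSetReferenceStatement": {"ARN": ip_set_arn}}


def build_rules(malicious_ip_set_arn):
    """The known-malicious-IP, URI-specific and blanket rules from the text.

    Lower Priority values are evaluated first, so the stricter, narrower
    rules run before the blanket rule.
    """
    return [
        rate_based_rule("KnownBadIpRateLimit", 0, 100,
                        scope_down=ip_set_reference(malicious_ip_set_arn)),
        rate_based_rule("LoginRateLimit", 1, 300,
                        scope_down=uri_starts_with("/login")),
        rate_based_rule("CheckoutRateLimit", 2, 300,
                        scope_down=uri_starts_with("/api/checkout")),
        rate_based_rule("BlanketRateLimit", 3, 2000),
    ]


def validate_rules(rules):
    """Checks worth running before deploying a rule file.

    Names and priorities must be unique within a web ACL, every limit must
    be a positive integer, and the blanket (unscoped) rule's limit must be
    the largest, otherwise the "stricter" scoped rules never tighten anything.
    """
    names = [r["Name"] for r in rules]
    priorities = [r["Priority"] for r in rules]
    if len(set(names)) != len(names) or len(set(priorities)) != len(priorities):
        return False
    scoped, unscoped = [], []
    for r in rules:
        stmt = r["Statement"]["RateBasedStatement"]
        if not isinstance(stmt["Limit"], int) or stmt["Limit"] <= 0:
            return False
        (scoped if "ScopeDownStatement" in stmt else unscoped).append(stmt["Limit"])
    return all(limit < min(unscoped) for limit in scoped) if unscoped else True


def rules_json(malicious_ip_set_arn):
    """Serialise the rule list the way `--rules file://rules.json` expects."""
    return json.dumps(build_rules(malicious_ip_set_arn), indent=2)


if __name__ == "__main__":
    # Placeholder ARN: substitute the ARN of your own IP set.
    ARN = "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/KnownBad/PLACEHOLDER"
    assert validate_rules(build_rules(ARN))
    print(rules_json(ARN))
```

Deploying the output still needs a web ACL with a matching scope (REGIONAL for an ALB, API Gateway or AppSync target, CLOUDFRONT for a distribution) and the IP set created beforehand; the script only produces and sanity-checks the rule list.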
Figure 1 shows how incoming request information is captured so that the operations team can use it to determine rate-based rules.

3. Match Rule Statements to protect web applications

  1. Geographic Match: Based on the geographic location (country, region, continent) from where the request originates.
  2. IP Set Match: Filter traffic coming from specific IP addresses or IP ranges.
  3. Label Match: Custom match criteria based on AWS resource tags applied to incoming requests.
  4. Regex Match: Uses regex patterns to match specific patterns in HTTP headers, body, or URI strings.
  5. Regex Pattern Set: Uses multiple regex patterns in HTTP headers, body, or URI strings.
  6. Size Constraint: Based on the size of requests
  7. SQL Injection Attack: Protects against SQL injection
  8. String Match: Filters traffic based on specific string patterns in request headers, body, or URI.
  9. XSS Scripting Attack: Blocks requests that contain Cross-Site Scripting (XSS) threats.

4. Geographical filtering (country, regions, or IP addresses blocking)

  1. CloudFront’s Geo Restriction is simpler, faster, and built directly into CloudFront at the edge locations.
    1. Use it when you just need basic country-level blocking — no need to configure a WAF web ACL.
    2. Lower operational overhead (no WAF rules, no web ACL management).
    3. Potentially faster because it happens very early in the request lifecycle at the CDN level.
  2. AWS WAF with Geo Match rules is more powerful and flexible:
    1. You can create complex combinations (e.g., allow US + CA, block a specific set of countries + allow a few IPs even inside a blocked country).
    2. You can combine geo rules with other conditions (like SQL injection protection, rate limiting, etc.).
    3. Useful when fine-grained control is needed beyond simple country blocking.

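To make the comparison concrete, here is an added example (not code from the page or from AWS) that produces both controls as the JSON their services accept: the CloudFront GeoRestriction block of a distribution config for the simple case, and a wafv2 rule for the flexible case from the list above, blocking a set of countries while still admitting a few IPs inside them, wrapped in a web ACL whose Scope follows the protected resource. Country lists, the IP set ARN and the rule names are assumptions.

```python
# Added example (not the page's own code): CloudFront geo restriction and
# an AWS WAF geo-match rule side by side, as the JSON each service takes.
# Country lists, rule names and the IP set ARN are assumptions.
import re

ISO_ALPHA2 = re.compile(r"^[A-Z]{2}$")


def valid_country_codes(codes):
    """Both services take ISO 3166-1 alpha-2 codes ("US", not "USA"); a
    wrong code is rejected at deploy time, so catch it locally first."""
    return bool(codes) and all(ISO_ALPHA2.match(c) for c in codes)


def cloudfront_geo_restriction(country_codes, mode="blacklist"):
    """Simple option: country-level allow/block at the edge, no web ACL.

    mode is "whitelist" (serve only these countries) or "blacklist"
    (serve everyone except these countries); this is the Restrictions
    block of a CloudFront distribution config.
    """
    if mode not in ("whitelist", "blacklist") or not valid_country_codes(country_codes):
        raise ValueError("invalid geo restriction")
    return {"GeoRestriction": {"RestrictionType": mode,
                               "Quantity": len(country_codes),
                               "Items": list(country_codes)}}


def visibility(name):
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": name}


def waf_geo_block_with_exceptions(blocked_countries, allowlist_ip_set_arn,
                                  priority=0, forwarded_ip_header=None):
    """Flexible option: Block = GeoMatch(countries) AND NOT IPSet(allow list),
    so a few known addresses get through even inside a blocked country.

    Behind another proxy WAF sees the proxy's address; ForwardedIPConfig
    makes it geolocate the client IP from a forwarding header instead.
    FallbackBehavior MATCH treats a missing or malformed header as a match,
    so such requests are blocked unless they are on the allow list.
    """
    if not valid_country_codes(blocked_countries):
        raise ValueError("invalid country codes")
    geo = {"CountryCodes": list(blocked_countries)}
    if forwarded_ip_header:
        geo["ForwardedIPConfig"] = {"HeaderName": forwarded_ip_header,
                                    "FallbackBehavior": "MATCH"}
    name = "BlockCountriesExceptAllowlist"
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"AndStatement": {"Statements": [
            {"GeoMatchStatement": geo},
            {"NotStatement": {"Statement": {
                "IPSetReferenceStatement": {"ARN": allowlist_ip_set_arn}}}},
        ]}},
        "Action": {"Block": {}},
        "VisibilityConfig": visibility(name),
    }


def waf_allow_countries(countries, priority=1):
    """Allow-list variant: explicitly allow e.g. US + CA and let the web
    ACL's default action (Block) handle everything else."""
    if not valid_country_codes(countries):
        raise ValueError("invalid country codes")
    name = "AllowListedCountries"
    return {"Name": name, "Priority": priority,
            "Statement": {"GeoMatchStatement": {"CountryCodes": list(countries)}},
            "Action": {"Allow": {}}, "VisibilityConfig": visibility(name)}


def web_acl(name, scope, rules, default_block=False):
    """Scope must match the protected resource: CLOUDFRONT (global) for a
    distribution, REGIONAL for ALB, API Gateway or AppSync."""
    if scope not in ("CLOUDFRONT", "REGIONAL"):
        raise ValueError("scope must be CLOUDFRONT or REGIONAL")
    return {"Name": name, "Scope": scope,
            "DefaultAction": {"Block": {}} if default_block else {"Allow": {}},
            "Rules": rules, "VisibilityConfig": visibility(name)}


if __name__ == "__main__":
    # "XA"/"XB" are constructed placeholder codes; the ARN is a placeholder too.
    ARN = "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/PartnerAllowList/PLACEHOLDER"
    print(cloudfront_geo_restriction(["US", "CA"], "whitelist"))
    acl = web_acl("RegionalAcl", "REGIONAL",
                  [waf_geo_block_with_exceptions(["XA", "XB"], ARN,
                                                 forwarded_ip_header="X-Forwarded-For")])
    print(acl)
```

The two allow-style designs differ in where the default lives: CloudFront's whitelist is the whole policy, whereas with WAF the allow rule only works as intended if the web ACL's default action is Block; leaving the default at Allow turns `waf_allow_countries` into a no-op.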
5. Handle SQL injection & Cross-site scripting

AWS WAF can detect and block requests that contain patterns typical of SQL injection attacks or cross-site scripting (XSS) attacks by using built-in managed rule groups or custom rules.

  1. SQL injection protection: Detects and blocks malicious SQL code intended to manipulate or compromise databases.
  2. Cross-site scripting (XSS) protection: Detects and blocks malicious scripts intended to be injected into web pages and executed by users' browsers.
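Both protections can be expressed either as AWS managed rule groups or as custom SqliMatch and XssMatch statements. The following added example (not code from the page or from AWS) builds a rule list that does both, inspecting the query string and the body after URL and HTML-entity decoding, and checks the one structural constraint that most often trips up hand-written rule files: a managed rule group reference carries OverrideAction, every other rule carries Action. Rule names, the Count-first rollout and the field choices are assumptions.

```python
# Added example (not the page's own code): AWS WAFv2 rule JSON pairing the
# AWS managed SQLi rule group with custom SqliMatch / XssMatch rules.
# Rule names and the Count-first rollout are assumptions for illustration.


def visibility(name):
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": name}


def managed_rule_group(name, priority, count_only=False):
    """Reference an AWS managed rule group.

    A rule group reference carries OverrideAction instead of Action:
    None keeps the group's own block/count decisions, Count downgrades
    every match to a metric-only count (a dry run before enforcing).
    """
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": name}},
        "OverrideAction": {"Count": {}} if count_only else {"None": {}},
        "VisibilityConfig": visibility(name),
    }


# Matching runs on the transformed value, so decode the way the
# application will before inspecting; otherwise an encoded payload slips
# past the signature check while still reaching the backend decoded.
DECODE_FIRST = [
    {"Priority": 0, "Type": "URL_DECODE"},
    {"Priority": 1, "Type": "HTML_ENTITY_DECODE"},
]

# Bodies larger than the inspection limit are only partly inspected;
# CONTINUE evaluates what was read, MATCH would block oversize bodies.
FIELDS = [
    {"QueryString": {}},
    {"Body": {"OversizeHandling": "CONTINUE"}},
]


def custom_rule(name, priority, statement, count_only):
    return {"Name": name, "Priority": priority, "Statement": statement,
            "Action": {"Count": {}} if count_only else {"Block": {}},
            "VisibilityConfig": visibility(name)}


def sqli_rule(priority, sensitivity="HIGH", count_only=True):
    """Custom SQLi rule: OR over each inspected field so one rule covers
    both the query string and the body. HIGH sensitivity catches more
    but needs a Count phase to measure false positives."""
    statements = [{"SqliMatchStatement": {"FieldToMatch": f,
                                          "TextTransformations": DECODE_FIRST,
                                          "SensitivityLevel": sensitivity}}
                  for f in FIELDS]
    return custom_rule("CustomSqli", priority,
                       {"OrStatement": {"Statements": statements}}, count_only)


def xss_rule(priority, count_only=True):
    statements = [{"XssMatchStatement": {"FieldToMatch": f,
                                         "TextTransformations": DECODE_FIRST}}
                  for f in FIELDS]
    return custom_rule("CustomXss", priority,
                       {"OrStatement": {"Statements": statements}}, count_only)


def build_rules(enforce=False):
    """Managed groups enforce immediately; custom rules start in Count
    until `enforce=True` flips them to Block."""
    return [
        managed_rule_group("AWSManagedRulesCommonRuleSet", 0),
        managed_rule_group("AWSManagedRulesSQLiRuleSet", 1),
        sqli_rule(2, count_only=not enforce),
        xss_rule(3, count_only=not enforce),
    ]


def validate_rules(rules):
    """Each rule must carry exactly one of Action / OverrideAction, and only
    rule group references may carry OverrideAction; the API rejects the rest."""
    for r in rules:
        has_action, has_override = "Action" in r, "OverrideAction" in r
        if has_action == has_override:
            return False
        is_group = any(k in r["Statement"] for k in
                       ("ManagedRuleGroupStatement", "RuleGroupReferenceStatement"))
        if is_group != has_override:
            return False
    return True


if __name__ == "__main__":
    rules = build_rules()
    assert validate_rules(rules)
    print([(r["Name"], r.get("Action") or r.get("OverrideAction")) for r in rules])
```

Running the custom rules in Count first and reading the sampled requests in the WAF console is the cheap way to find out whether HIGH sensitivity blocks legitimate traffic (search forms and rich-text fields are the usual offenders) before switching to Block.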


6. Question: AWS WAF and API Gateway - 2025

A financial company hosts a web application on AWS. The application uses an Amazon API Gateway Regional API endpoint to give users the ability to retrieve current stock prices. The company's security team has noticed an increase in the number of API requests. The security team is concerned that HTTP flood attacks might take the application offline.

A solutions architect must design a solution to protect the application from this type of attack.

Which solution meets these requirements with the LEAST operational overhead?

  1. Create an Amazon CloudFront distribution in front of the API Gateway Regional API endpoint with a maximum TTL of 24 hours
  2. Create a Regional AWS WAF web ACL with a rate-based rule. Associate the web ACL with the API Gateway stage. (Correct Ans)
  3. Use Amazon CloudWatch metrics to monitor the Count metric and alert the security team when the predefined rate is reached
  4. Create an Amazon CloudFront distribution with Lambda@Edge in front of the API Gateway Regional API endpoint. Create an AWS Lambda function to block requests from IP addresses that exceed the predefined rate.

Explanation:

  1. A rate-based rule in AWS WAF automatically blocks or throttles requests when they exceed a specified threshold (like too many requests per 5 minutes).
  2. This is the simplest, most automatic, and least operational overhead solution to protect API Gateway from HTTP flood attacks.
  3. Regional WAF can be directly attached to Regional API Gateway endpoints.

Why NOT the others?

  1. CloudFront with TTL: Helps cache content, but doesn’t protect against request floods.
  2. CloudWatch alarms: Only alerts you after a flood happens; it doesn't block anything automatically.
  3. CloudFront + Lambda@Edge: Can block requests, but needs custom code (Lambda@Edge) = higher operational overhead.