AWS WAF is a web application firewall that lets you monitor the HTTP(S) requests that are forwarded to your protected web application resources. You can protect the following resource types:
Amazon CloudFront distribution
Amazon API Gateway REST API
Application Load Balancer
AWS AppSync GraphQL API
Amazon Cognito user pool
AWS App Runner service
AWS Verified Access instance
AWS WAF lets you control access to your content. Based on criteria that you specify, such as the IP addresses that requests originate from or the values of query strings, the service associated with your protected resource responds to requests either with the requested content, with an HTTP 403 status code (Forbidden), or with a custom response.
Note
You can also use AWS WAF to protect your applications that are hosted in Amazon Elastic Container Service (Amazon ECS) containers. Amazon ECS is a highly scalable, fast container management service that makes it easy to run, stop, and manage Docker containers on a cluster. To use this option, you configure Amazon ECS to use an Application Load Balancer that is enabled for AWS WAF to route and protect HTTP(S) layer 7 traffic across the tasks in your service. For more information, see the Amazon Elastic Container Service Developer Guide.
How AWS WAF works
You use AWS WAF to control how your protected resources respond to HTTP(S) web requests. You do this by defining a web access control list (ACL) and then associating it with one or more web application resources that you want to protect. The associated resources forward incoming requests to AWS WAF for inspection by the web ACL.
In your web ACL, you create rules to define traffic patterns to look for in requests and to specify the actions to take on matching requests. The action choices include the following:
Allow the requests to go to the protected resource for processing and response.
Block the requests.
Count the requests.
Run CAPTCHA or challenge checks against requests to verify human users and standard browser use.
AWS WAF components
The following are the central components of AWS WAF:
Web ACLs – You use a web access control list (ACL) to protect a set of AWS resources. You create a web ACL and define its protection strategy by adding rules. Rules define criteria for inspecting web requests and they specify the action to take on requests that match their criteria. You also set a default action for the web ACL that indicates whether to block or allow through any requests that the rules haven't already blocked or allowed. For more information about web ACLs, see
You can use criteria like the following to allow or block requests:
IP address origin of the request
Country of origin of the request
String match or regular expression (regex) match in a part of the request
Size of a particular part of the request
Detection of malicious SQL code or scripting
Rules – Each rule contains a statement that defines the inspection criteria, and an action to take if a web request meets the criteria. When a web request meets the criteria, that's a match. You can configure rules to block matching requests, allow them through, count them, or run bot controls against them that use CAPTCHA puzzles or silent client browser challenges. For more information about rules, see
A rule is not an AWS WAF resource. It only exists in the context of a web ACL or rule group.
You can define rules that inspect for criteria like the following:
Scripts that are likely to be malicious. Attackers embed scripts that can exploit vulnerabilities in web applications. This is known as cross-site scripting (XSS).
IP addresses or address ranges that requests originate from.
Country or geographical location that requests originate from.
Length of a specified part of the request, such as the query string.
SQL code that is likely to be malicious. Attackers try to extract data from your database by embedding malicious SQL code in a web request. This is known as SQL injection.
Strings that appear in the request, for example, values that appear in the User-Agent header or text strings that appear in the query string. You can also use regular expressions (regex) to specify these strings.
Labels that prior rules in the web ACL have added to the request.
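The following Python model, added here as an illustration and not AWS code, shows how the pieces above fit together: rules in a web ACL run in priority order, Allow and Block end the evaluation, Count records the match and lets evaluation continue, a matching rule can add labels that lower-priority rules match on, and the default action applies when no rule terminates. The statement helpers mirror the criteria listed (IP origin, country, string or regex match on a header, size of a request part, label match); the rule names, the `example:legacy-client` label and the documentation IP ranges are constructed, and the SQL injection and XSS detectors AWS provides are not reproduced.

```python
"""Simplified model of web ACL evaluation (added illustration, not AWS code).

Rules run in priority order (lowest number first). ALLOW and BLOCK end the
evaluation; COUNT records the match and continues; a matching rule may add
labels that later rules can match. If no rule ends the evaluation, the web
ACL's default action applies.
"""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    source_ip: str
    country: str          # two-letter code the service derives from the source IP
    query_string: str
    headers: dict         # header names stored lowercase; the match is case-insensitive
    labels: set = field(default_factory=set)


# Statement builders: each returns a predicate over a Request.
def ip_set(cidrs):
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda r: any(ipaddress.ip_address(r.source_ip) in n for n in nets)

def geo_match(countries):
    return lambda r: r.country in countries

def header_regex(name, pattern):
    rx = re.compile(pattern)
    return lambda r: rx.search(r.headers.get(name.lower(), "")) is not None

def size_gt(part, limit):
    return lambda r: len(getattr(r, part)) > limit

def label_match(label):
    return lambda r: label in r.labels

def all_of(*stmts):
    return lambda r: all(s(r) for s in stmts)

def not_(stmt):
    return lambda r: not stmt(r)


@dataclass
class Rule:
    name: str
    priority: int
    statement: object
    action: str            # "ALLOW", "BLOCK" or "COUNT"
    labels: tuple = ()     # labels added to the request when the rule matches


def evaluate(rules, default_action, req):
    """Return (final action, name of the terminating rule or None, counted rule names)."""
    counted = []
    for rule in sorted(rules, key=lambda x: x.priority):
        if not rule.statement(req):
            continue
        req.labels.update(rule.labels)      # visible to rules that run later
        if rule.action == "COUNT":
            counted.append(rule.name)
            continue                        # COUNT is non-terminating
        return rule.action, rule.name, counted
    return default_action, None, counted


# Constructed sample web ACL: documentation IP ranges, made-up rule and label names.
WEB_ACL_RULES = [
    Rule("allow-office", 0, ip_set(["203.0.113.0/24"]), "ALLOW"),
    Rule("flag-legacy-client", 10, header_regex("User-Agent", r"^LegacyClient/"),
         "COUNT", labels=("example:legacy-client",)),
    Rule("block-legacy-abroad", 20,
         all_of(label_match("example:legacy-client"), not_(geo_match({"US", "CA"}))),
         "BLOCK"),
    Rule("block-long-query", 30, size_gt("query_string", 256), "BLOCK"),
]
DEFAULT_ACTION = "ALLOW"


def make_request(ip, country, user_agent="Mozilla/5.0", query_string="q=1"):
    return Request(ip, country, query_string, {"user-agent": user_agent})


if __name__ == "__main__":
    for req in (make_request("203.0.113.5", "DE", user_agent="LegacyClient/1.0"),
                make_request("198.51.100.7", "DE", user_agent="LegacyClient/1.0"),
                make_request("198.51.100.7", "US", user_agent="LegacyClient/1.0"),
                make_request("198.51.100.7", "US", query_string="a=" + "x" * 300)):
        print(req.source_ip, req.country, evaluate(WEB_ACL_RULES, DEFAULT_ACTION, req))
```

The second sample request is the interesting one: the Count rule at priority 10 does not stop evaluation, but the label it attaches is what lets the Block rule at priority 20 fire, which is the pattern behind "labels that prior rules in the web ACL have added to the request".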
Rule groups – You can define rules directly inside a web ACL or in reusable rule groups. AWS Managed Rules and AWS Marketplace sellers provide managed rule groups for your use. You can also define your own rule groups. For more information about rule groups, see
Additional protection against web attacks using criteria that you specify. You can define criteria using characteristics of web requests such as the following:
IP addresses that requests originate from.
Country that requests originate from.
Values in request headers.
Strings that appear in requests, either specific strings or strings that match regular expression (regex) patterns.
Length of requests.
Presence of SQL code that is likely to be malicious (known as SQL injection).
Presence of a script that is likely to be malicious (known as cross-site scripting).
Rules that can allow, block, or count web requests that meet the specified criteria. Alternatively, rules can block or count web requests that not only meet the specified criteria, but also exceed a specified number of requests in a minute or in five minutes.
Rules that you can reuse for multiple web applications.
Managed rule groups from AWS and AWS Marketplace sellers.
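As an added example (not from the AWS documentation page), the following Python builds a request body in the shape that the WAFV2 CreateWebACL API and `aws wafv2 create-web-acl --cli-input-json` accept, combining the features listed above: a rate-based rule over the five-minute window, the AWS managed Common Rule Set, and a custom string match, behind a default action that allows whatever no rule blocked. The web ACL name, metric names, path prefix and the limit of 1000 requests are assumed values. A small checker catches the mistakes most often made when writing these by hand, such as duplicate priorities or giving a rule group reference an Action instead of an OverrideAction.

```python
"""Construct and sanity-check a regional web ACL definition (added example, not AWS code)."""
import json

EVALUATION_WINDOW_SEC = 300   # the five-minute window; 60 selects the one-minute variant
GROUP_STATEMENTS = ("ManagedRuleGroupStatement", "RuleGroupReferenceStatement")


def visibility(metric_name):
    # Every rule and the web ACL itself need a VisibilityConfig for CloudWatch and sampling.
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}


def build_web_acl(name="example-web-acl", rate_limit=1000):
    """Return a CreateWebACL body for an Application Load Balancer (assumed names)."""
    return {
        "Name": name,
        "Scope": "REGIONAL",                 # CLOUDFRONT for a distribution (created in us-east-1)
        "DefaultAction": {"Allow": {}},      # applies to requests no rule allowed or blocked
        "Description": "Constructed example web ACL",
        "VisibilityConfig": visibility(name),
        "Rules": [
            {   # Rate-based rule: count per source IP over the window, block when over the limit.
                "Name": "rate-limit-per-ip",
                "Priority": 0,
                "Statement": {"RateBasedStatement": {
                    "Limit": rate_limit,
                    "EvaluationWindowSec": EVALUATION_WINDOW_SEC,
                    "AggregateKeyType": "IP"}},
                "Action": {"Block": {}},
                "VisibilityConfig": visibility("rate-limit-per-ip"),
            },
            {   # Managed rule group: the rules inside keep their own actions, so the
                # reference carries OverrideAction (None = use them, Count = observe only).
                "Name": "aws-common-rule-set",
                "Priority": 10,
                "Statement": {"ManagedRuleGroupStatement": {
                    "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}},
                "OverrideAction": {"None": {}},
                "VisibilityConfig": visibility("aws-common-rule-set"),
            },
            {   # Custom string match on the URI path. SearchString is a blob in the API:
                # pass bytes to boto3, and mind --cli-binary-format on the CLI.
                "Name": "block-internal-path",
                "Priority": 20,
                "Statement": {"ByteMatchStatement": {
                    "SearchString": "/internal/",
                    "FieldToMatch": {"UriPath": {}},
                    "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
                    "PositionalConstraint": "STARTS_WITH"}},
                "Action": {"Block": {}},
                "VisibilityConfig": visibility("block-internal-path"),
            },
        ],
    }


def validate_web_acl(acl):
    """Return the consistency problems found (empty list means none)."""
    problems = []
    priorities = [r["Priority"] for r in acl["Rules"]]
    if len(priorities) != len(set(priorities)):
        problems.append("rule priorities must be unique within a web ACL")
    for r in acl["Rules"]:
        refers_to_group = any(k in r["Statement"] for k in GROUP_STATEMENTS)
        if refers_to_group and "Action" in r:
            problems.append(f"{r['Name']}: a rule group reference takes OverrideAction, not Action")
        if refers_to_group and "OverrideAction" not in r:
            problems.append(f"{r['Name']}: a rule group reference needs OverrideAction")
        if not refers_to_group and "Action" not in r:
            problems.append(f"{r['Name']}: a standalone rule needs an Action")
        if "VisibilityConfig" not in r:
            problems.append(f"{r['Name']}: missing VisibilityConfig")
        rate = r["Statement"].get("RateBasedStatement")
        if rate is not None and rate["Limit"] <= 0:
            problems.append(f"{r['Name']}: rate limit must be positive")
    return problems


if __name__ == "__main__":
    acl = build_web_acl()
    print("problems:", validate_web_acl(acl))
    # Save the JSON and create with: aws wafv2 create-web-acl --cli-input-json file://acl.json
    print(json.dumps(acl, indent=2))
```

After creation, the web ACL only takes effect once it is associated with a resource (for regional resources, the `AssociateWebACL` API with the load balancer's ARN). A common rollout pattern is to start the managed rule group with `"OverrideAction": {"Count": {}}` and watch the CloudWatch metrics before switching it to `None`, so that false positives surface as counts rather than blocked users.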