# AWS WAF (Web Application Firewall): Complete Guide

## Introduction

Web applications are continuously exposed to threats such as SQL injection, Cross-Site Scripting (XSS), HTTP floods and abusive bots. AWS WAF (Web Application Firewall) is a layer-7 control that inspects each HTTP(S) request at the edge (CloudFront, ALB, API Gateway and the other supported services) before it reaches your application code.

AWS WAF lets you monitor HTTP(S) requests, filter malicious traffic, and allow, block or count requests based on customizable rules. It is not a complete DDoS solution on its own: volumetric attacks at layers 3 and 4 are the job of AWS Shield, while WAF rate-based rules address layer-7 floods.
## What is AWS WAF?

AWS WAF is a web application firewall that protects web applications and APIs from common web exploits that can affect availability, compromise security, or consume excessive resources.

You control access by writing rules whose match statements inspect parts of the request, such as:

- Source IP address (IP sets)
- HTTP headers
- Query string (whole, or a single named parameter)
- URI path
- Request body (up to the inspection size limit of the resource type; the rule chooses what happens to oversize bodies)
- Geolocation of the source IP
- Request rate per client (rate-based rules)
## Where Can You Deploy AWS WAF?

A Web ACL is associated with the resource that terminates the client connection, so AWS WAF can protect:

- Amazon CloudFront distributions (CDN-level protection; the Web ACL must be created with the CloudFront scope, which lives in us-east-1)
- Application Load Balancer (ALB) (layer-7 protection for everything behind the ALB)
- Amazon API Gateway REST APIs
- AWS AppSync GraphQL APIs
- Amazon Cognito user pools
- AWS App Runner services
- AWS Verified Access instances

Everything except CloudFront uses a regional Web ACL created in the same Region as the resource.
## Components of AWS WAF

Component | Description |
---|---|
Web ACL (Web Access Control List) | The container that holds rules, fixes their priority order, and carries the default action applied to requests that match no rule. |
Rule | One match statement (or a nested AND/OR/NOT combination) plus an action, e.g. "block requests whose query string contains SQL injection". |
Rule Group | A reusable, ordered collection of rules; AWS Managed Rules and Marketplace rules are delivered as rule groups. |
Match statement (WAF Classic called these "conditions") | The matching criterion inside a rule: IP set, string match, regex, geo match, size constraint, SQLi/XSS detection, or request rate. Text transformations (URL decode, lowercase, normalize path, ...) are applied to the inspected field before matching. |
Action | What happens on a match: Allow, Block, or Count (plus CAPTCHA and Challenge). Allow and Block terminate evaluation; Count records the match and evaluation continues. |
Priority | Rules are evaluated from the lowest priority number upward; the first rule with a terminating action decides the request, otherwise the default action applies. |
## Types of AWS WAF Rules

Type | Description | Example |
---|---|---|
AWS Managed Rules | Rule groups written and kept up to date by AWS for common threats. | Core rule set (CRS), SQL database, Known bad inputs, Bot Control |
AWS Marketplace Rules | Rule groups sold by third-party vendors such as Fortinet and Trend Micro. | Bot protection, API protection |
Custom Rules | Your own rules based on headers, IPs, URI paths, etc. | Block /admin, rate-limit /login |
## Creating a Web ACL

1. Open the AWS Management Console → WAF & Shield → Web ACLs.
2. Click Create web ACL.
3. Name: `MyApp-WAF`.
4. Resource type: Regional resources, then add the Application Load Balancer (ALB) you want to protect.
5. Region: the same Region as the ALB. (For a CloudFront distribution choose "CloudFront distributions" instead; that Web ACL is created in us-east-1.)
6. Default action: Allow. Requests that match no rule are allowed; for an allow-list design (see Rule 2) you would set this to Block instead.
7. Click Next through the rules and priority pages; rules can be added afterwards.

Now you can start adding custom rules. For every new rule, prefer Count as the initial action, review the sampled requests and metrics, and switch to Block only once you are sure it does not match legitimate traffic.
### Rule 1: Block a Specific IP Address

Use case: block all requests from the client address 1.2.3.4.

Steps:

1. Open your Web ACL → Rules → Add rules → Add my own rules and rule groups.
2. Rule name: `Block-Specific-IP`.
3. Rule type: IP set.
4. Click Create IP set, IP version IPv4, add `1.2.3.4/32`, and select that set.
5. IP address to use as the originating address: Source IP address.
6. Action: Block.
7. Save and add the rule to the Web ACL.

Test: send a request from 1.2.3.4 itself (a host or VPN exit with that address) and expect HTTP 403:

```bash
curl -I http://myapp.example.com/
```

Do not test with `--header "X-Forwarded-For: 1.2.3.4"`: with "Source IP address" selected the rule never looks at that header. AWS WAF can be told to take the client address from X-Forwarded-For instead ("IP address in header"), which you need when traffic reaches the ALB or CloudFront through another proxy, but any client can set that header, so enable it only when the upstream proxy is trusted and overwrites client-supplied copies.
### Rule 2: Allow Only a Specific Country (India)

Use case: serve traffic from India only and block everything else.

Steps:

1. Add rule → Rule type: Regular rule, statement "Originates from a country in" (geo match).
2. Rule name: `Block-Non-India`.
3. Country codes: India (IN).
4. For "If a request" choose "doesn't match the statement (NOT)", so the rule matches every request whose source country is not IN.
5. Action: Block.

This keeps the Web ACL default action at Allow. The alternative, an `Allow-India` rule followed by "block all", also works, but the "block all" is really the Web ACL default action set to Block, and every other Allow rule then has to sit at a lower priority number than any Block rule it is meant to override.

Test: AWS WAF derives the country from the source IP (or from the forwarded-IP header, if configured), not from any request header, so sending `CF-IPCountry: IN` proves nothing. Send the same request from an Indian address and from a non-Indian one (a VPN exit is the usual way) and compare:

```bash
curl -I http://myapp.example.com/   # from India: 200; from anywhere else: 403
```

Deploy in Count first and look at the sampled requests, which show the country WAF assigned to each client.
### Rule 3: Block SQL Injection

Use case: block query strings carrying SQL such as `' OR 1=1 --`.

Steps:

1. Add rule → Rule type: Regular rule.
2. Rule name: `Block-SQL-Injection`.
3. Inspect: Query string.
4. Match type: Contains string. A string match statement holds one search string, so add one statement per value (`' or 1=1`, `union select`, `drop table`) and join them with OR.
5. Text transformations: URL decode, then Lowercase, so `%27%20OR%201%3D1` and `' Or 1=1` are seen the same way as the plain form.
6. Action: Block.

Test:

```bash
curl -G "http://myapp.example.com/login" --data-urlencode "user=admin' OR 1=1--"
```

(`-G --data-urlencode` puts the payload in the query string properly encoded; a raw space inside the URL does not reach the server the way the test intends.)

A keyword list like this is illustrative only. Attackers vary case, encoding, comments and whitespace, so a short list both misses variants and blocks legitimate text such as a search for "union select". For real coverage use the SQL injection match statement (Match type: Contains SQL injection attacks, with the same transformations) or the AWS Managed Rules SQL database rule group, and keep the custom rule in Count mode to learn what it would have matched.
### Rule 4: Block Cross-Site Scripting (XSS)

Use case: stop script injection in form bodies.

Steps:

1. Add rule → Rule type: Regular rule.
2. Rule name: `Block-XSS`.
3. Inspect: Body. Pick an oversize handling (Match, No match or Continue) for bodies larger than the inspection limit; Continue lets the rest of the Web ACL still evaluate the inspected prefix.
4. Match type: Contains string `<script>`.
5. Text transformations: URL decode, HTML entity decode, Lowercase. Without them `<ScRiPt>` and `%3Cscript%3E` walk straight past the rule.
6. Action: Block.

Test:

```bash
curl -X POST -d "input=<script>alert('xss')</script>" http://myapp.example.com/comment
```

As with Rule 3, one literal covers only the most obvious payload: `<img onerror=...>`, `<svg/onload=...>` and inline event handlers contain no `<script>` at all. The XSS match statement (Match type: Contains XSS injection attacks) and the Core rule set in AWS Managed Rules are the production-grade options; the string match above is a good way to learn the rule builder.
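The string-match rules of Rule 3 and Rule 4, modelled locally so you can see the effect of text transformations without deploying anything. This is an added example (my code, not the guide's and not the AWS engine): it follows the documented WAFv2 semantics of a ByteMatchStatement, implements only the transformations it uses, and the payloads are constructed. The assumption that WAF's URL_DECODE also turns `+` into a space is marked in the code.

```python
"""Local model of an AWS WAF string match (ByteMatchStatement) plus text
transformations, to show why "Contains <script>" and "Contains ' OR 1=1"
with no transformation are trivially bypassed. Not the AWS engine."""
import html
import re
from urllib.parse import unquote_plus

WORD = r"[A-Za-z0-9_]"


def apply_transforms(value: str, transforms) -> str:
    """Apply transformations in the listed order (WAF orders them by Priority)."""
    for t in transforms:
        if t == "NONE":
            continue
        if t == "URL_DECODE":
            # Assumption: WAF's URL_DECODE decodes '+' to a space as well as %xx.
            value = unquote_plus(value)
        elif t == "HTML_ENTITY_DECODE":
            value = html.unescape(value)
        elif t == "LOWERCASE":
            value = value.lower()
        elif t == "COMPRESS_WHITE_SPACE":
            value = re.sub(r"\s+", " ", value)
        else:
            raise ValueError(f"transformation {t} is not modelled here")
    return value


def byte_match(value: str, search: str, constraint: str = "CONTAINS",
               transforms=("NONE",)) -> bool:
    """True when the transformed field satisfies the positional constraint."""
    v = apply_transforms(value, transforms)
    if constraint == "CONTAINS":
        return search in v
    if constraint == "STARTS_WITH":
        return v.startswith(search)
    if constraint == "ENDS_WITH":
        return v.endswith(search)
    if constraint == "EXACTLY":
        return v == search
    if constraint == "CONTAINS_WORD":
        # search string bounded by non-word characters (or field start/end)
        pat = rf"(?<!{WORD}){re.escape(search)}(?!{WORD})"
        return re.search(pat, v) is not None
    raise ValueError(constraint)


# The guide's rules as written (no transformation) next to hardened variants.
XSS_NAIVE = ("<script>", ("NONE",))
XSS_HARDENED = ("<script>", ("URL_DECODE", "HTML_ENTITY_DECODE", "LOWERCASE"))
SQLI_NAIVE = ("' OR 1=1", ("NONE",))
SQLI_HARDENED = ("' or 1=1", ("URL_DECODE", "COMPRESS_WHITE_SPACE", "LOWERCASE"))


def compare(value: str, naive, hardened):
    """(naive_rule_matches, hardened_rule_matches) for one payload."""
    return (byte_match(value, naive[0], "CONTAINS", naive[1]),
            byte_match(value, hardened[0], "CONTAINS", hardened[1]))


# Constructed payloads: the first of each group is what the guide tests with,
# the next ones are trivial evasions of a transformation-free rule, and the
# last one is benign traffic that must not match.
XSS_PAYLOADS = [
    "input=<script>alert('xss')</script>",
    "input=<ScRiPt>alert(1)</ScRiPt>",
    "input=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "input=&lt;script&gt;alert(1)&lt;/script&gt;",
    "input=<b>hello</b>",
]
SQLI_PAYLOADS = [
    "user=admin' OR 1=1--",
    "user=admin'%20%20or%20%201%3D1--",
    "user=admin'+or+1=1--",
    "user=o'reilly",
]

if __name__ == "__main__":
    for p in XSS_PAYLOADS:
        print(compare(p, XSS_NAIVE, XSS_HARDENED), p)
    for p in SQLI_PAYLOADS:
        print(compare(p, SQLI_NAIVE, SQLI_HARDENED), p)
```

Run it and the second column of each line is the hardened rule: it catches the case-changed, percent-encoded and entity-encoded payloads the naive rule misses, and still leaves `<b>hello</b>` and `o'reilly` alone. The same limitation stays in both variants: neither sees `<img onerror=...>`, which is why the built-in XSS and SQLi match statements exist.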
### Rule 5: Block the /admin Path

Use case: restrict administrative URLs.

Steps:

1. Add rule → Rule type: Regular rule.
2. Rule name: `Block-Admin-Path`.
3. Inspect: URI path.
4. Match type: Starts with string `/admin`.
5. Text transformations: URL decode, Normalize path, Lowercase. Without them `/Admin`, `/%61dmin` and `/./admin` are different strings to the rule but the same resource to most application servers.
6. Action: Block.

Test:

```bash
curl -I http://myapp.example.com/admin
curl -I http://myapp.example.com/Admin          # also 403 once Lowercase is applied
curl -I "http://myapp.example.com/%61dmin"      # also 403 once URL decode is applied
```

If administrators still need the path, combine this statement with AND NOT "originates from an IP set" containing your office or VPN range, so the block applies to everyone except those addresses.
### Rule 6: Block Bad User-Agent

Use case: block scanners or bots such as sqlmap that announce themselves in the User-Agent header.

Steps:

1. Add rule → Rule type: Regular rule.
2. Rule name: `Block-Bad-UA`.
3. Inspect: Single header, header name `User-Agent`.
4. Match type: Contains string, one statement per value joined with OR: `sqlmap`, `bot`, `crawler`.
5. Text transformation: Lowercase.
6. Action: Count first, then Block once the sampled requests look right.

Test:

```bash
curl -I -A "sqlmap" http://myapp.example.com/
```

Two caveats. The User-Agent header is chosen by the client, and sqlmap's `--random-agent` option sends a browser string, so this is a nuisance filter, not a security boundary. And the substrings `bot` and `crawler` also match Googlebot, Bingbot and most uptime monitors, which is exactly why the rule should run in Count mode until the sampled requests show it matches only what you intend.
### Rule 7: Allow Only HTTPS

Use case: enforce secure connections.

Steps, as the guide originally describes them:

1. Add rule → Rule type: Regular rule.
2. Rule name: `Allow-HTTPS`.
3. Inspect: Single header `X-Forwarded-Proto`.
4. Match type: Exactly matches string `https` (Lowercase transformation).
5. Action: Allow.
6. Add a rule at a higher priority number (or set the default action) to Block everything else.

Test:

```bash
curl -I http://myapp.example.com/    # expected: blocked
curl -I https://myapp.example.com/   # expected: allowed
```

Two caveats. First, AWS WAF inspects the request as it arrives at the ALB or CloudFront, and `X-Forwarded-Proto` is a header that proxies add on the way to the backend, so at the point of inspection its value is whatever the client chose to send: `curl -I http://myapp.example.com/ -H "X-Forwarded-Proto: https"` defeats the rule. The reliable way to enforce HTTPS is outside WAF, with an ALB listener on port 80 whose only rule redirects to HTTPS (or no port-80 listener at all), or CloudFront's viewer protocol policy set to "Redirect HTTP to HTTPS". Second, Allow is a terminating action: if `Allow-HTTPS` sits above the SQLi and XSS rules, every HTTPS request skips them. If you keep a WAF rule at all, write it as a single Block rule ("doesn't match: X-Forwarded-Proto exactly https" → Block) so the default action and all other rules stay in play.
### Rule 8: Rate-Limiting the Login Endpoint

Use case: slow down credential stuffing and brute force by limiting login requests per client IP.

Steps:

1. Add rule → Rule type: Rate-based rule.
2. Rule name: `RateLimit-Login`.
3. Rate limit: 100 requests per 5-minute evaluation window.
4. Request aggregation: Source IP address.
5. Scope-down statement: URI path starts with `/login` (Lowercase), so only login traffic is counted toward the limit and only login traffic is blocked.
6. Action: Block.

Test:

```bash
for i in $(seq 1 150); do
  curl -s -o /dev/null -w "%{http_code}\n" http://myapp.example.com/login
done
```

Expect a run of 200s that turns into 403s somewhere after the 100th request, not exactly at request 101: AWS WAF re-evaluates request rates periodically, so enforcement lags the threshold by a short interval, and the block stays on until the client's rate within the window drops back under the limit. Scoping the count to `/login` rather than the whole site keeps a legitimate user browsing normally from tripping a limit this low.
### Rule 9: Block the Debug Query Parameter

Use case: block requests carrying `?debug=true`, a flag that should never be honoured in production.

Steps:

1. Add rule → Rule type: Regular rule.
2. Rule name: `Block-Debug-Param`.
3. Inspect: Single query parameter, parameter name `debug`. (Inspecting the whole query string with Contains `debug=true` also matches `nodebug=true`.)
4. Match type: Exactly matches string `true`.
5. Text transformations: URL decode, Lowercase, so `Debug=TRUE` and `debug=%74rue` are caught.
6. Action: Block.

Test:

```bash
curl -I "http://myapp.example.com/?debug=true"
```

This is a compensating control. The real fix is for the application to ignore the flag outside development, since the same switch could arrive in a POST body or a header that this rule does not inspect.
### Rule 10: Block a Custom Header (X-Block-Me)

Use case: block any request containing a specific header value.

Steps:

1. Add rule → Rule type: Regular rule.
2. Rule name: `Block-Custom-Header`.
3. Inspect: Single header, header name `X-Block-Me` (header names are matched case-insensitively).
4. Match type: Exactly matches string `yes`.
5. Action: Block.

Test:

```bash
curl -I http://myapp.example.com/ --header "X-Block-Me: yes"
```
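The same Web ACL built through the API instead of the console, as an added example (my code, not the guide's): it is the request body for boto3's `wafv2` `create_web_acl` call, covering Rules 1, 2, 3, 5 and 8 with the transformations and NOT/scope-down structure discussed above; the remaining rules follow the same pattern. The statement shapes are the real WAFv2 API ones; the IP set ARN, account ID, Region and metric names are assumptions, and the `WAF_APPLY` environment variable is a guard of my own so the script only talks to AWS when asked.

```python
"""Web ACL for the rules above as the body of boto3 wafv2.create_web_acl.
Added example; ARN, account, Region and metric names are assumed."""
import json
import os

IP_SET_ARN = ("arn:aws:wafv2:ap-south-1:123456789012:regional/ipset/"
              "blocked-ips/00000000-0000-0000-0000-000000000000")  # assumed


def _vis(metric):
    """Every rule, and the Web ACL itself, needs a VisibilityConfig."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric}


def _transforms(*types):
    """Text transformations run in Priority order before matching."""
    return [{"Priority": i, "Type": t} for i, t in enumerate(types)]


def _byte_match(field, search, constraint, *transforms):
    """String match; SearchString is a Blob, so bytes not str for boto3."""
    return {"ByteMatchStatement": {
        "SearchString": search, "FieldToMatch": field,
        "TextTransformations": _transforms(*transforms),
        "PositionalConstraint": constraint}}


def build_rules(ip_set_arn=IP_SET_ARN):
    return [
        # Rule 1: block addresses in the IP set (source IP, no forwarded-IP config).
        {"Name": "Block-Specific-IP", "Priority": 0, "Action": {"Block": {}},
         "Statement": {"IPSetReferenceStatement": {"ARN": ip_set_arn}},
         "VisibilityConfig": _vis("BlockSpecificIP")},
        # Rule 2: NOT geo-match blocks everything outside IN; default action stays Allow.
        {"Name": "Block-Non-India", "Priority": 1, "Action": {"Block": {}},
         "Statement": {"NotStatement": {"Statement": {
             "GeoMatchStatement": {"CountryCodes": ["IN"]}}}},
         "VisibilityConfig": _vis("BlockNonIndia")},
        # Rule 3: the engine's SQLi detector rather than a keyword list.
        {"Name": "Block-SQL-Injection", "Priority": 2, "Action": {"Block": {}},
         "Statement": {"SqliMatchStatement": {
             "FieldToMatch": {"QueryString": {}},
             "TextTransformations": _transforms("URL_DECODE", "LOWERCASE"),
             "SensitivityLevel": "LOW"}},
         "VisibilityConfig": _vis("BlockSQLi")},
        # Rule 5: normalise the path so /Admin and /./admin cannot slip past.
        {"Name": "Block-Admin-Path", "Priority": 3, "Action": {"Block": {}},
         "Statement": _byte_match({"UriPath": {}}, b"/admin", "STARTS_WITH",
                                  "URL_DECODE", "NORMALIZE_PATH", "LOWERCASE"),
         "VisibilityConfig": _vis("BlockAdminPath")},
        # Rule 8: per-IP rate limit, scoped down so only /login counts and is blocked.
        {"Name": "RateLimit-Login", "Priority": 4, "Action": {"Block": {}},
         "Statement": {"RateBasedStatement": {
             "Limit": 100, "AggregateKeyType": "IP",
             "ScopeDownStatement": _byte_match({"UriPath": {}}, b"/login",
                                               "STARTS_WITH", "LOWERCASE")}},
         "VisibilityConfig": _vis("RateLimitLogin")},
    ]


def _walk(stmt):
    """Yield a statement and every statement nested inside it."""
    yield stmt
    for key in ("AndStatement", "OrStatement"):
        for s in stmt.get(key, {}).get("Statements", []):
            yield from _walk(s)
    if "NotStatement" in stmt:
        yield from _walk(stmt["NotStatement"]["Statement"])
    scope = stmt.get("RateBasedStatement", {}).get("ScopeDownStatement")
    if scope:
        yield from _walk(scope)


def validate_rules(rules):
    """Pre-flight checks worth running before the API call: duplicate
    priorities, rules without an action, and string matches with no text
    transformation (bypassed by a change of case or a %-encoded byte)."""
    problems = []
    priorities = [r["Priority"] for r in rules]
    if len(priorities) != len(set(priorities)):
        problems.append("duplicate priorities")
    for r in rules:
        if not {"Allow", "Block", "Count"} & set(r.get("Action", {})):
            problems.append(f"{r['Name']}: no action")
        for s in _walk(r["Statement"]):
            bm = s.get("ByteMatchStatement")
            if bm is not None and not bm.get("TextTransformations"):
                problems.append(f"{r['Name']}: byte match without transformations")
    return problems


def build_web_acl(name="MyApp-WAF", ip_set_arn=IP_SET_ARN):
    rules = build_rules(ip_set_arn)
    problems = validate_rules(rules)
    if problems:
        raise ValueError(problems)
    return {"Name": name,
            "Scope": "REGIONAL",   # CLOUDFRONT (created in us-east-1) for a distribution
            "DefaultAction": {"Allow": {}},
            "Rules": rules,
            "VisibilityConfig": _vis(name)}


if __name__ == "__main__":
    acl = build_web_acl()
    print(json.dumps(acl, indent=2, default=lambda b: b.decode()))
    if os.environ.get("WAF_APPLY") == "1":   # assumed guard: only call AWS when asked
        import boto3
        boto3.client("wafv2", region_name="ap-south-1").create_web_acl(**acl)
```

Running it without `WAF_APPLY=1` just prints the definition, which is also the form you would keep in version control and diff in review; with it, boto3 creates the Web ACL (the IP set from Rule 1 must exist first, via `create_ip_set`, and its ARN goes into `IP_SET_ARN`). Associating the ACL with the ALB is a separate `associate_web_acl` call.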
## Verifying and Monitoring

Once your rules are in place:

1. Go to your Web ACL → Logging and metrics.
2. Enable logging to an Amazon CloudWatch Logs log group, an S3 bucket or a Kinesis Data Firehose delivery stream. The log group or bucket name must start with `aws-waf-logs-`. Each record is one JSON object per request and names the terminating rule, the action taken, and every rule that matched in Count mode.
3. Check the CloudWatch metrics, which exist per Web ACL and per rule (under the metric name you gave each rule):
   - AllowedRequests
   - BlockedRequests
   - CountedRequests
   - PassedRequests (requests that matched no rule and took the default action)
4. Use the sampled requests view on the Web ACL overview for a quick look at what each rule matches without setting up logging.

This tells you which rules fire most often and, for rules still in Count mode, what they would block if promoted. Before treating a spike in BlockedRequests as an attack, confirm which rule produced it; a freshly promoted rule that is too broad looks exactly the same on the graph.
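What reading those logs looks like in practice, as an added example (my code, not the guide's): a small summariser over AWS WAF log records, the one-JSON-object-per-line format WAF delivers to S3, CloudWatch Logs or Firehose. The six records are constructed to look like real ones, using the rule names from this guide and RFC 5737 test addresses; the Web ACL ARN and the ALB identifier are assumptions. The third record shows why Rule 6's `bot` substring belongs in Count mode first: the only request it matched came from Googlebot.

```python
"""Summarise AWS WAF log records. Added example with constructed records;
the field names are those WAF emits, the identifiers are assumed."""
import json
from collections import Counter

WEB_ACL_ID = "arn:aws:wafv2:ap-south-1:123456789012:regional/webacl/MyApp-WAF/0000"  # assumed


def _rec(n, action, rule_id, rule_type, ip, uri, ua="curl/8.4.0",
         counted=(), country="IN"):
    """Build one constructed log record with the fields WAF actually writes."""
    return {
        "timestamp": 1700000000000 + n, "formatVersion": 1, "webaclId": WEB_ACL_ID,
        "terminatingRuleId": rule_id, "terminatingRuleType": rule_type,
        "action": action, "httpSourceName": "ALB",
        "httpSourceId": "123456789012-app/myapp-alb/0123456789abcdef",  # assumed
        "ruleGroupList": [], "rateBasedRuleList": [],
        "nonTerminatingMatchingRules": [{"ruleId": r, "action": "COUNT"} for r in counted],
        "httpRequest": {
            "clientIp": ip, "country": country,
            "headers": [{"name": "Host", "value": "myapp.example.com"},
                        {"name": "User-Agent", "value": ua}],
            "uri": uri, "args": "", "httpVersion": "HTTP/1.1",
            "httpMethod": "GET", "requestId": f"req-{n}"},
    }


GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    _rec(1, "BLOCK", "Block-Specific-IP", "REGULAR", "1.2.3.4", "/"),
    _rec(2, "BLOCK", "RateLimit-Login", "RATE_BASED", "203.0.113.7", "/login"),
    _rec(3, "ALLOW", "Default_Action", "REGULAR", "198.51.100.9", "/",
         ua=GOOGLEBOT, counted=("Block-Bad-UA",), country="US"),
    _rec(4, "ALLOW", "Default_Action", "REGULAR", "198.51.100.10", "/products"),
    _rec(5, "BLOCK", "Block-Admin-Path", "REGULAR", "203.0.113.7", "/admin/login"),
    _rec(6, "BLOCK", "Block-Specific-IP", "REGULAR", "1.2.3.4", "/api"),
])


def parse_waf_log(text):
    """Yield one record per non-empty line."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def header(rec, name):
    """WAF keeps the client's header capitalisation, so compare case-insensitively."""
    for h in rec["httpRequest"]["headers"]:
        if h["name"].lower() == name.lower():
            return h["value"]
    return None


def summarize(records):
    """Counts a reviewer wants first: actions, terminating rules, blocked
    clients, and rules that only counted (what Count mode would have blocked)."""
    records = list(records)
    return {
        "by_action": Counter(r["action"] for r in records),
        "by_terminating_rule": Counter(r["terminatingRuleId"] for r in records),
        "blocked_ips": Counter(r["httpRequest"]["clientIp"]
                               for r in records if r["action"] == "BLOCK"),
        "counted_rules": Counter(m["ruleId"] for r in records
                                 for m in r["nonTerminatingMatchingRules"]
                                 if m["action"] == "COUNT"),
    }


def counted_user_agents(records, rule_id):
    """User-Agents a Count-mode rule matched: review these before switching it to Block."""
    return [header(r, "user-agent") for r in records
            if any(m["ruleId"] == rule_id for m in r["nonTerminatingMatchingRules"])]


if __name__ == "__main__":
    recs = list(parse_waf_log(SAMPLE_LOG))
    for key, counter in summarize(recs).items():
        print(key, dict(counter))
    print("Block-Bad-UA would have blocked:", counted_user_agents(recs, "Block-Bad-UA"))
```

Point `parse_waf_log` at the contents of a downloaded S3 object or a CloudWatch Logs export and the same functions work unchanged; `blocked_ips` is the list you feed back into the Rule 1 IP set, and `counted_user_agents` is the review step before promoting Rule 6.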
## Final Words

You have now built a layered, custom web defense with AWS WAF. These rules cover:

- IP abuse and unwanted source countries
- SQL injection
- Cross-site scripting
- Path-based access to admin URLs and debug parameters
- Brute force and credential stuffing against the login endpoint

Roll every new rule out in Count mode, watch its metrics and sampled requests, then switch it to Block. Combine the custom rules with AWS Managed Rules for broad, maintained signature coverage and with AWS Shield for layer 3/4 DDoS protection.