In just a short period within the cloud digital revolution, organizations have transitioned more web applications to AWS out of the data center than ever before.  The agility to spin up workloads instantly provides a Dev & SRE team endless opportunities to share resources & celebrate many sprint cycle wins.  This ingenuity naturally can leave applications naked to nefarious actors without predictability, exposing diligent work on the wrong side of the tracks.  Thankfully, many WAF providers, including Amazon recognized parallel speed to deploy apps should not outpace security.  Are you new to what a WAF is? Read our prior post on What is a WAF, as it focuses on the very basics, how they align with OWASP and more great points.

Luckily coverage natively in Amazon is achievable through their internal solution, protecting applications with their cloud-based Web Application Firewall.

Core components of Amazon WAF

  • Web ACLs– Create ACLs to surround & protect a set of  AWS resources.  In its simplest form, you create an ACL to build the inspection logic allowing good traffic into your resources or block said requests during this flow.
  • Rules– Each rule contains a statement defining how to inspect traffic & what to do with it.  When the traffic rules identify a match, it meets the criteria & takes action.

AWS has a calculation for rule capacity and requirement guidelines. The good news, AWS publishes its WAF Statements which guide the WAF on how the inspection should occur.  All rules include a top-level rule statement which can have additional statements as well.  Complexity & simplicity can exist within statements from blocking a source address to building nesting statements which is equally supported.

How does AWS WAF work?

AWS WAF sits between the end-user requests and your applications to mitigate threats while administering rules designed for your resources.  The first advantage against hardware-based device firewalls for anyone who is brand new to a WAF is the management.  No hardware, support maintenance or potential points of device failure absorbing all traffic in a data center are additional key attributes.

Unlike traditional Firewalls, there is no upfront racking, fees etc. users must worry about which probably seems intuitive.  Since AWS WAF is blocking bad traffic, that has a huge impact on your requests to the application itself and the flexibility to deploy cloud firewall protection.

(image from AWS)

What types of traffic does AWS WAF protect against:

AWS WAF offers many protection advantages & knowledge of security-based threats is a must.  Some, not all of the protection areas include:

  • SQL Injection attack
  • XSS (cross-site scripting)
  • Source IP
  • Country Origin – however, do not be confused here with origin traffic nested through an allowable VPN for example
  • Bots – good and bad ones depending on your uses case.


How much does AWS WAF cost?

There is a clear & transparent AWS WAF pricing model shared with customers on their console.  It is recommended users determine a few key data points first in order to size properly which will determine the price:

  1. How many Web ACLs
  2. How many Rules will be built?
  3. # of Requests against your application – sometimes unknown until deployment

Should you use Amazon’s WAF or another provider?

Great question & we are asked this often.  Why?  For many organizations, they do prefer their security agnostic to their IaaS Cloud vendor, providing flexibility between Cloud Service Providers (CSPs) in the future.

We help more organizations connect multi-cloud architectures while installing a 3rd party WAF.  This approach regardless of if it is Amazon, Azure, Oracle Cloud, GCP etc. provides organizations immense flexibility should they move between CSPs.  Key points to consider:

  1. An agnostic 3rd party WAF is a separate instance that can protect multiple clouds
  2. If an organization departs a CSP for another, it allows the WAF to remain constant. For example, an organization decides to leave AWS for Oracle Cloud.  Utilizing an agnostic WAF provider affords the customer constant protection, process and more without losing the Amazon WAF.

What is the ultimate WAF guide for customers in 2021?  It all depends on the use case so please ask and we would be happy to discuss architectural WAF options for your business.