AWS Services

AWS WAF

Understand AWS WAF as a web application firewall, including web ACLs, rules, managed rule groups, rate-based rules, CAPTCHA, bot control, and exam signals.

Foundation · 6 min read · Updated 2026-06-02 · Cloud, Certification, Security, Operations
Tags: Web Application Firewall, Web ACL, Rule, Rule Group, Managed Rules, Rate-Based Rule, CAPTCHA, Bot Control

After this, you will understand

How AWS WAF's application-layer request filtering differs from network-level controls such as security groups and from DDoS mitigation.

Plain version

AWS WAF inspects HTTP and HTTPS requests to protected resources and allows, blocks, counts, challenges, or rate-limits matching traffic.

Decision pressure

Learners reach for security groups to handle SQL injection, cross-site scripting, bots, request paths, headers, or HTTP rate limiting, none of which a security group can see.

Exam-ready model

Use AWS WAF at CloudFront, ALB, API Gateway, and other supported entry points to enforce web request rules before traffic reaches the application.

Think before reading: Why is AWS WAF different from a security group?
A security group controls network traffic by protocol and port, while WAF inspects HTTP request properties such as paths, headers, query strings, and patterns.


Concepts Covered

  • AWS WAF
  • Web ACLs
  • Rules and rule groups
  • AWS Managed Rules
  • Rate-based rules
  • CAPTCHA and challenge actions
  • Bot Control
  • CloudFront, ALB, API Gateway, AppSync, Cognito, App Runner, Verified Access, and Amplify protection
  • WAF versus security groups and Shield
  • SAA-C03 exam traps

1. Plain-English Mental Model

AWS WAF is a web application firewall for HTTP and HTTPS requests.

The simple model is:

internet request -> WAF web ACL -> allow, block, count, challenge, or rate-limit -> application

WAF looks at web request properties: IP addresses, headers, query strings, URI paths, request bodies, country, regex patterns, SQL injection patterns, cross-site scripting patterns, and request rates.

It does not replace security groups. Security groups decide whether network traffic can reach a resource by IP, port, and protocol. WAF understands web requests.

It also does not replace Shield. Shield focuses on DDoS protection. WAF provides customizable Layer 7 request rules and can work with Shield Advanced.

2. Why This Service Exists

Public web applications need protection before requests hit the app.

Applications can receive malicious HTTP requests: SQL injection attempts, cross-site scripting payloads, credential stuffing, scraper bots, path probing, unexpected countries, abusive request rates, and malformed inputs. If every request reaches application code, the application has to absorb the cost and risk.

WAF exists to move common web request filtering to the edge or front door.

For SAA-C03, WAF appears in questions about blocking SQL injection, cross-site scripting, IP sets, rate-based blocking, CloudFront web protection, ALB web protection, API Gateway request filtering, managed rule groups, CAPTCHA or challenge behavior, and bot control.

The exam phrase "web application firewall" is almost always WAF.

3. The Naive Approach And Where It Breaks

The naive pattern is to let the application handle everything:

internet -> load balancer -> application code validates and blocks

This breaks because malicious traffic consumes application capacity and may exploit bugs before application code rejects it.

Another naive pattern is to use security groups for web-layer attacks. Security groups can allow port 443 from the internet, but they cannot inspect whether the request body contains SQL injection patterns.

Another mistake is deploying WAF rules directly in block mode without testing. A strict rule can block legitimate users if application behavior is not understood.

WAF is powerful, but it should be introduced with count mode, logs, sampled requests, and careful rule tuning.

4. Core Primitives

A web ACL is the main WAF policy resource. It contains rules and is associated with protected resources.

A rule defines match conditions and an action.

Actions include allow, block, count, CAPTCHA, and challenge; which of these a rule can use depends on the rule type.

A rule group is a reusable set of rules.

AWS Managed Rules are maintained rule groups for common threats and patterns.

Rate-based rules count requests over an evaluation window and take action when a limit is exceeded.

IP sets and regex pattern sets allow reusable match lists.

Web ACL capacity units, or WCUs, represent rule processing capacity.

WAF logs and metrics support tuning and investigation.
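As an added example (not from the original page), here is the kind of tuning script a team runs over WAF logs before promoting a rule from count to block: it tallies which URIs each count-mode rule matched and estimates which client IPs a rate-based rule with a given Limit would catch. The log lines are constructed to follow the web ACL log field layout; the rule names and IPs are made up.

```python
import json
from collections import Counter, defaultdict

# Constructed sample in the shape of AWS WAF web ACL log records (subset of
# the real fields). Not real traffic: client IPs are documentation ranges.
SAMPLE_LOG = """\
{"timestamp":1700000000000,"action":"ALLOW","terminatingRuleId":"Default_Action","httpRequest":{"clientIp":"203.0.113.10","uri":"/login"},"nonTerminatingMatchingRules":[{"ruleId":"custom-sqli-body","action":"COUNT"}],"ruleGroupList":[]}
{"timestamp":1700000001000,"action":"ALLOW","terminatingRuleId":"Default_Action","httpRequest":{"clientIp":"203.0.113.10","uri":"/login"},"nonTerminatingMatchingRules":[],"ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","nonTerminatingMatchingRules":[{"ruleId":"SizeRestrictions_BODY","action":"COUNT"}]}]}
{"timestamp":1700000002000,"action":"ALLOW","terminatingRuleId":"Default_Action","httpRequest":{"clientIp":"198.51.100.7","uri":"/api/search"},"nonTerminatingMatchingRules":[{"ruleId":"custom-sqli-body","action":"COUNT"}],"ruleGroupList":[]}
{"timestamp":1700000003000,"action":"ALLOW","terminatingRuleId":"Default_Action","httpRequest":{"clientIp":"198.51.100.7","uri":"/api/search"},"nonTerminatingMatchingRules":[],"ruleGroupList":[]}
{"timestamp":1700000003200,"action":"ALLOW","terminatingRuleId":"Default_Action","httpRequest":{"clientIp":"198.51.100.7","uri":"/api/search"},"nonTerminatingMatchingRules":[],"ruleGroupList":[]}
"""

def parse_log(text):
    """Parse newline-delimited JSON log records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def count_mode_hits(records):
    """Per rule that matched in COUNT mode, tally the URIs it matched: the
    'what would this rule have blocked' view. Rules inside rule groups
    (ruleGroupList) are reported as group/rule."""
    hits = defaultdict(Counter)
    for rec in records:
        uri = rec["httpRequest"]["uri"]
        matched = list(rec.get("nonTerminatingMatchingRules", []))
        for group in rec.get("ruleGroupList", []):
            for m in group.get("nonTerminatingMatchingRules", []):
                matched.append({**m, "ruleId": f'{group["ruleGroupId"]}/{m["ruleId"]}'})
        for m in matched:
            if m.get("action") == "COUNT":
                hits[m["ruleId"]][uri] += 1
    return {rule: dict(c) for rule, c in hits.items()}

def rate_exceeders(records, limit, window_ms=300_000):
    """Simplified model of a rate-based rule aggregated on client IP: an IP is
    flagged once more than `limit` requests fall inside a sliding window
    (default 5 minutes). Real WAF evaluates on its own schedule, so treat
    this as an estimate of which clients a given Limit would catch."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["httpRequest"]["clientIp"]].append(rec["timestamp"])
    flagged = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window_ms:
                start += 1
            if end - start + 1 > limit:
                flagged.add(ip)
                break
    return flagged
```

A rule that shows count-mode matches spread across legitimate paths (here, the health of `/api/search` versus `/login`) is the false-positive signal to investigate before switching it to block.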

5. Architecture Use Cases

Use WAF with CloudFront to protect globally delivered public websites.

Use WAF with an Application Load Balancer to protect regional web applications.

Use WAF with API Gateway REST APIs to protect public APIs.

Use AWS Managed Rules for common web threats:

CloudFront -> WAF web ACL -> managed rules + custom rules -> origin

Use rate-based rules to reduce abusive clients or simple request floods.

Use Bot Control when bot visibility and handling are needed.

Use count mode before blocking when rules may affect legitimate traffic.

Use Firewall Manager later when WAF policies must be deployed consistently across many accounts.
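As an added example (not the page's or AWS's own code), the following builds the rule list for the CloudFront -> web ACL -> origin pattern above in the shape the WAFv2 API expects, with every rule starting in count mode, a helper to promote individual rules to enforcement once their logs have been reviewed, and a lint for the Action/OverrideAction mix-up that rule groups cause. The IP set ARN is a labelled placeholder; the managed rule group names are real AWS catalogue names.

```python
import copy

def visibility(name):
    # Sampled requests and CloudWatch metrics are what count-mode tuning relies on.
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": name}

def managed_rule(name, priority):
    # Rule groups carry OverrideAction, not Action; Count keeps the whole
    # group observe-only until its matches have been reviewed in the logs.
    return {"Name": name, "Priority": priority,
            "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": name}},
            "OverrideAction": {"Count": {}}, "VisibilityConfig": visibility(name)}

def build_rules(ip_set_arn):
    # Initial rule list: IP blocklist, per-IP rate limit, then managed
    # groups. Everything starts in count mode for a staged rollout.
    return [
        {"Name": "blocklist", "Priority": 0,
         "Statement": {"IPSetReferenceStatement": {"ARN": ip_set_arn}},
         "Action": {"Count": {}}, "VisibilityConfig": visibility("blocklist")},
        {"Name": "rate-limit-ip", "Priority": 1,
         "Statement": {"RateBasedStatement": {"Limit": 2000, "AggregateKeyType": "IP"}},
         "Action": {"Count": {}}, "VisibilityConfig": visibility("rate-limit-ip")},
        managed_rule("AWSManagedRulesCommonRuleSet", 2),
        managed_rule("AWSManagedRulesSQLiRuleSet", 3),
    ]

def promote(rules, names):
    # Copy with the named rules switched from count to enforcement:
    # Block for plain rules, OverrideAction None for rule groups.
    out = copy.deepcopy(rules)
    for r in out:
        if r["Name"] in names:
            if "OverrideAction" in r:
                r["OverrideAction"] = {"None": {}}
            else:
                r["Action"] = {"Block": {}}
    return out

def lint(rules):
    # Shapes the WAFv2 API rejects: duplicate priorities, a rule group given
    # Action, or a plain rule given OverrideAction.
    problems, seen = [], set()
    for r in rules:
        if r["Priority"] in seen:
            problems.append(f'{r["Name"]}: duplicate priority')
        seen.add(r["Priority"])
        group = any(k in r["Statement"] for k in ("ManagedRuleGroupStatement", "RuleGroupReferenceStatement"))
        ok = (group and "OverrideAction" in r and "Action" not in r) or \
             (not group and "Action" in r and "OverrideAction" not in r)
        if not ok:
            problems.append(f'{r["Name"]}: rule groups take OverrideAction, other rules take Action')
    return problems
```

The returned list is what goes into the `Rules` field of a web ACL; a rule is promoted only after its count-mode matches in the logs and sampled requests have been checked against real traffic.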

7. Security Model

WAF security is about request inspection and rule governance.

Only trusted security or platform roles should be able to edit production web ACLs. A bad WAF rule can take an application offline.

Logs may contain request details. Treat WAF logs as security-sensitive because they can include URLs, headers, client IPs, and attack payloads.

Managed rules reduce rule-writing burden, but teams still need to understand false positives and exclusions.

CAPTCHA and challenge actions affect user experience. Test them with real traffic paths.

WAF does not make insecure application code safe. It reduces exposure and blocks known patterns, but application validation and secure coding are still required.

8. Reliability And Resilience

WAF improves resilience by reducing malicious or abusive traffic before it reaches the application.

Rate-based rules can protect origin capacity during request spikes from a small set of clients.

Managed rules can block common exploit attempts before application code handles them.

However, WAF can also create outages through false positives. Use count mode, logs, sampled requests, and staged rollout.

Associate WAF at the right layer. CloudFront-level WAF can stop requests at the edge, while ALB-level WAF protects a regional entry point.

For high-risk DDoS scenarios, combine WAF with Shield Advanced and CloudFront or Global Accelerator architecture patterns.

9. Performance And Scaling

WAF is managed, but rules have capacity and cost implications.

More rules and managed rule groups can add inspection work and WCUs.

CloudFront plus WAF can absorb and filter traffic closer to users and attackers.

Rate-based rules are useful, but they are not a full bot-management strategy for every scenario.

Tune rules based on logs and sampled requests. A web ACL that blocks too broadly can harm conversion, API clients, or internal integrations.

10. Cost Model

WAF pricing commonly includes web ACLs, rules, and request inspection volume. Managed rule groups such as Bot Control can add extra fees.

CloudFront, ALB, API Gateway, and logging costs are separate.

WAF can reduce application cost by blocking bad traffic before it consumes compute, but inspection itself has cost.

Use count mode to estimate impact before broad blocking.

Avoid attaching overly complex WAF policies everywhere without understanding traffic and cost.

12. SAA-C03 Exam Signals

"Block SQL injection or cross-site scripting" points to WAF.

"Filter HTTP requests by headers, query strings, paths, or IP sets" points to WAF.

"Rate-limit requests from clients" points to WAF rate-based rules.

"Protect CloudFront or ALB from web attacks" points to WAF.

"DDoS protection at network and transport layers" points to Shield.

"Allow port 443 from the internet" points to security groups or NACLs, not WAF.

"Centrally manage WAF rules across accounts" may point to Firewall Manager.

13. Common Exam Traps

Do not use security groups for Layer 7 attack patterns.

Do not confuse WAF with Shield Standard.

Do not expect WAF to patch application vulnerabilities.

Do not deploy block rules without testing if false positives matter.

Do not forget supported resource types.

Do not forget WAF logs and sampled requests for tuning.

Review Amazon CloudFront, ALB vs NLB vs GWLB, Amazon API Gateway, and AWS Shield.
