Skip to content

WAF & Shield


  • Web application firewall that lets you monitor the HTTP/HTTPS requests that are forwarded to CloudFront or an Application Load Balancer
  • Also lets you control access to your content


  • Allows 3 different behaviours:

    Behaviour Description
    ALLOW Allow all requests except the ones specified
    BLOCK Block all requests except the ones specified
    COUNT Count the requests that match the properties specified
  • Additional protection against web attacks by defining conditions using characteristics of web requests:

    • Source IP address
    • Source country
    • Values in request headers
    • Strings in requests / len of requests
    • Presence of malicious SQL code (SQL injection) or scripts (XSS)
  • Application load balancers (ALB) integrate with WAF at a regional level
    • Localization:
      • CloudFront is global
      • ALB WAF are regional
    • You can use AWS WAF to protect webapps not hosted in AWS via CloudFront (which supports custom origins outside of AWS)


Component Description
  • Inspect: IP addresses (+ region mapping), HTTP headers, HTTP body, URI strings
  • Match against: SQL injection, cross-site scripting, regex, strings, IP ranges, regions, sizes
  • Comprise a number of conditions in AND
  • Rule TypeDescription
    Rate Based5 minute period for given IP (e.g., to protect against DDoS or login brute forcing)
    condition is optional (no condition means COUNT all requests)
    NormalNeed a condition
    ManagedFrom Marketplace sellers
Web ACLs
  • Collection of rules ORed together
  • Actions per rule: allow, block, or count (for testing)
  • Default action if no rule matches
  • Can be associated with: CloudFront, ALB, AppSync, and API Gateway


DDoS mitigation


Type Description
  • Enabled for all AWS accounts (turned on by default)
  • No additional costs beyond what you already pay for AWS WAF
  • Integrated into existing services (not a stand-alone service)
  • Netflow monitoring & TCP/UDP protection
  • Advanced DDOS protection + DDOS response team support
  • Automated layer 7 traffic monitoring
  • Visibility and reporting
  • Extra cost ($3000/month)
  • Cost protection (reimburse related Route53, CloudFront and ELB DDOS charges)
  • CloudFront integration (can protect non-AWS origins)
  • CloudWatch metrics notifications of attacks