{"id":326,"date":"2026-04-13T16:18:23","date_gmt":"2026-04-13T16:18:23","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/aws-waf-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security-identity-and-compliance\/"},"modified":"2026-04-13T16:18:23","modified_gmt":"2026-04-13T16:18:23","slug":"aws-waf-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security-identity-and-compliance","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/aws-waf-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security-identity-and-compliance\/","title":{"rendered":"AWS WAF Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Security, identity, and compliance"},"content":{"rendered":"\n

Category<\/h2>\n\n\n\n

Security, identity, and compliance<\/p>\n\n\n\n

1. Introduction<\/h2>\n\n\n\n

AWS WAF is AWS\u2019s managed web application firewall for protecting HTTP(S) applications from common web exploits and unwanted traffic. You attach AWS WAF to supported entry points\u2014such as Amazon CloudFront distributions, Application Load Balancers (ALB), and Amazon API Gateway REST APIs\u2014and then define rules that allow, block, or monitor requests.<\/p>\n\n\n\n

In simple terms: AWS WAF sits in front of your web app and filters incoming web requests based on rules you control<\/strong> (for example, \u201cblock SQL injection patterns,\u201d \u201crate-limit abusive IPs,\u201d or \u201conly allow certain countries\u201d). You can start with AWS Managed Rules and then add custom rules as you learn your application\u2019s traffic patterns.<\/p>\n\n\n\n

Technically, AWS WAF evaluates each incoming HTTP(S) request against a web ACL<\/strong> (Access Control List) containing ordered rules (custom rules and managed rule groups). Each rule can take actions such as Allow<\/strong>, Block<\/strong>, Count<\/strong>, and (for specific use cases) CAPTCHA<\/strong> or Challenge<\/strong>. AWS WAF emits Amazon CloudWatch metrics<\/strong>, supports sampled requests<\/strong> for investigation, and can send detailed WAF logs<\/strong> to Amazon Kinesis Data Firehose<\/strong> for storage and analysis.<\/p>\n\n\n\n

The main problem AWS WAF solves is reducing application-layer attack surface<\/strong> (L7) and abuse (bots, scraping, credential stuffing patterns, and request floods that are not necessarily volumetric DDoS) while giving teams operational control, visibility, and a pay-as-you-go security layer integrated with AWS services.<\/p>\n\n\n\n

\n

Service status and naming note: AWS WAF<\/strong> is the current service. AWS WAF Classic<\/strong> is the legacy version and should generally be avoided for new deployments. This tutorial focuses on the current AWS WAF (often referenced in APIs\/CLI as wafv2<\/code>). Verify any legacy references in older blogs before following them.<\/p>\n<\/blockquote>\n\n\n\n

2. What is AWS WAF?<\/h2>\n\n\n\n

Official purpose (what it is):<\/strong>\nAWS WAF is a managed web application firewall that helps protect web applications and APIs against common web exploits that can affect availability, compromise security, or consume excessive resources.<\/p>\n\n\n\n

Core capabilities:<\/strong>\n– Create and manage web ACLs<\/strong> that evaluate web requests.\n– Use AWS Managed Rules<\/strong> and third-party managed rule groups (via AWS Marketplace, where available) to detect common threats.\n– Build custom rules<\/strong> (e.g., match IPs, headers, URI paths, query strings, request body patterns).\n– Apply rate-based rules<\/strong> to limit repeated requests from the same source.\n– Improve bot defense using features like AWS WAF CAPTCHA<\/strong>, Challenge<\/strong>, and Bot Control<\/strong> (Bot Control is a paid managed rule group\u2014verify current availability and pricing in official docs).\n– Monitor via CloudWatch metrics<\/strong> and investigate via sampled requests<\/strong> and WAF logs<\/strong>.<\/p>\n\n\n\n

Major components (mental model):<\/strong>\n– Web ACL<\/strong>: A container for rules, with a default action (allow\/block).\n– Rules<\/strong>: The logic that inspects requests and decides an action.\n– Rule groups<\/strong>: Reusable collections of rules (your own or managed).\n– Managed rule groups<\/strong>: Curated rules maintained by AWS or sellers.\n– IP sets<\/strong>: Lists of IP addresses\/CIDRs to allow\/block.\n– Regex pattern sets<\/strong>: Reusable regular expressions for matching.\n– Logging configuration<\/strong>: Sends request records to Kinesis Data Firehose.<\/p>\n\n\n\n

Service type:<\/strong>\nA fully managed Layer 7 (HTTP\/S)<\/strong> firewall and traffic filtering service (not a Layer 3\/4 firewall).<\/p>\n\n\n\n

Scope (regional vs global):<\/strong>\n– AWS WAF supports different scopes depending on what you protect:\n – CloudFront<\/strong>: global edge entry point; AWS WAF uses a CloudFront scope<\/strong> web ACL (created\/managed in a specific way; commonly requires using the US East (N. Virginia)<\/strong> control plane region for CloudFront associations\u2014verify in official docs for current behavior).\n – Regional resources<\/strong>: such as ALB<\/strong> and API Gateway REST APIs<\/strong>, where the web ACL is regional<\/strong>.<\/p>\n\n\n\n

How it fits into the AWS ecosystem (Security, identity, and compliance):<\/strong>\n– Complements AWS Shield<\/strong> (DDoS protection) by focusing on application-layer filtering<\/strong> rather than volumetric network floods.\n– Works well with Amazon CloudFront<\/strong> (edge delivery), Elastic Load Balancing (ALB)<\/strong>, and Amazon API Gateway<\/strong> (API front door).\n– Central governance can be done using AWS Firewall Manager<\/strong> (especially in AWS Organizations environments) to deploy policies consistently across accounts.\n– Visibility and investigation integrate with Amazon CloudWatch<\/strong> (metrics) and Kinesis Data Firehose<\/strong> destinations (S3\/OpenSearch\/CloudWatch Logs via Firehose capabilities).<\/p>\n\n\n\n

3. Why use AWS WAF?<\/h2>\n\n\n\n

Business reasons<\/h3>\n\n\n\n
    \n
  • Reduce risk of breaches and downtime<\/strong> from common web exploits (e.g., SQL injection, XSS attempts).<\/li>\n
  • Protect revenue and brand<\/strong> by reducing abusive traffic and application unavailability due to request floods.<\/li>\n
  • Improve security posture<\/strong> without operating your own WAF appliances or patching WAF software.<\/li>\n<\/ul>\n\n\n\n

    Technical reasons<\/h3>\n\n\n\n
      \n
    • Tight integration<\/strong> with AWS entry points (CloudFront, ALB, API Gateway) where TLS is terminated and HTTP requests can be inspected.<\/li>\n
    • Managed rule groups<\/strong> help you start quickly with baseline protections.<\/li>\n
    • Granular match conditions<\/strong> (headers, cookies, query strings, URI path, request body) for custom logic.<\/li>\n
    • Rate limiting<\/strong> to protect login endpoints, search endpoints, or expensive API operations.<\/li>\n<\/ul>\n\n\n\n

      Operational reasons<\/h3>\n\n\n\n
        \n
      • CloudWatch metrics<\/strong> per rule for quick insight into what is being blocked or counted.<\/li>\n
      • Logging via Firehose<\/strong> enables investigations, dashboards, and alerting pipelines.<\/li>\n
      • Rule testing approach<\/strong> using Count<\/code> action before enforcing Block<\/code> reduces the risk of false positives.<\/li>\n<\/ul>\n\n\n\n

        Security\/compliance reasons<\/h3>\n\n\n\n
          \n
        • Helps implement layered controls aligned with common security frameworks (e.g., OWASP Top 10 categories).\n It does not<\/strong> guarantee compliance by itself\u2014compliance depends on your full system and processes.<\/li>\n<\/ul>\n\n\n\n

          Scalability\/performance reasons<\/h3>\n\n\n\n
            \n
          • Managed service that scales with request volume at supported front doors.<\/li>\n
          • Works well for high-traffic sites when paired with CloudFront caching and origin protection.<\/li>\n<\/ul>\n\n\n\n

            When teams should choose AWS WAF<\/h3>\n\n\n\n

            Choose AWS WAF when:\n– You host web applications or APIs behind CloudFront<\/strong>, ALB<\/strong>, or API Gateway<\/strong> and want managed L7 protections.\n– You need managed rules<\/strong> plus the ability to add custom application-specific filters<\/strong>.\n– You want centralized governance<\/strong> (Firewall Manager) for multi-account environments.\n– You need to mitigate abuse such as scraping, bad bots, and request floods at the app layer.<\/p>\n\n\n\n

            When teams should not choose AWS WAF<\/h3>\n\n\n\n

            AWS WAF may not be the best fit when:\n– You need Layer 3\/4 network firewalling<\/strong> (use AWS Network Firewall<\/strong>, security groups, NACLs, or third-party network firewalls).\n– Your workload is not HTTP\/S (e.g., raw TCP services).\n– You need an inline proxy with full traffic decryption outside of supported AWS front doors<\/strong>\u2014AWS WAF works where AWS terminates TLS and provides request context to WAF.\n– You require WAF protections for an on-prem endpoint without putting it behind a supported AWS service (you might front it with CloudFront\/ALB or use another approach).<\/p>\n\n\n\n

            4. Where is AWS WAF used?<\/h2>\n\n\n\n

            Industries<\/h3>\n\n\n\n
              \n
            • E-commerce and retail (protect checkout\/login, reduce scraping and carding-like patterns)<\/li>\n
            • SaaS and B2B platforms (API protection, tenant isolation patterns)<\/li>\n
            • Media and content (protect against scraping and abusive requests)<\/li>\n
            • Financial services (login protection, compliance-driven controls)<\/li>\n
            • Healthcare (web portals, API endpoints with strict access patterns)<\/li>\n
            • Education and public sector (protect public portals from common attacks)<\/li>\n<\/ul>\n\n\n\n

              Team types<\/h3>\n\n\n\n
                \n
              • Security engineering and AppSec teams defining controls and baselines<\/li>\n
              • Platform\/infra teams owning edge and ingress<\/li>\n
              • DevOps\/SRE teams operating metrics, logs, and incident response<\/li>\n
              • Developers adding application-aware allow\/deny logic (e.g., admin portal restrictions)<\/li>\n<\/ul>\n\n\n\n

                Workloads and architectures<\/h3>\n\n\n\n
                  \n
                • Static + dynamic websites behind CloudFront<\/li>\n
                • Microservices behind ALB ingress<\/li>\n
                • Public APIs exposed via API Gateway<\/li>\n
                • Multi-account organizations that need consistent WAF policies<\/li>\n<\/ul>\n\n\n\n

                  Real-world deployment contexts<\/h3>\n\n\n\n
                    \n
                  • \u201cBaseline protections\u201d using AWS Managed Rules for new apps<\/li>\n
                  • Strict allowlists for admin endpoints<\/li>\n
                  • Rate limiting for authentication endpoints<\/li>\n
                  • Geo restrictions for region-locked services (with careful consideration for VPNs and travelers)<\/li>\n<\/ul>\n\n\n\n

                    Production vs dev\/test usage<\/h3>\n\n\n\n
                      \n
                    • Dev\/test<\/strong>: run rules in Count<\/strong> mode, validate false positives, test new rule groups, and tune before enforcement.<\/li>\n
                    • Production<\/strong>: enforce Block<\/code>\/CAPTCHA<\/code>\/Challenge<\/code> where appropriate; centralize logs; alert on spikes and anomalous patterns.<\/li>\n<\/ul>\n\n\n\n

                      5. Top Use Cases and Scenarios<\/h2>\n\n\n\n

                      Below are realistic scenarios where AWS WAF is commonly used. Each use case includes the problem, why AWS WAF fits, and a short example.<\/p>\n\n\n\n

                      1) Baseline OWASP protections with managed rules<\/strong>\n– Problem:<\/strong> New applications ship quickly, often without hardened input validation everywhere.\n– Why AWS WAF fits:<\/strong> AWS Managed Rules can detect common exploit patterns (SQLi\/XSS\/etc.) with minimal setup.\n– Example:<\/strong> A team launches a new marketing site with dynamic forms behind CloudFront and enables AWS Managed Rules to reduce common injection attempts.<\/p>\n\n\n\n

                      2) Protect login endpoints from brute force and abuse (rate limiting)<\/strong>\n– Problem:<\/strong> Attackers repeatedly try credentials, increasing load and lockouts.\n– Why AWS WAF fits:<\/strong> Rate-based rules can throttle repeated requests per source IP (and other aggregation keys in supported configurations\u2014verify in official docs).\n– Example:<\/strong> \/login<\/code> requests over a threshold trigger a block for a period.<\/p>\n\n\n\n

                      3) Block known-bad IPs and allow trusted IPs<\/strong>\n– Problem:<\/strong> Persistent attacks originate from known IP ranges; admins need limited access.\n– Why AWS WAF fits:<\/strong> IP sets allow allowlist\/denylist controls and quick incident response updates.\n– Example:<\/strong> Only corporate VPN IP ranges can access \/admin<\/code>.<\/p>\n\n\n\n

                      4) Geographic restrictions (geo match)<\/strong>\n– Problem:<\/strong> A service is legally available only in certain countries.\n– Why AWS WAF fits:<\/strong> Geo match rules can block or allow based on country.\n– Example:<\/strong> Block traffic outside permitted regions, with documented exceptions for business travelers via VPN.<\/p>\n\n\n\n

                      5) Block malicious user agents and scanners<\/strong>\n– Problem:<\/strong> Automated scanners probe endpoints and waste resources.\n– Why AWS WAF fits:<\/strong> Header inspection and regex pattern sets can match suspicious User-Agent<\/code> strings.\n– Example:<\/strong> Block requests with user agents matching common scanner signatures (careful: user agents are spoofable).<\/p>\n\n\n\n

                      6) Reduce impact of scraping and content harvesting<\/strong>\n– Problem:<\/strong> Scrapers overload search\/product pages and copy content.\n– Why AWS WAF fits:<\/strong> Combine rate limits, bot control (if used), and header\/cookie patterns.\n– Example:<\/strong> High request frequency with missing session cookies triggers Challenge<\/code>.<\/p>\n\n\n\n

                      7) Protect expensive endpoints (search, reports, exports)<\/strong>\n– Problem:<\/strong> Certain endpoints are costly, and abuse spikes costs.\n– Why AWS WAF fits:<\/strong> Rate limits, size constraints, and pattern matches reduce abusive traffic.\n– Example:<\/strong> Block requests with extremely large query strings and rate-limit \/export<\/code>.<\/p>\n\n\n\n

                      8) Virtual patching for urgent vulnerabilities<\/strong>\n– Problem:<\/strong> A new web framework vulnerability emerges; patching app code takes time.\n– Why AWS WAF fits:<\/strong> Temporary rules can block exploit patterns at the edge\/ingress.\n– Example:<\/strong> Block a specific malicious URI\/query pattern associated with the CVE while application teams patch and roll out.<\/p>\n\n\n\n

                      9) API abuse control for public APIs<\/strong>\n– Problem:<\/strong> Public APIs get hammered by clients or abusive automation.\n– Why AWS WAF fits:<\/strong> Attach WAF to API Gateway REST APIs and enforce request filters and rate-based rules.\n– Example:<\/strong> Rate-limit \/v1\/search<\/code> and block malformed JSON (within WAF inspection capabilities\u2014verify exact behavior in docs).<\/p>\n\n\n\n

                      10) Tenant\/partner isolation controls at the edge<\/strong>\n– Problem:<\/strong> Partners should only access specific paths or hostnames.\n– Why AWS WAF fits:<\/strong> Match Host<\/code> header and URI path patterns to restrict access.\n– Example:<\/strong> Only requests with Host: partner.example.com<\/code> can access \/partner\/*<\/code>.<\/p>\n\n\n\n

                      11) Staged deployment of security controls using Count<\/strong>\n– Problem:<\/strong> Enabling strict WAF rules can break legitimate traffic.\n– Why AWS WAF fits:<\/strong> Use Count<\/code> for observability first, then enforce Block<\/code> after tuning.\n– Example:<\/strong> Run managed rules in Count for a week, review sampled requests\/logs, then convert high-confidence detections to Block.<\/p>\n\n\n\n

                      6. Core Features<\/h2>\n\n\n\n

                      This section focuses on current, commonly used AWS WAF capabilities. If you need a capability not listed here, verify in official docs because AWS WAF evolves frequently.<\/p>\n\n\n\n

                      Web ACLs (Access Control Lists)<\/h3>\n\n\n\n
                        \n
                      • What it does:<\/strong> Defines a set of rules and a default action to apply to web requests for a protected resource. <\/li>\n
                      • Why it matters:<\/strong> It\u2019s the unit you attach to CloudFront\/ALB\/API Gateway. <\/li>\n
                      • Practical benefit:<\/strong> Central place to manage \u201callow\/block\/count\u201d logic. <\/li>\n
                      • Caveats:<\/strong> CloudFront and regional resources use different scopes; ensure you create the correct web ACL type.<\/li>\n<\/ul>\n\n\n\n

                        Rules and rule priority (ordered evaluation)<\/h3>\n\n\n\n
                          \n
                        • What it does:<\/strong> Evaluates rules in order of priority. A terminating action (e.g., Block\/Allow\/CAPTCHA\/Challenge) stops evaluation. <\/li>\n
                        • Why it matters:<\/strong> Rule order determines outcomes when multiple rules could match. <\/li>\n
                        • Practical benefit:<\/strong> Put high-confidence allow\/deny rules early; use Count rules for investigation without disruption. <\/li>\n
                        • Caveats:<\/strong> Misordered rules can cause unexpected blocks or allow bypasses.<\/li>\n<\/ul>\n\n\n\n

                          AWS Managed Rules<\/h3>\n\n\n\n
                            \n
                          • What it does:<\/strong> Provides curated rule groups maintained by AWS for common threats. <\/li>\n
                          • Why it matters:<\/strong> Faster time-to-protection than writing everything yourself. <\/li>\n
                          • Practical benefit:<\/strong> Standard baseline protection aligned with common exploit classes. <\/li>\n
                          • Caveats:<\/strong> Managed rules can have false positives; start in Count mode and tune (e.g., rule exclusions) where supported.<\/li>\n<\/ul>\n\n\n\n

                            Custom rules (match statements)<\/h3>\n\n\n\n
                              \n
                            • What it does:<\/strong> Allows matching on parts of HTTP requests (IP, headers, URI path, query string, body, etc.). <\/li>\n
                            • Why it matters:<\/strong> You can encode application-specific policy. <\/li>\n
                            • Practical benefit:<\/strong> Protect admin paths, block known attack patterns specific to your app. <\/li>\n
                            • Caveats:<\/strong> Avoid overly broad regex; it can increase false positives and operational overhead.<\/li>\n<\/ul>\n\n\n\n

                              IP sets<\/h3>\n\n\n\n
                                \n
                              • What it does:<\/strong> Stores lists of IP addresses\/CIDRs used in rules. <\/li>\n
                              • Why it matters:<\/strong> Enables quick response to abuse and structured allowlists. <\/li>\n
                              • Practical benefit:<\/strong> Central, reusable list of trusted corporate IP ranges. <\/li>\n
                              • Caveats:<\/strong> IP-based controls are less effective against distributed attacks, NATed clients, and botnets.<\/li>\n<\/ul>\n\n\n\n

                                Regex pattern sets<\/h3>\n\n\n\n
                                  \n
                                • What it does:<\/strong> Lets you define reusable regex patterns for request matching. <\/li>\n
                                • Why it matters:<\/strong> Useful for consistent matching across multiple rules. <\/li>\n
                                • Practical benefit:<\/strong> Maintain one set for admin path patterns used by multiple web ACLs. <\/li>\n
                                • Caveats:<\/strong> Regex can be complex and error-prone; test and keep patterns maintainable.<\/li>\n<\/ul>\n\n\n\n

                                  Rate-based rules (rate limiting)<\/h3>\n\n\n\n
                                    \n
                                  • What it does:<\/strong> Detects and optionally blocks requests that exceed a defined rate threshold. <\/li>\n
                                  • Why it matters:<\/strong> Helps mitigate brute force, scraping, and abusive clients. <\/li>\n
                                  • Practical benefit:<\/strong> Reduce load on authentication and search endpoints. <\/li>\n
                                  • Caveats:<\/strong> Rate limiting by IP can impact shared NATs (e.g., corporate networks). Also, attackers can distribute traffic across many IPs.<\/li>\n<\/ul>\n\n\n\n

                                    CAPTCHA and Challenge<\/h3>\n\n\n\n
                                      \n
                                    • What it does:<\/strong> Presents CAPTCHA or a challenge to help confirm a request is from a legitimate client rather than automation (implementation details vary\u2014verify in official docs). <\/li>\n
                                    • Why it matters:<\/strong> Offers a middle ground between allow and block. <\/li>\n
                                    • Practical benefit:<\/strong> Let humans through while slowing bots. <\/li>\n
                                    • Caveats:<\/strong> Adds UX friction and may affect accessibility; carefully scope where used (e.g., suspicious traffic only).<\/li>\n<\/ul>\n\n\n\n

                                      Bot Control (managed)<\/h3>\n\n\n\n
                                        \n
                                      • What it does:<\/strong> A managed rule group aimed at detecting and managing bot traffic. <\/li>\n
                                      • Why it matters:<\/strong> Bots are a major source of application abuse. <\/li>\n
                                      • Practical benefit:<\/strong> Better bot signals than simple user-agent blocking. <\/li>\n
                                      • Caveats:<\/strong> Typically incurs additional cost and may require tuning. Verify current pricing and capabilities.<\/li>\n<\/ul>\n\n\n\n

                                        Custom responses<\/h3>\n\n\n\n
                                          \n
                                        • What it does:<\/strong> Customize the HTTP status code and response body for blocked requests (supported contexts vary; verify in official docs). <\/li>\n
                                        • Why it matters:<\/strong> Improves UX and troubleshooting for legitimate users. <\/li>\n
                                        • Practical benefit:<\/strong> Show \u201cRequest blocked\u201d with a support code or link. <\/li>\n
                                        • Caveats:<\/strong> Be careful not to leak security details.<\/li>\n<\/ul>\n\n\n\n

                                          CloudWatch metrics and sampled requests<\/h3>\n\n\n\n
                                            \n
                                          • What it does:<\/strong> Exposes per-rule metrics and sample request details for investigation. <\/li>\n
                                          • Why it matters:<\/strong> You need visibility to tune and operate WAF. <\/li>\n
                                          • Practical benefit:<\/strong> Quickly identify which rule blocks traffic and why. <\/li>\n
                                          • Caveats:<\/strong> Sampled requests are limited; for full-fidelity analysis enable WAF logging.<\/li>\n<\/ul>\n\n\n\n

                                            Logging via Kinesis Data Firehose<\/h3>\n\n\n\n
                                              \n
                                            • What it does:<\/strong> Sends detailed WAF request logs to a Firehose delivery stream for storage\/analysis. <\/li>\n
                                            • Why it matters:<\/strong> Enables forensics, dashboards, and detection engineering. <\/li>\n
                                            • Practical benefit:<\/strong> Store logs in S3 and query via Athena, or stream to analytics. <\/li>\n
                                            • Caveats:<\/strong> Additional costs for Firehose, storage, and queries; ensure data retention and access control.<\/li>\n<\/ul>\n\n\n\n

                                              Central management via AWS Firewall Manager<\/h3>\n\n\n\n
                                                \n
                                              • What it does:<\/strong> Lets you define and apply WAF policies across multiple accounts\/resources in AWS Organizations. <\/li>\n
                                              • Why it matters:<\/strong> Standardization and governance at scale. <\/li>\n
                                              • Practical benefit:<\/strong> Apply baseline managed rules across all ALBs in all accounts. <\/li>\n
                                              • Caveats:<\/strong> Requires Organizations setup; changes affect many apps\u2014use change control.<\/li>\n<\/ul>\n\n\n\n

                                                7. Architecture and How It Works<\/h2>\n\n\n\n

                                                High-level architecture<\/h3>\n\n\n\n

                                                AWS WAF works by attaching a web ACL to a supported resource. Incoming HTTP(S) requests are evaluated against the web ACL rules. Depending on the first matching terminating rule action (or the default action), requests are allowed to reach your origin or are blocked\/challenged.<\/p>\n\n\n\n

                                                Request\/data\/control flow<\/h3>\n\n\n\n
                                                  \n
                                                • Control plane (configuration):<\/strong>\n 1. You create a web ACL<\/strong> and add rules\/rule groups.\n 2. You associate<\/strong> the web ACL with CloudFront\/ALB\/API Gateway.\n 3. Optionally configure logging<\/strong> to a Kinesis Data Firehose<\/strong> stream.<\/li>\n
                                                • Data plane (traffic):<\/strong>\n 1. Client sends HTTP(S) request to CloudFront\/ALB\/API Gateway.\n 2. AWS WAF evaluates the request against rules (in priority order).\n 3. If allowed, request proceeds to the origin (ALB target\/ECS\/EKS\/EC2\/Lambda\/API backend).\n 4. Metrics are emitted to CloudWatch; sampled requests and\/or logs are recorded.<\/li>\n<\/ul>\n\n\n\n

                                                  Integrations with related services<\/h3>\n\n\n\n

                                                  Common integrations include:\n– Amazon CloudFront<\/strong>: Edge distribution + WAF web ACL for global web properties.\n– Elastic Load Balancing (Application Load Balancer)<\/strong>: Regional ingress for apps in VPC.\n– Amazon API Gateway (REST APIs)<\/strong>: Protect public API endpoints (verify exact API types supported in your region).\n– Amazon CloudWatch<\/strong>: Metrics and alarms.\n– Amazon Kinesis Data Firehose<\/strong>: WAF logging delivery to destinations like S3\/OpenSearch (destination support depends on Firehose features in your region).\n– AWS Firewall Manager<\/strong>: Central policy management across accounts.\n– AWS Shield<\/strong>: Complementary DDoS protection (Shield Standard is enabled by default on some AWS services; Shield Advanced is optional and paid).<\/p>\n\n\n\n

                                                  Dependency services<\/h3>\n\n\n\n
                                                    \n
                                                  • For CloudFront protection, you\u2019ll have a CloudFront distribution<\/strong>.<\/li>\n
                                                  • For ALB protection, an ALB<\/strong> in a VPC and targets.<\/li>\n
                                                  • For logging, Kinesis Data Firehose<\/strong> and a destination like S3<\/strong>.<\/li>\n<\/ul>\n\n\n\n

                                                    Security\/authentication model<\/h3>\n\n\n\n
                                                      \n
                                                    • AWS WAF uses AWS IAM<\/strong> for management actions (create\/update web ACLs, rule groups, logging config).<\/li>\n
                                                    • Use least privilege and separate roles for:<\/li>\n
                                                    • WAF administrators (policy management)<\/li>\n
                                                    • Security operations (read-only + log access)<\/li>\n
                                                    • CI\/CD automation (scoped update permissions)<\/li>\n<\/ul>\n\n\n\n

                                                      Networking model<\/h3>\n\n\n\n
                                                        \n
                                                      • AWS WAF is not deployed into your VPC as a traditional appliance.<\/li>\n
                                                      • It evaluates requests at the supported service boundary (CloudFront edge locations or regional front doors like ALB\/API Gateway).<\/li>\n
                                                      • TLS is typically terminated at CloudFront\/ALB\/API Gateway; WAF inspects the HTTP request after termination in that flow.<\/li>\n<\/ul>\n\n\n\n

                                                        Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n
                                                          \n
                                                        • Use CloudWatch metrics<\/strong> for:<\/li>\n
                                                        • Allowed vs blocked requests<\/li>\n
                                                        • Rule match counts<\/li>\n
                                                        • Sudden spikes (possible attacks)<\/li>\n
                                                        • Use WAF logs<\/strong> for:<\/li>\n
                                                        • Root cause analysis<\/li>\n
                                                        • False positive tuning<\/li>\n
                                                        • Security analytics and threat hunting<\/li>\n
                                                        • Use tagging<\/strong> for web ACLs, IP sets, and Firehose\/S3 resources to track cost and ownership.<\/li>\n
                                                        • In multi-account setups, consider Firewall Manager<\/strong> and centralized logging to a security account.<\/li>\n<\/ul>\n\n\n\n

                                                          Simple architecture diagram (Mermaid)<\/h3>\n\n\n\n
                                                          flowchart LR\n  U[Users \/ Clients] --> CF[Amazon CloudFront]\n  CF --> WAF[AWS WAF Web ACL]\n  WAF --> ORIGIN[Origin: ALB or S3 or API]\n  WAF --> CW[Amazon CloudWatch Metrics]\n  WAF --> FH[Kinesis Data Firehose (optional logs)]\n  FH --> S3[Amazon S3 (log storage)]\n<\/code><\/pre>\n\n\n\n
                                                          Production-style architecture diagram (Mermaid)<\/h3>\n\n\n\n
                                                          flowchart TB\n  subgraph Internet\n    U[Users]\n    B[Bad Bots \/ Attackers]\n  end\n\n  U --> CF[CloudFront Distribution]\n  B --> CF\n\n  CF --> WAF[AWS WAF (CloudFront scope Web ACL)]\n  WAF -->|Allow| ALB[Application Load Balancer]\n  WAF -->|Block\/CAPTCHA\/Challenge| RESP[WAF Response]\n\n  ALB --> EKS[EKS\/ECS\/EC2 App Tier]\n  EKS --> DB[(Database)]\n  EKS --> CACHE[(Cache)]\n\n  WAF --> CW[CloudWatch Metrics + Alarms]\n  WAF --> FH[Kinesis Data Firehose (WAF Logs)]\n  FH --> S3[Central S3 Bucket (Security Account)]\n  S3 --> ATH[Athena Queries]\n  S3 --> SIEM[SIEM \/ Analytics (optional)]\n\n  subgraph Governance\n    FMS[AWS Firewall Manager (optional)]\n    ORG[AWS Organizations]\n  end\n\n  ORG --> FMS\n  FMS --> WAF\n<\/code><\/pre>\n\n\n\n
                                                          8. Prerequisites<\/h2>\n\n\n\n
                                                          Before starting the lab, ensure you have:<\/p>\n\n\n\n
                                                          Account and billing<\/h3>\n\n\n\n
                                                            \n
                                                          • An AWS account<\/strong> with billing enabled.<\/li>\n
                                                          • Awareness that CloudFront, AWS WAF, Firehose, and S3 may incur charges (even at low usage).<\/li>\n<\/ul>\n\n\n\n
                                                            Permissions \/ IAM<\/h3>\n\n\n\n
                                                            For a beginner lab, the simplest path is using an administrator-like role. For a least-privilege approach, you typically need permissions for:\n– wafv2:*<\/code> (or scoped create\/update for web ACLs, rule groups, IP sets, logging)\n– cloudfront:*<\/code> (create\/update distribution, associate WAF)\n– s3:*<\/code> (create bucket, store logs)\n– firehose:*<\/code> (create delivery stream)\n– iam:CreateRole<\/code>, iam:PassRole<\/code> (for Firehose to write to S3)<\/p>\n\n\n\n
                                                            In production, split duties:\n– Security team manages WAF policies.\n– Platform team manages CloudFront\/ALB\/API Gateway attachments.\n– Observability team manages log pipelines.<\/p>\n\n\n\n
                                                            Tools<\/h3>\n\n\n\n
                                                              \n
                                                            • AWS Management Console access<\/li>\n
                                                            • Optional: AWS CLI v2<\/strong> installed and configured:<\/li>\n
                                                            • https:\/\/docs.aws.amazon.com\/cli\/latest\/userguide\/getting-started-install.html<\/li>\n<\/ul>\n\n\n\n
                                                              Region availability<\/h3>\n\n\n\n
                                                                \n
                                                              • AWS WAF is available in many regions, but scope matters<\/strong>:<\/li>\n
                                                              • CloudFront scope<\/strong> web ACLs have specific association behavior (commonly controlled in us-east-1<\/strong>). Verify current requirement in official docs.<\/li>\n
                                                              • Regional web ACLs are created in the same region as your ALB\/API.<\/li>\n<\/ul>\n\n\n\n
                                                                Quotas \/ limits<\/h3>\n\n\n\n
                                                                  \n
                                                                • AWS WAF has quotas on web ACLs, rules, rule groups, IP set sizes, etc.<\/li>\n
                                                                • Check Service Quotas<\/strong>:<\/li>\n
                                                                • AWS Console \u2192 Service Quotas \u2192 AWS WAF\n  Quotas change over time; don\u2019t rely on old blog numbers.<\/li>\n<\/ul>\n\n\n\n
                                                                  Prerequisite services for this lab<\/h3>\n\n\n\n
                                                                    \n
                                                                  • Amazon S3 (for a simple origin and for logs)<\/li>\n
                                                                  • Amazon CloudFront (as the protected front door)<\/li>\n
                                                                  • Kinesis Data Firehose (for WAF logs)<\/li>\n<\/ul>\n\n\n\n
                                                                    9. Pricing \/ Cost<\/h2>\n\n\n\n
                                                                    AWS WAF pricing is usage-based<\/strong>. Exact amounts vary by region and can change, so always verify on the official pricing page.<\/p>\n\n\n\n
                                                                    Official pricing references<\/h3>\n\n\n\n
                                                                      \n
                                                                    • AWS WAF pricing: https:\/\/aws.amazon.com\/waf\/pricing\/  <\/li>\n
                                                                    • AWS Pricing Calculator: https:\/\/calculator.aws\/#\/<\/li>\n<\/ul>\n\n\n\n
                                                                      Pricing dimensions (typical model)<\/h3>\n\n\n\n
                                                                      AWS WAF commonly charges based on:\n– Number of web ACLs<\/strong> you create\/use\n– Number of rules<\/strong> (and\/or rule groups) in the web ACL\n– Number of web requests<\/strong> processed by the web ACL\n– Managed rule groups<\/strong>: some are included in the base model; others (e.g., advanced bot protections or marketplace rule groups) may have additional fees<\/strong>. Verify current pricing and which managed groups incur extra charges.<\/p>\n\n\n\n
                                                                      Free tier<\/h3>\n\n\n\n
                                                                      AWS WAF generally does not<\/strong> have a broad \u201calways-free\u201d tier comparable to some other AWS services. Some accounts may have promotional credits, but do not assume WAF is free. Verify in the pricing page and your account\u2019s free tier dashboard.<\/p>\n\n\n\n
                                                                      Cost drivers<\/h3>\n\n\n\n
                                                                      Direct cost drivers:\n– High request volume at CloudFront\/ALB\/API Gateway\n– Large number of enabled rules and managed rule groups\n– Paid managed rule groups (e.g., bot-related add-ons)<\/p>\n\n\n\n
                                                                      Indirect\/hidden cost drivers:\n– Kinesis Data Firehose<\/strong> costs for log ingestion and delivery\n– S3<\/strong> storage for logs and lifecycle retention\n– Athena<\/strong> query costs if you analyze logs frequently\n– CloudWatch<\/strong> costs if you export logs to CloudWatch Logs or create many alarms\/dashboards\n– CloudFront and origin costs (data transfer and requests)<\/p>\n\n\n\n
                                                                      Network\/data transfer implications<\/h3>\n\n\n\n
                                                                        \n
                                                                      • AWS WAF itself is applied at the front door; it doesn\u2019t add separate data transfer line items the way a proxy might.<\/li>\n
                                                                      • CloudFront<\/strong> and your origin services still incur their usual request\/data transfer costs.<\/li>\n
                                                                      • WAF logs delivered to S3 will increase storage and query traffic.<\/li>\n<\/ul>\n\n\n\n
                                                                        How to optimize cost<\/h3>\n\n\n\n
                                                                          \n
                                                                        • Start with a small number of high-value rules<\/strong> (managed baseline + one or two custom rules).<\/li>\n
                                                                        • Use Count mode<\/strong> strategically, but avoid leaving noisy Count rules indefinitely in production if they encourage unnecessary rule evaluations.<\/li>\n
                                                                        • Reduce log volume:<\/li>\n
                                                                        • Log only what you need (AWS WAF logging is typically \u201call requests evaluated by WAF\u201d; if you need sampling or filtering, do it downstream).<\/li>\n
                                                                        • Apply S3 lifecycle policies to move logs to cheaper storage or expire.<\/li>\n
                                                                        • Use CloudFront caching and origin protection to reduce expensive origin hits (separate from WAF cost, but improves overall cost posture).<\/li>\n<\/ul>\n\n\n\n
                                                                          Example low-cost starter estimate (conceptual)<\/h3>\n\n\n\n
                                                                          A small demo setup might include:\n– 1 CloudFront distribution with 1 web ACL\n– A small number of rules (e.g., one managed rule group + one custom rule + one rate-based rule)\n– Low traffic volume (developer testing)\n– Optional logging to S3 via Firehose for a limited period<\/p>\n\n\n\n
                                                                          To estimate:\n1. Use the AWS Pricing Calculator.\n2. Add AWS WAF usage: web ACL count, rule count, and request volume.\n3. Add CloudFront request\/data transfer, S3 storage, Firehose ingestion.<\/p>\n\n\n\n
                                                                          Because prices vary and change, do not copy numbers from blogs<\/strong>\u2014use the calculator for your region and expected volume.<\/p>\n\n\n\n
                                                                          Example production cost considerations<\/h3>\n\n\n\n
                                                                          In production, costs are typically driven by:\n– Large request volumes (especially on busy consumer sites)\n– Multiple web ACLs across environments\/accounts\n– Several managed rule groups (some may be paid add-ons)\n– Centralized logging at scale (Firehose + S3 + analytics)<\/p>\n\n\n\n
                                                                          A practical approach is to:\n– Baseline costs with WAF metrics and request volume.\n– Run a proof-of-value with logs for a few weeks.\n– Right-size rules and retention once you know typical attack patterns.<\/p>\n\n\n\n
                                                                          10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n
                                                                          This lab builds a real, small setup: CloudFront + S3 origin protected by AWS WAF<\/strong>, including one custom block rule, one rate-based rule, and optional logging to S3 via Firehose.<\/p>\n\n\n\n
                                                                          Objective<\/h3>\n\n\n\n
                                                                            \n
                                                                          • Create an AWS WAF web ACL (CloudFront scope)<\/strong>.<\/li>\n
                                                                          • Add:<\/li>\n
                                                                          • A custom rule<\/strong> that blocks a known test query string (bad=1<\/code>)<\/li>\n
                                                                          • A rate-based rule<\/strong> to mitigate bursts from a single IP<\/li>\n
                                                                          • (Optional but recommended) an AWS Managed Rule group<\/strong> in Count<\/code> mode for safe evaluation<\/li>\n
                                                                          • Associate the web ACL with a CloudFront distribution<\/strong> that serves content from S3<\/strong>.<\/li>\n
                                                                          • Validate that:<\/li>\n
                                                                          • Normal requests succeed<\/li>\n
                                                                          • Requests matching the rule are blocked<\/li>\n
                                                                          • Metrics\/logs show the activity<\/li>\n
                                                                          • Clean up all resources.<\/li>\n<\/ul>\n\n\n\n
                                                                            Lab Overview<\/h3>\n\n\n\n
                                                                            You will create:\n– 1 S3 bucket with a simple index.html<\/code>\n– 1 CloudFront distribution with the S3 bucket as origin\n– 1 AWS WAF web ACL (CloudFront scope) attached to the distribution\n– (Optional) 1 Kinesis Data Firehose stream + S3 bucket\/prefix for WAF logs<\/p>\n\n\n\n
                                                                            Estimated time: 45\u201390 minutes (CloudFront propagation and deletion can add time).\nCost: low for brief testing, but not free<\/strong>\u2014AWS WAF and CloudFront may incur charges.<\/p>\n\n\n\n
                                                                            \n\n\n\n
                                                                            Step 1: Create an S3 bucket with a simple page (origin)<\/h3>\n\n\n\n
                                                                            Goal:<\/strong> Create a stable origin for CloudFront.<\/p>\n\n\n\n
                                                                              \n
                                                                            1. Open the Amazon S3<\/strong> console.<\/li>\n
                                                                            2. Create a bucket (globally unique name), for example:\n   – my-waf-lab-origin-<random-suffix><\/code><\/li>\n
                                                                            3. Keep Block Public Access<\/strong> enabled (recommended).<\/li>\n
                                                                            4. Upload a simple index.html<\/code> file.<\/li>\n<\/ol>\n\n\n\n
                                                                              Example index.html<\/code>:<\/p>\n\n\n\n
                                                                              <!doctype html>\n<html>\n  <head><title>AWS WAF Lab<\/title><\/head>\n  <body>\n    <h1>AWS WAF Lab OK<\/h1>\n    <p>If you can see this, CloudFront is working.<\/p>\n  <\/body>\n<\/html>\n<\/code><\/pre>\n\n\n\n
                                                                              Expected outcome:<\/strong> Bucket exists with index.html<\/code> uploaded.<\/p>\n\n\n\n
                                                                              Verification:<\/strong>\n– In S3 console, confirm the object is present.<\/p>\n\n\n\n
                                                                              \n\n\n\n
                                                                              Step 2: Create a CloudFront distribution pointing to S3<\/h3>\n\n\n\n
                                                                              Goal:<\/strong> Create the HTTP(S) front door that AWS WAF will protect.<\/p>\n\n\n\n
                                                                                \n
                                                                              1. Open the Amazon CloudFront<\/strong> console \u2192 Create distribution<\/strong>.<\/li>\n
                                                                              2. Origin domain<\/strong>: select your S3 bucket (the REST endpoint origin, not \u201cS3 website hosting\u201d unless you intentionally need it).<\/li>\n
                                                                              3. Origin access<\/strong>:\n   – Use Origin Access Control (OAC)<\/strong> if the console offers it (recommended).\n   – If you choose OAC, allow CloudFront to access the bucket by applying the generated bucket policy.<\/li>\n
                                                                              4. Default root object<\/strong>: set to index.html<\/code>.<\/li>\n
                                                                              5. Leave other settings at defaults unless you have requirements.<\/li>\n<\/ol>\n\n\n\n
                                                                                Expected outcome:<\/strong> CloudFront distribution is created and begins deploying.<\/p>\n\n\n\n
                                                                                Verification:<\/strong>\n– Wait until the distribution status is Deployed<\/strong>.\n– Copy the distribution domain name (e.g., d123abcd.cloudfront.net<\/code>).\n– Test:<\/p>\n\n\n\n
                                                                                curl -I https:\/\/d123abcd.cloudfront.net\/\n<\/code><\/pre>\n\n\n\n
                                                                                You should see HTTP\/2 200<\/code> (or HTTP\/1.1 200<\/code> depending on curl\/TLS) after it is fully deployed.<\/p>\n\n\n\n
                                                                                \n\n\n\n
                                                                                Step 3: Create an AWS WAF web ACL (CloudFront scope)<\/h3>\n\n\n\n
                                                                                Goal:<\/strong> Define the firewall policy.<\/p>\n\n\n\n
                                                                                  \n
                                                                                1. Open the AWS WAF<\/strong> console.<\/li>\n
                                                                                2. Choose Web ACLs<\/strong> \u2192 Create web ACL<\/strong>.<\/li>\n
                                                                                3. Name<\/strong>: waf-lab-cloudfront-acl<\/code><\/li>\n
                                                                                4. Resource type<\/strong>: choose CloudFront distributions<\/strong> (CloudFront scope).\n   – Important: CloudFront-scope WAF configuration may require using a specific region for management (commonly N. Virginia \/ us-east-1<\/strong>). If the console prompts you, follow it. If unsure, verify in official docs<\/strong>.<\/li>\n
                                                                                5. Default action<\/strong>: Allow<\/strong> (we\u2019ll explicitly block only what we want).<\/li>\n<\/ol>\n\n\n\n
                                                                                  Expected outcome:<\/strong> A web ACL exists with default allow.<\/p>\n\n\n\n
                                                                                  \n\n\n\n
                                                                                  Step 4: Add a custom rule to block a test query string<\/h3>\n\n\n\n
                                                                                  Goal:<\/strong> Add a deterministic, easy-to-test rule.<\/p>\n\n\n\n
                                                                                    \n
                                                                                  1. In your web ACL, add a rule named: BlockBadQueryString<\/code><\/li>\n
                                                                                  2. Rule type: Rule builder<\/strong><\/li>\n
                                                                                  3. Statement:\n   – Match request Query string<\/strong> (or a specific query argument if you prefer)\n   – Condition: contains bad=1<\/code>\n   (Exact UI options differ; choose the closest match like \u201cQuery string contains\u201d.)<\/li>\n
                                                                                  4. Action: Block<\/strong><\/li>\n
                                                                                  5. (Optional) Configure a custom response<\/strong>:\n   – Response code: 403<\/code>\n   – Response body: \"Blocked by AWS WAF lab rule: bad query string\"<\/code>\n   – Add Content-Type: text\/plain<\/code><\/li>\n<\/ol>\n\n\n\n
                                                                                    Expected outcome:<\/strong> Requests containing bad=1<\/code> in the query string will be blocked.<\/p>\n\n\n\n
                                                                                    Verification (later):<\/strong> You\u2019ll test with curl after association.<\/p>\n\n\n\n
                                                                                    \n\n\n\n
                                                                                    Step 5: Add a rate-based rule to mitigate bursts<\/h3>\n\n\n\n
                                                                                    Goal:<\/strong> Demonstrate a practical abuse control.<\/p>\n\n\n\n
                                                                                      \n
                                                                                    1. Add a rule named: RateLimitPerIP<\/code><\/li>\n
                                                                                    2. Rule type: Rate-based rule<\/strong><\/li>\n
                                                                                    3. Rate limit:\n   – Choose a small number suitable for a lab (for example, tens or low hundreds within the rule\u2019s evaluation window).\n   – Do not set it too low<\/strong> or you may block yourself while testing.<\/li>\n
                                                                                    4. Scope-down statement (optional but recommended):\n   – Apply only to a path like \/<\/code> for the lab, or to \/login<\/code> in a real app.<\/li>\n
                                                                                    5. Action: Block<\/strong> (or Count<\/code> first, if you want to test non-disruptively)<\/li>\n<\/ol>\n\n\n\n
                                                                                      Expected outcome:<\/strong> Bursty traffic from a single IP gets blocked once threshold is exceeded.<\/p>\n\n\n\n
                                                                                      Verification (later):<\/strong> You\u2019ll generate repeated requests and observe blocks\/metrics.<\/p>\n\n\n\n
                                                                                      \n\n\n\n
                                                                                      Step 6 (Optional): Add an AWS Managed Rule group in Count mode<\/h3>\n\n\n\n
                                                                                      Goal:<\/strong> Show safe evaluation and observability.<\/p>\n\n\n\n
                                                                                        \n
                                                                                      1. Add a rule: AWSManagedCommonRuleSetCount<\/code><\/li>\n
                                                                                      2. Select Add managed rule groups<\/strong> \u2192 choose an AWS Managed Rule group such as Core rule set \/ Common protections<\/strong> (names vary slightly in the console).<\/li>\n
                                                                                      3. Override action: Count<\/strong> (so it won\u2019t block; it will just record matches)<\/li>\n
                                                                                      4. Enable visibility (metrics) for this rule.<\/li>\n<\/ol>\n\n\n\n
                                                                                        Expected outcome:<\/strong> You\u2019ll see matches in metrics without blocking legitimate traffic.<\/p>\n\n\n\n
                                                                                        Why Count helps:<\/strong> You can observe how often your real traffic triggers managed rules before turning on blocking.<\/p>\n\n\n\n
                                                                                        \n\n\n\n
                                                                                        Step 7: Associate the web ACL with your CloudFront distribution<\/h3>\n\n\n\n
                                                                                        Goal:<\/strong> Put AWS WAF in the request path.<\/p>\n\n\n\n
                                                                                          \n
                                                                                        1. In the AWS WAF web ACL, go to Associations<\/strong> (or during creation, choose the resource).<\/li>\n
                                                                                        2. Select your CloudFront distribution and associate.<\/li>\n<\/ol>\n\n\n\n
                                                                                          Expected outcome:<\/strong> The web ACL is associated with CloudFront.<\/p>\n\n\n\n
                                                                                          Verification:<\/strong>\n– In WAF console, confirm the associated resource shows the CloudFront distribution.\n– Note: It may take several minutes for propagation.<\/p>\n\n\n\n
                                                                                          \n\n\n\n
                                                                                          Step 8 (Recommended): Enable AWS WAF logging to S3 via Kinesis Data Firehose<\/h3>\n\n\n\n
                                                                                          Goal:<\/strong> Capture detailed request records for investigation.<\/p>\n\n\n\n
                                                                                          High-level flow: AWS WAF \u2192 Kinesis Data Firehose \u2192 S3<\/p>\n\n\n\n
                                                                                            \n
                                                                                          1. Create an S3 bucket for logs, e.g.:\n   – my-waf-lab-logs-<random-suffix><\/code><\/li>\n
                                                                                          2. Open Kinesis Data Firehose<\/strong> console \u2192 create a delivery stream:\n   – Source: Direct PUT<\/strong> (WAF will deliver to Firehose)\n   – Destination: Amazon S3<\/strong>\n   – Choose your log bucket and a prefix like waf-logs\/<\/code>\n   – Configure buffering defaults (fine for lab)\n   – Create or select an IAM role that allows Firehose to write to the bucket<\/li>\n
                                                                                          3. Back in AWS WAF<\/strong> console:\n   – Web ACL \u2192 Logging and metrics<\/strong>\n   – Enable logging\n   – Select your Firehose delivery stream<\/li>\n<\/ol>\n\n\n\n
                                                                                            Expected outcome:<\/strong> WAF logs begin landing in S3 (often within minutes after traffic occurs).<\/p>\n\n\n\n
                                                                                            Verification:<\/strong>\n– Browse the S3 log bucket prefix and confirm objects are being written after you generate traffic.\n– If you don\u2019t see logs, check IAM role permissions and Firehose delivery errors.<\/p>\n\n\n\n
                                                                                            \n\n\n\n
                                                                                            Step 9: Generate test traffic and confirm blocking works<\/h3>\n\n\n\n
                                                                                            Goal:<\/strong> Confirm the rules work as intended.<\/p>\n\n\n\n
                                                                                            Replace DISTRIBUTION_DOMAIN<\/code> with your CloudFront domain name.<\/p>\n\n\n\n
                                                                                            Test A: Normal request (should be allowed)<\/h4>\n\n\n\n
                                                                                            curl -i https:\/\/DISTRIBUTION_DOMAIN\/\n<\/code><\/pre>\n\n\n\n
                                                                                            Expected outcome:<\/strong> 200 OK<\/code> and the HTML content.<\/p>\n\n\n\n
                                                                                            Test B: Trigger the custom query-string block (should be blocked)<\/h4>\n\n\n\n
                                                                                            curl -i \"https:\/\/DISTRIBUTION_DOMAIN\/?bad=1\"\n<\/code><\/pre>\n\n\n\n
                                                                                            Expected outcome:<\/strong> 403 Forbidden<\/code> (or your configured custom response code\/body).<\/p>\n\n\n\n
                                                                                            Test C: Trigger the rate-based rule (may block after threshold)<\/h4>\n\n\n\n
                                                                                            Run a burst of requests (adjust counts so you don\u2019t accidentally lock yourself out too long):<\/p>\n\n\n\n
                                                                                            for i in $(seq 1 200); do\n  curl -s -o \/dev\/null -w \"%{http_code}\\n\" \"https:\/\/DISTRIBUTION_DOMAIN\/?test=$i\"\ndone\n<\/code><\/pre>\n\n\n\n
                                                                                            Expected outcome:<\/strong> Initially 200<\/code>, then some 403<\/code> once the threshold is exceeded (if your rate limit is low enough and propagation is complete).<\/p>\n\n\n\n
                                                                                            \n\n\n\n
                                                                                            Validation<\/h3>\n\n\n\n
                                                                                            Use multiple validation methods:<\/p>\n\n\n\n
                                                                                              \n
                                                                                            1. \n
                                                                                              Browser validation<\/strong>\n– Open https:\/\/DISTRIBUTION_DOMAIN\/<\/code> and confirm the page loads.\n– Open https:\/\/DISTRIBUTION_DOMAIN\/?bad=1<\/code> and confirm it is blocked.<\/p>\n<\/li>\n
                                                                                            2. \n
                                                                                              AWS WAF CloudWatch metrics<\/strong>\n– In the WAF web ACL view, check Metrics<\/strong>:\n  – Look for increases in BlockedRequests<\/code> for BlockBadQueryString<\/code>.\n  – Look for CountedRequests<\/code> for the managed rule group (if you enabled Count).<\/p>\n<\/li>\n
                                                                                            3. \n
                                                                                              Sampled requests<\/strong>\n– In the rule view, check Sampled requests<\/strong> (if available) to see example matching requests.<\/p>\n<\/li>\n
                                                                                            4. \n
                                                                                              Logs in S3 (if enabled)<\/strong>\n– Confirm log objects exist in s3:\/\/my-waf-lab-logs-...\/waf-logs\/<\/code>\n– Download one log file and inspect fields such as action, terminating rule, URI, query args, and client IP.<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                              \n\n\n\n
                                                                                              Troubleshooting<\/h3>\n\n\n\n
                                                                                              Common issues and practical fixes:<\/p>\n\n\n\n
                                                                                              1) CloudFront association doesn\u2019t appear \/ wrong region<\/strong>\n– Symptom: You can\u2019t find your web ACL for CloudFront or association fails.\n– Fix: CloudFront-scope web ACLs have special handling. Ensure you\u2019re in the correct console region\/view as required. Verify in AWS WAF docs<\/strong> for CloudFront scope behavior.<\/p>\n\n\n\n
                                                                                              2) You\u2019re not getting blocked even with ?bad=1<\/code><\/strong>\n– Check:\n  – Is the web ACL definitely associated with the distribution?\n  – Has CloudFront finished propagating changes? (Wait several minutes.)\n  – Is the rule priority correct (is there an Allow rule earlier that terminates evaluation)?\n  – Are you matching the correct request component (query string vs specific query parameter)?\n– Fix: Move the block rule to a higher priority (earlier) and re-test.<\/p>\n\n\n\n
                                                                                              3) Rate-based rule never triggers<\/strong>\n– Check:\n  – Is your threshold too high for your test volume?\n  – Did you scope-down to a path that your requests don\u2019t hit?\n– Fix: Lower the threshold for the lab or remove scope-down temporarily.<\/p>\n\n\n\n
                                                                                              4) Firehose logging not delivering<\/strong>\n– Symptom: No logs appear in S3.\n– Check:\n  – Firehose delivery stream status and error logs in the Firehose console.\n  – IAM role permissions for Firehose to write to S3 (s3:PutObject<\/code>, KMS permissions if bucket uses SSE-KMS).\n– Fix: Update the role policy, ensure bucket policy allows the role, and retry.<\/p>\n\n\n\n
                                                                                              5) AccessDenied errors during setup<\/strong>\n– Symptom: Console shows permission errors.\n– Fix: Use a role with sufficient permissions for the lab, or explicitly grant WAF\/CloudFront\/S3\/Firehose\/IAM permissions needed.<\/p>\n\n\n\n
                                                                                              \n\n\n\n
                                                                                              Cleanup<\/h3>\n\n\n\n
                                                                                              To avoid ongoing costs, delete resources in a safe order:<\/p>\n\n\n\n
                                                                                                \n
                                                                                              1. \n
                                                                                                Disassociate AWS WAF from CloudFront<\/strong>\n   – CloudFront distribution \u2192 Security\/WAF settings \u2192 remove web ACL association (exact UI varies).<\/p>\n<\/li>\n
                                                                                              2. \n
                                                                                                Delete WAF logging configuration<\/strong>\n   – AWS WAF web ACL \u2192 Logging and metrics \u2192 disable logging.<\/p>\n<\/li>\n
                                                                                              3. \n
                                                                                                Delete AWS WAF resources<\/strong>\n   – Delete the web ACL (and any IP sets\/regex sets you created).<\/p>\n<\/li>\n
                                                                                              4. \n
                                                                                                Delete Firehose delivery stream<\/strong>\n   – Kinesis Data Firehose \u2192 delete the stream.<\/p>\n<\/li>\n
                                                                                              5. \n
                                                                                                Delete S3 log bucket<\/strong>\n   – Empty bucket first, then delete.<\/p>\n<\/li>\n
                                                                                              6. \n
                                                                                                Delete CloudFront distribution<\/strong>\n   – Disable distribution first, wait for status to deploy, then delete.\n   – This can take time.<\/p>\n<\/li>\n
                                                                                              7. \n
                                                                                                Delete S3 origin bucket<\/strong>\n   – Empty and delete the bucket.<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                Expected outcome:<\/strong> No WAF, CloudFront, Firehose, or S3 buckets remain from the lab.<\/p>\n\n\n\n
                                                                                                11. Best Practices<\/h2>\n\n\n\n
                                                                                                Architecture best practices<\/h3>\n\n\n\n
                                                                                                  \n
                                                                                                • Put AWS WAF at the earliest practical HTTP entry point<\/strong>:<\/li>\n
                                                                                                • Use CloudFront + WAF for global sites.<\/li>\n
                                                                                                • Use ALB + WAF for regional apps.<\/li>\n
                                                                                                • Use defense in depth<\/strong>:<\/li>\n
                                                                                                • Combine WAF with secure coding, authentication\/authorization, Shield for DDoS, and least-privilege IAM.<\/li>\n
                                                                                                • Protect origins:<\/li>\n
                                                                                                • Use CloudFront OAC\/OAI for S3 origins.<\/li>\n
                                                                                                • Restrict ALB origins to CloudFront where appropriate (origin protection patterns).<\/li>\n<\/ul>\n\n\n\n
                                                                                                  IAM\/security best practices<\/h3>\n\n\n\n
                                                                                                    \n
                                                                                                  • Use least privilege IAM policies for WAF management:<\/li>\n
                                                                                                  • Separate \u201cWAF policy admin\u201d from \u201cWAF read-only investigator\u201d.<\/li>\n
                                                                                                  • Control who can:<\/li>\n
                                                                                                  • Associate\/disassociate web ACLs (high impact)<\/li>\n
                                                                                                  • Change managed rules from Count \u2192 Block<\/li>\n
                                                                                                  • In organizations, consider Firewall Manager<\/strong> to prevent drift.<\/li>\n<\/ul>\n\n\n\n
                                                                                                    Cost best practices<\/h3>\n\n\n\n
                                                                                                      \n
                                                                                                    • Avoid enabling many expensive managed protections without a plan.<\/li>\n
                                                                                                    • Use Count<\/code> for evaluation, then disable noisy rules.<\/li>\n
                                                                                                    • Enable logging thoughtfully; apply S3 lifecycle policies and limit query frequency.<\/li>\n<\/ul>\n\n\n\n
                                                                                                      Performance best practices<\/h3>\n\n\n\n
                                                                                                        \n
                                                                                                      • Keep rule sets maintainable:<\/li>\n
                                                                                                      • Use reusable IP sets and regex pattern sets.<\/li>\n
                                                                                                      • Minimize overly complex regex and broad matches.<\/li>\n
                                                                                                      • Prefer managed rules for common threats; add targeted custom rules for app-specific risks.<\/li>\n<\/ul>\n\n\n\n
                                                                                                        Reliability best practices<\/h3>\n\n\n\n
                                                                                                          \n
                                                                                                        • Use a staged rollout:<\/li>\n
                                                                                                        • Dev\/test with Count \u2192 production with Block.<\/li>\n
                                                                                                        • Maintain a break-glass process:<\/li>\n
                                                                                                        • How to quickly relax a rule during an outage caused by false positives.<\/li>\n<\/ul>\n\n\n\n
                                                                                                          Operations best practices<\/h3>\n\n\n\n
                                                                                                            \n
                                                                                                          • Set CloudWatch alarms on:<\/li>\n
                                                                                                          • Sudden spikes in blocked requests<\/li>\n
                                                                                                          • Spikes in allowed requests with suspicious patterns (if you have metrics for that)<\/li>\n
                                                                                                          • Use dashboards to track:<\/li>\n
                                                                                                          • Top rules by matches<\/li>\n
                                                                                                          • Block rate over time<\/li>\n
                                                                                                          • Establish an incident playbook:<\/li>\n
                                                                                                          • Review logs, identify rule, apply temporary exception, follow up with root cause.<\/li>\n<\/ul>\n\n\n\n
                                                                                                            Governance\/tagging\/naming best practices<\/h3>\n\n\n\n
                                                                                                              \n
                                                                                                            • Tag WAF resources with:<\/li>\n
                                                                                                            • Owner<\/code>, Environment<\/code>, Application<\/code>, CostCenter<\/code>, DataClassification<\/code><\/li>\n
                                                                                                            • Use consistent naming:<\/li>\n
                                                                                                            • app-env-entrypoint-waf-acl<\/code> (e.g., payments-prod-cloudfront-waf-acl<\/code>)<\/li>\n<\/ul>\n\n\n\n
                                                                                                              12. Security Considerations<\/h2>\n\n\n\n
                                                                                                              Identity and access model<\/h3>\n\n\n\n
                                                                                                                \n
                                                                                                              • All configuration is IAM-controlled.<\/li>\n
                                                                                                              • Use:<\/li>\n
                                                                                                              • MFA for privileged roles<\/li>\n
                                                                                                              • Approval workflows for policy changes (especially in production)<\/li>\n
                                                                                                              • Read-only roles for auditors and investigators<\/li>\n<\/ul>\n\n\n\n
                                                                                                                Encryption<\/h3>\n\n\n\n
                                                                                                                  \n
                                                                                                                • AWS WAF configuration is managed by AWS and stored by AWS.<\/li>\n
                                                                                                                • For logs:<\/li>\n
                                                                                                                • S3 supports SSE-S3 or SSE-KMS.<\/li>\n
                                                                                                                • If using SSE-KMS, ensure Firehose has KMS permissions and key policy allows usage.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                  Network exposure<\/h3>\n\n\n\n
                                                                                                                    \n
                                                                                                                  • AWS WAF protects only HTTP\/S<\/strong> traffic at integrated entry points.<\/li>\n
                                                                                                                  • It does not replace:<\/li>\n
                                                                                                                  • Security groups\/NACLs<\/li>\n
                                                                                                                  • Network firewalls<\/li>\n
                                                                                                                  • Private networking patterns for internal services<\/li>\n<\/ul>\n\n\n\n
                                                                                                                    Secrets handling<\/h3>\n\n\n\n
                                                                                                                      \n
                                                                                                                    • Avoid writing secrets into WAF custom responses or logs.<\/li>\n
                                                                                                                    • Treat WAF logs as potentially sensitive (they can include URIs, headers, and other request metadata; redact downstream if required).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                      Audit\/logging<\/h3>\n\n\n\n
                                                                                                                        \n
                                                                                                                      • Use AWS CloudTrail<\/strong> to audit WAF configuration changes.<\/li>\n
                                                                                                                      • Store CloudTrail logs centrally (separate security account) in production.<\/li>\n
                                                                                                                      • Use WAF logs for request-level investigations.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                        Compliance considerations<\/h3>\n\n\n\n
                                                                                                                          \n
                                                                                                                        • AWS WAF helps implement controls for application security and monitoring, but:<\/li>\n
                                                                                                                        • Compliance requires end-to-end controls (secure SDLC, access controls, logging, incident response).<\/li>\n
                                                                                                                        • For compliance documentation, use AWS Artifact<\/strong> and service-specific compliance docs (verify in official sources).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                          Common security mistakes<\/h3>\n\n\n\n
                                                                                                                            \n
                                                                                                                          • Turning on strict managed rules in Block mode without testing (false positives causing outages).<\/li>\n
                                                                                                                          • Not protecting the origin (e.g., leaving ALB public and bypassable when CloudFront is intended).<\/li>\n
                                                                                                                          • Overreliance on IP allowlists\/denylists without additional controls.<\/li>\n
                                                                                                                          • Storing WAF logs without proper access controls (PII\/credential leakage risk if apps place sensitive data into URLs\/headers).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                            Secure deployment recommendations<\/h3>\n\n\n\n
                                                                                                                              \n
                                                                                                                            • Start with managed rules in Count<\/strong>, tune, then enforce gradually.<\/li>\n
                                                                                                                            • Protect origins against bypass.<\/li>\n
                                                                                                                            • Centralize logs with strict access controls and retention policies.<\/li>\n
                                                                                                                            • Implement change management and automated deployment (IaC) where possible.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                              13. Limitations and Gotchas<\/h2>\n\n\n\n
                                                                                                                              AWS WAF is effective, but there are important boundaries.<\/p>\n\n\n\n
                                                                                                                              Known limitations (conceptual)<\/h3>\n\n\n\n
                                                                                                                                \n
                                                                                                                              • Only protects supported HTTP\/S entry points<\/strong> (CloudFront, ALB, API Gateway REST APIs, and other supported services per current docs).<\/li>\n
                                                                                                                              • Not a network firewall (no raw TCP\/UDP inspection).<\/li>\n
                                                                                                                              • Rule evaluation and inspection have size and complexity limits<\/strong> (e.g., request body inspection limits; oversize handling). Verify exact limits in official docs<\/strong> because they can differ by integration and change over time.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                Quotas<\/h3>\n\n\n\n
                                                                                                                                  \n
                                                                                                                                • Quotas exist for:<\/li>\n
                                                                                                                                • Web ACLs per account\/region<\/li>\n
                                                                                                                                • Rules per web ACL<\/li>\n
                                                                                                                                • Rule groups and IP set sizes<\/li>\n
                                                                                                                                • Always check Service Quotas<\/strong> for current numbers.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                  Regional constraints<\/h3>\n\n\n\n
                                                                                                                                    \n
                                                                                                                                  • CloudFront-scope web ACL management has special regional behavior (commonly associated with us-east-1 control plane). Verify before automating.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                    Pricing surprises<\/h3>\n\n\n\n
                                                                                                                                      \n
                                                                                                                                    • High request volume can make WAF request processing a major cost line.<\/li>\n
                                                                                                                                    • Logging everything at scale can be expensive (Firehose + S3 + analytics).<\/li>\n
                                                                                                                                    • Paid managed rule groups (e.g., bot-related) can add significant recurring costs.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                      Compatibility issues<\/h3>\n\n\n\n
                                                                                                                                        \n
                                                                                                                                      • Some advanced behaviors depend on the protected service (CloudFront vs ALB vs API Gateway).<\/li>\n
                                                                                                                                      • Custom response support and certain actions may vary\u2014verify for your integration.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                        Operational gotchas<\/h3>\n\n\n\n
                                                                                                                                          \n
                                                                                                                                        • WAF changes can take time to propagate, especially for CloudFront.<\/li>\n
                                                                                                                                        • Rule order matters; misordered allow rules can bypass intended blocks.<\/li>\n
                                                                                                                                        • Rate-based rules can block legitimate NATed user populations if thresholds are too low.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                          Migration challenges<\/h3>\n\n\n\n
                                                                                                                                            \n
                                                                                                                                          • Migrating from AWS WAF Classic<\/strong> to the current AWS WAF requires careful mapping of rules and scopes. Follow AWS migration guidance and test thoroughly. Verify in official docs for the recommended migration path.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                            14. Comparison with Alternatives<\/h2>\n\n\n\n
                                                                                                                                            AWS WAF fits a specific role: managed L7 protections at AWS-supported entry points. Here\u2019s how it compares to common alternatives.<\/p>\n\n\n\n
                                                                                                                                            Comparison table<\/h3>\n\n\n\n
                                                                                                                                            \n\n\n\n\n\n\n\n\n\n\n\n\n
                                                                                                                                            Option<\/th>\nBest For<\/th>\nStrengths<\/th>\nWeaknesses<\/th>\nWhen to Choose<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                            AWS WAF<\/strong><\/td>\nL7 filtering for CloudFront\/ALB\/API Gateway<\/td>\nNative AWS integration, managed rules, CloudWatch metrics, Firehose logging, scalable<\/td>\nCosts scale with requests; limited to supported entry points; not L3\/4<\/td>\nYou run apps on AWS and need managed web protections<\/td>\n<\/tr>\n
                                                                                                                                            AWS Shield (Standard\/Advanced)<\/strong><\/td>\nDDoS protection<\/td>\nDesigned for DDoS, integrates with CloudFront\/Route 53\/ALB<\/td>\nNot a full WAF; doesn\u2019t replace app-layer filtering<\/td>\nUse alongside WAF for DDoS + L7 protections<\/td>\n<\/tr>\n
                                                                                                                                            AWS Firewall Manager<\/strong><\/td>\nMulti-account governance<\/td>\nCentral policy management across org<\/td>\nRequires AWS Organizations; adds governance complexity<\/td>\nYou need consistent WAF policies across many accounts<\/td>\n<\/tr>\n
                                                                                                                                            AWS Network Firewall<\/strong><\/td>\nL3\/4 + some L7 network controls in VPC<\/td>\nVPC-level controls, network segmentation<\/td>\nNot a web app firewall; different threat model<\/td>\nYou need VPC network firewalling, not just HTTP filtering<\/td>\n<\/tr>\n
                                                                                                                                            Cloudflare WAF<\/strong><\/td>\nEdge WAF\/CDN<\/td>\nStrong edge network, bot features, broad integrations<\/td>\nNon-AWS native; different ops model; potential vendor lock-in<\/td>\nYou want CDN+WAF outside AWS or multi-cloud edge<\/td>\n<\/tr>\n
                                                                                                                                            Google Cloud Armor<\/strong><\/td>\nGCP L7 protections<\/td>\nIntegrates with Google\u2019s load balancing\/CDN<\/td>\nNot AWS-native<\/td>\nYour workloads are primarily on GCP<\/td>\n<\/tr>\n
                                                                                                                                            Azure Web Application Firewall<\/strong><\/td>\nAzure L7 protections<\/td>\nIntegrates with Application Gateway\/Front Door<\/td>\nNot AWS-native<\/td>\nYour workloads are primarily on Azure<\/td>\n<\/tr>\n
                                                                                                                                            Self-managed ModSecurity (Nginx\/Apache)<\/strong><\/td>\nFull control, custom environments<\/td>\nMaximum control, can run anywhere<\/td>\nOps overhead, patching, scaling, tuning effort<\/td>\nYou need custom inline control and accept operational burden<\/td>\n<\/tr>\n
                                                                                                                                            F5 \/ enterprise WAF appliances<\/strong><\/td>\nEnterprise feature depth<\/td>\nMature feature set, enterprise support<\/td>\nCost, complexity, appliance lifecycle<\/td>\nYou require specialized enterprise WAF features and have budget\/ops maturity<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                            15. Real-World Example<\/h2>\n\n\n\n
                                                                                                                                            Enterprise example (multi-account organization)<\/h3>\n\n\n\n
                                                                                                                                              \n
                                                                                                                                            • Problem:<\/strong> A large enterprise runs dozens of web apps across multiple AWS accounts and regions. Security wants baseline protections and consistent policy enforcement, while app teams need flexibility and minimal false positives.<\/li>\n
                                                                                                                                            • Proposed architecture:<\/strong><\/li>\n
                                                                                                                                            • CloudFront in front of public web apps; ALB for regional ingress.<\/li>\n
                                                                                                                                            • AWS WAF web ACLs with:
                                                                                                                                                \n
                                                                                                                                              • AWS Managed Rules baseline<\/li>\n
                                                                                                                                              • Rate limits on login and search endpoints<\/li>\n
                                                                                                                                              • IP allowlists for admin endpoints<\/li>\n<\/ul>\n<\/li>\n
                                                                                                                                              • Central policy deployment via AWS Firewall Manager<\/strong> across AWS Organizations.<\/li>\n
                                                                                                                                              • Centralized logging: AWS WAF logs \u2192 Firehose \u2192 S3 in a dedicated security account; analysis via Athena\/SIEM.<\/li>\n
                                                                                                                                              • CloudWatch alarms for spikes in blocked requests.<\/li>\n
                                                                                                                                              • Why AWS WAF was chosen:<\/strong><\/li>\n
                                                                                                                                              • Native integration with CloudFront\/ALB at scale.<\/li>\n
                                                                                                                                              • Managed rules reduce time-to-baseline.<\/li>\n
                                                                                                                                              • Firewall Manager supports governance across accounts.<\/li>\n
                                                                                                                                              • Expected outcomes:<\/strong><\/li>\n
                                                                                                                                              • Reduced exposure to common web attacks.<\/li>\n
                                                                                                                                              • Faster incident response due to consistent metrics\/logging.<\/li>\n
                                                                                                                                              • Reduced configuration drift across accounts.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                Startup\/small-team example (single product, lean ops)<\/h3>\n\n\n\n
                                                                                                                                                  \n
                                                                                                                                                • Problem:<\/strong> A startup exposes a public website and API and starts seeing scraping and credential-stuffing attempts. The team has limited time to manage security infrastructure.<\/li>\n
                                                                                                                                                • Proposed architecture:<\/strong><\/li>\n
                                                                                                                                                • CloudFront + AWS WAF in front of the site.<\/li>\n
                                                                                                                                                • ALB behind CloudFront for application servers.<\/li>\n
                                                                                                                                                • WAF rules:
                                                                                                                                                    \n
                                                                                                                                                  • Managed baseline rules (Count \u2192 Block after review)<\/li>\n
                                                                                                                                                  • Rate-based rules on \/login<\/code> and \/api\/search<\/code><\/li>\n
                                                                                                                                                  • Simple allowlist for admin paths<\/li>\n<\/ul>\n<\/li>\n
                                                                                                                                                  • Optional lightweight logging to S3 for 7\u201330 days during tuning.<\/li>\n
                                                                                                                                                  • Why AWS WAF was chosen:<\/strong><\/li>\n
                                                                                                                                                  • Low operational overhead and quick setup.<\/li>\n
                                                                                                                                                  • Integrates cleanly with CloudFront without deploying appliances.<\/li>\n
                                                                                                                                                  • Expected outcomes:<\/strong><\/li>\n
                                                                                                                                                  • Reduced abusive traffic and origin load.<\/li>\n
                                                                                                                                                  • Better visibility into attacks without building a full security platform.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                    16. FAQ<\/h2>\n\n\n\n
                                                                                                                                                    1) Is AWS WAF the same as AWS WAF Classic?<\/strong>\nNo. AWS WAF Classic is the legacy version. AWS WAF (current) uses the newer model (often called wafv2<\/code> in APIs). Prefer AWS WAF for new deployments.<\/p>\n\n\n\n
                                                                                                                                                    2) What AWS services can I attach AWS WAF to?<\/strong>\nCommonly CloudFront, Application Load Balancers, and API Gateway REST APIs. AWS adds integrations over time\u2014verify the current supported resources in official docs.<\/p>\n\n\n\n
                                                                                                                                                    3) Does AWS WAF stop DDoS attacks?<\/strong>\nIt helps with some application-layer request floods and abusive patterns, but dedicated DDoS protection is handled by AWS Shield. In practice, teams often use Shield + WAF<\/strong> together.<\/p>\n\n\n\n
                                                                                                                                                    4) Can AWS WAF block SQL injection and XSS?<\/strong>\nIt can detect many common patterns using managed rules and rule statements, but it\u2019s not a substitute for secure coding. Use WAF as a compensating and layered control.<\/p>\n\n\n\n
                                                                                                                                                    5) What is a web ACL?<\/strong>\nA web ACL is the policy container in AWS WAF that holds ordered rules and defines a default action for requests.<\/p>\n\n\n\n
                                                                                                                                                    6) What\u2019s the difference between \u201cAllow,\u201d \u201cBlock,\u201d and \u201cCount\u201d?<\/strong>\n– Allow:<\/strong> permit the request.\n– Block:<\/strong> deny the request (optionally with a custom response).\n– Count:<\/strong> record that the request matched (metrics\/logs) but do not block\u2014useful for testing.<\/p>\n\n\n\n
                                                                                                                                                    7) How do I reduce false positives with managed rules?<\/strong>\nStart in Count<\/strong> mode, review sampled requests\/logs, then tune by excluding specific rules or adding scope-down statements (capabilities vary by managed group). Finally switch to Block.<\/p>\n\n\n\n
                                                                                                                                                    8) Can AWS WAF protect internal-only applications?<\/strong>\nOnly if requests flow through a supported integration point. Many internal apps use internal ALBs; WAF can be associated with ALBs depending on configuration, but ensure the traffic path is correct.<\/p>\n\n\n\n
                                                                                                                                                    9) Can attackers bypass AWS WAF by hitting my origin directly?<\/strong>\nYes, if your origin is directly reachable (public ALB, public API endpoint). Use origin protection patterns (restrict ALB access, use private origins, or enforce headers\/certs\u2014implementation depends on your architecture).<\/p>\n\n\n\n
                                                                                                                                                    10) Does AWS WAF inspect HTTPS traffic?<\/strong>\nIt inspects HTTP request data after TLS termination at CloudFront\/ALB\/API Gateway in the integrated flow. It does not decrypt traffic independently like a man-in-the-middle proxy.<\/p>\n\n\n\n
                                                                                                                                                    11) Where do AWS WAF logs go?<\/strong>\nAWS WAF delivers logs to Kinesis Data Firehose<\/strong>. From Firehose you typically deliver to S3 (common), and optionally to other supported destinations. Verify current Firehose destination options in your region.<\/p>\n\n\n\n
                                                                                                                                                    12) Can I use Infrastructure as Code (IaC) for AWS WAF?<\/strong>\nYes\u2014AWS WAF can be managed using tools like AWS CloudFormation\/Terraform\/CDK. Verify the exact resource types and properties in your IaC tool\u2019s current documentation.<\/p>\n\n\n\n
                                                                                                                                                    13) How quickly do rule changes take effect?<\/strong>\nIt depends on integration and propagation (CloudFront changes can take longer). Plan for minutes of propagation; verify expectations in official docs for your use case.<\/p>\n\n\n\n
                                                                                                                                                    14) Is AWS WAF good for bot protection?<\/strong>\nIt can help via rate limits, CAPTCHA\/Challenge, and Bot Control managed rules. Effectiveness depends on tuning and your threat model.<\/p>\n\n\n\n
                                                                                                                                                    15) What\u2019s the best way to operate AWS WAF day-to-day?<\/strong>\nMonitor metrics, alert on anomalies, review logs during incidents, and maintain a change process for rule updates. Use Count mode for testing changes.<\/p>\n\n\n\n
                                                                                                                                                    16) Should I enable logging for all web ACLs?<\/strong>\nNot always. Logging is valuable but can be expensive at high volume. Many teams enable full logging during tuning or incidents, and otherwise rely on metrics plus sampled requests.<\/p>\n\n\n\n
                                                                                                                                                    17) Can AWS WAF block by country?<\/strong>\nYes, via geo match rules. Use carefully\u2014geo blocking can affect legitimate travelers and VPN traffic.<\/p>\n\n\n\n
                                                                                                                                                    17. Top Online Resources to Learn AWS WAF<\/h2>\n\n\n\n
                                                                                                                                                    \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
                                                                                                                                                    Resource Type<\/th>\nName<\/th>\nWhy It Is Useful<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                    Official documentation<\/td>\nAWS WAF Developer Guide<\/td>\nPrimary, authoritative reference for concepts, rules, logging, and integrations: https:\/\/docs.aws.amazon.com\/waf\/latest\/developerguide\/what-is-aws-waf.html<\/td>\n<\/tr>\n
                                                                                                                                                    Official pricing<\/td>\nAWS WAF Pricing<\/td>\nCurrent pricing dimensions and examples: https:\/\/aws.amazon.com\/waf\/pricing\/<\/td>\n<\/tr>\n
                                                                                                                                                    Pricing tool<\/td>\nAWS Pricing Calculator<\/td>\nBuild estimates for WAF + CloudFront + logging stack: https:\/\/calculator.aws\/#\/<\/td>\n<\/tr>\n
                                                                                                                                                    CloudFront + WAF docs<\/td>\nCloudFront + AWS WAF docs (official)<\/td>\nHow to associate web ACLs and understand scope\/propagation. Start from CloudFront\/WAF sections in AWS docs (verify the latest links via docs navigation).<\/td>\n<\/tr>\n
                                                                                                                                                    Logging docs<\/td>\nAWS WAF logging (Firehose) docs<\/td>\nExact logging configuration, fields, and delivery considerations (verify current page from AWS WAF guide).<\/td>\n<\/tr>\n
                                                                                                                                                    Governance<\/td>\nAWS Firewall Manager docs<\/td>\nCentral policy management across AWS Organizations: https:\/\/docs.aws.amazon.com\/waf\/latest\/developerguide\/fms-chapter.html (verify current URL in docs if it changes)<\/td>\n<\/tr>\n
                                                                                                                                                    Observability<\/td>\nAmazon CloudWatch metrics for AWS WAF<\/td>\nUnderstanding metric names\/dimensions and alarms (navigate from WAF docs to monitoring section).<\/td>\n<\/tr>\n
                                                                                                                                                    Reference architecture<\/td>\nAWS Architecture Center<\/td>\nBrowse patterns combining CloudFront, WAF, Shield, and centralized logging: https:\/\/aws.amazon.com\/architecture\/<\/td>\n<\/tr>\n
                                                                                                                                                    Official solution<\/td>\nAWS WAF Security Automations (Solution)<\/td>\nAWS Solution that helps automate WAF protections (verify current solution name and repo from AWS Solutions Library). Start here: https:\/\/aws.amazon.com\/solutions\/<\/td>\n<\/tr>\n
                                                                                                                                                    Videos<\/td>\nAWS YouTube (official)<\/td>\nRecorded sessions and demos for WAF, Shield, and edge security: https:\/\/www.youtube.com\/@amazonwebservices<\/td>\n<\/tr>\n
                                                                                                                                                    CLI reference<\/td>\nAWS CLI wafv2<\/code> command reference<\/td>\nUseful for scripting and automation; verify exact commands\/parameters: https:\/\/docs.aws.amazon.com\/cli\/latest\/reference\/wafv2\/<\/td>\n<\/tr>\n
                                                                                                                                                    Community (reputable)<\/td>\nAWS re:Post discussions on AWS WAF<\/td>\nPractical troubleshooting and edge cases; validate against official docs: https:\/\/repost.aws\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                    18. Training and Certification Providers<\/h2>\n\n\n\n
                                                                                                                                                    The following training providers are listed as requested. Evaluate current course outlines, instructors, and reviews on each site.<\/p>\n\n\n\n
                                                                                                                                                    \n\n\n\n\n\n\n\n\n
                                                                                                                                                    Institute<\/th>\nSuitable Audience<\/th>\nLikely Learning Focus<\/th>\nMode<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                    DevOpsSchool.com<\/td>\nDevOps engineers, SREs, cloud engineers<\/td>\nAWS security fundamentals, WAF\/edge security patterns, DevSecOps practices<\/td>\ncheck website<\/td>\nhttps:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n
                                                                                                                                                    ScmGalaxy.com<\/td>\nBeginners to intermediate DevOps learners<\/td>\nCI\/CD + cloud basics; may include security modules<\/td>\ncheck website<\/td>\nhttps:\/\/www.scmgalaxy.com\/<\/td>\n<\/tr>\n
                                                                                                                                                    CLoudOpsNow.in<\/td>\nCloud operations teams<\/td>\nCloud operations, monitoring, security operations basics<\/td>\ncheck website<\/td>\nhttps:\/\/www.cloudopsnow.in\/<\/td>\n<\/tr>\n
                                                                                                                                                    SreSchool.com<\/td>\nSREs, platform teams<\/td>\nReliability engineering, production operations, security\/observability integration<\/td>\ncheck website<\/td>\nhttps:\/\/www.sreschool.com\/<\/td>\n<\/tr>\n
                                                                                                                                                    AiOpsSchool.com<\/td>\nOps and platform teams exploring AIOps<\/td>\nOperational analytics, incident response concepts, automation<\/td>\ncheck website<\/td>\nhttps:\/\/www.aiopsschool.com\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                    19. Top Trainers<\/h2>\n\n\n\n
                                                                                                                                                    These sites are provided as training resources\/platforms. Review current content and offerings directly on each site.<\/p>\n\n\n\n
                                                                                                                                                    \n\n\n\n\n\n\n\n
                                                                                                                                                    Platform\/Site<\/th>\nLikely Specialization<\/th>\nSuitable Audience<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                    RajeshKumar.xyz<\/td>\nDevOps\/cloud training content (verify current scope)<\/td>\nStudents, engineers seeking guided learning<\/td>\nhttps:\/\/www.rajeshkumar.xyz\/<\/td>\n<\/tr>\n
                                                                                                                                                    devopstrainer.in<\/td>\nDevOps training and coaching (verify current scope)<\/td>\nDevOps engineers, freshers, teams<\/td>\nhttps:\/\/www.devopstrainer.in\/<\/td>\n<\/tr>\n
                                                                                                                                                    devopsfreelancer.com<\/td>\nFreelance DevOps services\/training (verify offerings)<\/td>\nTeams needing short-term expert help<\/td>\nhttps:\/\/www.devopsfreelancer.com\/<\/td>\n<\/tr>\n
                                                                                                                                                    devopssupport.in<\/td>\nDevOps support\/training resources (verify offerings)<\/td>\nOps teams needing practical support<\/td>\nhttps:\/\/www.devopssupport.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                    20. Top Consulting Companies<\/h2>\n\n\n\n
                                                                                                                                                    These companies are listed as requested. Confirm service details, engagement models, and references directly with each provider.<\/p>\n\n\n\n
                                                                                                                                                    \n\n\n\n\n\n\n
                                                                                                                                                    Company<\/th>\nLikely Service Area<\/th>\nWhere They May Help<\/th>\nConsulting Use Case Examples<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                    cotocus.com<\/td>\nCloud\/DevOps consulting (verify exact catalog)<\/td>\nArchitecture reviews, cloud operations, security hardening<\/td>\nWAF policy rollout, CloudFront\/ALB ingress design, logging pipeline setup<\/td>\nhttps:\/\/cotocus.com\/<\/td>\n<\/tr>\n
                                                                                                                                                    DevOpsSchool.com<\/td>\nDevOps\/cloud consulting & training<\/td>\nPlatform engineering, DevSecOps practices<\/td>\nWAF + Shield architecture, IaC implementation, SOC observability enablement<\/td>\nhttps:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n
                                                                                                                                                    DEVOPSCONSULTING.IN<\/td>\nDevOps consulting (verify exact services)<\/td>\nCI\/CD, cloud migration, security practices<\/td>\nSecure ingress standardization, WAF rule tuning, cost optimization for logging<\/td>\nhttps:\/\/www.devopsconsulting.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                    21. Career and Learning Roadmap<\/h2>\n\n\n\n
                                                                                                                                                    What to learn before AWS WAF<\/h3>\n\n\n\n
                                                                                                                                                      \n
                                                                                                                                                    • HTTP fundamentals<\/strong>: headers, methods, status codes, cookies, query strings<\/li>\n
                                                                                                                                                    • TLS basics<\/strong>: termination, certificates, where decryption happens<\/li>\n
                                                                                                                                                    • AWS networking basics<\/strong>: VPC, ALB, security groups, CloudFront origins<\/li>\n
                                                                                                                                                    • Identity and access<\/strong>: IAM users\/roles\/policies, least privilege<\/li>\n
                                                                                                                                                    • Logging\/monitoring<\/strong>: CloudWatch metrics\/alarms, S3 log storage<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                      What to learn after AWS WAF<\/h3>\n\n\n\n
                                                                                                                                                        \n
                                                                                                                                                      • AWS Shield Advanced<\/strong> for DDoS incident response (if your risk profile requires it)<\/li>\n
                                                                                                                                                      • AWS Firewall Manager<\/strong> for multi-account governance<\/li>\n
                                                                                                                                                      • Threat modeling and AppSec<\/strong>: OWASP Top 10, secure SDLC<\/li>\n
                                                                                                                                                      • SIEM\/SOAR integrations<\/strong> for alerting and response<\/li>\n
                                                                                                                                                      • IaC and policy-as-code<\/strong> for repeatable deployments<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                        Job roles that use AWS WAF<\/h3>\n\n\n\n
                                                                                                                                                          \n
                                                                                                                                                        • Cloud security engineer<\/li>\n
                                                                                                                                                        • Application security engineer (AppSec)<\/li>\n
                                                                                                                                                        • DevOps engineer \/ platform engineer<\/li>\n
                                                                                                                                                        • Site Reliability Engineer (SRE)<\/li>\n
                                                                                                                                                        • Security operations analyst (with WAF log analytics)<\/li>\n
                                                                                                                                                        • Solutions architect (designing edge\/ingress patterns)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                          Certification path (AWS)<\/h3>\n\n\n\n
                                                                                                                                                          AWS certifications change over time, but relevant tracks commonly include:\n– AWS Certified Solutions Architect (Associate\/Professional)\n– AWS Certified Security \u2013 Specialty (if available; verify current AWS certification catalog)\n– AWS Certified Advanced Networking (for broader networking context)<\/p>\n\n\n\n
                                                                                                                                                          Always verify current certification names and availability: https:\/\/aws.amazon.com\/certification\/<\/p>\n\n\n\n
                                                                                                                                                          Project ideas for practice<\/h3>\n\n\n\n
                                                                                                                                                            \n
                                                                                                                                                          • Build a multi-environment WAF baseline (dev\/stage\/prod) with:<\/li>\n
                                                                                                                                                          • Managed rules in Count for dev<\/li>\n
                                                                                                                                                          • Managed rules in Block for prod<\/li>\n
                                                                                                                                                          • Automated deployment via IaC<\/li>\n
                                                                                                                                                          • Create a log analytics pipeline:<\/li>\n
                                                                                                                                                          • WAF logs \u2192 S3 \u2192 Athena \u2192 dashboards and alerts<\/li>\n
                                                                                                                                                          • Implement origin protection:<\/li>\n
                                                                                                                                                          • CloudFront + WAF in front of ALB, restrict ALB to CloudFront (pattern depends on your design\u2014verify best practice options)<\/li>\n
                                                                                                                                                          • Design an incident playbook:<\/li>\n
                                                                                                                                                          • How to respond to a scraping attack using rate limits and temporary IP blocks<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                            22. Glossary<\/h2>\n\n\n\n
                                                                                                                                                              \n
                                                                                                                                                            • AWS WAF<\/strong>: AWS managed web application firewall for HTTP(S) traffic filtering.<\/li>\n
                                                                                                                                                            • WAF Classic<\/strong>: Legacy AWS WAF version; generally not recommended for new deployments.<\/li>\n
                                                                                                                                                            • Web ACL<\/strong>: A set of ordered rules plus a default action attached to a protected resource.<\/li>\n
                                                                                                                                                            • Rule<\/strong>: A condition (statement) and an action (allow\/block\/count\/captcha\/challenge).<\/li>\n
                                                                                                                                                            • Rule group<\/strong>: A reusable collection of rules (custom or managed).<\/li>\n
                                                                                                                                                            • Managed rule group<\/strong>: A curated rule group maintained by AWS or a third party.<\/li>\n
                                                                                                                                                            • IP set<\/strong>: A named list of IP addresses\/CIDRs used in WAF rules.<\/li>\n
                                                                                                                                                            • Regex pattern set<\/strong>: A reusable set of regex patterns for matching request components.<\/li>\n
                                                                                                                                                            • Rate-based rule<\/strong>: A rule that matches when request rate exceeds a defined threshold over a time window.<\/li>\n
                                                                                                                                                            • Count<\/strong>: Action that records matches without blocking, used for safe testing and tuning.<\/li>\n
                                                                                                                                                            • CloudFront scope \/ Regional scope<\/strong>: The scope of a WAF web ACL depending on the protected resource type.<\/li>\n
                                                                                                                                                            • Kinesis Data Firehose<\/strong>: Managed service used by AWS WAF to deliver logs to destinations like S3.<\/li>\n
                                                                                                                                                            • CloudWatch metrics<\/strong>: Time-series metrics emitted for rules\/web ACLs, used for monitoring and alarms.<\/li>\n
                                                                                                                                                            • Sampled requests<\/strong>: A limited set of matching requests shown for investigation in the console.<\/li>\n
                                                                                                                                                            • Origin<\/strong>: The backend destination CloudFront fetches content from (S3, ALB, custom origin).<\/li>\n
                                                                                                                                                            • OWASP Top 10<\/strong>: Common classes of web application security risks.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                              23. Summary<\/h2>\n\n\n\n
                                                                                                                                                              AWS WAF is AWS\u2019s managed web application firewall<\/strong> in the Security, identity, and compliance<\/strong> category, designed to filter and control HTTP(S)<\/strong> requests at key AWS entry points like CloudFront<\/strong>, ALB<\/strong>, and API Gateway<\/strong>. It matters because it reduces application-layer risk from common exploits and abuse, while providing operational visibility through CloudWatch metrics<\/strong>, sampled requests, and optional full logging via Kinesis Data Firehose<\/strong>.<\/p>\n\n\n\n
                                                                                                                                                              From an architecture perspective, AWS WAF fits best as part of a layered edge\/ingress strategy\u2014often paired with CloudFront caching, origin protection, and (when needed) AWS Shield for DDoS. Cost is driven primarily by request volume<\/strong>, number of rules<\/strong>, and any paid managed rule groups<\/strong>, plus indirect costs for log delivery and storage.<\/p>\n\n\n\n
                                                                                                                                                              Use AWS WAF when you need managed L7 protections tightly integrated with AWS front doors and you want to balance fast baseline security (managed rules) with app-specific controls (custom rules and rate limits). Next steps: implement IaC for repeatability, enable logging with a cost-aware retention strategy, and develop a tuning\/incident-response playbook based on real traffic.<\/p>\n","protected":false},"excerpt":{"rendered":"
                                                                                                                                                              Security, identity, and compliance<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,39],"tags":[],"class_list":["post-326","post","type-post","status-publish","format-standard","hentry","category-aws","category-security-identity-and-compliance"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/326","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=326"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/326\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=326"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=326"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=326"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}