AWS Security & Identity
WAF
Web application firewall protecting against OWASP top 10 and custom rules
AWS WAF (Web Application Firewall) protects web applications from common exploits like SQL injection, cross-site scripting (XSS), and DDoS at Layer 7. It lets you define rules to allow, block, or rate-limit HTTP/S requests based on IP, geolocation, request headers, body content, and managed rule groups maintained by AWS or third parties. WAF attaches to CloudFront, ALB, API Gateway, and AppSync.
WAF Architecture: WebACLs, Rules, and Rule Groups
WAF is organized in a hierarchy from WebACL (the container) down to individual rules that evaluate each request.
| Component | Description |
|---|---|
| WebACL | The top-level container. Contains ordered rules. Attached to one or more AWS resources. |
| Rule | A condition (statement) plus an action (Allow, Block, Count, CAPTCHA). Rules have priorities. |
| Rule Group | Reusable collection of rules. Can be AWS Managed, third-party (from Marketplace), or custom. |
| Statement | The matching logic inside a rule: IP set, geo match, string match, regex, size constraint, rate-based, etc. |
| Action | What happens when a rule matches: Allow (pass through), Block (return 403), Count (log but don't block), CAPTCHA |
Rules are evaluated in order of priority (lower number = evaluated first). The first matching rule that returns an Allow or Block terminates evaluation for that request. Use Count mode to test new rules before enabling Block mode.
AWS Managed Rule Groups
AWS provides pre-built rule groups that cover common attack patterns. They are maintained by the AWS Threat Intelligence team and updated without requiring changes to your WebACL.
| Rule group | What it blocks | WCU cost |
|---|---|---|
| AWSManagedRulesCommonRuleSet | OWASP Top 10: SQLi, XSS, LFI, RFI, SSRF, protocol attacks | 700 WCUs |
| AWSManagedRulesKnownBadInputsRuleSet | Log4J exploits, SSRF, bad user agents | 200 WCUs |
| AWSManagedRulesSQLiRuleSet | SQL injection patterns specifically | 200 WCUs |
| AWSManagedRulesLinuxRuleSet | Linux-specific exploits, path traversal | 200 WCUs |
| AWSManagedRulesAmazonIpReputationList | AWS threat intel: bots, scanners, malicious IPs | 25 WCUs |
| AWSManagedRulesBotControlRuleSet | Verified bots (Google, Bing) allowed; scraper bots blocked | 50 WCUs (basic), 50+ WCUs (targeted) |
Each WebACL has a default capacity of 1,500 WCUs (Web ACL Capacity Units). AWSManagedRulesCommonRuleSet alone uses 700 WCUs. Plan your rule budget carefully - combining multiple managed groups plus custom rules can exceed the limit, requiring a capacity increase request.
Rate-Based Rules for DDoS and Abuse Prevention
Rate-based rules count requests matching a condition over a 5-minute window and block when the threshold is exceeded. They are the primary defense against L7 DDoS and credential stuffing.
```bash
# Create a WebACL with a single rate-based rule via the CLI
aws wafv2 create-web-acl \
  --name my-waf \
  --scope REGIONAL \
  --default-action Allow={} \
  --rules '
  [
    {
      "Name": "RateLimitAll",
      "Priority": 1,
      "Statement": {
        "RateBasedStatement": {
          "Limit": 2000,
          "AggregateKeyType": "IP"
        }
      },
      "Action": {"Block": {}},
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "RateLimitAll"
      }
    }
  ]' \
  --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=MyWAF
```

| Aggregate key | Limits by | Use case |
|---|---|---|
| IP | Source IP address | General rate limiting |
| FORWARDED_IP | X-Forwarded-For header | When behind a proxy/CDN |
| HTTP_HEADER | Value of a specific header | API key rate limiting |
| QUERY_ARGUMENT | Value of a query param | Rate limit by user ID in query string |
| LABEL | WAF label applied by previous rule | Compound rate limiting (e.g., only requests that matched another rule) |
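An added example (not code from the page or from AWS) that ties the WebACL/rule/statement hierarchy to the rate-based section: it builds the rule list for a WebACL that runs AWSManagedRulesCommonRuleSet in Count mode and rate-limits POST /login by the forwarded client IP, then checks the set for duplicate priorities, the Action/OverrideAction mix-up, and the WCU budget. The per-custom-rule WCU figure and the `/login` path are assumptions; the managed-group WCU numbers and the 1,500 WCU default are the page's.

```python
# Managed rule groups are configured with OverrideAction (Count/None), not Action;
# custom rules carry Action. Mixing them up is a common cause of a rejected WebACL.
WEBACL_CAPACITY = 1500
MANAGED_GROUP_WCU = {"AWSManagedRulesCommonRuleSet": 700,
                     "AWSManagedRulesKnownBadInputsRuleSet": 200}
CUSTOM_RULE_WCU = 2  # assumed cost of a simple custom rule (not a published figure)

def managed_group_rule(name, priority, count_only):
    """Managed rule group in Count mode (for evaluation) or enforced (None)."""
    return {
        "Name": name, "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": name}},
        "OverrideAction": {"Count": {}} if count_only else {"None": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True, "MetricName": name}}

def login_rate_rule(priority, limit, header="X-Forwarded-For"):
    """Rate-based rule scoped to POST /login, keyed on the client IP behind a proxy/CDN."""
    scope_down = {"AndStatement": {"Statements": [
        {"ByteMatchStatement": {"FieldToMatch": {"UriPath": {}},
            "PositionalConstraint": "STARTS_WITH", "SearchString": "/login",
            "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}]}},
        {"ByteMatchStatement": {"FieldToMatch": {"Method": {}},
            "PositionalConstraint": "EXACTLY", "SearchString": "POST",
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}}]}}
    return {
        "Name": "LoginRateLimit", "Priority": priority,
        "Statement": {"RateBasedStatement": {
            "Limit": limit, "AggregateKeyType": "FORWARDED_IP",
            # MATCH: a request without the header still counts against the rule
            "ForwardedIPConfig": {"HeaderName": header, "FallbackBehavior": "MATCH"},
            "ScopeDownStatement": scope_down}},
        "Action": {"Block": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True, "MetricName": "LoginRateLimit"}}

def check_rules(rules):
    """Return problems found: duplicate priorities, wrong action field, WCU overrun."""
    problems, seen, wcu = [], set(), 0
    for r in rules:
        if r["Priority"] in seen:
            problems.append(f"duplicate priority {r['Priority']}")
        seen.add(r["Priority"])
        managed = "ManagedRuleGroupStatement" in r["Statement"]
        if managed != ("OverrideAction" in r) or managed == ("Action" in r):
            problems.append(f"{r['Name']}: managed groups take OverrideAction, others Action")
        wcu += MANAGED_GROUP_WCU.get(r["Name"], CUSTOM_RULE_WCU)
    if wcu > WEBACL_CAPACITY:
        problems.append(f"{wcu} WCUs exceeds the {WEBACL_CAPACITY} WCU default")
    return problems

RULES = [managed_group_rule("AWSManagedRulesCommonRuleSet", 0, count_only=True),
         login_rate_rule(1, limit=100)]
```

`RULES` is the value to pass as `Rules` to `create-web-acl` (or boto3 `create_web_acl`) once `check_rules(RULES)` returns an empty list.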
WAF Logging, Metrics, and Testing
WAF can send full request logs to Kinesis Data Firehose (which can deliver to S3, Splunk, or Datadog), CloudWatch Logs, or S3 directly. Metrics per rule are available in CloudWatch.
```bash
# Enable WAF logging to S3 via Firehose
aws wafv2 put-logging-configuration \
  --logging-configuration ResourceArn=arn:aws:wafv2:us-east-1:123456789012:regional/webacl/my-waf/xxx,\
LogDestinationConfigs=arn:aws:firehose:us-east-1:123456789012:deliverystream/aws-waf-logs-my-stream
# Note: the Firehose stream name MUST start with aws-waf-logs-

# Get a sample of the last 100 requests inspected by a rule
aws wafv2 get-sampled-requests \
  --web-acl-arn arn:aws:wafv2:us-east-1:123456789012:regional/webacl/my-waf/xxx \
  --rule-metric-name AWSManagedRulesCommonRuleSet \
  --scope REGIONAL \
  --time-window StartTime=2024-01-01T00:00:00Z,EndTime=2024-01-01T01:00:00Z \
  --max-items 100
```

Always put new rules in Count mode first and monitor the sampled requests for 24-48 hours before switching to Block. Managed rule groups are particularly prone to false positives on custom applications with unusual request patterns.
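An added example (not from the page) of the Count-mode review described above, run over the WAF JSON logs that Firehose delivers: it tallies which rule terminated each request and lists every request that a Count-mode rule would have blocked, which is the list to triage for false positives before flipping the rule to Block. The three log lines are constructed in the shape of WAF's log format, not real captures.

```python
import json
from collections import Counter, defaultdict

# Constructed sample lines in the shape of AWS WAF JSON logs (not real captures).
# 1: Common rule set in Count mode matched SizeRestrictions_BODY but the request was allowed.
# 2: request terminated by the RateLimitAll rate-based rule.  3: clean request.
SAMPLE_LOGS = [
    '{"timestamp":1704067200000,"action":"ALLOW","terminatingRuleId":"Default_Action",'
    '"terminatingRuleType":"REGULAR","nonTerminatingMatchingRules":[],'
    '"ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","terminatingRule":null,'
    '"nonTerminatingMatchingRules":[{"ruleId":"SizeRestrictions_BODY","action":"COUNT"}]}],'
    '"httpRequest":{"clientIp":"203.0.113.10","country":"US","httpMethod":"POST","uri":"/api/upload"}}',
    '{"timestamp":1704067201000,"action":"BLOCK","terminatingRuleId":"RateLimitAll",'
    '"terminatingRuleType":"RATE_BASED","nonTerminatingMatchingRules":[],"ruleGroupList":[],'
    '"httpRequest":{"clientIp":"198.51.100.7","country":"NL","httpMethod":"POST","uri":"/login"}}',
    '{"timestamp":1704067202000,"action":"ALLOW","terminatingRuleId":"Default_Action",'
    '"terminatingRuleType":"REGULAR","nonTerminatingMatchingRules":[],"ruleGroupList":[],'
    '"httpRequest":{"clientIp":"203.0.113.10","country":"US","httpMethod":"GET","uri":"/"}}',
]

def triage(lines):
    """Return (terminating action counts, {count-mode rule: requests it would have blocked})."""
    actions = Counter()
    would_block = defaultdict(list)
    for line in lines:
        rec = json.loads(line)
        req = rec["httpRequest"]
        actions[(rec["action"], rec["terminatingRuleId"])] += 1
        # Count-mode custom rules appear at the top level; Count-mode managed groups
        # report their matching rules inside ruleGroupList.
        matches = list(rec.get("nonTerminatingMatchingRules", []))
        for group in rec.get("ruleGroupList", []):
            for m in group.get("nonTerminatingMatchingRules", []):
                matches.append({**m, "ruleId": f'{group["ruleGroupId"]}/{m["ruleId"]}'})
        for m in matches:
            if m["action"] == "COUNT":
                would_block[m["ruleId"]].append((req["clientIp"], req["httpMethod"], req["uri"]))
    return actions, dict(would_block)

if __name__ == "__main__":
    actions, would_block = triage(SAMPLE_LOGS)
    for (action, rule), n in actions.most_common():
        print(f"{n:>4} {action:<6} {rule}")
    for rule, reqs in would_block.items():
        print(f"Count-mode rule {rule} would have blocked {len(reqs)} request(s): {reqs}")
```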
Interview Focus Points
1. What is the difference between a WebACL, a Rule, and a Rule Group in WAF?
2. How do rate-based rules work in WAF? What are the available aggregation keys?
3. Why would you put a new WAF rule in Count mode before Block mode?
4. What are WCUs and why do they matter when designing your WAF rule set?
5. How would you use WAF to protect an API Gateway endpoint from credential stuffing attacks?
6. How does WAF Bot Control work and when would you enable it?
7. What is the difference between WAF attached to CloudFront vs WAF attached to an ALB?
8. How do you enable WAF logging and where can the logs be delivered?
9. A WAF rule is blocking legitimate traffic. Walk me through how you would investigate and fix it.