Amazon WAF - Web Application Firewall

Protect your web applications from common web exploits

Amazon WAF is a web application firewall that helps protect your web applications or APIs against common web exploits and bots that may affect availability, compromise security, or consume excessive resources. Amazon WAF gives you control over how traffic reaches your applications by enabling you to create security rules that control bot traffic and block common attack patterns, such as SQL injection or cross-site scripting. You can also customize rules that filter out specific traffic patterns. You can get started quickly using Managed Rules for Amazon WAF, a pre-configured set of rules managed by Amazon Web Services. The Managed Rules for Amazon WAF address issues like the OWASP Top 10 security risks and automated bots that consume excess resources, skew metrics, or can cause downtime. These rules are regularly updated as new issues emerge. Amazon WAF includes a full-featured API that you can use to automate the creation, deployment, and maintenance of security rules.

You can deploy Amazon WAF on the Application Load Balancer that fronts your web servers or origin servers running on EC2, Amazon API Gateway for your REST APIs, or Amazon AppSync for your GraphQL APIs. With Amazon WAF, you pay only for what you use and the pricing is based on how many rules you deploy and how many web requests your application receives.


Agile protection against web attacks

Amazon WAF rule propagation and updates take under a minute, enabling you to quickly update security across your environment when issues arise. WAF supports hundreds of rules that can inspect any part of the web request with minimal latency impact to incoming traffic. Amazon WAF protects web applications from attacks by filtering traffic based on rules that you create. For example, you can filter any part of the web request, such as IP addresses, HTTP headers, HTTP body, or URI strings. This allows you to block common attack patterns, such as SQL injection or cross-site scripting.

Save time with managed rules

With Managed Rules for Amazon WAF, you can quickly get started and protect your web application or APIs against common threats. You can select from many rule types, such as ones that address issues like the Open Web Application Security Project (OWASP) Top 10 security risks, threats specific to Content Management Systems (CMS), or emerging Common Vulnerabilities and Exposures (CVE). Managed rules are automatically updated as new issues emerge, so that you can spend more time building applications.

Improved web traffic visibility

Amazon WAF gives near real-time visibility into your web traffic, which you can use to create new rules or alerts in Amazon CloudWatch. You have granular control over how the metrics are emitted, allowing you to monitor from the rule level to the entire inbound traffic. In addition, Amazon WAF offers comprehensive logging by capturing each inspected web request’s full header data for use in security automation, analytics, or auditing purposes.

Ease of deployment & maintenance

Amazon WAF is easy to deploy and protect applications deployed on either the Application Load Balancer that fronts all your origin servers, Amazon API Gateway for your REST APIs, or Amazon AppSync for your GraphQL APIs. There is no additional software to deploy, DNS configuration, SSL/TLS certificate to manage, or need for a reverse proxy setup.

Easily monitor, block, or rate-limit bots

With Amazon WAF Bot Control, you get visibility and control over common and pervasive bot traffic to your applications. Within the Amazon WAF console, you can monitor common bots, such as status monitors and search engines, and get detailed, real-time visibility into the category, identity, and other details of bot traffic. You can also block, or rate-limit, traffic from pervasive bots, such as scrapers, scanners, and crawlers.

Security integrated with how you develop applications

Every feature in Amazon WAF can be configured using either the Amazon WAF API or the management console. This allows your DevOps team to define application-specific rules that increase web security as they develop applications. This lets you put web security at multiple points in the development process chain, from the hands of the developer initially writing code, to the DevOps engineer deploying software, to the security administrators enforcing a set of rules across the organization.

How it works

How Amazon WAF works

Learn more about Amazon WAF

Visit the features page
Ready to build?
Get started with Amazon WAF
Have more questions?
Contact us