General
Amazon WAF is a web application firewall that helps protect web applications from attacks by allowing you to configure rules that allow, block, or monitor (count) web requests based on conditions that you define. These conditions include IP addresses, HTTP headers, HTTP body, URI strings, SQL injection and cross-site scripting.
As the underlying service receives requests for your web sites, it forwards those requests to Amazon WAF for inspection against your rules. Once a request meets a condition defined in your rules, Amazon WAF instructs the underlying service to either block or allow the request based on the action you define.
Amazon WAF is tightly integrated with the Application Load Balancer (ALB), Amazon API Gateway, and Amazon AppSync – services that Amazon Web Services customers commonly use to deliver content for their websites and applications. When you use Amazon WAF on regional services, such as Application Load Balancer, Amazon API Gateway, and Amazon AppSync, your rules run in region and can be used to protect internet-facing resources as well as internal resources.
Amazon WAF helps protect your website from common attack techniques like SQL injection and Cross-Site Scripting (XSS). In addition, you can create rules that can block attacks from specific user-agents, bad bots, or content scrapers. See the Amazon WAF Developer Guide for examples.
Yes. To receive a history of all Amazon WAF API calls made on your account, you simply turn on Amazon CloudTrail.
Yes, support for IPv6 allows Amazon WAF to inspect HTTP/S requests coming from both IPv6 and IPv4 addresses.
Yes, you can set up new IPv6 match condition(s) for new and existing WebACLs, as per the documentation.
Yes. The sampled requests will show the IPv6 address where applicable.
Yes. You will be able to use all the existing features for traffic both over IPv6 and IPv4 without any discernible changes to performance, scalability or availability of the service.
Amazon WAF can be deployed on the Application Load Balancer (ALB), Amazon API Gateway, and Amazon AppSync. As part of the Application Load Balancer it can protect your origin web servers running behind the ALBs. As part of Amazon API Gateway, it can help secure and protect your REST APIs. As part of Amazon AppSync, it can help secure and protect your GraphQL APIs.
Amazon WAF charges based on the number of web access control lists (web ACLs) that you create, the number of rules that you add per web ACL, and the number of web requests that you receive. There are no upfront commitments. Amazon WAF charges are in addition to Application Load Balancer (ALB) pricing, Amazon API Gateway pricing, and/or Amazon AppSync pricing.
Rate-based Rules are a type of Rule that can be configured in Amazon WAF, allowing you to specify the number of web requests that are allowed by a client IP in a trailing, continuously updated, 5-minute period. If an IP address breaches the configured limit, new requests will be blocked until the request rate falls below the configured threshold.
Rate-based Rules are similar to regular Rules, with one addition: the ability to configure a rate-based threshold. If, for example, the threshold for the Rate-based Rule is set to 2,000, the rule will block all IPs that have more than 2,000 requests in the last 5-minute interval. A Rate-based Rule can also contain any other Amazon WAF Condition that is available for a regular rule.
A Rate-based Rule costs the same as a regular Amazon WAF Rule.
Here are some popular use cases customers can address with Rate-based rules:
- I want to block or count an IP address when that IP address exceeds the configured threshold rate (configurable in web requests per trailing 5-minute period)
- I want to know which IP addresses are currently being blocked because they exceeded the configured threshold rate
- I want IP addresses that have been added to the block list to be automatically removed when they are no longer violating the configured threshold rate
- I want to exempt certain high-traffic source IP ranges from being blocked by my Rate-based rules
Yes. Rate-based rules are compatible with existing Amazon WAF match conditions. This allows you to further refine your match criteria and limit rate-based mitigations to specific URLs of your website or traffic coming from specific referrers (or user agents) or add other custom match criteria.
Yes. This new rule type is designed to protect you from use cases such as web-layer DDoS attacks, brute force login attempts and bad bots.
Rate-based Rules support all the visibility features currently available on the regular Amazon WAF Rules. Additionally, they will get visibility into the IP addresses blocked as a result of the Rate-based Rule.
Yes. Here is an example. Suppose that you want to limit requests to the login page on your website. To do this, you could add the following string match condition to a rate-based rule:
- The Part of the request to filter on is “URI”.
- The Match Type is “Starts with”.
- A Value to match is “/login” (this needs to be whatever identifies the login page in the URI portion of the web request).
Additionally, you would specify a Rate Limit of, say, 15,000 requests per 5 minutes. Adding this rate-based rule to a web ACL will limit requests to your login page per IP address without affecting the rest of your site.
Yes. You can do this by having a separate IP match condition that allows the request within the Rate-based Rule.
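As an added illustration (not Amazon's code or configuration), the following Python model reproduces the rate-based rule semantics described in the answers above: a per-IP count over a trailing 5-minute window, a URI "starts with" scope-down so only login requests count, automatic release once the rate falls back under the threshold, and an IP range exempted by a separate allow condition. The limit of 5 (instead of 15,000), the IP addresses, the CIDR and the paths are constructed sample values.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

WINDOW_SECONDS = 5 * 60  # the trailing 5-minute period described in the FAQ

class RateBasedRule:
    """Toy model of a rate-based rule with a URI scope-down condition and an
    exempt-IP allow condition; it mirrors the FAQ, not Amazon WAF's code."""

    def __init__(self, limit, uri_prefix, exempt_cidrs=()):
        self.limit = limit
        self.uri_prefix = uri_prefix
        self.exempt = [ip_network(c) for c in exempt_cidrs]
        self.history = defaultdict(deque)  # ip -> timestamps of counted requests

    def _trim(self, window, now):
        # Forget requests older than the window so an IP is released automatically.
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()

    def evaluate(self, ip, uri, ts):
        """Return 'ALLOW' or 'BLOCK' for one request seen at epoch second ts."""
        # Scope-down: only the protected path counts, and exempt ranges never do.
        if not uri.startswith(self.uri_prefix) or any(
                ip_address(ip) in net for net in self.exempt):
            return "ALLOW"
        window = self.history[ip]
        window.append(ts)
        self._trim(window, ts)
        return "BLOCK" if len(window) > self.limit else "ALLOW"

    def blocked_ips(self, now):
        """IPs currently over the limit (the 'which IPs are blocked' use case)."""
        for window in self.history.values():
            self._trim(window, now)
        return sorted(ip for ip, w in self.history.items() if len(w) > self.limit)

def run_demo():
    """Constructed traffic: 203.0.113.7 hammers /login, an exempt office range
    198.51.100.0/24 does the same, and the limit is 5 instead of 15,000."""
    rule = RateBasedRule(limit=5, uri_prefix="/login", exempt_cidrs=["198.51.100.0/24"])
    decisions = []
    for t in range(8):  # eight login requests in eight seconds
        decisions.append(rule.evaluate("203.0.113.7", "/login", t))
        rule.evaluate("198.51.100.9", "/login", t)  # exempt, so never counted
    home = rule.evaluate("203.0.113.7", "/", 9)  # other paths stay unaffected
    blocked_now = rule.blocked_ips(now=10)
    released = rule.blocked_ips(now=10 + WINDOW_SECONDS)  # window has expired
    return decisions, home, blocked_now, released
```

Running `run_demo()` shows the first five login requests allowed, the next three blocked, the rest of the site untouched, and the offending IP dropping off the blocked list once the 5-minute window has passed.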
The accuracy of the IP Address to country lookup database varies by region. Based on recent tests, our overall accuracy for the IP address to country mapping is 99.8%.
Managed Rules for Amazon WAF
Managed Rules are an easy way to deploy pre-configured rules to protect your applications from common threats, such as the application vulnerabilities described by OWASP. Managed Rules for Amazon WAF are managed by Amazon Web Services.
Yes, you can use Managed Rules along with your custom Amazon WAF rules. You can add Managed Rules to your existing Amazon WAF web ACL to which you might have already added your own rules.
The number of rules inside a Managed Rule does not count towards your limit. However, each Managed Rule added to your web ACL will count as 1 rule.
You can add a Managed Rule to a web ACL or remove it from the web ACL anytime. The Managed Rules are disabled once you disassociate a Managed Rule from any web ACLs.
Amazon WAF allows you to configure a “count” action for a Managed Rule, which counts the number of web requests that are matched by the rules inside the Managed Rule. You can look at the number of counted web requests to estimate how many of your web requests would be blocked if you enable the Managed Rule.
Amazon WAF configuration
After an initial setup, adding or changing rules typically takes around a minute to propagate worldwide.
Amazon WAF includes three different ways to see how your website is being protected: one-minute metrics are available in CloudWatch, Sampled Web Requests are available in the Amazon WAF API or management console, and logging through Amazon Kinesis Firehose. These allow you to see which requests were blocked, allowed, or counted and what rule was matched on a given request (i.e., this web request was blocked due to an IP address condition, etc.). For more information see the Amazon WAF Developer Guide.
Amazon WAF allows you to configure a “count” action for rules, which counts the number of web requests that meet your rule conditions. You can look at the number of counted web requests to estimate how many of your web requests would be blocked or allowed if you enable the rule.
Real-Time Metrics are stored in Amazon CloudWatch. Using Amazon CloudWatch you can configure the time period in which you want to expire events. Sampled Web Requests are stored for up to 2 hours.
Yes. Amazon WAF helps protect applications and can inspect web requests transmitted over HTTP or HTTPS.