AWS WAF Cheat Sheet

• AWS WAF is a web application firewall that protects web applications and APIs from common web exploits by allowing you to configure rules that allow, block, or monitor (count) web requests based on conditions you define.
• Conditions can include IP addresses, HTTP headers, request body, URI strings, SQL injection attempts, and cross-site scripting (XSS).

Features

Flexible Rule-Based Filtering

• Create rules using conditions based on IPs, headers, body, URI paths, geographic location, and more.

• Detect and block common exploits such as SQL injection and XSS.

• JSON body inspection allows validating keys/values for secure API protection.

Rule Types

• Regular Rules – Target specific patterns/conditions.

• Rate-Based Rules – Automatically block or rate-limit IPs exceeding a request threshold within a 5-minute window.

• Managed Rules – Pre-configured, automatically updated rulesets from AWS and AWS Marketplace partners.

Web ACLs (Access Control Lists)

• Combine multiple rules into a Web ACL.

• Assign actions per rule: allow, block, or count.

• Define a default action for unmatched requests.

Visibility and Monitoring

• Real-time metrics in Amazon CloudWatch.

• Full logging with request details: IP, geo-location, URI, User-Agent, Referer, etc.

• Supports AWS WAF Security Automations solution for auto-deployed rule sets + log analysis via Amazon Athena.

HTTP Header Injection

• Insert custom headers into allowed requests to ensure requests passed through WAF.

• Useful for application validation, logging, or different handling paths.

Custom Response Control

• Configure custom HTTP status code & response body for blocked requests.

Use Cases

• Protecting web applications from SQL injection, XSS, and common OWASP threats.

• Enforcing API request validation using JSON inspection.

• Rate-limiting abusive or bot-origin traffic.

• Using Managed Rules to automatically mitigate known vulnerabilities.

• Adding custom headers for downstream verification or analytics.

• Automating incident response and traffic filtering using WAF Security Automations.

Security

• Blocks or filters malicious traffic using customizable rules.

• Managed rules continuously updated by AWS and security vendors.

• Provides full logging for forensic analysis and investigation.

• Can be used alongside AWS Shield for DDoS mitigation.

• Supports secure handling of HTTP body and JSON content with size constraints.

• Integrates with CloudFront, ALB, API Gateway, and AWS AppSync for global and regional protection.

AWS WAF Pricing

• AWS WAF charges based on:

  1. Number of Web ACLs you deploy.

  2. Number of rules per Web ACL (managed or custom).

  3. Number of web requests processed monthly.

  Costs vary by region and by traffic volume.

Note: If you are studying for the AWS Certified Security Specialty exam, we highly recommend that you take our AWS Certified Security – Specialty Practice Exams and read our Security Specialty exam study guide.

AWS WAF Cheat Sheet References:

https://docs.aws.amazon.com/waf/latest/developerguide
https://aws.amazon.com/waf/features/
https://aws.amazon.com/waf/pricing/
https://aws.amazon.com/waf/faqs/