Sunday, October 26, 2025

AWS WAF (Web Application Firewall) | Overview & Hands-On.

AWS WAF (Web Application Firewall) - Overview & Hands-On.

Focus:

The Concept of AWS WAF,
Core Components & Description,
How AWS WAF Works (Flow),
Types of Rules and Statements,
Advanced Concepts,
Logging and Monitoring,
Deployment Patterns Table (Use cases, Integration Point & Note),
Automation with IaC (Infrastructure as Code) & Tools
Sample Terraform snippet,
Automation,
Integration with Other AWS Security Services,
Table of Use Cases & Recommandations (deep dive)
Sample Architecture,
Final thoughts,
Project: Hands-On.

The Concept of AWS WAF

AWS Web Application Firewall (WAF) is a managed service that protects web applications and APIs from common web exploits and bots that could affect:

Availability,
Compromise Security,
Consume excessive resources.

AWS WAF operates at Layer 7 (Application Layer) and integrates directly with:

Amazon CloudFront Content Delivery Network (CDN)
AWS ALB (Application Load Balancer) Not to NLB.
Amazon API Gateway
AWS AppSync
AWS Verified Access

Core Components & Description

Component	Description
Web ACL (Access Control List)	A container for rules that define allowed, blocked, or counted requests. Attached to CloudFront, ALB, API Gateway, etc.
Rule	Logic to inspect web requests (e.g., IP match, string match, size constraint).
Rule Group	A reusable collection of rules (can be AWS Managed, AWS Marketplace, or custom).
Conditions / Statement	Criteria within a rule (e.g., IP sets, regex, geo-match, SQLi/XSS detection).
Action	What happens when a rule matches: ALLOW, BLOCK, or COUNT.
Labels	Metadata attached to requests to pass state between rules (useful in complex logic).
Rate-based Rule	Automatically blocks or throttles IPs exceeding a defined request threshold.

How AWS WAF Works (Flow)

A request hits twtech CloudFront distribution, ALB, or API Gateway.
The associated Web ACL evaluates the request against its rules (in priority order).
Rules may:

Inspect HTTP headers, body, URI, query string, cookies, etc.
Match IPs, country, or rate.
Detect signatures like SQLi or XSS.

The action is taken (allow/block/count), and metrics are emitted to Amazon CloudWatch.

Types of Rules and Statements

1. Managed Rule Groups

Predefined by AWS or third-party vendors.
Sample:

AWSManagedRulesCommonRuleSet → Protects against OWASP Top 10.
AWSManagedRulesKnownBadInputsRuleSet
AWSManagedRulesBotControlRuleSet
AWSManagedRulesSQLiRuleSet

Pros: Quick protection, continuously updated by AWS.
Cons: Less granular control.

2. Custom Rules

Created by twtech for fine-grained control.

Common rule types & Sample:

Rule Type	Sample
IP Set Match	Block specific IPs or CIDRs.
String Match	Block requests with certain strings in URI, headers, or body.
Regex Match	Match against complex patterns.
Geo Match	Block/allow countries.
Size Constraint	Restrict unusually large payloads.
Rate-Based	Block IPs exceeding X requests per 5 minutes.

Advanced Concepts

Labels and Rule Logic

Labels enable stateful logic across rules:

Sample:

Rule 1: Label login-attempt
Rule 2: Count if login-attempt from same IP > 5 in 1 minute → block.

CAPTCHA and Challenge

CAPTCHA: Presents a challenge to verify if the user is human.
Challenge: Uses invisible browser verification; less intrusive.

NB:

These are ideal for bot mitigation, login abuse protection, or spam form protection.

Bot Control

Detects and mitigates automated traffic.
Classifies bots as “common good bots” (e.g., Googlebot) or “bad bots”.
Provides request header analysis, behavioral patterns, and managed responses.

Logging and Monitoring

AWS WAF logs can be sent to:

Amazon Kinesis Data Firehose → S3 / CloudWatch / OpenSearch
Each log record includes:

Request metadata (URI, IP, headers)
Rule match data
Action taken
Label data

Metrics:

Available in Amazon CloudWatch per rule and per Web ACL:

AllowedRequests,
BlockedRequests,
CountedRequests.

Sample use:

Visualize top offending IPs or common blocked paths using CloudWatch Logs Insights or Athena.

Deployment Patterns Table (Use cases, Integration Point & Note)

Use Case	Integration Point	Notes
Global Web App	CloudFront	Global edge protection, lowest latency.
Regional App / Internal App	Application Load Balancer	Protects apps behind ALB.
API / Microservices	API Gateway	Layer 7 inspection for REST/GraphQL APIs.
Private APIs	AppSync / Verified Access	Protect private workloads.

NB:

twtech can share a single Web ACL across multiple resources.

Automation with IaC (Infrastructure as Code) & Tools

twtech can define AWS WAF via:

AWS CloudFormation,
Terraform,
AWS CDK.

# Sample Terraform snippet:

#Deploy.WAF.yaml

resource "aws_wafv2_web_acl" "twtechresource" {
name        = "twtechweb-acl"
description = "Protect twtech webapp"
scope       = "REGIONAL"
default_action {
    allow {}
}
rule {
    name     = "twtechlimit-requests"
    priority = 1
    action {
      block {}
    }
    statement {
      rate_based_statement {
        limit              = 2000
        aggregate_key_type = "IP"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "twtechlimit-requests"
      sampled_requests_enabled   = true
    }
}
}

# Automation

AWS WAF Security Automations (official solution) deploys:

Reputation list IPs
Bad bot detection
SQLi/XSS filters
Custom response pages

Deployable via AWS Solutions Library (CloudFormation).

Table of Use Cases & Recommandations (deep dive)

Scenario	Recommended Rule
DDoS / Brute Force	Rate-based rules, AWS Shield Advanced
SQL Injection	AWSManagedRulesSQLiRuleSet
Cross-site Scripting	AWSManagedRulesCommonRuleSet
Bots / Scraping	AWS Bot Control
Geographic blocking	Geo match
Custom app patterns	Regex/String match
Login protection	CAPTCHA + rate-based rules

Integration with Other AWS Security Services

Service	Integration
AWS Shield Advanced	DDoS protection at network & transport layer; integrates with WAF for app layer protection.
AWS Firewall Manager	Centralized WAF management across multiple accounts.
AWS Security Hub	Aggregates findings from WAF logs.
CloudWatch / SNS / Lambda	Real-time alerting or automated blocking.

Best Practices

Start with “COUNT” mode to analyze before blocking.
Layer rules — managed rules + custom rules + rate limits.
Use logging and metrics to tune thresholds.
Whitelist trusted services/IPs to prevent false positives.
Use Labels for multi-stage detection logic.
Enable Bot Control and CAPTCHA for login or form endpoints.
Automate via IaC and CI/CD pipelines.
Test with AWS WAF Classic migration tools if coming from legacy setups.

Sample Architecture

NB:

AWS WAF evaluates at CloudFront edge or regional entry points, reducing attack surface before traffic reaches twtech application.

Final thoughts:

Layer	Tool
Network (L3/L4)	AWS Shield / VPC Security Groups / NACLs
Application (L7)	AWS WAF
Monitoring	CloudWatch, Kinesis, Security Hub
Management	Firewall Manager, AWS Organizations

Project: Hands-On

How twtech uses AWS WAF/AWSShield services to protect DDoS (Distributed Denial of Service) Attacks & Malicious Traffic within its environment at Layer 7 of the application (place for application logic)

Search for aws service: WAF & Shield

AWS WAF, Shield & Firewall manager

How it works

Benefits & features

Related services

Pricing: $5/month

More resources Links: AWS documentation.

https://docs.aws.amazon.com/waf/
https://aws.amazon.com/solutions/implementations/security-automations-for-aws-waf/

Create a web ACL (Access Control List) Protection Pack.

Create protection pack (web ACL)

Choose initial protections

AWS WAF offers various protection packages of WAF rules. AWS WAF rule configurations are based on security best practices.
twtech should validate the rule configurations that are best for its environment.
twtech can also choose individual rules instead of packages.

Add rules: AWS-managed rule groups

Categories of rules: Free & Paid

Add rule: AntiDDoS Protection for layer 7 attacks.

Available labels

NB:

Subscription can be made for: SNS notification about new version

Name and describe: twtechWAFrule

Customize protection pack (web ACL) - optional

Create Protection Pack: web ACL

NB:

twtech can at this point, associate the WAF-rule created (twtechWAFrul) to its ALB, API Gateway, Global Accelerator, Application, and many more.
This make twtech backend resources free from DDoS Attacks and Malicious Traffic within its environment at Layer 7.