AWS WAF: What It Is and When to Use It
Definition
AWS WAF (Web Application Firewall) is a managed Layer 7 firewall that inspects HTTP/HTTPS requests before they reach your application and allows, blocks, counts, CAPTCHA-challenges, or silently challenges them based on rules you define. It attaches to public-facing AWS endpoints — Amazon CloudFront distributions, Application Load Balancers, Amazon API Gateway stages, AWS AppSync GraphQL APIs, AWS App Runner services, Amazon Cognito User Pools, and AWS Verified Access — and evaluates requests against a web ACL (Access Control List) composed of rules and managed rule groups.
WAF is the standard AWS answer for protecting web apps and APIs from SQL injection, cross-site scripting, bad-bot traffic, credential stuffing, scrapers, and application-layer DDoS. The current service, WAFv2 (which replaced AWS WAF Classic in November 2019), is what this article describes; new deployments should use it rather than Classic.
How It Works
A web ACL is a container of rules. Each rule has:
- A statement describing what to match — e.g., SQL-injection match, geo-match, IP-set match, rate-based statement, regex, byte-match, or a managed rule group from AWS or the AWS Marketplace.
- An action — Allow, Block, Count (log but don't block, used for tuning), CAPTCHA (serve a user-visible puzzle), or Challenge (serve a silent JavaScript interstitial).
- A priority — lower numbers are evaluated first; the first terminating action wins. Allow and Block always terminate, Count never does, and CAPTCHA and Challenge terminate only when the request lacks a valid token.
- Optional labels that downstream rules can match on, enabling multi-step logic. A rule adds its labels whenever it matches, including in Count mode, which is what makes "count here, decide later" chains possible.
Every request is evaluated against the web ACL in priority order. If no rule takes a terminating action, the default action (Allow or Block) is taken.
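As an added illustration (not code from AWS or from this article), here is a web ACL expressed in the JSON shape that boto3's wafv2.create_web_acl accepts, together with a small local evaluator that reproduces the priority, terminating-action and label semantics just described. Everything in it is assumed: the web ACL and rule names, the label demo:admin-path, the evaluator itself (AWS's matching engine is proprietary), and the regex that stands in for AWS's SQL-injection detector. It runs offline on constructed requests.

```python
"""Added example, not AWS's code: a web ACL in the shape wafv2.create_web_acl(**WEB_ACL)
accepts, plus a local evaluator for the priority / terminating-action / label semantics.
The evaluator is an illustration only; the SQLi detector is a crude regex stand-in."""
import re
from urllib.parse import unquote

def _vis(name):
    """VisibilityConfig is mandatory on every rule and on the web ACL itself."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": name}

# Priorities 0, 10, 20 leave room to insert rules later. Rule 0 only Counts and
# attaches a label; rule 10 matches on that label, so the two form a chain.
WEB_ACL = {
    "Name": "demo-web-acl", "Scope": "REGIONAL",          # hypothetical names throughout
    "DefaultAction": {"Allow": {}},
    "VisibilityConfig": _vis("demo-web-acl"),
    "Rules": [
        {"Name": "count-admin-paths", "Priority": 0,
         "Statement": {"ByteMatchStatement": {
             "FieldToMatch": {"UriPath": {}}, "PositionalConstraint": "STARTS_WITH",
             "SearchString": "/admin",
             "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}]}},
         "Action": {"Count": {}},
         "RuleLabels": [{"Name": "demo:admin-path"}],
         "VisibilityConfig": _vis("count-admin-paths")},
        {"Name": "block-admin-outside-home-countries", "Priority": 10,
         "Statement": {"AndStatement": {"Statements": [
             {"LabelMatchStatement": {"Scope": "LABEL", "Key": "demo:admin-path"}},
             {"NotStatement": {"Statement": {"GeoMatchStatement": {"CountryCodes": ["US", "CA"]}}}}]}},
         "Action": {"Block": {}},
         "VisibilityConfig": _vis("block-admin-outside-home-countries")},
        {"Name": "block-sqli-in-query", "Priority": 20,
         "Statement": {"SqliMatchStatement": {
             "FieldToMatch": {"QueryString": {}},
             "TextTransformations": [{"Priority": 0, "Type": "URL_DECODE"}]}},
         "Action": {"Block": {}},
         "VisibilityConfig": _vis("block-sqli-in-query")},
    ],
}

# Crude stand-in for AWS's SQL-injection detector; only good enough for this demo.
_SQLI_HINT = re.compile(r"(?i)(\bor\b\s+\d+\s*=\s*\d+|\bunion\s+select\b|--)")

def _transform(value, transformations):
    """Apply TextTransformations in their own Priority order before matching."""
    for x in sorted(transformations, key=lambda x: x["Priority"]):
        if x["Type"] == "LOWERCASE":
            value = value.lower()
        elif x["Type"] == "URL_DECODE":
            value = unquote(value)
    return value

def _matches(stmt, request, labels):
    """Evaluate one statement against a request dict {uri, query, country}."""
    kind, body = next(iter(stmt.items()))
    if kind in ("ByteMatchStatement", "SqliMatchStatement"):
        field = next(iter(body["FieldToMatch"]))
        value = _transform({"UriPath": request["uri"], "QueryString": request["query"]}[field],
                           body["TextTransformations"])
        if kind == "SqliMatchStatement":
            return _SQLI_HINT.search(value) is not None
        needle = body["SearchString"]
        return {"STARTS_WITH": value.startswith(needle), "CONTAINS": needle in value,
                "EXACTLY": value == needle}[body["PositionalConstraint"]]
    if kind == "GeoMatchStatement":
        return request["country"] in body["CountryCodes"]
    if kind == "LabelMatchStatement":
        return body["Key"] in labels          # labels added by rules evaluated earlier
    if kind == "AndStatement":
        return all(_matches(s, request, labels) for s in body["Statements"])
    if kind == "NotStatement":
        return not _matches(body["Statement"], request, labels)
    raise ValueError(f"statement type not modelled here: {kind}")

def evaluate(web_acl, request):
    """Walk rules in priority order. A matching rule always adds its labels;
    Count then continues, Allow/Block terminates; otherwise DefaultAction applies."""
    labels, counted = set(), []
    for rule in sorted(web_acl["Rules"], key=lambda r: r["Priority"]):
        if not _matches(rule["Statement"], request, labels):
            continue
        labels.update(lbl["Name"] for lbl in rule.get("RuleLabels", []))
        action = next(iter(rule["Action"]))
        if action == "Count":
            counted.append(rule["Name"])
            continue
        return {"action": action.upper(), "rule": rule["Name"], "counted": counted, "labels": sorted(labels)}
    default = next(iter(web_acl["DefaultAction"]))
    return {"action": default.upper(), "rule": "Default_Action", "counted": counted, "labels": sorted(labels)}

# Constructed sample requests (not real traffic).
SAMPLE_REQUESTS = {
    "admin_from_de": {"uri": "/Admin/users", "query": "", "country": "DE"},
    "admin_from_us": {"uri": "/admin/users", "query": "", "country": "US"},
    "sqli_probe": {"uri": "/search", "query": "q=%27%20OR%201%3D1--", "country": "US"},
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(name, evaluate(WEB_ACL, req))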
Rule Group Types
- AWS Managed Rules — maintained by AWS; include the Core rule set (OWASP-like), Known Bad Inputs, SQL Database, Linux/Unix/Windows OS, Admin Protection, Anonymous IP list, Amazon IP reputation list, Bot Control, Account Takeover Prevention (ATP), and Account Creation Fraud Prevention (ACFP).
- AWS Marketplace managed rules — authored by third-party security vendors (F5, Fortinet, Imperva, GeoGuard, Cyber Security Cloud, etc.) and billed through AWS Marketplace.
- Customer-managed rule groups — your own reusable groups, reducing duplication across many web ACLs.
- Rate-based rules — track requests per 5-minute window per IP (or per custom aggregation key like JA3 TLS fingerprint, HTTP header, cookie, or forwarded IP) and take action when a threshold is exceeded.
Attaching and Regions
A web ACL lives in one of two scopes: CloudFront (global, managed from us-east-1) or Regional (per-Region for ALB, API Gateway, AppSync, App Runner, Cognito, Verified Access). A single web ACL can be attached to multiple resources within its scope.
Key Features and Limits
- WCUs (Web ACL Capacity Units) — rules consume WCUs; each web ACL has a default budget of 1,500 WCUs (raisable to 5,000 via Service Quotas).
- Default rule groups per web ACL — up to 100 rule groups (soft limit).
- Request body inspection — up to 8 KB by default for CloudFront and 64 KB for ALB/API Gateway/AppSync (higher via association config, with additional WCU cost).
- Rate-based rules — threshold counts requests over a rolling 5-minute window; aggregate by IP, forwarded IP (
X-Forwarded-For), custom keys, or combinations. - Geo-match — match by ISO country code; pairs well with VPN/proxy detection from the Anonymous IP list.
- CAPTCHA and Challenge actions — Challenge serves a silent JavaScript proof-of-work; CAPTCHA serves a visible puzzle for suspicious traffic.
- Logging — send full sampled or complete logs to Amazon S3, Amazon CloudWatch Logs, or Amazon Kinesis Data Firehose (the latter for near-real-time fan-out to SIEMs).
- Integration with AWS Firewall Manager — centralize web ACL deployment and policy enforcement across an AWS Organization.
- Sampled requests — the console shows a sample of recent matches per rule for tuning.
- Bot Control and Fraud Control (ATP/ACFP) — priced separately; use ML and signals like device fingerprints and behavior analytics to detect bots and credential stuffing.
Common Use Cases
- OWASP Top 10 protection — start with the AWS Managed Common Rule Set + Known Bad Inputs + SQL Database + the relevant OS rule set to cover the bulk of Top 10 risks.
- Rate limiting / brute-force protection — a rate-based rule capping login endpoint requests at, say, 100 per IP per 5 minutes to blunt credential stuffing.
- Geo-blocking — block traffic from countries your business doesn't serve or apply stricter scrutiny to high-risk regions.
- Bot mitigation — AWS WAF Bot Control distinguishes verified good bots (Google, Bing), known bad bots, and unclassified bots using request fingerprints and behavior.
- Credential stuffing and account-takeover prevention — ATP rule group watches auth endpoints, flags compromised credentials, and challenges suspicious IPs.
- API-specific rules — combine URI-path match with custom body inspection and labels to enforce different policies on different API routes.
Pricing Model
AWS WAF pricing has three dimensions:
- Web ACL — $5.00 per web ACL per month (prorated hourly).
- Rule (including rule group) — $1.00 per rule or rule group per month attached to a web ACL (prorated hourly).
- Requests — $0.60 per 1 million requests evaluated.
On top of base pricing, the Bot Control managed rule group adds approximately $10/month + $1.00 per million requests (Common) and more for Targeted inspection. Account Takeover Prevention (ATP) and Account Creation Fraud Prevention (ACFP) are each priced per million login or registration attempts.
AWS Managed Rules not labeled as "add-on" (Bot Control, ATP, ACFP, Fraud Control) are included at the standard $1/rule-group/month fee. AWS Marketplace rule groups have their own subscription prices set by the vendor.
There is no Free Tier for WAF, but if you also enable AWS Shield Advanced ($3,000/month per organization) you get WAF included at no additional charge on protected resources — a break-even consideration for high-traffic sites.
Pros and Cons
Pros
- Deep AWS integration (CloudFront, ALB, API Gateway, AppSync, App Runner, Cognito, Verified Access).
- Rich managed rule groups covering OWASP, bots, and fraud.
- Rate-based rules, CAPTCHA/Challenge, and labels enable sophisticated multi-step logic without external tooling.
- Centralized management via AWS Firewall Manager across an Organization.
Cons
- Pricing can compound: web ACL + rules + requests + add-on rule groups (Bot Control, ATP, ACFP) together add up quickly at high traffic.
- WCU budgeting is opaque — complex rule groups can exhaust the 1,500 WCU limit and require quota increases.
- Tuning to avoid false positives typically requires weeks of Count-action monitoring before switching rules to Block.
- Body inspection is capped (8 KB CloudFront default), so very large payloads may bypass content-based rules unless reconfigured.
Comparison with Alternatives
| Feature | AWS WAF | AWS Shield Advanced | AWS Network Firewall | | --- | --- | --- | --- | | Layer | L7 (HTTP/HTTPS) | L3/L4 + L7 (bundled WAF on CloudFront/ALB) | L3–L7 at VPC edge | | Attach points | CloudFront, ALB, API Gateway, AppSync, App Runner, Cognito, Verified Access | Same as WAF + EIPs, Accelerators, Route 53 | VPC subnets (stateful) | | Primary use | OWASP, bots, rate limiting | DDoS protection + WAF bundle | East-west / egress inspection | | Pricing | Per ACL + rule + request | Flat $3k/month + bundled WAF | Endpoint-hour + traffic GB |
Exam Relevance
WAF comes up on:
- Solutions Architect Associate (SAA-C03) — attaching a WAF to CloudFront vs ALB, OWASP protection, rate-based rules.
- Security Specialty (SCS-C02) — managed rule group selection, label-based rule chaining, logging to Kinesis Firehose, Firewall Manager policies.
- Advanced Networking Specialty (ANS-C01) — WAF vs Shield vs Network Firewall placement and edge protection strategies.
- SysOps Administrator (SOA-C02) — operational tuning with Count action, sampled requests, and CloudWatch logs.
Classic exam trap: confusing AWS WAF (application-layer, HTTP/HTTPS) with AWS Shield Advanced (network-layer DDoS). The correct framing: Shield Standard is always-on and free at L3/L4; Shield Advanced adds 24/7 SRT support, cost protection, and bundles WAF at no extra rule/request cost; WAF itself is the L7 engine. If a question emphasizes SQL injection, XSS, geo-blocking, or rate limiting, the answer is WAF. If it emphasizes volumetric DDoS, SYN floods, or cost protection during attacks, the answer is Shield Advanced.
Frequently Asked Questions
Q: Which services can I attach an AWS WAF web ACL to?
A: Amazon CloudFront (global), Application Load Balancer, Amazon API Gateway (REST APIs), AWS AppSync GraphQL APIs, AWS App Runner, Amazon Cognito User Pools, and AWS Verified Access. A single web ACL can be attached to multiple resources within its scope (CloudFront-global or Regional). For Network Load Balancers or raw EC2, use AWS Network Firewall or Shield instead — NLB operates at L4 and isn't a WAF attach point.
Q: How do AWS WAF rate-based rules work?
A: A rate-based rule counts requests from an aggregation key over a rolling 5-minute window and takes an action (Block, CAPTCHA, Count, Challenge) when the threshold is exceeded. The default aggregation key is client IP, but you can choose forwarded IP (X-Forwarded-For when behind CloudFront/ALB), HTTP header values, cookie values, query arguments, URI path components, or custom combinations. Rate-based rules are the standard AWS answer for brute-force, scraping, and application-layer floods.
Q: How is AWS WAF priced?
A: Three dimensions add up: $5/month per web ACL, $1/month per rule or rule group attached (prorated hourly), and $0.60 per million requests evaluated. Add-on managed rule groups — Bot Control, Account Takeover Prevention (ATP), Account Creation Fraud Prevention (ACFP), Fraud Control — carry their own per-request fees on top. AWS Marketplace rule groups have vendor-set prices. There is no Free Tier for WAF, though AWS Shield Advanced subscribers get WAF included at no extra charge on their protected resources.
This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official AWS WAF documentation before making production decisions.