3.1.3. AWS WAF (Web Application Firewall)

First Principle: AWS WAF protects web applications and APIs from common web exploits and bots by inspecting HTTP/S traffic at the application layer (Layer 7), ensuring security and availability.

For security specialists, protecting web applications from common web-based attacks (e.g., SQL injection, Cross-Site Scripting (XSS)) is crucial. AWS WAF provides this protection at the application layer.

AWS WAF (Web Application Firewall) is a web application firewall that helps protect your web applications or APIs from common web exploits that may affect availability, compromise security, or consume excessive resources.

Key Features of AWS WAF:

• Application-Layer Protection (Layer 7): Inspects HTTP/S traffic specifically.
• Common Web Exploits: Protects against common attacks defined by the OWASP Top 10.
• Integration Points: You deploy AWS WAF with:
  • Amazon CloudFront: For global web applications and CDNs.
  • Application Load Balancer (ALB): For regional web applications.
  • Amazon API Gateway: For securing REST and WebSocket APIs.
  • AWS AppSync: For GraphQL APIs.
• Rules: Define custom rules to allow, block, or count web requests based on conditions such as:
  • IP addresses (e.g., geo-blocking).
  • HTTP headers, body, or query strings.
  • SQL injection patterns.
  • XSS attacks.
  • Size constraints.
• Managed Rules: Predefined, AWS-managed rule groups. Provide protection against common threats without requiring you to write custom rules.
• Rate-based Rules: Automatically block or limit traffic from IP addresses that are generating an unusually high number of requests (e.g., for DDoS mitigation).

Scenario: You need to protect a public-facing web application from common web exploits like SQL injection and Cross-Site Scripting (XSS), and also block traffic from specific malicious IP addresses.

Reflection Question: How does AWS WAF, by inspecting HTTP/S traffic at the application layer (Layer 7) and allowing custom rules, fundamentally protect web applications and APIs from common web exploits and bots, ensuring their security and availability?