AWS WAF

What Is This Service?

AWS WAF (Web Application Firewall) is AWS’s managed Layer 7 (HTTP/HTTPS) firewall that protects applications from malicious web requests and application-layer attacks.

Protects against:

  • SQL Injection (SQLi)
  • Cross-Site Scripting (XSS)
  • Credential stuffing
  • Bot attacks
  • Application-layer DDoS
  • Abuse patterns
  • Fraud attacks

Mental model:
AWS WAF = request inspection engine + application protection + traffic decision platform.

WAF protects:

HTTP
HTTPS

Not:

SSH
TCP
UDP
Operating Systems

Why It Matters for Security

Most internet attacks target:

Application Layer

Security goals:

  • Filter malicious traffic
  • Stop automated abuse
  • Protect login endpoints
  • Prevent account takeover
  • Reduce application exposure

Security outcomes:

  • Lower attack surface
  • Reduced credential compromise
  • Better application resilience
  • Centralized web protection

Typical use cases:

  • API protection
  • Login protection
  • Bot mitigation
  • Geo blocking
  • Credential stuffing defense
  • Multi-account governance

Architecture Example

flowchart LR
    Users
    Shield[Shield]
    WAF[AWS WAF]
    CF[CloudFront]
    ALB[ALB]
    APIGW[API Gateway]
    Cognito[Cognito User Pool]
    Rules[Managed Rules]
    ATP[Fraud Control ATP]
    App[Application]
    Users --> Shield
    Shield --> WAF
    Rules --> WAF
    ATP --> WAF
    WAF --> CF
    WAF --> ALB
    WAF --> APIGW
    WAF --> Cognito
    CF --> App
    ALB --> App
    APIGW --> App
    Cognito --> App

Core architecture:

Request
 ↓
WAF Inspection
 ↓
Allow / Block / Count
 ↓
Application

Workflow(s)

Request Evaluation

sequenceDiagram
    participant User
    participant WAF
    participant App
    User->>WAF: HTTP Request
    WAF->>WAF: Evaluate Web ACL
    alt Allow
        WAF->>App: Forward
        App-->>User: Response
    else Block
        WAF-->>User: HTTP 403
    end

Credential Stuffing Protection

sequenceDiagram
    participant User
    participant WAF
    participant ATP
    participant Cognito
    User->>WAF: Login
    WAF->>ATP: Evaluate risk
    ATP-->>WAF: Risk decision
    alt Suspicious
        WAF-->>User: CAPTCHA / Block
    else Valid
        WAF->>Cognito: Authenticate
    end

Oversize Inspection Workflow

sequenceDiagram
    participant Client
    participant WAF
    participant App
    Client->>WAF: Large request body
    WAF->>WAF: Inspect first body segment
    alt Oversize Action = Block
        WAF-->>Client: Reject
    else Continue
        WAF->>App: Forward
    end

Core Concepts

Web ACL (MOST TESTED)

Primary WAF object.

Contains:

  • Rules
  • Actions
  • Scope

Applied to:

  • CloudFront
  • ALB
  • API Gateway
  • AppSync
  • Cognito

Exam trap:

Rules do nothing until attached.


Web ACL Capacity Units (WCUs) (VERY HIGH VALUE)

Every rule consumes:

WCU

Default Web ACL capacity:

1,500 WCUs

Examples:

Managed rule groups consume large amounts.

Exam scenario:

Cannot save Web ACL

Likely cause:

Exceeded WCU capacity

Solutions:

  • Remove rules
  • Increase quota

Massive exam trap.


Rules

Inspection logic.

Examples:

  • IP match
  • Header match
  • Geo
  • Regex
  • Rate
  • Labels

Actions:

Allow
Block
Count
CAPTCHA
Challenge

Rule Groups

Reusable rules.

Types:

  • AWS Managed
  • Marketplace
  • Custom

Scope

Regional

Protects:

  • ALB
  • API Gateway
  • Cognito

Global

Protects:

CloudFront

CloudFront Web ACLs are created in:

us-east-1

Classic trap.


Labels

Attach metadata.

Used for:

  • Chained detection
  • Rule coordination

Important Integrations

Amazon CloudFront (VERY HIGH VALUE)

Most common integration.

Pattern:

Internet
 ↓
CloudFront
 ↓
WAF
 ↓
Origin

Application Load Balancer

Protects:

  • Web applications

API Gateway

Protects:

  • APIs

Amazon Cognito (HIGH VALUE)

Protects:

  • Login
  • Registration

Exam update.


AWS WAF Fraud Control (ATP)

Account Takeover Prevention.

Protects against:

  • Credential stuffing
  • Leaked passwords
  • Login abuse

Uses:

  • Behavioral signals
  • Threat intelligence

Exam scenario:

Protect login pages

Answer:

WAF ATP

AWS Shield

Relationship:

Shield:

DDoS

WAF:

HTTP filtering

Firewall Manager

Centralized WAF deployment.


CloudWatch

Monitoring.


Kinesis Data Firehose

WAF logs export.


Security Features

Managed Rules

Examples:

  • SQLi
  • XSS
  • Bot Control
  • ATP

Fast deployment.


Rate-Based Rules (HIGH VALUE)

Blocks:

Requests per IP

Used for:

  • Abuse
  • Credential stuffing

X-Forwarded-For Handling (HIGH VALUE)

When proxies exist:

Client
 ↓
Proxy/CDN
 ↓
WAF

True client IP may exist in:

X-Forwarded-For

Risk:

Spoofing

Mitigation:

  • Validate proxy chain
  • Configure fallback IP behavior

Exam trap:

Blindly trusting XFF.
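A constructed Python illustration, added here and not AWS WAF's own logic, of the two points above: resolving the client IP from X-Forwarded-For only through a validated proxy chain with an explicit fallback, then counting requests per resolved IP the way a rate-based rule does. The proxy range 203.0.113.0/24 and every address below are made-up sample values.

```python
# Added example (not AWS code): resolve the client IP by walking X-Forwarded-For
# through a trusted proxy chain, with an explicit fallback when the header is
# absent or malformed, then count requests per resolved IP for a rate rule.
# The trusted proxy range and all addresses are constructed samples.
import ipaddress
from collections import defaultdict, deque
from typing import Optional

TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]  # constructed CDN range

def _trusted(ip: str) -> bool:
    try:
        return any(ipaddress.ip_address(ip) in net for net in TRUSTED_PROXIES)
    except ValueError:
        return False

def client_ip(source_ip: str, xff: Optional[str],
              fallback: str = "source") -> Optional[str]:
    """Walk XFF right to left, skipping trusted proxies; the first untrusted hop
    is the client. The left-most value is attacker-controlled and never trusted
    on its own. If the header is missing or malformed, 'source' falls back to
    the connection IP and any other fallback value yields None (no match)."""
    if not _trusted(source_ip):      # did not arrive through our proxy layer
        return source_ip
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if _trusted(hop):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            break                    # malformed hop: apply the fallback
    return source_ip if fallback == "source" else None

class RateLimiter:
    """Sliding-window request counter keyed by the resolved client IP."""
    def __init__(self, limit: int, window_s: int) -> None:
        self.limit, self.window_s = limit, window_s
        self.hits = defaultdict(deque)

    def allow(self, ip: str, now: float) -> bool:
        q = self.hits[ip]
        while q and now - q[0] >= self.window_s:   # drop hits outside the window
            q.popleft()
        q.append(now)
        return len(q) <= self.limit
```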


Bot Control

Detects:

  • Automation
  • Crawlers

CAPTCHA vs Challenge

CAPTCHA:

User interaction

Challenge:

Silent validation

Oversize Handling (VERY HIGH VALUE)

WAF inspects only a limited prefix of the request body, not the whole body.

Default inspection:

First 8 KB

Can be increased for supported services.

Options:

Continue
Match
No Match
Block

Security recommendation:

Block

if full inspection is required.

Massive exam trap.
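An added example (not AWS code) modelling the oversize options above: a body-inspecting rule sees only the first 8 KB, so a marker placed past that limit is missed under Continue, caught under Match, and reliably blocked only by a size-constraint style rule that matches any oversize body. The payloads are constructed.

```python
# Added example (not AWS code): what a body-inspecting rule sees when the body
# exceeds the 8 KB inspection limit, under each oversize option, and a
# size-constraint style rule that blocks any oversize body. Payloads are constructed.
INSPECT_LIMIT = 8 * 1024   # bytes of body the engine actually inspects (page default)

def body_contains(body: bytes, needle: bytes, oversize: str) -> bool:
    """Match `needle` against the inspected prefix of `body`.
    CONTINUE: inspect the prefix only; bytes past it are never seen.
    MATCH:    treat any oversize body as a match (fail closed).
    NO_MATCH: treat any oversize body as a non-match (fail open)."""
    if len(body) > INSPECT_LIMIT:
        if oversize == "MATCH":
            return True
        if oversize == "NO_MATCH":
            return False
    return needle in body[:INSPECT_LIMIT]

def block_oversize(body: bytes) -> bool:
    """Size-constraint style rule: matches when the body is larger than the
    inspection limit, so the Web ACL can Block what it cannot fully inspect."""
    return len(body) > INSPECT_LIMIT

# Constructed payload: a marker string hidden after 8 KB of padding.
MARKER = b"<script>"
HIDDEN = b"A" * INSPECT_LIMIT + MARKER
```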


Geo Match

Filters:

  • Countries

Custom Responses

Returns:

  • Custom HTTP status

Logging

Supports:

  • Full request visibility

Advanced Security and Operational Concepts

WAF Is Layer 7 Only (MOST TESTED)

Protects:

HTTP
HTTPS

Not:

TCP
UDP
SSH

Use:

  • SG
  • NACL
  • Shield

Evaluation Order

Flow:

Web ACL
 ↓
Rule Priority
 ↓
Action
 ↓
Default Action

Evaluation stops at the first matching terminating rule.


Count Mode Deployment (HIGH VALUE)

Safe rollout:

Count
 ↓
Observe
 ↓
Block

Prevents outages.


Credential Stuffing Architecture

Pattern:

CloudFront
 ↓
WAF
 ↓
ATP
 ↓
CAPTCHA
 ↓
Cognito

WAF vs Shield

WAF:

Application filtering

Shield:

Network DDoS

Firewall Manager Pattern

Organizations
 ↓
Firewall Manager
 ↓
Deploy WAF

Logging Cost Trap

Logging:

  • Request-based
  • Not free

Label-Based Detection

Pattern:

Rule
 ↓
Label
 ↓
Secondary Rule
 ↓
Decision
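A constructed Python model, added here and not AWS WAF's own engine, of the three patterns above (evaluation order, Count mode, label-based detection): rules run in priority order, Allow and Block terminate, Count only records the match and attaches a label that a later rule can act on, and the default action applies when nothing terminates. Rule names and the label are made up.

```python
# Added example (not AWS code): toy Web ACL evaluation with priority order,
# terminating Allow/Block, non-terminating Count, labels and a default action.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

@dataclass
class Request:
    ip: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    labels: Set[str] = field(default_factory=set)   # labels added while evaluating

@dataclass
class Rule:
    name: str
    priority: int                     # lower number is evaluated first
    match: Callable[[Request], bool]
    action: str                       # "ALLOW", "BLOCK" or "COUNT"
    label: Optional[str] = None       # label attached on match, visible to later rules

def evaluate(rules: List[Rule], req: Request,
             default_action: str = "ALLOW") -> Tuple[str, List[str]]:
    """Return (final action, names of rules that matched). The first matching
    Allow/Block rule terminates evaluation; a Count rule only records the match
    and adds its label, so later rules still run; no match means default action."""
    matched: List[str] = []
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule.match(req):
            continue
        matched.append(rule.name)
        if rule.label:
            req.labels.add(rule.label)
        if rule.action in ("ALLOW", "BLOCK"):
            return rule.action, matched
    return default_action, matched

# Constructed rule set: an allow for health checks, a Count-mode detector that
# only labels suspicious user agents, and a secondary rule that blocks when the
# label is present on a request to the login path.
RULES = [
    Rule("allow-health", 5, lambda r: r.path == "/health", "ALLOW"),
    Rule("suspicious-ua", 10,
         lambda r: "python-requests" in r.headers.get("user-agent", ""),
         "COUNT", label="awswaf:custom:suspicious-ua"),
    Rule("block-labelled-login", 20,
         lambda r: "awswaf:custom:suspicious-ua" in r.labels and r.path == "/login",
         "BLOCK"),
]
```

Calling evaluate(RULES, Request("198.51.100.7", "/login", {"user-agent": "python-requests/2.31"})) returns ('BLOCK', ['suspicious-ua', 'block-labelled-login']): the Count rule alone never blocks, the label does.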

Comparisons

Service          | Layer | Purpose            | Scope
AWS WAF          | L7    | App protection     | HTTP
Shield Standard  | L3/L4 | DDoS               | AWS
Shield Advanced  | L3/L4 | Enterprise DDoS    | AWS
Security Groups  | L3/L4 | Instance filtering | VPC
Network Firewall | L3–L7 | Network filtering  | VPC

Common Exam Traps

  1. WAF only protects Layer 7.
  2. Web ACL required.
  3. CloudFront WAF uses us-east-1.
  4. WCU limit can block deployment.
  5. Count mode before Block.
  6. ATP protects login endpoints.
  7. Oversize bodies may bypass inspection.
  8. XFF can be spoofed.
  9. Shield ≠ WAF.
  10. Rate rules stop credential stuffing.
  11. Firewall Manager centralizes deployment.
  12. Logging incurs cost.

5-Second Recall

  • WAF = Layer 7 firewall
  • Web ACL = enforcement
  • 1,500 WCU limit
  • CloudFront → us-east-1
  • ATP protects logins
  • Oversize → Block
  • Count before Block

Quick Revision Notes

  • Managed application firewall
  • Protects HTTP/HTTPS only
  • Web ACL controls behavior
  • Managed rules accelerate deployment
  • WCU capacity matters
  • ATP prevents account takeover
  • Oversize inspection is limited
  • XFF requires validation
  • Firewall Manager centralizes control
  • Count → Observe → Block