AWS WAF (Web Application Firewall)

AWS WAF is a web application firewall that allows customers to write application-specific rules that increase security and application availability by blocking common web attacks that attempt to exploit vulnerabilities.

Using customizable web security rules, customers can define which traffic is allowed to reach the web application and which is blocked. According to AWS, WAF “makes it easy to create rules that block common web exploits like SQL injection and cross-site scripting.”

AWS has tightly integrated the firewall with its monitoring tool, Amazon CloudWatch, and its content delivery network, Amazon CloudFront. This allows users to monitor real-time metrics and get alerts when the system is under attack. Since Amazon CloudFront allows custom origins, AWS WAF can be used to protect sites hosted inside and outside of AWS.

Getting started with WAF is easy, as there is no additional software to deploy. Customers only have to enable AWS WAF on the right resource.

Features:

Do it once and use it many times: WAF allows IT teams to write a centralized set of rules and deploy them across multiple applications. You create one set of rules and use it on as many applications as you want, instead of writing rules for each individual application.

Reduce friction between development and security teams: Often there is a knowledge gap between the teams that build the application and the teams that secure it. Handoffs can be time-consuming. Since WAF can be deployed and managed through APIs, development teams can address security concerns before and during the deployment process. The ability to address security at the development stage reduces the complexity of handoffs.

Keep a close eye: AWS WAF’s tight integration with Amazon CloudWatch gives users access to real-time metrics and the ability to capture raw requests with details about IP addresses, geolocations, URIs, User-Agent and Referer headers. Customers can create alarms that are triggered when a particular threshold is exceeded or when a specific type of attack occurs. The logs can be used to analyze and improve security if a breach occurs.

Automatic Deployment: AWS customers can use CloudFormation templates to define security rules for their application, and to deploy and provision WAF automatically.

How does it work: “AWS CloudFormation template automatically launches and configures the AWS WAF settings and protective features you choose to include during initial deployment.” – AWS
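A minimal template of the kind described above, as an added example (it is not AWS's preconfigured template and not from the original page). It uses the current AWS::WAFv2::WebACL resource type, which the page does not name; the logical ID, names and metric names are hypothetical.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Constructed example - web ACL that blocks SQL injection and XSS
Resources:
  ExampleWebACL:                    # hypothetical logical ID
    Type: AWS::WAFv2::WebACL        # assumption: current WAF resource type
    Properties:
      Name: example-web-acl         # hypothetical name
      Scope: CLOUDFRONT             # create the stack in us-east-1; use REGIONAL for an ALB or API Gateway
      DefaultAction:
        Allow: {}                   # anything no rule matches is allowed
      VisibilityConfig:             # publishes web ACL metrics to CloudWatch
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: exampleWebACL
      Rules:
        - Name: block-sqli-query-string
          Priority: 0
          Action:
            Block: {}               # start with "Count: {}" to observe matches before enforcing
          Statement:
            SqliMatchStatement:
              FieldToMatch:
                QueryString: {}
              TextTransformations:
                - Priority: 0
                  Type: URL_DECODE
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: blockSqliQueryString
        - Name: block-xss-query-string
          Priority: 1
          Action:
            Block: {}
          Statement:
            XssMatchStatement:
              FieldToMatch:
                QueryString: {}
              TextTransformations:
                - Priority: 0
                  Type: URL_DECODE
                - Priority: 1
                  Type: HTML_ENTITY_DECODE
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: blockXssQueryString
```

The template only defines the web ACL; it takes effect once the ACL is associated with a resource such as a CloudFront distribution. Each rule's metric can then back a CloudWatch alarm on blocked requests.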

AWS WAF: How to deploy quickly

Pre-configured protections: (From AWS WAF Getting Started)

You can use our preconfigured template to quickly get started with AWS WAF. The template includes a set of AWS WAF rules, which can be customized to best fit your needs, designed to block common web-based attacks. 

AWS WAF: Pricing

AWS WAF uses a pay-for-what-you-use pricing model. There will be no minimum fees or upfront commitments. Your monthly WAF charges will depend on how many rules you deploy and how many web requests are made to your application.

Charges will be based on the following:

  • the number of web access control lists (web ACLs)

  • the number of rules added per web ACL

  • the number of web requests received

Current WAF charges for all available regions:

  • $5 per web ACL per month

  • $1 per rule per web ACL per month

  • $0.60 per million web requests

For up-to-date pricing, please visit AWS WAF.