Web Application Firewall

Guarding Your Web Applications: Unveiling the Power of AWS WAF

A Web Application Firewall (WAF) is typically deployed as a reverse proxy between the internet and the web application, inspecting and filtering incoming requests before they reach the web server. It lets you control access to your web content and provides customizable security rules that filter traffic based on IP addresses, HTTP headers, HTTP body content, or URI (Uniform Resource Identifier) strings.



How Does a WAF Work?

A WAF analyses incoming HTTP and HTTPS requests to a web application and allows or blocks each request based on pre-defined security rules. Rules can be based on IP addresses, headers, parameters, and other attributes of the request.



A WAF can take one of three approaches to analysing and filtering the content of these HTTP requests:

  • Whitelisting: The WAF denies all requests by default and allows only requests that are known to be trusted, for example by keeping a list of IP addresses known to be safe. Whitelisting is less resource-intensive than blacklisting. Its downside is that it can unintentionally block benign traffic: while it casts a wide net and can be efficient, it can also be imprecise.
  • Blacklisting: Blacklisting uses preset signatures to block malicious web traffic and protect against vulnerabilities in websites or web applications. It is a list of rules that identify malicious packets. Blacklisting is more appropriate for public websites and web apps because they receive a lot of traffic from unfamiliar IP addresses that are not known to be either malicious or benign. The downside of blacklisting is that it is more resource-intensive and requires more information to filter packets based on specific characteristics, as opposed to defaulting to trusted IP addresses.
  • Hybrid security: A hybrid security model uses elements of both blacklisting and whitelisting at the same time.


Accordingly, a WAF can be configured to:

  • Allow all requests except the ones specified – blacklisting, for example all IP addresses except the ones listed.
  • Block all requests except the ones specified – whitelisting, for example based on the IP address the request originates from.
  • Monitor (count) the requests that match the specified properties – counts the requests that match the defined properties, which is useful when configuring and testing allow or block rules with new properties. After confirming that the configuration did not accidentally block all traffic to the website, it can be changed to allow or block the matching requests.
  • CAPTCHA – runs a CAPTCHA check against the request.


AWS Web Application Firewall

AWS WAF (Web Application Firewall) is a managed web application firewall service provided by Amazon Web Services (AWS). It helps protect your web applications from a wide range of web-based threats, including common security vulnerabilities and DDoS (Distributed Denial of Service) attacks, such as:

  • SQL Injection: Prevents attackers from executing malicious SQL queries.
  • Cross-Site Scripting (XSS): Blocks malicious scripts injected into web pages.
  • Cross-Site Request Forgery (CSRF): Helps protect against unauthorized actions initiated by attackers.
  • HTTP Floods: Mitigates large-scale HTTP requests designed to overwhelm your application.
  • IP Reputation Lists: Blocks traffic from known malicious IP addresses.

Main Components of AWS WAF

  1. Rules: AWS WAF allows you to create rules that define the types of traffic you want to allow or block from reaching your web applications. You can create rules based on various conditions such as IP addresses, HTTP headers, URI strings, and HTTP body content.
  2. Managed Rule Groups: AWS WAF provides pre-built managed rule groups that offer protection against common web attacks such as SQL injection, cross-site scripting (XSS), and more. These rule groups are created and maintained by AWS and updated regularly so that they provide up-to-date protection against the latest threats.
  3. Web ACLs: AWS WAF uses web ACLs (Web Access Control Lists) to group together rules that you can then apply to one or more web applications. Web ACLs allow you to apply a set of rules across multiple web applications, making it easier to manage and apply security policies consistently.
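The three components map directly onto the JSON that the wafv2 API accepts: a web ACL carries a default action, a list of rules ordered by priority, and a CloudWatch visibility block, while each rule carries a statement (an IP set reference, a byte match on the URI path, or a managed rule group) and either an Action or, for rule groups, an OverrideAction. The script below is an added example and not code from the article or from AWS; it builds such a definition locally and checks it for the mistakes the API rejects (duplicate priorities, a missing OverrideAction on a group reference, both Action and OverrideAction on one rule). The IP set ARN and the rule names are placeholders and constructed values.

```python
"""Build an AWS WAF (wafv2) web ACL definition locally and sanity-check it.

Added example, not code from the original article or from AWS. The shapes
follow the wafv2 CreateWebACL request (Rules, Statement, Action or
OverrideAction, VisibilityConfig); the IP set ARN is a placeholder.
"""
import json

# Placeholder ARN: substitute the ARN returned by `aws wafv2 create-ip-set`.
IP_SET_ARN = "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/blocked-ips/PLACEHOLDER-ID"


def visibility(metric_name):
    """Per-rule CloudWatch settings; MetricName is what metrics and alarms key on."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": metric_name}


def ip_block_rule(priority, ip_set_arn):
    """Rule on IP addresses: block any request whose source is in the IP set."""
    return {
        "Name": "block-listed-ips",
        "Priority": priority,
        "Statement": {"IPSetReferenceStatement": {"ARN": ip_set_arn}},
        "Action": {"Block": {}},
        "VisibilityConfig": visibility("blockListedIps"),
    }


def uri_count_rule(priority, path_prefix):
    """Rule on the URI string: count (do not block) requests to a path, URL-decoded first."""
    return {
        "Name": "count-admin-path",
        "Priority": priority,
        "Statement": {"ByteMatchStatement": {
            "SearchString": path_prefix,
            "FieldToMatch": {"UriPath": {}},
            "TextTransformations": [{"Priority": 0, "Type": "URL_DECODE"}],
            "PositionalConstraint": "STARTS_WITH",
        }},
        "Action": {"Count": {}},
        "VisibilityConfig": visibility("countAdminPath"),
    }


def managed_group_rule(priority, group_name):
    """AWS-maintained managed rule group; group references carry OverrideAction, not Action."""
    return {
        "Name": group_name,
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": group_name}},
        "OverrideAction": {"None": {}},
        "VisibilityConfig": visibility(group_name),
    }


def build_web_acl(name, default_allow=True):
    """Web ACL grouping the rules; the default action decides what unmatched traffic gets."""
    rules = [
        ip_block_rule(0, IP_SET_ARN),
        managed_group_rule(1, "AWSManagedRulesCommonRuleSet"),
        uri_count_rule(2, "/admin"),
    ]
    return {
        "Name": name,
        "Scope": "REGIONAL",  # CLOUDFRONT for a distribution, created in us-east-1
        "DefaultAction": {"Allow": {}} if default_allow else {"Block": {}},
        "Rules": rules,
        "VisibilityConfig": visibility(name),
    }


def validate_web_acl(acl):
    """Return a list of consistency problems; an empty list means the definition is sound."""
    problems = []
    priorities = [r["Priority"] for r in acl["Rules"]]
    if len(set(priorities)) != len(priorities):
        problems.append("rule priorities must be unique")
    for r in acl["Rules"]:
        stmt = r["Statement"]
        is_group = "ManagedRuleGroupStatement" in stmt or "RuleGroupReferenceStatement" in stmt
        if is_group and "OverrideAction" not in r:
            problems.append(f"{r['Name']}: rule group references need OverrideAction")
        if not is_group and "Action" not in r:
            problems.append(f"{r['Name']}: rules need an Action")
        if "Action" in r and "OverrideAction" in r:
            problems.append(f"{r['Name']}: Action and OverrideAction are mutually exclusive")
        if not r["VisibilityConfig"].get("MetricName"):
            problems.append(f"{r['Name']}: missing CloudWatch MetricName")
    return problems


if __name__ == "__main__":
    acl = build_web_acl("example-web-acl")
    print("problems:", validate_web_acl(acl) or "none")
    print(json.dumps(acl, indent=2))  # the Rules array is what --rules file://rules.json takes
```

Keeping the default action at Allow and adding block rules is the blacklisting model from the first section; switching `default_allow` to `False` and keeping only allow rules is whitelisting. Running the managed rule group with an OverrideAction of None means its own block actions apply; setting it to Count instead is the debug mode described later in the article.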

Benefits and features:

AWS WAF offers a wide range of benefits and features, empowering you to secure your web applications effectively. Here are some key advantages of using AWS WAF:

  • Agile protection against web attacks: AWS WAF rule propagation and updates take just under a minute, enabling you to react faster when you are under attack or when security issues arise.
  • Ease of deployment and maintenance: AWS WAF is easy to deploy and protects applications deployed on Amazon CloudFront, an Application Load Balancer, or Amazon API Gateway. There is no additional software to deploy, DNS configuration to change, or SSL/TLS certificate to manage.
  • Cost-effective: AWS WAF is a pay-as-you-go service, which means you only pay for the resources you use. This makes it a cost-effective solution for securing your web applications.
  • Improved web traffic visibility: AWS WAF gives near real-time visibility into your web traffic, which you can use to create new rules or alarms in Amazon CloudWatch.
  • Scalability: AWS WAF is designed to handle high volumes of traffic and can scale automatically to meet the demands of your web applications.
  • Flexibility: AWS WAF provides a wide range of options for creating custom rules to filter traffic, giving you greater flexibility in defining your security policies.

How to use AWS WAF?

First, be aware that AWS WAF is a regional service. The console makes it look like a global service when you open it, but you must switch between Regions using the Region selector:



Step 1: Describe web ACL and associate it to AWS resources.



Step 2: Add rules and rule groups.

    • A rule can evaluate the URL, header, body, or method of an HTTP(S) request along with its Source IP and Country of Origin.



Evaluation can mean a string comparison, a regex, a size match (in bytes), or one of the built-in specialized operators for detecting SQL injection and cross-site scripting attacks.


    • A rule allows you to apply multiple transformations to the text before it is evaluated, such as removing whitespace or decoding a URL.
    • You can use a rate-based rule to throttle the number of requests from a single IP address within a 5-minute period, and this can be combined with any other condition.
    • If a rule matches a request, one of three actions can be taken: allow, block, or count. The count action is a kind of debug mode that lets you evaluate a rule without affecting your real traffic.



  • If the request matches the conditions of a rule with a “count” action, additional rules will continue to be evaluated.
  • If an allow or block rule is matched, the action will be applied, and additional rules will not be evaluated.
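The evaluation rules just listed, together with the whitelisting, blacklisting and hybrid approaches from the first section, can be made concrete with a small simulator. The code below is an added example, not code from the article or from AWS: it evaluates rules in priority order, lets a count match fall through to later rules while allow and block terminate, applies text transformations (URL decoding, whitespace compression, lowercasing) before matching, and models a rate-based rule with a 5-minute trailing window. The rule set, the limit of five requests, and the request traffic are all constructed for the example; the rate limiter is a simplified model, not the service's own algorithm.

```python
"""Simulate the AWS WAF evaluation order described above.

Added example, not code from the article or from AWS: rules run in priority
order, count is non-terminating, allow and block terminate, and unmatched
requests get the web ACL default action. Rules, limits and traffic are
constructed; the rate limiter is a simplified model of a rate-based rule.
"""
import re
from collections import defaultdict, deque, namedtuple
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

ALLOW, BLOCK, COUNT = "ALLOW", "BLOCK", "COUNT"
RATE_WINDOW_SECONDS = 300  # rate-based rules count over a 5-minute window

Request = namedtuple("Request", "ts ip uri headers", defaults=[{}])  # ts in seconds
Rule = namedtuple("Rule", "name priority action matches")  # matches: Request -> bool


def transform(text, transformations):
    """Apply text transformations in order before the match is evaluated."""
    for t in transformations:
        if t == "URL_DECODE":
            text = unquote(text)
        elif t == "COMPRESS_WHITE_SPACE":
            text = re.sub(r"\s+", " ", text)
        elif t == "LOWERCASE":
            text = text.lower()
        else:
            raise ValueError(f"unknown transformation {t}")
    return text


def ip_in_set(cidrs):
    nets = [ip_network(c) for c in cidrs]
    return lambda req: any(ip_address(req.ip) in n for n in nets)


def uri_starts_with(prefix, transformations=("URL_DECODE", "LOWERCASE")):
    return lambda req: transform(req.uri, transformations).startswith(prefix)


def header_contains(name, needle, transformations=("COMPRESS_WHITE_SPACE", "LOWERCASE")):
    return lambda req: needle in transform(req.headers.get(name, ""), transformations)


class RateLimiter:
    """Matches once a source IP exceeds `limit` requests within the trailing window.
    Only requests that reach this rule are counted; earlier terminating rules hide them."""

    def __init__(self, limit):
        self.limit = limit
        self.seen = defaultdict(deque)

    def __call__(self, req):
        q = self.seen[req.ip]
        q.append(req.ts)
        while q and req.ts - q[0] > RATE_WINDOW_SECONDS:
            q.popleft()
        return len(q) > self.limit


class WebAcl:
    def __init__(self, rules, default_action=ALLOW):
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.default_action = default_action

    def evaluate(self, req):
        """Return (final_action, terminating_rule_name, counted_rule_names)."""
        counted = []
        for rule in self.rules:
            if not rule.matches(req):
                continue
            if rule.action == COUNT:
                counted.append(rule.name)  # non-terminating: keep evaluating
                continue
            return rule.action, rule.name, counted  # allow/block stop evaluation
        return self.default_action, "Default_Action", counted


def build_sample_acl(default_action=ALLOW):
    """Hybrid set: a whitelist-style allow rule plus blacklist-style block rules."""
    return WebAcl([
        Rule("allow-office", 0, ALLOW, ip_in_set(["203.0.113.0/24"])),
        Rule("count-admin", 1, COUNT, uri_starts_with("/admin")),
        Rule("block-bad-agent", 2, BLOCK, header_contains("user-agent", "badbot")),
        Rule("rate-limit", 3, BLOCK, RateLimiter(limit=5)),
    ], default_action)


def run_sample():
    """Constructed traffic: office user, encoded admin path, bad agent, then a burst."""
    acl = build_sample_acl()
    t0 = 1_700_000_000.0
    requests = [
        Request(t0, "203.0.113.10", "/admin/"),
        Request(t0 + 1, "198.51.100.7", "/%41dmin/users", {"user-agent": "Mozilla/5.0"}),
        Request(t0 + 2, "198.51.100.7", "/index", {"user-agent": "  BadBot   1.0"}),
    ] + [Request(t0 + 10 + i, "192.0.2.9", "/") for i in range(7)]
    return [acl.evaluate(r) for r in requests]


def whitelist_sample():
    """Same rules with default block: anything not explicitly allowed is denied."""
    return build_sample_acl(BLOCK).evaluate(Request(0.0, "198.51.100.7", "/"))


if __name__ == "__main__":
    for result in run_sample() + [whitelist_sample()]:
        print(result)
```

Two details are worth noticing in the output. The office request to `/admin/` is allowed by the priority-0 rule and the count rule never sees it, because an allow terminates evaluation; the encoded `/%41dmin/users` request from an outside address is counted (URL decoding and lowercasing make it match) and then falls through to the default action. In the burst from a single address, the first five requests are allowed and the sixth and seventh are blocked by the rate-based rule.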
Step 4: Configure metrics.

Choose the name and CloudWatch metric name of your web ACL. Neither field can be changed later, so choose wisely.



CloudWatch allows you to track high-level metrics for the number of blocked, counted, and allowed requests. You can enable or disable CloudWatch metrics on a per-rule or per-rule-group basis. You can also combine multiple rules under the same metric name.


Step 5: Review and create a web ACL.

Enabling logs: Logs are disabled by default, so they must be enabled. After enabling CloudWatch logs, you can open the CloudWatch Logs Insights tab and run the sample queries or create custom queries to analyse the logs.

Turn on AWS WAF logs.

After you decide the destination where you want to send your AWS WAF logs, turn on AWS WAF logging by doing the following:

  1. Open the AWS WAF console.
  2. For Region, select the AWS Region where you created your web ACL.
    Note: Select Global if your web ACL is set up for Amazon CloudFront.
  3. Select your web ACL.
  4. Choose Logging and Metrics, then choose Enable.
  6. Choose the Destination where you want to store the AWS WAF logs from the supported destinations.
  6. For Redacted fields, select the fields you want to omit from the logs.
  7. For Filter logs, add the filter to control which requests you want to store.
  8. Choose
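Once logging is on, each request produces one JSON record. The script below is an added example, not code from the article or from AWS: it shows the Logs Insights query a practitioner would run to list blocked requests per rule and client IP, and reproduces that query offline over a handful of constructed log records that follow the AWS WAF record layout (epoch-millisecond timestamp, action, terminatingRuleId, nonTerminatingMatchingRules, and an httpRequest with clientIp, uri and a headers list). The web ACL ARN, request IDs, IP addresses and user agents in the sample data are constructed values; the count-mode summary shows how to read what a rule would have matched before switching it to block.

```python
"""Summarize AWS WAF logs locally the way a CloudWatch Logs Insights query would.

Added example, not code from the article. The log lines are constructed for
this example and follow the AWS WAF log record layout (timestamp in epoch
milliseconds, action, terminatingRuleId, nonTerminatingMatchingRules and an
httpRequest with clientIp, country, uri and a list of header name/value pairs).
"""
import json
from collections import Counter
from datetime import datetime, timezone

# The Logs Insights query that the functions below reproduce offline.
LOG_INSIGHTS_QUERY = """
fields @timestamp, httpRequest.clientIp, httpRequest.uri, terminatingRuleId
| filter action = "BLOCK"
| stats count(*) as blocked by terminatingRuleId, httpRequest.clientIp
| sort blocked desc
"""


def _record(ts_ms, action, rule_id, rule_type, ip, uri, agent, counted=()):
    """Build one constructed log record (helper for the sample data only)."""
    return json.dumps({
        "timestamp": ts_ms,
        "webaclId": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/example/PLACEHOLDER-ID",
        "terminatingRuleId": rule_id,
        "terminatingRuleType": rule_type,
        "action": action,
        "nonTerminatingMatchingRules": [{"ruleId": r, "action": "COUNT"} for r in counted],
        "httpRequest": {
            "clientIp": ip,
            "country": "US",
            "headers": [{"name": "User-Agent", "value": agent},
                        {"name": "Host", "value": "app.example.com"}],
            "uri": uri,
            "httpMethod": "GET",
            "requestId": "PLACEHOLDER-REQUEST-ID",
        },
    })


SAMPLE_LOG_LINES = [  # constructed sample data
    _record(1700000000000, "BLOCK", "block-listed-ips", "REGULAR", "198.51.100.7", "/login", "curl/8.0"),
    _record(1700000001000, "ALLOW", "Default_Action", "REGULAR", "203.0.113.10", "/admin/",
            "Mozilla/5.0", counted=("count-admin",)),
    _record(1700000002000, "BLOCK", "AWS-AWSManagedRulesCommonRuleSet", "MANAGED_RULE_GROUP",
            "198.51.100.7", "/search", "curl/8.0"),
    _record(1700000310000, "BLOCK", "rate-limit", "RATE_BASED", "192.0.2.9", "/", "python-requests/2.31"),
    "this line is not JSON and stands in for a truncated record",
]


def parse_records(lines):
    """Parse JSON log lines; return (records, skipped) so malformed lines are visible, not silent."""
    records, skipped = [], 0
    for line in lines:
        try:
            rec = json.loads(line)
            _ = rec["httpRequest"]["clientIp"]  # make sure the fields relied on below exist
            records.append(rec)
        except (ValueError, KeyError, TypeError):
            skipped += 1
    return records, skipped


def header(record, name):
    """Case-insensitive header lookup; headers are a list of name/value pairs, not a dict."""
    for h in record["httpRequest"]["headers"]:
        if h["name"].lower() == name.lower():
            return h["value"]
    return None


def blocked_by_rule_and_ip(records):
    """Equivalent of the stats clause above: blocked count per (terminating rule, client IP)."""
    return Counter((r["terminatingRuleId"], r["httpRequest"]["clientIp"])
                   for r in records if r["action"] == "BLOCK")


def counted_rules(records):
    """Rules that fired in count mode: what a rule would have matched before it is set to block."""
    return Counter(m["ruleId"] for r in records for m in r.get("nonTerminatingMatchingRules", []))


def when(record):
    """WAF timestamps are epoch milliseconds, not seconds."""
    return datetime.fromtimestamp(record["timestamp"] / 1000, tz=timezone.utc)


if __name__ == "__main__":
    recs, skipped = parse_records(SAMPLE_LOG_LINES)
    print(f"{len(recs)} records parsed, {skipped} skipped")
    for (rule, ip), n in blocked_by_rule_and_ip(recs).most_common():
        print(f"{n:>3}  {rule:<40} {ip}")
    print("count-mode hits:", dict(counted_rules(recs)))
    print("first block at", when(recs[0]).isoformat(), "UA:", header(recs[0], "user-agent"))
```

The same grouping in Logs Insights answers the first question after enabling logs: which rule is doing the blocking, and whether the blocked sources are a few noisy addresses or broad legitimate traffic. If you redact fields when turning logging on, those fields arrive as `REDACTED` in the record, so choose redactions that do not remove what your queries group on.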

It is usually recommended to create alarms that give timely notification when a malicious request is blocked by a WAF rule.

Hence, we configure a CloudWatch alarm for blocked requests. The easiest way to create the alarm is through the AWS WAF metric for blocked requests: on the `Graphed Metrics` page, select the associated metric (in this case BlockedRequests) and click the create-alarm icon, indicated in red below.
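The same alarm can be defined as code rather than clicked through the console. The script below is an added example, not code from the article or from AWS: it assembles the `put_metric_alarm` parameters for the BlockedRequests metric in the `AWS/WAFV2` namespace, keyed on the web ACL's CloudWatch metric name chosen in Step 4, and includes a small function that applies the alarm's comparison to a list of recent datapoints so you can see when it would fire. The SNS topic ARN and the threshold of 100 are placeholders, and the boto3 call at the end runs only when the file is executed directly with AWS credentials.

```python
"""Define the CloudWatch alarm on blocked requests as code, and check when it would fire.

Added example, not code from the article. Uses the AWS/WAFV2 namespace with its
Region, WebACL and Rule dimensions (Rule "ALL" covers the whole web ACL); the
SNS topic ARN is a placeholder. The boto3 call runs only when executed directly.
"""
SNS_TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:waf-alerts"  # placeholder


def blocked_requests_alarm(web_acl_metric_name, region, threshold,
                           period=300, evaluation_periods=1, rule="ALL"):
    """Parameters for cloudwatch.put_metric_alarm, keyed on the web ACL's CloudWatch metric name."""
    if period < 60 or period % 60:
        raise ValueError("period must be a multiple of 60 seconds")
    if threshold < 0 or evaluation_periods < 1:
        raise ValueError("threshold must be >= 0 and evaluation_periods >= 1")
    return {
        "AlarmName": f"waf-{web_acl_metric_name}-blocked-requests",
        "AlarmDescription": f"More than {threshold} requests blocked by {web_acl_metric_name} in {period}s",
        "Namespace": "AWS/WAFV2",
        "MetricName": "BlockedRequests",
        "Dimensions": [
            {"Name": "Region", "Value": region},
            {"Name": "WebACL", "Value": web_acl_metric_name},
            {"Name": "Rule", "Value": rule},
        ],
        "Statistic": "Sum",
        "Period": period,
        "EvaluationPeriods": evaluation_periods,
        "Threshold": float(threshold),
        "ComparisonOperator": "GreaterThanThreshold",
        # A period with no blocked requests produces no datapoint at all; do not alarm on that.
        "TreatMissingData": "notBreaching",
        "AlarmActions": [SNS_TOPIC_ARN],
    }


def alarm_would_fire(alarm, recent_sums):
    """Apply the alarm's comparison to the last EvaluationPeriods datapoints (None = missing)."""
    n = alarm["EvaluationPeriods"]
    window = recent_sums[-n:]
    if len(window) < n:
        return False

    def breaching(value):
        if value is None:
            return alarm["TreatMissingData"] == "breaching"
        return value > alarm["Threshold"]

    return all(breaching(v) for v in window)


if __name__ == "__main__":
    alarm = blocked_requests_alarm("example-web-acl", "us-east-1", threshold=100, evaluation_periods=2)
    print(alarm_would_fire(alarm, [0, 50, 120, 130]))  # two consecutive breaching periods
    import boto3  # needs credentials and cloudwatch:PutMetricAlarm permission

    boto3.client("cloudwatch", region_name="us-east-1").put_metric_alarm(**alarm)
```

Two choices in the parameters matter in practice. `TreatMissingData` is set to `notBreaching` because AWS WAF emits no BlockedRequests datapoint for a period in which nothing was blocked, and the default setting would otherwise leave the alarm in INSUFFICIENT_DATA or flap. Requiring two evaluation periods suppresses a single short burst while still paging on a sustained one; the threshold itself should come from your own baseline of counted or blocked requests rather than the placeholder used here.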



In conclusion, AWS WAF is a powerful tool that plays a crucial role in securing your web applications and APIs from a wide range of threats. Its flexible rule engine, integration with AWS services, real-time monitoring, and extensive customization options make it an asset for any organization serious about protecting their online assets. By using AWS WAF, you not only enhance the security of your web applications but also gain valuable insights into your traffic patterns and potential threats through the power of Amazon CloudWatch integration. This enables you to respond quickly to security incidents and maintain the integrity of your applications.

At Hitachi Systems India we leverage AWS WAF as a cornerstone of our comprehensive security solutions. By incorporating AWS WAF into our clients’ environments, we add a crucial layer of protection against web application threats. By continuously monitoring traffic and security events, we can swiftly respond to emerging threats, ensuring that our clients’ web applications remain resilient. AWS WAF, in conjunction with our expertise, not only safeguards against malicious activity but also enhances overall performance and uptime. It’s all part of our commitment to delivering holistic, secure, and high-performing cloud solutions for our valued customers.
