How AWS WAF works
You use AWS WAF to control how your protected resources respond to HTTP(S) web requests. You do this by defining a web access control list (ACL) and then associating it with one or more web application resources that you want to protect. The associated resources forward incoming requests to AWS WAF for inspection by the web ACL.
In your web ACL, you create rules to define traffic patterns to look for in requests and to specify the actions to take on matching requests. The action choices include the following:
-
Allow the requests to go to the protected resource for processing and response.
-
Block the requests.
-
Count the requests.
-
Run CAPTCHA or challenge checks against requests to verify human users and standard browser use.
AWS WAF components
The following are the central components of AWS WAF:
-
Web ACLs – You use a web access control list (ACL) to protect a set of AWS resources. You create a web ACL and define its protection strategy by adding rules. Rules define criteria for inspecting web requests and they specify the action to take on requests that match their criteria. You also set a default action for the web ACL that indicates whether to block or allow through any requests that the rules haven't already blocked or allowed. For more information about web ACLs, see Using web ACLs in AWS WAF.
A web ACL is an AWS WAF resource.
-
Rules – Each rule contains a statement that defines the inspection criteria, and an action to take if a web request meets the criteria. When a web request meets the criteria, that's a match. You can configure rules to block matching requests, allow them through, count them, or run bot controls against them that use CAPTCHA puzzles or silent client browser challenges. For more information about rules, see AWS WAF rules.
A rule is not an AWS WAF resource. It only exists in the context of a web ACL or rule group.
-
Rule groups – You can define rules directly inside a web ACL or in reusable rule groups. AWS Managed Rules and AWS Marketplace sellers provide managed rule groups for your use. You can also define your own rule groups. For more information about rule groups, see AWS WAF rule groups.
A rule group is an AWS WAF resource.
-
Web ACL capacity units (WCUs) – AWS WAF uses WCUs to calculate and control the operating resources that are required to run your rules, rule groups, and web ACLs.
A WCU is not an AWS WAF resource. It only exists in the context of a web ACL, rule, or rule group.