Guidelines for Implementing AWS WAF

Publication date: January 19, 2022 (Document history)

AWS WAF is a web application firewall (WAF) that helps you protect your websites and web applications against various attack vectors at the application layer (OSI Layer 7). This whitepaper outlines recommendations for implementing AWS WAF to protect existing and new web applications. This whitepaper applies to anyone who is tasked with protecting web applications.

Overview

Security is a shared responsibility between AWS and the customer, with responsibility boundaries that vary depending on factors such as the AWS services used. For example, when you build your web application with AWS services such as Amazon CloudFront, Amazon API Gateway, Application Load Balancer, or AWS AppSync you are responsible of protecting your web application at Layer 7 of the OSI Model. AWS WAF is a tool that helps you protect web applications by filtering and monitoring HTTP(S) traffic, including traffic from the public internet. Web application firewalls (WAFs) protect applications at the application layer from common web exploits that can affect application availability, compromise security, and consume excessive resources. For example, you can use AWS WAF to protect against attacks such as cross-site request forgery, cross-site scripting (XSS), file inclusion, and SQL injection, among other threats in the OWASP Top 10. This layer of security can be used together with a suite of tools to create a holistic defense-in-depth architecture.

AWS WAF is a managed web application firewall that can be used in conjunction with a wide variety of networking and security services such as Amazon Virtual Private Cloud (Amazon VPC), and AWS Shield Advanced.

AWS WAF integrations

AWS WAF can be natively enabled on CloudFront, Amazon API Gateway, Application Load Balancer, or AWS AppSync and is deployed alongside these services. AWS services terminate the TCP/TLS connection, process incoming HTTP requests, and then pass the request to AWS WAF for inspection and filtering. Unlike traditional appliance-based WAFs, there is no need to deploy and manage infrastructure, or plan for capacity. AWS WAF provides flexible options for implementing protections through managed rules, partner-provided rules, and custom rules that you can write yourself.

It’s important to understand that with AWS WAF, you are controlling ingress traffic to your application. To control egress traffic, refer to Security best practices for your VPC.

This whitepaper covers recommendations for protecting existing and new applications with AWS WAF, and outlines the following steps and options to consider when deploying AWS WAF:

Understanding threats and mitigations
Requirements for AWS WAF
Implementing AWS WAF
Deploying AWS WAF to production
Cost considerations

Note

AWS WAF provides two versions of the service: WAFv2 and WAFClassic. AWS recommends using AWS WAFv2 to stay up to date with the latest features. AWS WAF Classic no longer receives new features. AWSWAFv2 includes features that are not available in WAF classic, including a separate API and Console. This paper focuses on implementation with AWSWAFv2.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Understanding threats and mitigations