AWS WAF Expert

AWS WAF Architecture

CloudFront / ALB / API Gateway / AppSync / Cognito
            ↓
        WebACL (associated to resource)
            ├── Rule 1 (Priority 0, highest)
            ├── Rule 2 (Priority 1)
            ├── Rule 3 ...
            └── Default Action (Allow or Block)

WebACL evaluation: Rules are evaluated in priority order (0 = first evaluated, highest priority). The first rule that matches determines the action. If no rule matches, the default action applies.

Scopes:

• CLOUDFRONT — WebACL must be created in us-east-1, associated to CloudFront distribution
• REGIONAL — WebACL in the same region as ALB/API Gateway/AppSync/Cognito

WebACL Creation

Console

AWS Console → WAF & Shield → Web ACLs → Create web ACL

Terraform

resource "aws_wafv2_web_acl" "main" {
  name        = "my-app-waf"
  scope       = "REGIONAL"  # or "CLOUDFRONT"
  description = "WAF for My Application"

  default_action {
    allow {}  # Allow traffic not matching any rule
    # block {} # Alternatively, block by default (allowlist model)
  }

  # AWS Managed Rules - Common Rule Set
  rule {
    name     = "AWSManagedRulesCommonRuleSet"
    priority = 10

    override_action {
      none {}   # Use rule group's configured actions
      # count {} # Override to count (monitoring mode)
    }

    statement {
      managed_rule_group_statement {
        vendor_name = "AWS"
        name        = "AWSManagedRulesCommonRuleSet"

        # Override specific rules within the group
        rule_action_override {
          name          = "SizeRestrictions_BODY"
          action_to_use {
            count {}   # Monitor, don't block
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWSManagedRulesCommonRuleSet"
      sampled_requests_enabled   = true
    }
  }

  # Custom rate-based rule
  rule {
    name     = "LoginRateLimit"
    priority = 5

    action {
      block {}
    }

    statement {
      rate_based_statement {
        limit              = 300   # Requests per 5-minute window (100/min effective)
        aggregate_key_type = "IP"

        scope_down_statement {
          byte_match_statement {
            search_string         = "/api/auth/login"
            field_to_match {
              uri_path {}
            }
            text_transformation {
              priority = 0
              type     = "LOWERCASE"
            }
            positional_constraint = "STARTS_WITH"
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "LoginRateLimit"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "MyAppWAF"
    sampled_requests_enabled   = true
  }

  tags = {
    Environment = "production"
    Team        = "security"
  }
}

# Associate with ALB
resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = aws_lb.main.arn
  web_acl_arn  = aws_wafv2_web_acl.main.arn
}

AWS Managed Rule Groups

AWS provides maintained rule groups covering common attack patterns.

Free Managed Rule Groups (AWS)

WCU (Web ACL Capacity Units): Each rule consumes WCU. WebACL default limit: 5,000 WCU.

Paid Managed Rule Groups

Bot Control (additional charges):

• AWSManagedRulesBotControlRuleSet
• Classifies bots by type (search engine, scraper, tool, etc.)
• Common mode vs. Targeted mode (uses JavaScript fingerprinting, CAPTCHA)

Fraud Control - ATP (Account Takeover Prevention):

• AWSManagedRulesATPRuleSet
• Detects credential stuffing on login pages
• Compares credentials against known-breached credential databases
• Requires JavaScript integration on the login page

Fraud Control - ACFP (Account Creation Fraud Prevention):

• AWSManagedRulesACFPRuleSet
• Detects fraudulent account creation
• Identifies fake accounts, referral fraud

Marketplace Managed Rule Groups

Third-party providers offer specialized rule groups:

• Fortinet: FortiWeb managed rules
• F5: F5 Rules for AWS WAF
• Trend Micro: Cloud One Application Security
• Cyber Security Cloud: WafCharm automatic tuning

Rule Components

Rule Statement Types

Byte match:

statement {
  byte_match_statement {
    search_string         = "sqlmap"
    field_to_match {
      single_header {
        name = "user-agent"
      }
    }
    text_transformation {
      priority = 0
      type     = "LOWERCASE"
    }
    positional_constraint = "CONTAINS"  # EXACTLY, STARTS_WITH, ENDS_WITH, CONTAINS, CONTAINS_WORD
  }
}

Geo match:

statement {
  geo_match_statement {
    country_codes = ["CN", "RU", "KP"]
  }
}

IP set reference:

resource "aws_wafv2_ip_set" "trusted_ips" {
  name               = "trusted-ips"
  scope              = "REGIONAL"
  ip_address_version = "IPV4"
  addresses          = ["10.0.0.0/8", "192.168.1.100/32"]
}

statement {
  ip_set_reference_statement {
    arn = aws_wafv2_ip_set.trusted_ips.arn
  }
}

Regex pattern set:

resource "aws_wafv2_regex_pattern_set" "sql_patterns" {
  name  = "sql-injection-patterns"
  scope = "REGIONAL"

  regular_expression {
    regex_string = "(?i)(union.*select|select.*from|insert.*into|delete.*from|drop.*table)"
  }
}

statement {
  regex_pattern_set_reference_statement {
    arn = aws_wafv2_regex_pattern_set.sql_patterns.arn
    field_to_match {
      body {}
    }
    text_transformation {
      priority = 0
      type     = "URL_DECODE"
    }
    text_transformation {
      priority = 1
      type     = "HTML_ENTITY_DECODE"
    }
  }
}

Rate-based rule with custom key:

statement {
  rate_based_statement {
    limit              = 100
    aggregate_key_type = "CUSTOM_KEYS"
    
    custom_key {
      header {
        name = "X-API-Key"
        text_transformation {
          priority = 0
          type     = "NONE"
        }
      }
    }
    
    scope_down_statement {
      byte_match_statement {
        search_string         = "/api/"
        field_to_match { uri_path {} }
        text_transformation { priority = 0; type = "NONE" }
        positional_constraint = "STARTS_WITH"
      }
    }
  }
}

AND/OR/NOT compound statements:

statement {
  and_statement {
    statement {
      geo_match_statement {
        country_codes = ["CN"]
      }
    }
    statement {
      not_statement {
        statement {
          ip_set_reference_statement {
            arn = aws_wafv2_ip_set.trusted_cn_ips.arn
          }
        }
      }
    }
  }
}

Rule Actions

Custom block response:

action {
  block {
    custom_response {
      response_code = 403
      custom_response_body_key = "block-response"
    }
  }
}

custom_response_body {
  key          = "block-response"
  content      = "{\"error\": \"Request blocked by security policy\"}"
  content_type = "APPLICATION_JSON"
}

Bot Control

Bot Control classifies bot traffic into categories and allows action per category.

Common Mode vs. Targeted Mode

Bot Control Rule Labels

AWS WAF Bot Control adds labels to requests for use in downstream rules: