AWS WAF
A managed web application firewall that protects applications from common web attacks such as SQL injection and cross-site scripting
Overview
AWS WAF (Web Application Firewall) is a managed firewall service that protects web applications and APIs from common web attacks. It integrates with CloudFront, ALB, API Gateway, and AppSync, blocking threats such as SQL injection, cross-site scripting (XSS), and HTTP flood attacks in real time. You define rules in a Web ACL (Web Access Control List) and configure actions such as allow, block, count, CAPTCHA, and Challenge. AWS Managed Rule Groups let you enable defenses against OWASP Top 10 threats in minutes, providing baseline protection without requiring security expertise. The Bot Control feature also detects and blocks scraping bots and credential stuffing attacks.
Layered Defense with Managed Rules and Custom Rules
Effective WAF rule design combines managed rule groups as the foundation with application-specific custom rules layered on top. AWS Managed Rule Groups include Core Rule Set (SQL injection, XSS, path traversal, and other common attacks), SQL Database (detailed SQL injection patterns), and Known Bad Inputs (known malicious payloads). Simply adding these to a Web ACL enables baseline protection against OWASP Top 10 threats. Custom rules let you define IP address sets for blocking or allowing specific IPs, regex pattern sets for detecting application-specific attack patterns, and geographic conditions for country-level access control. While Azure WAF centers on predefined rule sets based on the OWASP Core Rule Set, AWS WAF offers finer-grained custom rule capabilities with regex patterns and complex condition combinations.
Bot Control and Rate-Based Rules
The Bot Control feature automatically classifies request sources as bots and lets you set different actions per category. You can allow search engine crawlers and social media bots while detecting and blocking scraping bots and credential stuffing attacks. Rate-based rules automatically block excessive requests from a single IP address (for example, more than 2,000 requests in five minutes), mitigating DDoS and brute-force attacks. Applying the CAPTCHA action to suspicious requests challenges users to prove they are human, maintaining access for legitimate users while filtering out bots. To deepen your knowledge of AWS WAF, specialized books on Amazon are also a useful resource.
Gradual Rollout with Count Mode and Log Analysis
The most important operational practice when deploying WAF rules is to avoid applying them in Block mode from the start. First, enable rules in Count mode and analyze WAF logs to confirm that legitimate traffic is not being falsely blocked, then switch to Block mode. This gradual approach strengthens security while minimizing business impact. WAF logs can be sent to S3, CloudWatch Logs, or Kinesis Data Firehose. Storing logs in S3 and querying them with Athena enables efficient pattern analysis of blocked requests and false positive investigation. When a specific rule produces frequent false positives, you can add scope-down statements (exclusion conditions) to exempt certain URL paths or header patterns from inspection. WAF integrates with CloudFront, ALB, API Gateway, and AppSync, though note that certain WAF features are only available when integrated with ALB.
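As an added example (not code from this page or from AWS), the Count-mode review step described above in Python: it parses AWS WAF JSON log records (field names follow the documented WAF log schema, with rule IDs from the Common Rule Set; the records themselves are constructed) and lists rules that repeatedly match the same URI, which are the candidates to investigate for false positives, for example with a scope-down statement, before switching the rule group to Block.

```python
import json
from collections import Counter, defaultdict


def _record(uri, ip, count_rules, action="ALLOW"):
    """Build one constructed WAF log record (documented schema, invented values)."""
    return json.dumps({
        "timestamp": 1700000000000,
        "action": action,
        "terminatingRuleId": "Default_Action" if action == "ALLOW" else "ExampleBlockRule",
        "ruleGroupList": [{
            "ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",
            "terminatingRule": None,
            "nonTerminatingMatchingRules": [
                {"ruleId": r, "action": "COUNT"} for r in count_rules
            ],
        }],
        "httpRequest": {"clientIp": ip, "country": "US", "uri": uri, "httpMethod": "POST"},
    })


# Constructed traffic: an editor endpoint whose legitimate HTML bodies trip the
# Common Rule Set body-size and XSS rules while the group runs in Count mode.
SAMPLE_LOG_LINES = [
    _record("/api/articles", "198.51.100.7", ["SizeRestrictions_BODY", "CrossSiteScripting_BODY"]),
    _record("/api/articles", "198.51.100.8", ["SizeRestrictions_BODY"]),
    _record("/api/articles", "198.51.100.7", ["CrossSiteScripting_BODY"]),
    _record("/login", "203.0.113.9", ["GenericRFI_QUERYARGUMENTS"]),
    _record("/health", "198.51.100.2", []),
]


def summarize_count_matches(log_lines):
    """Return {rule_id: Counter({uri: hits})} for every COUNT-mode match.

    Count-mode matches are reported per rule group under
    nonTerminatingMatchingRules, since they did not terminate evaluation.
    """
    hits = defaultdict(Counter)
    for line in log_lines:
        rec = json.loads(line)
        uri = rec["httpRequest"]["uri"]
        for group in rec.get("ruleGroupList", []):
            for match in group.get("nonTerminatingMatchingRules") or []:
                if match.get("action") == "COUNT":
                    hits[match["ruleId"]][uri] += 1
    return hits


def false_positive_candidates(hits, min_hits=2):
    """(rule_id, uri, hits) triples where one rule keeps firing on one path."""
    out = [(rule, uri, n) for rule, uris in hits.items()
           for uri, n in uris.items() if n >= min_hits]
    return sorted(out, key=lambda t: (-t[2], t[0], t[1]))
```

Run against real logs exported from S3, the same aggregation tells you which rule and path pairs need a scope-down statement or a rule action override before the group leaves Count mode.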