AWS WAF のアイコン

AWS WAF Popular2015年〜

A firewall service that protects web applications from malicious traffic

About 2 min read

What It Does

AWS WAF (Web Application Firewall) protects web applications from common attacks like SQL injection, cross-site scripting (XSS), and DDoS. It sits in front of CloudFront, API Gateway, and Application Load Balancer to block malicious requests. Custom rules let you filter by IP address, request headers, request body, and more.

Use Cases

Defending web applications against vulnerability exploits, blocking bot traffic, restricting access from specific countries or IP addresses, rate-based DDoS mitigation, and preventing API abuse.

Everyday Analogy

Think of a building security guard. The guard (WAF) checks visitors (requests) at the entrance, denying entry to suspicious individuals (malicious requests). People on the blacklist (IP block) are immediately turned away, and those carrying dangerous items (attack code) found during inspection (request content inspection) are also blocked.

What Is WAF?

AWS WAF is a managed firewall service that detects and blocks attacks against web applications. While traditional network firewalls control traffic by IP address and port number, WAF inspects HTTP request content (URL, headers, body) to defend against application-layer attacks. It integrates with AWS services and can be deployed in minutes.

Rules and Rule Groups

WAF rules combine inspection conditions with actions (allow, block, count). AWS-provided managed rule groups include rules for OWASP Top 10 vulnerabilities, known malicious IP address lists, and bot mitigation - enabling basic protection without security expertise. You can also create custom rules for application-specific requirements.

Rate-Based Rules

Rate-based rules automatically block IP addresses that exceed a request threshold. For example, you can block IPs that send more than 2,000 requests in 5 minutes. This mitigates DDoS attacks and brute-force password attacks. For technical background on rate-based rules, related books on Amazon are a useful resource.

Getting Started

Create a Web ACL (Access Control List) in the WAF console. Select the resource to protect (CloudFront, ALB, API Gateway) and add managed rule groups. Simply adding the AWS Managed Rules Core Rule Set enables basic protection against common web attacks.

Things to Watch Out For

  • WAF rules are billed per Web ACL, so costs increase as you add more rules
  • Managed rules are updated regularly but may cause false positives (blocking legitimate requests). Use count mode initially to verify behavior
  • WAF alone doesn't provide complete protection - also implement application-level security measures (input validation, parameterized queries, etc.)
共有するXB!

Related Services

Amazon CloudFront iconAmazon CloudFrontA CDN service that delivers content at high speed from edge locations around the worldAmazon API Gateway iconAmazon API GatewayA fully managed service for creating, publishing, managing, and monitoring APIsElastic Load Balancing iconElastic Load BalancingA service that automatically distributes traffic across multiple servers for high availability and fault toleranceAWS IAM iconAWS IAMAn authentication and authorization service for securely managing access to AWS resources

Related Articles

DDoS Protection - Multi-Layer Defense Design and Operations with AWS ShieldLearn about DDoS protection with AWS Shield Standard and Shield Advanced. This guide covers integration with CloudFront, Route 53, and ALB, combining with WAF, and cost protection features.Centralized Security Rules with AWS Firewall Manager - Deploying WAF and Security Groups Across Your OrganizationLearn how to centrally manage WAF rules, Security Groups, and Network Firewall policies across your entire organization, with automatic enforcement on new accounts to maintain a consistent security baseline.Network Traffic Filtering - Advanced Network Defense with AWS Network FirewallLearn how to build multi-layered defense by combining stateful network traffic filtering with AWS Network Firewall and AWS WAF. Explore practical approaches to VPC-level traffic control and threat protection.DDoS Protection with AWS Shield - Choosing Between Standard and AdvancedUnderstand the differences between Standard's free L3/L4 protection and Advanced's L7 support with SRT assistance. Learn about cost protection and proactive engagement.AWS WAF Bot Control and Fraud Prevention - Implementing Bot Mitigation and Account Takeover ProtectionDetect scrapers and automation tools with Bot Control, and prevent credential stuffing with ATP. Includes user experience design for challenges and CAPTCHA.

More in This Category

IAM Access Analyzer iconIAM Access Analyzer SpecializedA service that detects externally accessible resources and unused access permissionsAWS Certificate Manager iconAWS Certificate Manager EssentialA service that automates provisioning, management, and deployment of SSL/TLS certificatesAWS Artifact iconAWS Artifact SpecializedA service for on-demand access to AWS compliance reports and agreementsAWS Audit Manager iconAWS Audit Manager SpecializedA service that automates evidence collection and assessment for compliance auditsAWS CloudHSM iconAWS CloudHSM SpecializedA service for managing encryption keys using dedicated hardware security modulesAmazon Cognito iconAmazon Cognito PopularA service that provides authentication, authorization, and user management for web and mobile applicationsAmazon Detective iconAmazon Detective SpecializedA service that automatically analyzes security findings and investigates root causesAWS Directory Service iconAWS Directory Service SpecializedA service that provides managed Active Directory on AWS

Similar Articles and Services

AWS WAFA managed web application firewall that protects applications from common web attacks such as SQL injection and cross-site scriptingAWS Firewall ManagerA security management service that centrally applies and manages WAF, Shield Advanced, Security Group, and Network Firewall rules across multiple accounts and resources under OrganizationsNetwork Traffic Filtering - Advanced Network Defense with AWS Network FirewallLearn how to build multi-layered defense by combining stateful network traffic filtering with AWS Network Firewall and AWS WAF. Explore practical approaches to VPC-level traffic control and threat protection.DDoS Protection - Multi-Layer Defense Design and Operations with AWS ShieldLearn about DDoS protection with AWS Shield Standard and Shield Advanced. This guide covers integration with CloudFront, Route 53, and ALB, combining with WAF, and cost protection features.AWS Firewall ManagerA service for centrally managing firewall rules across your entire AWS Organization