Code360 powered by Coding Ninjas X Code360 powered by Coding Ninjas X
Table of contents
WAF - Web Application Firewall
What is a Rate-based Rule in AWS WAF?
What is the use of JavaScript SDK or Mobile SDK?
Last Updated: Mar 27, 2024


Author Yashesvinee V
0 upvote
Master Python: Predicting weather forecasts
Ashwin Goyal
Product Manager @


Threats and attacks on web applications are a common problem many developer clients face today. Web Application Firewalls help secure the application from unnecessary exposure by forcing clients to pass through an in-depth inspection before they access the server. WAF essentially places a shield over your web-based apps and keeps them isolated from online dangers like malware infections, zero-day exploits, and other known and unknown system vulnerabilities.

WAF - Web Application Firewall

AWS WAF is a web application firewall that helps protect your web applications or APIs against web exploits and bots that may affect availability, compromise security, or consume excessive resources. This AWS service gives you control over your application’s traffic by enabling security rules that control bot traffic and block common attack patterns. These rules can be customised to filter out specific traffic patterns. Managed Rules for AWS WAF are a pre-configured set of rules governed by AWS or AWS Marketplace Sellers to address issues like the OWASP Top 10 security risks and bots. These rules are automatically updated as new problems emerge. AWS WAF includes a full-featured API that can be used to automate the creation, deployment, and maintenance of security rules.

AWS WAF allows monitoring of HTTP and HTTPS requests forwarded to an Amazon API Gateway API, Amazon CloudFront or an Application Load Balancer. Amazon WAF consists of three main components – Access control lists (ACL), Rules and Rule Group.

  • A web access control list (web ACL) gives us complete control over all HTTP(S) web requests that a protected resource responds to. They help define the protection strategies by creating rules.
  • A rule group is a  set of rules that can be added to a web ACL for security. They are reusable.
  • An AWS WAF rule defines how to inspect HTTP(S) web requests and the action to be performed when it matches the inspection criteria. Rules are defined only in the context of a rule group or web ACL
Get the tech career you deserve, faster!
Connect with our expert counsellors to understand how to hack your way to success
User rating 4.7/5
1:1 doubt support
95% placement record
Akash Pal
Senior Software Engineer
326% Hike After Job Bootcamp
Himanshu Gusain
Programmer Analyst
32 LPA After Job Bootcamp
After Job


AWS WAF is mainly used to control the way Amazon CloudFront distribution, Amazon API Gateway REST API, Application Load Balancer, or the AWS AppSync GraphQL API responds to HTTP web requests.

Web ACLs can be associated with one or more AWS resources. AWS WAF is available in the Regions listed at AWS service endpoints. We can set default action for the web ACL to indicate whether to block or allow requests that pass the rules inspections.

Each rule contains a statement to define the inspection criteria, and an action to be performed if a web request meets the criteria. If there is a match, predefined actions can be taken. Rules can be configured to block matching requests or run CAPTCHA controls against them.

AWS WAF uses web ACL capacity units to calculate and control the resources required for the rules, rule groups, and web ACLs. AWS WAF enforces WCU limits when you configure your rule groups and web ACLs. Web ACL capacity units or WCUs don't affect the inspection of web traffic.

AWS WAF manages capacity for rules, rule groups, and web ACLs:

  • Rule capacity – AWS WAF calculates rule capacity to create or update a rule. The console displays the capacity units used as one adds the rules.
  • Rule group capacity – When a rule group is modified, the changes must keep the rule group's WCU within its capacity. This ensures that web ACLs using the rule group remain within their maximum capacity.
  • Web ACL capacity – The maximum capacity for a web ACL is 1,500.


Web traffic filtering - AWS WAF helps create rules to filter web traffic based on IP addresses, HTTP headers and body, or custom URIs. This provides an additional layer of protection from web attacks that exploit vulnerabilities in custom or third party web applications. We can create a centralised set of rules to deploy across multiple websites. In an environment with many websites and applications, a single set of rules can be reused for all.

AWS WAF Bot Control - AWS WAF Bot Control is a managed rule group that provides visibility and control over pervasive bot traffic. Unidentified boots can consume excess resources, skew metrics, cause downtime, or perform undesirable activities. Using Bot-control, one can block or rate-limit bots like scrapers, scanners, and crawlers.

AWS WAF Fraud Control - Account Takeover Prevention is a managed rule group that monitors the application’s login page for unauthorised access to user accounts using compromised credentials. This rule protects against brute force login attempts and other anomalous login activities. Using JavaScript and iOS/Android SDKs, you can receive additional telemetry on user devices and bots that attempt to log in to the application. 

Full feature API - AWS WAF can be administered via APIs. This allows organisations to create and maintain rules to incorporate them into the development and design process. Security rules can be made as part of the deployment process. 

Real-time visibility - AWS WAF provides real-time metrics and captures raw requests that include details about IP addresses, geo-locations, URIs, User-Agent and Referrers. It is fully integrated with Amazon CloudWatch, making it easy to set up custom alarms during an attack. This information can be used to create new rules to protect applications better.

Integration with AWS Firewall Manager - AWS WAF deployments can be configured across multiple AWS accounts using AWS Firewall Manager. The firewall Manager automatically audits and informs the security team of an attack or a policy violation.


Agile Protection against web attacks - Web Application Firewall rule propagation and updates are fast, thus enabling us to change the security settings of the environment when needed quickly. WAF protects web applications from attacks by filtering traffic as per the specified rules. It supports various rules to inspect any part of the web request with minimum latency.

Time-saving - The Managed rules of AWS WAF help protect the web application against common threats quickly. These rules are automatically updated as new issues emerge. Hence, there is no need to monitor them once applied. This allows developers to spend more time building the application rather than assessing threats.

Improved web traffic visibility - AWS WAF provides real-time visibility of web traffic that can be used to set new rules and alerts in Amazon CloudWatch. The developer can control the metrics used and monitor the total inbound traffic. WAF captures each web request’s header data for security analytics and auditing purposes.

Deployment and Maintenance - AWS WAF is easy to deploy and maintain. We can centrally define, manage and reuse the rules across multiple web applications that require protection. There is no need for additional software or a proxy setup for deployment, DNS configuration, and SSL/TLS certificate management.

Bot-Control - WAF provides complete visibility and control over the bot traffic of the web application. Developers can block or rate-limit the traffic from scrappers, scanners and crawlers. The AWS WAF console provides facilities to monitor bots in real-time and shows other information related to bot-traffic.

Application Security - Developers can define application-specific rules to improve web security while building applications. They can install security at multiple points in the development process, starting from the initial coding to deploying the software.


AWS WAF charges are based on the number of web access control lists (web ACLs) created, the number of rules added per web ACL, and the number of web requests received. There are no upfront commitments. Every rule of every web ACL is charged. In addition to that, the number of web requests processed by the web ACL is also charged. 


Pricing is the same across all AWS Regions. Optional security features that can be enabled on the web ACL. These charges are in addition to the AWS WAF fees. A subscription fee (prorated hourly), request fee, and analysis fee are to be paid where applicable.

Bot Control's free usage tier includes the first 10 million requests inspected per month. Fraud Control – Account Takeover Prevention free usage tier includes the first 10,000 attempts analysed per month. 


What is a Rate-based Rule in AWS WAF?

Rate-based rules are rules that can be configured in AWS WAF. It allows developers to specify the number of web requests a client IP allows. If an IP address breaches the configured limit, new requests will be blocked until the request rate falls below the set threshold.

What is the use of JavaScript SDK or Mobile SDK?

JavaScript and Mobile SDKs provide additional information on user devices and bots that attempt to log in to the web application. It improves the web application's security against automated and unauthorised login attempts.


This article extensively discusses AWS Web Application Firewall. We hope that this blog has helped you enhance your knowledge of the features and working of AWS WAF for protection and security against web attacks. If you want to learn more, check out our articles on Cloud Computing Infrastructure and Cloud Architecture. Learn more about Big DataMicrosoft AzureAWS and Google Cloud. Refer to Important AWS Interview Questions to ace your Amazon Interviews.

Explore our Coding Ninjas Library and upvote our blog to help other ninjas grow. Happy Coding!

Previous article
AWS Secrets Manager vs Systems Manager Parameter
Next article
AWS Identity and Access Management (IAM) Fundamentals
Live masterclass