What is AWS WAF
AWS Web Application Firewall (WAF) is a web application firewall service offered by Amazon Web Services (AWS), designed to protect web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources.
AWS WAF protects applications against a wide array of attacks, including SQL injection, cross-site scripting (XSS), and other OWASP Top 10 vulnerabilities. You can create custom rules that control the traffic reaching your applications, which allows for tailored security measures that fit the specific needs and threat landscape of your applications.
AWS WAF offers real-time visibility into the traffic arriving at your application, including blocked requests. Integration with services like AWS CloudWatch enables detailed monitoring and alerting.
AWS WAF can be deployed in conjunction with other AWS services. It can be deployed to protect both globally distributed applications via CloudFront and region-specific applications behind an Application Load Balancer or within an Amazon API Gateway, allowing for centralized control over security settings across various parts of your application architecture.
WAF scales with your usage, meaning it can handle varying amounts of traffic without the need for manual intervention or reconfiguration.
How does AWS WAF work?
AWS Web Application Firewall is designed to protect web applications by filtering and monitoring HTTP/HTTPS traffic between a web application and the Internet. Here's how it operates:
Request Inspection: AWS WAF inspects all incoming requests to your application. This includes parameters, headers, and body content.
Rule Evaluation: Based on pre-configured rules, AWS WAF evaluates whether a request matches any unwanted patterns, such as SQL injections or cross-site scripting (XSS).
Action Decision: Depending on the rules matched, AWS WAF either allows, blocks, or counts the request.
Logging: Matched requests can be logged for further inspection and analysis.
Integration: AWS WAF is integrated with other AWS services, such as CloudWatch, to provide real-time metrics and monitoring.
Customization: You can write your own rules using a domain-specific language based on SQL or utilize managed rule sets from AWS or the AWS Marketplace.
AWS WAF's functionality extends to offer real-time protection against OWASP's top 10 security vulnerabilities and can be deployed in various AWS environments, offering flexibility and security customization.
AWS WAF Components
AWS WAF Web ACL
Web Access Control List (Web ACL) is the core resource in WAF. A Web ACL comprises rules that tell AWS WAF what to do with the web requests it inspects.
Rules: Define what to look for in web requests.
Actions: Specify what to do when a rule is matched.
Conditions: Define complex behaviors using logical conditions.
Logging Configuration: Log web requests that are inspected by the ACL.
AWS WAF Rules
There are several types of rules within AWS WAF:
Regular Rules: Use conditions to identify specific patterns or behaviors.
Rate-Based Rules: Block or allow requests based on the count from a particular IP address within a time frame.
Rule Groups: A collection of rules that can be reused across multiple Web ACLs.
Managed Rule Groups: Pre-configured rule sets provided by AWS or AWS Marketplace sellers.
Rule Actions: Define whether to allow, block, or count a request if it meets the conditions of a rule.
Master AWS with Real Solutions and Best Practices. Subscribe to the free newsletter Simple AWS. 3000 engineers and tech experts already have.
AWS WAF Pricing
AWS WAF has a rather complex pricing structure, which I'll explain in this section and exemplify in the following one.
Web ACLs: $5.00 per month per Web ACL (prorated hourly)
Rule Groups: $1.00 per month per Rule Group (prorated hourly)
Custom Rules: $1.00 per month per Rule (prorated hourly)
Requests: $0.60 per 1 million requests
AWS WAF Free Tier
The AWS WAF Free Tier allows users to explore its features without immediate costs. However, beyond a specific threshold, charges will apply. Understanding these thresholds is essential to minimizing how much you spend with WAF:
Web ACLs: One free Web ACL.
Rule Groups: One free rule group.
Custom Rules: Ten free custom rules.
Requests: 10 million free requests inspected per month.
Managed Rule Groups from AWS Marketplace
Managed Rule Groups are provided by AWS or third-party sellers on the AWS Marketplace. They're pre-configured for common threats and compliance requirements.
Pricing Variables: Vendor, complexity, and the number of rules within the group can affect the price.
Updates and Maintenance: Managed Rule Groups often include updates and maintenance, potentially offering long-term value.
Pricing Examples for AWS WAF
Example 1: No Managed Rule Group and 10 Rules Written by You
Web ACL Cost: $5.00 * 1 = $5.00
Rule Cost: $1.00 * 10 rules = $10.00
Request Cost: $0.60/million * 10 million = $6.00
Total Cost: $5.00 + $10.00 + $6.00 = $21.00
Example 2: One Managed Rule Group from AWS Marketplace and 5 Rules Written by You
Web ACL Cost: $5.00 * 1 = $5.00
Rule Cost: $1.00 * 5 rules = $5.00
Request Cost: $0.60/million * 10 million = $6.00
Managed Rule Group Cost: $20.00
Managed rule group request charges: $1.20/million * 10 million = $12.00
Total Cost: $5.00 + $5.00 + $6.00 + $20.00 + $12.00 = $48.00
Example 3: One Rule Group Containing 5 Rules and 3 Rules Written by You
Web ACL Cost: $5.00 * 1 = $5.00
Rule Cost: $1.00 * (1 rule group + 5 rules + 3 custom rules) = $9.00
Request Cost: $0.60/million * 10 million = $6.00
Total Cost: $5.00 + $9.00 + $6.00 = $20.00
Example 4: One WAF Web ACL with Captcha Enabled
Web ACL Cost: $5.00 * 1 = $5.00
Rule Cost: $1.00 * (4 rules) = $4.00
Request Cost: $0.60/million * (100 million requests + 1,000 retries) = $60.00
Captcha Cost: $0.40/thousand * 10,000 attempts = $4.00
Total Cost: $5.00 + $4.00 + $60.00 + $4.00 = $73.00
Using AWS WAF to Protect Applications From Common Security Exploits
Get started with WAF with a practical step-by-step guide and explanation, Using AWS WAF to Protect Applications From Common Security Exploits
Tips for AWS WAF
Understand Free Tier Limitations: Leverage free tier to explore, but be mindful of limits.
Choose Rules Wisely: Select or create rules that are most relevant to your application.
Monitor Costs Regularly: Use AWS CloudWatch and Cost Explorer to monitor and manage costs.
Consider Managed Rules: Assess the cost-effectiveness of Managed Rule Groups.
Use Metrics and Logging: Use logs for performance tuning and security insights.
Test Regularly: Regularly test your configuration to ensure its effectiveness.
AWS WAF is a robust web application firewall service that offers flexibility in rule configuration and integration with other AWS services. Understanding its components, including Web ACLs, various rules, and pricing models, can help organizations develop a more strategic approach to securing their web applications without unnecessary spending.
The goal of this guide was to highlight the key aspects of AWS WAF, from its functionality and components to pricing structures and optimization tips. The idea is for you to understand what is AWS WAF and how it's priced, so you can use it without getting a huge surprise in your AWS bill.
Master AWS with Real Solutions and Best Practices.
Join over 3000 devs, tech leads, and experts learning real AWS solutions with the Simple AWS newsletter.
Analyze real-world scenarios
Learn the why behind every solution
Get best practices to scale and secure them
Simple AWS is free. Start mastering AWS!
If you'd like to know more about me, you can find me on LinkedIn or at www.guilleojeda.com
Top comments (2)
Thanks for posting this blog post. I never looked at it WAF very closely in my organization but gonna look more in details after your post. Thanks
No problem! if you want to get started with WAF I recommend this issue of my newsletter: newsletter.simpleaws.dev/p/aws-waf...