This chapter covers AWS WAF (Web Application Firewall), a core service for protecting web applications from common web exploits. For the CLF-C02 exam, this topic falls under Domain 2: Security and Compliance, Objective 2.3: 'Explain the security services and features of AWS.' Domain 2 accounts for 30% of the scored exam content, and AWS WAF is a frequently tested service within it. You will need to understand what AWS WAF is, how it works, its key features (web ACLs, rules, and rule groups), and how it integrates with other services such as CloudFront, Application Load Balancer, and API Gateway. This chapter provides the depth needed to answer exam questions confidently.
Imagine you own a popular nightclub. Your club has a main entrance (your web application) and you want to let in legitimate guests while keeping out troublemakers. A simple firewall is like a basic doorman who checks IDs against a static list of banned individuals. But troublemakers are clever: they might try to sneak in by pretending to be VIPs (SQL injection), overwhelm the bouncer with fake crowd surges (DDoS), or use tricks like 'I know the owner' (cross-site scripting). AWS WAF is like hiring a highly trained bouncer who doesn't just check a static list but uses dynamic rules. This bouncer can inspect the content of each guest's conversation (HTTP request), check for patterns that match known troublemaker behavior (like shouting 'I'm the owner!' repeatedly), and even rate-limit guests who try to push through too fast. The bouncer can adapt: if a new trick is discovered (e.g., a new type of SQL injection), you can add a new rule instantly without changing the door. Moreover, AWS WAF works with AWS Shield (a bouncer for massive crowds) and AWS Firewall Manager (a security manager for multiple clubs) to provide layered defense. Just as a good bouncer keeps the club safe without slowing down legitimate guests, AWS WAF inspects traffic at high speed with low latency, only blocking malicious requests.
What is AWS WAF and What Problem Does It Solve?
AWS WAF is a managed web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. The primary problems it solves include:
SQL Injection: Attackers insert malicious SQL code into input fields to manipulate your database.
Cross-Site Scripting (XSS): Attackers inject client-side scripts into web pages viewed by other users.
Cross-Site Request Forgery (CSRF): Attackers trick an authenticated user's browser into sending requests the user did not intend. AWS WAF can only help at the edge here (for example, by rejecting state-changing requests that carry an unexpected Origin header); anti-CSRF tokens in the application remain the primary control.
HTTP Floods (Layer 7 DDoS): Attackers send a large volume of seemingly legitimate HTTP requests to overwhelm your application.
Bad Bots: Automated scripts that scrape content, perform credential stuffing, or execute other malicious activities.
Known Vulnerabilities: Exploits targeting specific CVEs (Common Vulnerabilities and Exposures), such as the Log4Shell flaw in Log4j, which the AWS Known Bad Inputs managed rule group covers.
Before AWS WAF, developers had to build custom filtering logic into their application code or use third-party WAF appliances. This was time-consuming, error-prone, and difficult to scale. AWS WAF provides a fully managed, scalable, and cost-effective solution that integrates natively with AWS services.
How AWS WAF Works – The Mechanism
AWS WAF operates at the application layer (Layer 7) of the OSI model. It inspects HTTP(S) requests and decides whether to allow, block, count, or challenge them based on rules you define. The core components are:
Web ACL (Access Control List): A container for rules. You associate a web ACL with one or more AWS resources (CloudFront distribution, Application Load Balancer, API Gateway REST API, or AWS AppSync API). Each web ACL has a default action (allow or block) for requests that match no terminating rule.
Rules: Each rule consists of a statement (what to inspect) and an action. Allow, Block, CAPTCHA, and Challenge are terminating actions; Count is non-terminating, so a counted request continues through the remaining rules. Statements can match on source IP, HTTP headers, URI path, query string parameters, body content, or request size, and can apply text transformations (URL decoding, lowercasing, whitespace compression) before matching so that encoded or mixed-case payloads do not slip past.
Rule Groups: A collection of rules that you can reuse across multiple web ACLs. AWS provides managed rule groups (e.g., the AWS Core Rule Set for XSS and other generic exploits, the AWS SQL Database rule group for SQL injection) and you can create your own.
Match Statements (called match conditions in WAF Classic): Define what to look for. The built-in SQL injection match statement detects payloads such as ' OR 1=1 -- or UNION SELECT; byte-match and regex statements let you search for strings and patterns of your own choosing.
IP Sets: A collection of IP addresses and CIDR ranges that you can reference in rules (e.g., block a list of known malicious IPs).
Regex Pattern Sets: Use regular expressions to define complex matching patterns.
When a request arrives at a protected resource (e.g., an ALB), the resource hands it to AWS WAF for evaluation before it reaches your application. The evaluation process:
Request arrives at the AWS resource (e.g., CloudFront).
Resource forwards the request to AWS WAF for inspection.
AWS WAF evaluates the request against the rules in the associated web ACL in order (priority order).
First terminating match wins: Rules are evaluated from the lowest priority number upward. If a rule with a terminating action (Allow, Block, CAPTCHA, Challenge) matches, evaluation stops and that action is taken. A Count match is recorded and evaluation continues. If no terminating rule matches, the default action is applied.
Action taken: Allowed requests continue to the origin; blocked requests receive a 403 Forbidden response by default (a custom response can be configured); counted requests are logged with the matching rule's name and otherwise proceed as if that rule did not exist; CAPTCHA requires the client to solve a puzzle before the request is let through.
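The evaluation order above, together with the rule anatomy from the component list (priority, terminating versus non-terminating actions, text transformations), as an added example that is not part of the original page and not AWS's code. The web ACL is written in the JSON shape the wafv2 API and CLI accept, trimmed to the fields the toy evaluator reads; the ARN, rule names, IP ranges and sample requests are hypothetical, and the evaluator is a simplified model of the service, not the real thing.

```python
"""Added example (not AWS code): a toy model of how a web ACL evaluates a
request. WEB_ACL uses the JSON shape the wafv2 API/CLI accepts, trimmed to
the fields this model reads. ARNs, names and sample requests are hypothetical."""
import ipaddress
import re
from copy import deepcopy
from urllib.parse import unquote_plus

IP_SET_ARN = "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/bad-ips/EXAMPLE"
IP_SETS = {IP_SET_ARN: ["203.0.113.0/24"]}  # constructed "known bad" CIDRs

WEB_ACL = {
    "Name": "MyWebACL",
    "Scope": "REGIONAL",
    "DefaultAction": {"Allow": {}},
    "Rules": [
        {"Name": "BlockKnownBadIPs", "Priority": 0, "Action": {"Block": {}},
         "Statement": {"IPSetReferenceStatement": {"ARN": IP_SET_ARN}}},
        # Count-only rule: records a match but lets evaluation continue.
        {"Name": "CountSuspiciousUA", "Priority": 1, "Action": {"Count": {}},
         "Statement": {"ByteMatchStatement": {
             "FieldToMatch": {"SingleHeader": {"Name": "user-agent"}},
             "PositionalConstraint": "CONTAINS",
             "SearchString": "sqlmap",  # the real API takes bytes; plain text here
             "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}]}}},
        # Custom SQLi pattern on the query string, URL-decoded and lowercased first.
        {"Name": "BlockUnionSelect", "Priority": 2, "Action": {"Block": {}},
         "Statement": {"RegexMatchStatement": {
             "RegexString": r"union\s+select",
             "FieldToMatch": {"QueryString": {}},
             "TextTransformations": [{"Priority": 0, "Type": "URL_DECODE"},
                                     {"Priority": 1, "Type": "LOWERCASE"}]}}},
    ],
}


def _field(request, ftm):
    """Pick the request component a FieldToMatch refers to."""
    if "QueryString" in ftm:
        return request.get("query", "")
    if "UriPath" in ftm:
        return request.get("uri", "")
    if "SingleHeader" in ftm:
        return request.get("headers", {}).get(ftm["SingleHeader"]["Name"].lower(), "")
    if "Body" in ftm:
        return request.get("body", "")
    raise ValueError(f"unsupported FieldToMatch: {ftm}")


def _transform(value, transformations):
    """Apply text transformations in their Priority order before matching."""
    for t in sorted(transformations, key=lambda t: t["Priority"]):
        if t["Type"] == "URL_DECODE":
            value = unquote_plus(value)
        elif t["Type"] == "LOWERCASE":
            value = value.lower()
    return value


def _matches(statement, request):
    if "IPSetReferenceStatement" in statement:
        ip = ipaddress.ip_address(request["client_ip"])
        cidrs = IP_SETS[statement["IPSetReferenceStatement"]["ARN"]]
        return any(ip in ipaddress.ip_network(c) for c in cidrs)
    if "ByteMatchStatement" in statement:
        s = statement["ByteMatchStatement"]
        value = _transform(_field(request, s["FieldToMatch"]), s["TextTransformations"])
        needle = s["SearchString"]
        return {"CONTAINS": needle in value, "EXACTLY": value == needle,
                "STARTS_WITH": value.startswith(needle),
                "ENDS_WITH": value.endswith(needle)}[s["PositionalConstraint"]]
    if "RegexMatchStatement" in statement:
        s = statement["RegexMatchStatement"]
        value = _transform(_field(request, s["FieldToMatch"]), s["TextTransformations"])
        return re.search(s["RegexString"], value) is not None
    raise ValueError(f"unsupported statement: {statement}")


def evaluate(web_acl, request):
    """Return (final_action, terminating_rule, counted_rules) for one request."""
    counted = []
    for rule in sorted(web_acl["Rules"], key=lambda r: r["Priority"]):
        if not _matches(rule["Statement"], request):
            continue
        action = next(iter(rule["Action"]))
        if action == "Count":          # non-terminating: note it and keep going
            counted.append(rule["Name"])
            continue
        return action.upper(), rule["Name"], counted
    return next(iter(web_acl["DefaultAction"])).upper(), "Default_Action", counted


def without_transformations(web_acl):
    """Same web ACL with every text transformation removed, to show the bypass."""
    acl = deepcopy(web_acl)
    for rule in acl["Rules"]:
        for stmt in rule["Statement"].values():
            if "TextTransformations" in stmt:
                stmt["TextTransformations"] = [{"Priority": 0, "Type": "NONE"}]
    return acl


# Constructed sample requests.
BAD_IP = {"client_ip": "203.0.113.7", "uri": "/login", "query": "", "headers": {}}
ENCODED_SQLI = {"client_ip": "198.51.100.5", "uri": "/products",
                "query": "id=1%20UNION%20select%20password%20FROM%20users",
                "headers": {"user-agent": "Mozilla/5.0"}}
SCANNER = {"client_ip": "198.51.100.9", "uri": "/", "query": "id=1",
           "headers": {"user-agent": "sqlmap/1.7"}}

if __name__ == "__main__":
    for name, req in [("bad ip", BAD_IP), ("encoded sqli", ENCODED_SQLI), ("scanner", SCANNER)]:
        print(name, evaluate(WEB_ACL, req))
    print("encoded sqli, no transformations:",
          evaluate(without_transformations(WEB_ACL), ENCODED_SQLI))
```

Running it shows the three outcomes the steps describe: the bad-IP request stops at the first rule, the scanner request is counted but falls through to the default action, and the URL-encoded, mixed-case UNION SELECT is caught only because the rule decodes and lowercases the query string before matching. `without_transformations` shows the same payload sailing through a rule that lacks those transformations, which is the most common reason a hand-written pattern rule fails in practice.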
Key Tiers, Configurations, and Pricing Models
AWS WAF is pay-as-you-go with no upfront commitment. (AWS WAF Security Automations, sometimes mentioned alongside pricing, is a deployable solution, not a pricing model.) You are charged for:
Web ACLs: $5.00 per month per web ACL (prorated hourly).
Rules: $1.00 per month per rule (prorated hourly). A managed rule group counts as one rule; some managed rule groups, such as Bot Control, carry their own additional charges.
Requests: $0.60 per million requests inspected.
Bot Control: Additional fee for the managed Bot Control rule group ($10 per month per web ACL plus $1 per million requests at the Common protection level).
CAPTCHA: $0.40 per 1,000 CAPTCHA attempts analyzed.
Important: AWS WAF charges are billed per region. A regional web ACL (ALB, API Gateway, AppSync) is billed in the region where it lives, so deploying in three regions means three web ACL charges. A CloudFront web ACL is created in US East (N. Virginia) with global scope, billed once, and applied at every edge location.
Comparison to On-Premises or Competing Approaches
On-premises WAF: Requires hardware or virtual appliances, manual updates, capacity planning, and high upfront costs. AWS WAF is fully managed, auto-scales, and integrates with AWS services.
Third-party cloud WAFs: Services like Cloudflare or Akamai offer similar functionality but require routing traffic through their network. AWS WAF is native to AWS: inspection happens inline at the CloudFront edge or at the load balancer, so there is no extra network hop, and it integrates with AWS Firewall Manager and AWS Shield for centralized management and DDoS protection.
AWS Shield: Provides DDoS protection at Layer 3/4 (network and transport layers) automatically (Standard) or with additional features (Advanced). AWS WAF handles Layer 7 application-level attacks. They work together: Shield Advanced waives the AWS WAF web ACL, rule, and request charges for the resources it protects.
When to Use AWS WAF vs Alternatives
Use AWS WAF when: You need to protect web applications running on CloudFront, ALB, API Gateway, or AppSync from common web exploits, SQL injection, XSS, or Layer 7 DDoS. It's ideal when you need custom rules, managed rules, bot control, or rate-based rules.
Use AWS Shield Advanced when: You need enhanced DDoS protection for high-value applications, cost protection against DDoS-related scaling charges, and access to the DDoS Response Team (DRT, now called the Shield Response Team). Shield Advanced covers the AWS WAF charges for the resources it protects.
Use AWS Firewall Manager when: You need to centrally configure and manage AWS WAF rules across multiple accounts and resources in an AWS Organization.
Use AWS Network Firewall when: You need a managed firewall for VPC-to-VPC traffic, outbound filtering, or intrusion prevention (Layer 3-7) – not specifically for web applications.
Create a Web ACL
Navigate to the AWS WAF console and choose 'Create web ACL'. Specify a name (e.g., 'MyWebACL') and select the resource type, which fixes the web ACL's scope: CloudFront distributions (global scope) or regional resources (ALB, API Gateway, AppSync). For CloudFront, you must create the web ACL in the US East (N. Virginia) region. For regional resources, choose the region where your resource resides; a regional web ACL cannot be attached to a resource in another region. Set a default action: 'Allow' or 'Block'. Most applications use default allow and add rules to block specific malicious traffic. Choosing the resource type does not attach anything by itself; you still associate the web ACL with specific resources, either in this wizard or later.
Add Rules to the Web ACL
Inside the web ACL, you add rules. You can add managed rule groups (e.g., the AWS Core Rule Set for XSS and other generic exploits, or the AWS SQL Database rule group for SQL injection), your own custom rules, or rule groups from AWS Marketplace. Each rule has a priority number (lower numbers are evaluated first). For example, add a rate-based rule to block IPs that exceed 2,000 requests in 5 minutes, or a rule to block requests from a specific IP set. You can also add rules that inspect the body of POST requests for SQL injection patterns; note that WAF inspects only the first part of a body by default (8 KB for an ALB, 16 KB for CloudFront and API Gateway), so configure oversize handling for larger bodies. The practical limit on a web ACL is not a flat rule count but web ACL capacity units (WCUs): a web ACL gets 1,500 WCUs by default (adjustable by quota increase) and each rule consumes WCUs in proportion to its complexity, with managed rule groups typically the largest consumers.
Associate the Web ACL with Resources
After creating the web ACL and rules, associate it with your AWS resources. For CloudFront, you associate the web ACL with a distribution in the CloudFront console or via the AWS WAF console. For ALB or API Gateway, you select the specific resource from a dropdown. You can associate one web ACL with multiple resources, but each resource can only be associated with one web ACL at a time. Once associated, AWS WAF inspects all incoming requests to that resource. Regional resources pick up the association within seconds; a CloudFront association has to propagate to the edge locations, which can take a few minutes.
Monitor and Analyze Traffic
AWS WAF publishes near-real-time metrics to Amazon CloudWatch, per web ACL and per rule, including AllowedRequests, BlockedRequests, CountedRequests, PassedRequests, and CaptchaRequests. You can set CloudWatch alarms on spikes in blocked requests, which often signal an attack, or on counted requests, which are what you watch while testing a new rule. AWS WAF also integrates with AWS CloudTrail to log API calls (e.g., creating rules). For detailed request logging, enable logging to Amazon S3, CloudWatch Logs, or Amazon Kinesis Data Firehose. Each log record is JSON and includes the source IP, method, URI, query string, headers, the terminating rule, and the Count-mode rules that matched. Use this data to fine-tune your rules and reduce false positives.
Iterate and Optimize Rules
Based on monitoring and logs, adjust your rules. If legitimate traffic is being blocked, you might loosen a rule or add an exception scoped to the affected path. Use the 'Count' action during testing to see how many requests a rule would block without actually blocking them; a managed rule group can be put in count mode as a whole, or individual rules inside it can be overridden to count. AWS WAF also keeps 'Sampled Requests', a sample of requests from the last 3 hours that matched each rule, which is handy for spotting patterns without a logging pipeline. AWS WAF Security Automations is an AWS solution (a CloudFormation stack) that deploys a set of rules, such as IP reputation lists, scanner and probe detection driven by your own logs, and a bad-bot honeypot, and keeps them updated.
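The log review described in the last two steps, as an added example that is not part of the original page and not AWS code: it reads WAF JSON log records, summarises terminating rules and Count-mode hits, and lists the requests a Count-mode rule would newly block if switched to Block. The five log lines are constructed and trimmed to the fields used; they follow the field layout of real WAF log entries (terminatingRuleId, nonTerminatingMatchingRules, ruleGroupList, httpRequest), but the rule names, IPs and URIs are hypothetical.

```python
"""Added example (not AWS code): summarise AWS WAF JSON logs and list what a
Count-mode rule would have blocked. SAMPLE_LOG is constructed; it follows the
layout of real WAF log records but the rules, IPs and URIs are hypothetical."""
import json
from collections import Counter

SAMPLE_LOG = r"""
{"timestamp":1700000000000,"action":"BLOCK","terminatingRuleId":"BlockKnownBadIPs","terminatingRuleType":"REGULAR","nonTerminatingMatchingRules":[],"ruleGroupList":[],"httpRequest":{"clientIp":"203.0.113.7","httpMethod":"POST","uri":"/login","args":""}}
{"timestamp":1700000001000,"action":"ALLOW","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","nonTerminatingMatchingRules":[],"ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesSQLiRuleSet","terminatingRule":null,"nonTerminatingMatchingRules":[{"ruleId":"SQLi_QUERYARGUMENTS","action":"COUNT"}]}],"httpRequest":{"clientIp":"198.51.100.5","httpMethod":"GET","uri":"/search","args":"q=O'Brien"}}
{"timestamp":1700000002000,"action":"ALLOW","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","nonTerminatingMatchingRules":[],"ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesSQLiRuleSet","terminatingRule":null,"nonTerminatingMatchingRules":[{"ruleId":"SQLi_QUERYARGUMENTS","action":"COUNT"}]}],"httpRequest":{"clientIp":"192.0.2.44","httpMethod":"GET","uri":"/products","args":"id=1%20UNION%20SELECT%20password%20FROM%20users"}}
{"timestamp":1700000003000,"action":"BLOCK","terminatingRuleId":"RateLimit2000","terminatingRuleType":"RATE_BASED","nonTerminatingMatchingRules":[],"ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesSQLiRuleSet","terminatingRule":null,"nonTerminatingMatchingRules":[{"ruleId":"SQLi_QUERYARGUMENTS","action":"COUNT"}]}],"httpRequest":{"clientIp":"192.0.2.44","httpMethod":"GET","uri":"/products","args":"id=1%20UNION%20SELECT%20email%20FROM%20users"}}
{"timestamp":1700000004000,"action":"ALLOW","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","nonTerminatingMatchingRules":[{"ruleId":"CountSuspiciousUA","action":"COUNT"}],"ruleGroupList":[],"httpRequest":{"clientIp":"198.51.100.9","httpMethod":"GET","uri":"/","args":""}}
"""

SQLI_RULE = "AWS#AWSManagedRulesSQLiRuleSet/SQLi_QUERYARGUMENTS"


def parse_log(text):
    """WAF logs are JSON Lines: one record per line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def count_mode_matches(record):
    """Rule ids that matched in Count mode, at the top level and inside rule groups."""
    hits = []
    for m in record.get("nonTerminatingMatchingRules") or []:
        if m.get("action") == "COUNT":
            hits.append(m["ruleId"])
    for group in record.get("ruleGroupList") or []:
        for m in group.get("nonTerminatingMatchingRules") or []:
            if m.get("action") == "COUNT":
                hits.append(f'{group["ruleGroupId"]}/{m["ruleId"]}')
    return hits


def summarize(records):
    """Counters a practitioner looks at first when tuning a web ACL."""
    return {
        "by_action": Counter(r["action"] for r in records),
        "by_terminating_rule": Counter(r["terminatingRuleId"] for r in records),
        "count_hits": Counter(h for r in records for h in count_mode_matches(r)),
        "top_blocked_ips": Counter(r["httpRequest"]["clientIp"]
                                   for r in records if r["action"] == "BLOCK"),
    }


def would_block(records, rule_id):
    """Requests a Count-mode rule matched that nothing else blocked: what flipping
    that rule to Block would newly reject. Review these for false positives."""
    out = []
    for r in records:
        if r["action"] != "BLOCK" and rule_id in count_mode_matches(r):
            h = r["httpRequest"]
            out.append((h["clientIp"], h["httpMethod"], h["uri"], h.get("args", "")))
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(summarize(recs))
    for row in would_block(recs, SQLI_RULE):
        print("would block:", row)
```

The `would_block` output is the false-positive review list: in the sample, the SQLi rule in count mode matched both a genuine UNION SELECT probe and a search for O'Brien, and only the second should make you tune the rule (for example, by excluding the search parameter or using a scope-down statement) before you flip it to Block.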
Scenario 1: E-commerce Website Protection Against SQL Injection
A mid-sized e-commerce company runs its website on Amazon EC2 behind an Application Load Balancer. They process credit card payments and store user data. After a security audit, they discover that their application is vulnerable to SQL injection. The development team would need weeks to fix all input validation. Instead, they deploy AWS WAF with the AWS SQL Database managed rule group (the AWS Core Rule Set covers XSS and other generic exploits but does not itself contain SQL injection rules). They also add a custom rule to block requests whose query string contains patterns like 'DROP TABLE' or 'UNION SELECT', applying URL-decode and lowercase text transformations so that encoded or mixed-case variants are caught too. Cost: $5/month for the web ACL, $1/month for the managed rule group, $1/month for the custom rule, and $0.60 per million requests. For their traffic (10 million requests/month), the total is about $13/month. This blocks SQL injection attempts immediately and buys time for the code fix; the WAF is a compensating control, not a replacement for input validation and parameterized queries. Misconfiguration risk: if they switch the SQL injection rules straight to 'Block' without testing, they may reject legitimate form submissions that contain apostrophes (e.g., O'Brien). They mitigate this by running the rules in 'Count' mode first and reviewing the logs for false positives.
Scenario 2: Media Website Mitigating HTTP Floods
A news website experiences periodic DDoS attacks that flood the site with HTTP GET requests. They use CloudFront for content delivery. They deploy AWS WAF with a rate-based rule that blocks an IP while it sends more than 1,000 requests in a 5-minute window; the block lifts automatically once the rate drops. They also subscribe to AWS Shield Advanced for additional DDoS protection (Shield Standard is already included free). The rate-based rule absorbs the flood at the edge, so legitimate users keep reaching the site. Cost: AWS WAF charges are minimal; Shield Advanced costs $3,000/month with a one-year commitment, covers all accounts under the same consolidated billing, and waives the WAF charges for the resources it protects. Without AWS WAF, they would have to scale up infrastructure to absorb the flood, which costs more. A common mistake is setting the rate limit too low (e.g., 100 requests per 5 minutes), which blocks legitimate users whose browsers fetch dozens of images and scripts per page. They tune the limit from normal traffic patterns in the logs, keeping in mind that many users behind one corporate or carrier-grade NAT share a single source IP.
Scenario 3: SaaS Application with Bot Control
A SaaS company offers a web-based tool and wants to prevent bots from scraping pricing pages and creating fake accounts. They use API Gateway REST APIs. They enable the AWS WAF Bot Control managed rule group, which labels requests by bot category (search engine, scraping framework, HTTP library, and so on) and marks known-good crawlers such as Googlebot as verified. They allow verified bots, block the scraping-framework and automated-browser signals, and apply CAPTCHA to the remaining unverified bot traffic. In this scenario fake sign-ups drop by roughly 90%. Cost: Bot Control adds $10/month per web ACL plus $1 per million requests at the Common protection level. They also send AWS WAF logs to S3 to analyze bot patterns. Misconfiguration: blocking every unverified bot would also block legitimate API clients, which are non-browser HTTP libraries by nature, and CAPTCHA is useless for them since there is no human to solve it. They run Bot Control in 'Count' mode first to assess the impact and exempt their own API clients (by path or token) before enforcing.
Exactly What CLF-C02 Tests on This Objective
Domain: Security and Compliance (Objective 2.3: Explain the security services and features of AWS). The exam expects you to:
Identify that AWS WAF is a web application firewall that protects against common web exploits like SQL injection and cross-site scripting.
Know which AWS services AWS WAF can protect: CloudFront, Application Load Balancer (ALB), API Gateway, and AWS AppSync.
Understand the difference between AWS WAF (Layer 7) and AWS Shield (Layer 3/4 DDoS protection).
Recognize that AWS WAF uses web ACLs, rules, and rule groups.
Know that AWS WAF can be centrally managed using AWS Firewall Manager.
Be aware that AWS WAF integrates with AWS Shield Advanced for enhanced protection.
Common Wrong Answers and Why Candidates Choose Them
1. Wrong: 'AWS WAF protects against DDoS attacks at the network layer.' Why chosen: Candidates confuse WAF (Layer 7) with Shield (Layer 3/4). Correct: AWS WAF handles application-layer attacks; Shield handles network-layer DDoS.
2. Wrong: 'AWS WAF can be used to protect EC2 instances directly.' Why chosen: Candidates think any AWS resource can be protected. Correct: AWS WAF attaches to CloudFront, ALB, API Gateway REST APIs, and AppSync (the four the exam cares about); EC2 instances must sit behind one of these.
3. Wrong: 'AWS WAF is a free service.' Why chosen: AWS offers many free-tier services; candidates assume WAF is free. Correct: AWS WAF has pay-as-you-go pricing for web ACLs, rules, and requests.
4. Wrong: 'AWS WAF uses security groups to filter traffic.' Why chosen: Security groups are a common AWS security concept. Correct: Security groups are stateful Layer 3/4 filters on network interfaces (protocol, port, source) and never see HTTP content; AWS WAF inspects the HTTP request itself.
Specific Terms That Appear on the Exam
Web ACL: The core resource that contains rules.
Rule: Defines a condition and an action (allow, block, count, CAPTCHA).
Rule Group: A reusable collection of rules.
Rate-based rule: A rule that blocks (or counts or challenges) requests from a source IP while that IP exceeds a request-rate threshold within a trailing time window.
IP Set: A list of IP addresses to allow or block.
Managed rule groups: Pre-configured rules provided by AWS or AWS Marketplace sellers.
Tricky Distinctions
AWS WAF vs AWS Shield: WAF is for application layer (HTTP/HTTPS); Shield is for network and transport layer (SYN floods, UDP reflection). Shield Standard is free; WAF is not.
AWS WAF vs AWS Firewall Manager: Firewall Manager is a policy management service that can deploy WAF rules across accounts; it is not a firewall itself.
AWS WAF vs AWS Network Firewall: Network Firewall is for VPC traffic filtering (stateful inspection, intrusion prevention); WAF is for web application traffic.
Decision Rule for Multiple-Choice Questions
If the question mentions 'web application,' 'SQL injection,' 'XSS,' or 'Layer 7,' the answer is likely AWS WAF. If it mentions 'DDoS' at the network layer, 'SYN flood,' or 'UDP flood,' the answer is AWS Shield. If it mentions 'centralized management across accounts,' the answer is AWS Firewall Manager.
AWS WAF is a web application firewall that protects against common web exploits like SQL injection and cross-site scripting (XSS).
AWS WAF can be associated with CloudFront, Application Load Balancer (ALB), API Gateway, and AWS AppSync.
Core components: Web ACL, rules, rule groups, IP sets, regex pattern sets, and rate-based rules.
AWS WAF pricing: $5/month per web ACL, $1/month per rule, $0.60 per million requests (first tier).
Managed rule groups (e.g., AWS Core Rule Set) provide pre-configured protection for common threats.
AWS WAF operates at Layer 7; AWS Shield operates at Layers 3/4 for DDoS protection.
Use AWS Firewall Manager to centrally manage AWS WAF rules across multiple accounts.
Rate-based rules automatically block IPs that exceed a request threshold within a time window.
These come up on the exam all the time. Here's how to tell them apart.
AWS WAF
Operates at Layer 7 (application layer).
Inspects HTTP/HTTPS requests for malicious content (SQL injection, XSS).
Uses web ACLs with custom rules and managed rule groups.
Priced per web ACL, rule, and request.
Integrates with CloudFront, ALB, API Gateway, AppSync.
AWS Shield
Operates at Layers 3 and 4 (network and transport layers).
Protects against DDoS attacks like SYN floods and UDP reflection.
Shield Standard is free and automatic; Shield Advanced is paid with additional features.
Shield Advanced costs $3,000/month with a one-year commitment, plus usage fees on data transfer out.
Protects any AWS resource (EC2, ELB, CloudFront, etc.) at the network level.
Mistake
AWS WAF can protect any AWS resource, including EC2 instances directly.
Correct
AWS WAF can only be associated with CloudFront distributions, Application Load Balancers, API Gateway REST APIs, and AWS AppSync GraphQL APIs. To protect EC2 instances, you must place them behind an ALB or CloudFront.
Mistake
AWS WAF is free because it's a managed service.
Correct
AWS WAF has a pay-as-you-go pricing model. You pay for web ACLs ($5/month each), rules ($1/month each), and requests ($0.60 per million requests). There is no free tier for WAF.
Mistake
AWS WAF and AWS Shield are the same service.
Correct
AWS WAF protects web applications from Layer 7 attacks (e.g., SQL injection). AWS Shield protects against DDoS attacks at Layers 3 and 4 (e.g., SYN floods). They are separate but complementary services.
Mistake
AWS WAF only blocks traffic based on IP addresses.
Correct
AWS WAF can inspect HTTP headers, URI path, query string, body content, and size. IP-based blocking is just one of many capabilities. It can also use regex patterns, rate limiting, and managed rules.
Mistake
You can only use AWS WAF with CloudFront.
Correct
AWS WAF supports CloudFront, ALB, API Gateway, and AppSync. You can use it with any of these services, each in the appropriate region (CloudFront global, others regional).
AWS WAF is a web application firewall that inspects HTTP/HTTPS traffic at Layer 7 to block attacks like SQL injection, cross-site scripting, and HTTP floods. AWS Shield is a DDoS protection service that operates at Layers 3 and 4, protecting against network-level attacks like SYN floods and UDP reflection. Shield Standard is free and automatically enabled for all AWS customers. Shield Advanced is a paid service that provides enhanced protection, cost protection, and access to the DDoS Response Team. On the exam, if the question mentions 'web application' or 'Layer 7', think WAF; if it mentions 'DDoS' or 'network layer', think Shield.
AWS WAF can protect Amazon CloudFront distributions, Application Load Balancers (ALB), Amazon API Gateway REST APIs (HTTP APIs are not supported), and AWS AppSync GraphQL APIs. Newer resource types such as Amazon Cognito user pools and AWS App Runner services can also be protected, but the exam focuses on the four above. It cannot be applied directly to EC2 instances, Network Load Balancers, or Classic Load Balancers. To protect EC2 instances, place them behind an ALB or CloudFront. On the exam, remember these four services; you may be asked which resources are valid for WAF association.
AWS WAF pricing is pay-as-you-go. You pay $5.00 per month for each web ACL (prorated hourly). Each rule costs $1.00 per month, and a managed rule group counts as one rule regardless of how many rules it contains. Requests cost $0.60 per million inspected. Some managed rule groups have additional charges (e.g., Bot Control adds $10/month per web ACL plus $1 per million requests). There is no free tier. On the exam, you may be asked to estimate costs or identify that WAF is not free.
A rate-based rule counts requests from each source IP over a trailing time window (5 minutes in the classic configuration; shorter windows are now available). While the count exceeds the threshold (e.g., 2,000 requests), the rule's action (block, count, or challenge) is applied to further requests from that IP; when the rate drops back under the threshold, the IP is released automatically. This is useful for mitigating HTTP flood DDoS attacks or brute-force login attempts, and a rate-based rule can be scoped down to a path (for example, only POSTs to /login) so the threshold there can be much lower. By default the limit is keyed on the source IP; when traffic arrives through a proxy, the rule can key on the X-Forwarded-For address instead. On the exam, know that rate-based rules are a type of rule in AWS WAF used for Layer 7 DDoS mitigation.
A web ACL can be shared by several resources, but with a caveat about scope. For CloudFront, you create a single web ACL in the US East (N. Virginia) region, and it applies globally to all CloudFront edge locations. For regional resources (ALB, API Gateway, AppSync), you must create a separate web ACL in each region where your resources reside. You cannot associate a regional web ACL with resources in another region. On the exam, you may be asked about regional vs global scope of WAF.
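A sliding-window model of a rate-based rule, as an added example that is not part of the original page and not AWS's code, serving both the rate-based rule answer above and the threshold-tuning mistake in the media-site scenario earlier. It runs a constructed legitimate browser pattern (40 assets per page view, one view every 15 seconds) and a constructed 50-requests-per-second flood through one rule and reports how many requests each loses at a given limit. The IPs and traffic shapes are hypothetical, and the per-request accounting is simplified relative to the real service, which re-evaluates counts periodically.

```python
"""Added example (not AWS code): a sliding-window model of a rate-based rule,
used to sanity-check a threshold against constructed traffic before deploying
it. IPs and traffic shapes are hypothetical."""
from collections import defaultdict, deque


class RateBasedRule:
    """Block requests from an IP while its count in the trailing window exceeds limit.

    Real AWS WAF re-evaluates counts periodically rather than on every request,
    so a handful of over-limit requests may get through before blocking starts;
    this model is exact per request, which is the conservative view for tuning.
    """

    def __init__(self, limit, window_seconds=300):
        self.limit = limit
        self.window = window_seconds
        self._seen = defaultdict(deque)  # ip -> timestamps inside the window

    def evaluate(self, client_ip, ts):
        q = self._seen[client_ip]
        while q and ts - q[0] >= self.window:   # drop requests older than the window
            q.popleft()
        q.append(ts)
        return "BLOCK" if len(q) > self.limit else "PASS"


def simulate(limit, window_seconds=300):
    """Run a legitimate browser and a flood source through one rule and count blocks.

    Legitimate user: one page view every 15 s, each fetching 40 assets at once
    (800 requests per 5 minutes). Flood source: 50 requests per second.
    Returns how many requests each lost, and whether the flood IP is released
    once the window has slid past its last request.
    """
    rule = RateBasedRule(limit, window_seconds)
    blocked = {"legit": 0, "flood": 0}
    for t in range(0, 300, 15):                      # 20 page views
        for _ in range(40):
            if rule.evaluate("198.51.100.5", t) == "BLOCK":
                blocked["legit"] += 1
    for tick in range(300 * 50):                     # 15,000 requests in 5 minutes
        if rule.evaluate("203.0.113.7", tick / 50) == "BLOCK":
            blocked["flood"] += 1
    # After the flood stops and the window slides past it, the IP is released.
    blocked["flood_released"] = rule.evaluate("203.0.113.7", 600.0) == "PASS"
    return blocked


if __name__ == "__main__":
    for limit in (100, 1000, 2000):
        print(f"limit={limit:>5}: {simulate(limit)}")
```

At a limit of 100 the legitimate user loses 700 of 800 requests, exactly the mistake in the scenario; at 2,000 the user is untouched while the flood loses 13,000 of 15,000, and the flood IP passes again once the window has slid past its last request, which is why rate-based blocks need no manual cleanup.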
When you create a web ACL, you specify a default action: either 'Allow' or 'Block'. If a request does not match any rule, the default action is taken. Typically, you set default to 'Allow' and then add rules to block malicious traffic. If you set default to 'Block', you must add rules to allow legitimate traffic. On the exam, understand that the default action applies to requests that don't match any rule.
Managed rule groups are pre-configured sets of rules provided by AWS or AWS Marketplace sellers. AWS provides several, including the AWS Core Rule Set (XSS, local and remote file inclusion, oversized requests, and other common web exploits), the AWS SQL Database rule group (SQL injection protection), the AWS Known Bad Inputs rule group (request patterns tied to known vulnerabilities, including Log4Shell), and the AWS Anonymous IP list (VPNs, proxies, Tor exit nodes). AWS maintains and updates these as new threats appear, so using them saves time and keeps protection current. On the exam, know that managed rule groups are a feature that simplifies rule creation.