AWS - WAF

WAF:

WAF is a global service like CloudFront, Route 53, SES, IAM. 

It’s a Web Application Firewall to protect Web apps/APIs. 

You can allow/block requests based on request properties. 

WAF can be administered using AWS Firewall Manager (across multiple accounts and resources). 

AWS Shield Advanced can be integrated with AWS WAF. 

WAF comes free with Shield Advanced. 

With WAF + CloudFront, the rules will run in Edge locations (security + performance). 

With WAF + regional resources like ALB/APIGW/AppSync/Cognito User Pools, the rules will run in the region (internet-facing/internal resources are protected). 

WAF can block XSS and SQL Injection attacks but can’t withstand DDoS attacks (use WAF’s Web ACL rate-based rules + AWS Shield Advanced for DDoS attacks). 

WAF can mitigate application layer DDoS attacks. 

WAF’s Web ACL has two types of rules – regular and rate-based. 

You can’t do rate limit in the regular rule (but can add conditions). 

WAF’s Web ACL rate-based rules can be used to block request flooding from an originating IP (limit the rate of traffic to your application). 

Those who send HTTP flood attacks will receive 403 Forbidden until the request rate drops below threshold. 

With WAF’s Web ACL, you can create a geo-match condition to block/allow requests originating from specific countries. 

If you want to allow/block requests ONLY based on geography, use CloudFront’s geo-restriction. 

If you want to allow/block requests based on geography + other WAF criteria, use WAF geo-match condition.