1. Home
  2. Training Library
  3. Amazon Web Services
  4. Courses
  5. Introduction to AWS Web Application Firewall

When and why should you use AWS WAF?


2m 50s
Start course



Please note: This course has been replaced with a more recent version found here.


Security is one of the hottest topics within the cloud industry right now, mostly due to uncertainty and a lack of understanding when it comes to knowing how to secure the cloud really is. With this in mind, public cloud vendors focus massive effort and resources into security, resulting in additional levels of security at all layers within their cloud architecture.

This made way for the development of the AWS Web Application Firewall (WAF) service which was launched at Re:Invent in October 2015.

This course looks at all the elements of AWS Web Application Firewall from a beginners introduction to the service from what it is and when to use it within your environment, to how it can be used in conjunction with other services like AWS CloudWatch and AWS Lambda to help with automation of your security.

If you have thoughts or suggestions for this course, please contact Cloud Academy at support@cloudacademy.com.


Hello and welcome to this lecture where I shall cover when and why you should use AWS WAF.

If you are delivering web content via a CloudFront distribution, then I would recommend you implement the AWS web application firewall service as an additional layer of security. Without using a web application for firewall, you could be exposing your websites and web apps to potentially harmful and malicious traffic which could wreak havoc within your environment. This could have significant detrimental impact on your business from a financial and reputation perspective.

There are a number of security vulnerabilities that can exist across web applications and it's important that these risks of exposure are mitigated as early as possible. OWASP, Open Web Applications Security Project, is an not for profit organization which looks at improving the security on software.

They provide a top 10 list of the most critical security risks facing organizations around application architecture. This list includes the following and can be found on their website.

If you can implement a WAF within your architecture to mitigate against some of these vulnerabilities, then that's a huge asset to your web application architecture and a great relief to the security officers within your organization. If you then compare the implementation and administration time to deploy AWS WAF to a standard WAF solution, then it's by far quicker. Further, AWS WAF is far simpler and easier to manage as well.

Another motivation for implementing a web application firewall might be to achieve a high level of security compliance. If, for example, your web app handles credit card transactions, then your web solution may need to PCI DSS compliant. As of April 2016, AWS WAF is PCI DSS 3.2 certified making AWS the first cloud provider to do so.

You may have other security detection mechanisms within your organization that operate deeper within your infrastructure. Perhaps, at the web server layer, to mitigate against some of the risks that WAF does and so you may be thinking why should I implement WAF if I have this existing solution which is working okay.

If you have existing detection systems within your infrastructure then that's great. However, the closer they are logically implemented to your web application, the greater the risk of additional vulnerabilities occurring elsewhere within your infrastructure. It's best to mitigate vulnerability risks as close to the perimeter of your network environment as possible. By doing so it reduces the chances of other infrastructure and systems being compromised.

AWS WAF sits logically between the end user requesting access to your website or web app and your CloudFront distributions. Although logically, AWS WAF is in front of your CloudFront, the requests will be received by the CloudFront distribution first, and then it's immediately forwarded to you associated WAF web ACL to block all other requests. So, before it's even traversed your CloudFront environment and networks, you have the ability to detect, analyze, and either allow or block the incoming request. If the traffic is dropped, no more processing occurs which saves valuable bandwidth across your internal network and prevents other internal systems potentially becoming compromised. If the traffic is allowed, then AWS CloudFront continues to process a request as normal, and forwards the traffic to the web resource.

WAF is very easy to manage either via the AWS management console or via API ACLS and offer integration with other AWS services such as AWS CloudWatch for monitoring specific WAF metrics and AWS Lambda for automation. If you couple ease of use, build in monitoring metrics, and automation possibilities with a low cost point compared to other WAF products, then you will realize AWS WAF offers an excellent secure solution for your web applications.

That bring us to the end of this lecture. Following this, I shall be giving a demonstration on how to configure the WAF service.



About the Author
Learning paths61

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 80+ courses relating to Cloud reaching over 100,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.