When and why should I use WAF?



Explore the three AWS services designed to help protect your web applications from external malicious activity. This course covers all three in depth: AWS Web Application Firewall Service (WAF), AWS Firewall Manager and AWS Shield. By learning how all three services can be used together for enhanced protection of web applications, your enterprise will benefit from all the advantages that these services have to offer.

Study the core principles, understand the importance and discuss how protecting web apps with AWS can elevate your business to the next level with this cohesive course made up of 14 lectures, including demos.

Learning Objectives

  • Gain a core foundation of what AWS WAF is and what it does
  • Knowledge of how to configure and implement a WAF solution
  • Analyze how AWS WAF works closely with AWS CloudFront
  • An understanding of how AWS Firewall Manager can be used to help you control AWS WAF across multiple accounts
  • How AWS Shield protects against Distributed Denial of Service attacks
  • An awareness of different types of DDoS attacks
  • An awareness of the steps involved in configuring AWS Shield Advanced

Intended Audience

  • Security architects
  • Technical engineers
  • Website administrators
  • Anyone requiring a deeper understanding of WAF, Shield, and Firewall Manager


Cloud Academy would recommend having a basic understanding of the following, before starting this course:

  • Amazon CloudFront Distributions
  • AWS Application Load Balancer
  • AWS Organizations
  • The 7 layers of the OSI model


Hello and welcome to this lecture where I shall cover when and why you should use AWS WAF. If you are delivering web content via a CloudFront distribution or through an application load balancer, then I would recommend you implement the AWS Web Application Firewall service as an additional layer of security. Without using a Web Application Firewall, you could be exposing your websites and web apps to potentially harmful or malicious traffic, which could wreak havoc within your environment. This could have a significant and detrimental impact on your business from a financial and reputation perspective. There are a number of security vulnerabilities that exist across web applications, and it's important these risks of exposure are mitigated as early as possible. OWASP, the Open Web Application Security Project, is a not-for-profit organization that looks at improving the security of software. They provide a top 10 list of the most critical security risks facing organizations around application architecture. This list includes the following, and their website can be found here.

So the top 10 vulnerabilities and risks are as follows: injections, broken authentication and session management, cross-site scripting, insecure direct object references, security misconfiguration, sensitive data exposure, missing function level access control, cross-site request forgery, using known vulnerable components, and unvalidated redirects and forwards. If you can implement a WAF within your architecture to mitigate against some of these vulnerabilities, then that acts as a huge asset to your web application architecture and a great relief to the security officers within your organization. If you then compare the implementation and administration time needed to deploy AWS WAF to a standard WAF solution, then it's by far quicker. Further, AWS WAF is far simpler and easier to manage as well. Another motivation for implementing a Web Application Firewall might be to achieve a higher level of security compliance.

If, for example, your web application handles credit card transactions, then your web solution may need to be PCI DSS compliant, which is the Payment Card Industry Data Security Standard. As of April 2016, AWS WAF was PCI DSS 3.2 certified. You may have other security detection mechanisms within your organization that operate deeper within your infrastructure, perhaps at the web server layer, to mitigate against some of the same risks that WAF does. And so you may be thinking, why should I implement WAF if I have this existing solution which is working perfectly fine? Well, if you have existing detection systems within your infrastructure, then that's great. However, the closer they are logically implemented to your web application, the greater the risk of additional vulnerabilities occurring elsewhere within your infrastructure.

It's best to mitigate vulnerability risks as close to the perimeter of your network environment as possible. By doing so, it reduces the chances of other infrastructure and systems being compromised. When using CloudFront, AWS WAF sits logically between the end user requesting access to your website or web app and your CloudFront distribution. Although logically AWS WAF is in front of CloudFront, the request will be received by the CloudFront distribution first, and then it's immediately forwarded to your associated WAF Web ACL to either block or allow the request. So before it's even traversed your CloudFront environment and network, you have the ability to detect, analyze, and either block or allow the incoming request. If the traffic is dropped, no more processing occurs, which saves valuable bandwidth across your internal network and prevents other internal systems potentially becoming compromised.

If the traffic is allowed, then AWS CloudFront continues to process the request as normal and forwards the traffic to the web resource. WAF is very easy to manage either via the AWS Management Console or via the API calls and offers integration with other AWS services, such as AWS CloudWatch for monitoring specific WAF metrics and AWS Lambda for automation. If you couple ease of use, built-in monitoring metrics, and automation possibilities with a low cost point compared to other WAF products, then you'll realize AWS WAF offers an excellent secure solution for your web applications. That brings me to the end of this lecture. Following this, I shall be giving a demonstration on how to configure the WAF service itself.
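The placement described in the lecture, a Web ACL that allows or blocks each request arriving at a CloudFront distribution and reports to CloudWatch, written as a CloudFormation fragment. This is an added example, not part of the original lecture or course material; it assumes the WAFv2 resource types, and the resource and metric names are placeholders.

```yaml
# Added example (not from the lecture). Names are illustrative placeholders.
# A CLOUDFRONT-scoped web ACL must be created in us-east-1.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  ExampleWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: example-cloudfront-acl
      Scope: CLOUDFRONT          # REGIONAL instead for an Application Load Balancer
      DefaultAction:
        Allow: {}                # no rule matched: CloudFront processes the request as normal
      VisibilityConfig:
        CloudWatchMetricsEnabled: true   # allowed/blocked counts for the whole ACL
        SampledRequestsEnabled: true
        MetricName: ExampleWebAcl
      Rules:
        - Name: aws-sqli         # injection risk from the OWASP list
          Priority: 0            # lower number is evaluated first
          OverrideAction:
            None: {}             # keep the rule group's own block actions
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesSQLiRuleSet
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            SampledRequestsEnabled: true
            MetricName: ExampleSqli
        - Name: aws-common       # general web rules, including cross-site scripting
          Priority: 1
          OverrideAction:
            None: {}
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesCommonRuleSet
          VisibilityConfig:
            CloudWatchMetricsEnabled: true
            SampledRequestsEnabled: true
            MetricName: ExampleCommon
Outputs:
  WebAclArn:
    # Set this ARN as DistributionConfig.WebACLId on the
    # AWS::CloudFront::Distribution that the ACL should protect.
    Value: !GetAtt ExampleWebAcl.Arn
```

Setting `OverrideAction` to `Count: {}` on a rule group records matches in CloudWatch without blocking, which is a common way to observe a new rule set against real traffic before enforcing it.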

About the Author

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.