Protecting Web Apps with AWS WAF
4m 16s


The AWS Web Application Firewall Service, more commonly known as AWS WAF, is designed to help protect your web applications from external malicious activity. This course looks at the basics of the service before moving on to look at its components, followed by a demonstration of its configuration.

Learning Objectives

  • Understand what AWS WAF is and what it does
  • Understand the different components that make up the AWS WAF Service
  • Learn how to create and configure an AWS Web ACL that is associated with an Amazon CloudFront Distribution

Intended Audience

  • Security architects
  • Technical engineers
  • Website administrators
  • Anyone who requires a deeper understanding of the WAF service in preparation for an AWS certification


To get the most out of this course, it would be beneficial to have an understanding of Amazon CloudFront and some basic IT security knowledge.


In this final lecture, I want to summarize the key points from the previous lectures of this course. I started by providing an overview of AWS WAF, and in that lecture we covered the following points. The AWS Web Application Firewall is a service that helps protect websites and web applications against common web attack patterns.

AWS WAF supports resources including Amazon API Gateway REST APIs, CloudFront distributions, Application Load Balancers and AWS AppSync GraphQL APIs. There are currently two versions of AWS WAF: AWS WAF Classic and AWS WAF, sometimes referred to as the new AWS WAF. You should only use AWS WAF Classic if you created AWS WAF resources prior to November 2019.

WAF filters both HTTP and HTTPS requests by distinguishing between legitimate and harmful inbound requests. The service is composed of Web ACLs, rules and rule groups. The Web ACL is the main building block of the AWS WAF service: it is associated with supported resources, it contains rules, and it has a default action of either allow or block, which is applied to any request that no rule matched.

Rules contain statements and actions. The statements define the specific criteria that a web request is inspected against, and a rule's action can be allow, block or count. Rule groups are collections of rules that you can reuse across different Web ACLs, and AWS WAF also comes with a number of AWS managed rule groups.

Next I focused my attention on the creation of rules and rule groups. During that lecture, we learnt that rules define the inspection criteria that determine whether web traffic is allowed or blocked, and that you can use managed rule groups or create your own rules and rule groups in a Web ACL. Managed rule groups contain pre-defined rules created by AWS and by AWS Marketplace sellers for you to use. They are tried and tested, and each has been designed to help protect against a specific type of vulnerability or risk.

Each web ACL has a capacity limit, 1,500 web ACL capacity units (WCUs) at the time of this course, and WCU values are assigned to rules and rule groups. The more intricate a rule is from an inspection perspective, the more WCUs it consumes. When creating a rule group, you must stipulate an immutable capacity at the time of its creation. Custom rules can have a rule type of IP set, rule builder or rule group. IP set allows you to configure the rule criteria based on either the source IP address or an IP address carried in a request header, such as X-Forwarded-For. The rule builder allows you to create your rules with either the visual editor or the JSON editor.

By nesting statements, you can implement logic within your rules using the operators AND, OR and NOT. The difference between a rate-based rule and a regular rule is that a rate-based rule counts the number of requests received from each source IP address (or each IP address in the header) over a five-minute period, and applies its action to sources that exceed the limit you set.

Regular rules are effectively if/then statements: if the request matches the rule's statement, then the rule's action is applied. Rule groups allow you to group a set of rules together to be associated with one or more Web ACLs, and you must specify the maximum capacity in WCUs when creating a new rule group. Rule priorities determine the order in which rules are evaluated, lowest number first.
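To tie the components summarized above together (Web ACL, default action, IP set, nested AND/NOT statements, a rate-based rule, a custom rule group and an AWS managed rule group), here is an added example that is not part of the course. It composes a Web ACL definition in the shape that boto3's wafv2 create_web_acl call accepts and checks it for the mistakes the API rejects: duplicate priorities, a rate limit outside the documented range, and the wrong kind of action on a rule group reference. The ARNs, account id, rule names, priorities and the 2,000-request limit are placeholders chosen for illustration; the 100..2,000,000,000 limit range is taken from the wafv2 API reference and should be checked against the current documentation.

```python
"""Compose and sanity-check an AWS WAF (wafv2) Web ACL definition. Added example."""

# Assumption: placeholder ARNs and account id; real values come from the
# create-ip-set and create-rule-group calls made before the web ACL.
ALLOWLIST_IP_SET_ARN = "arn:aws:wafv2:us-east-1:123456789012:global/ipset/office-allowlist/EXAMPLE-IPSET-ID"
CUSTOM_RULE_GROUP_ARN = "arn:aws:wafv2:us-east-1:123456789012:global/rulegroup/app-rules/EXAMPLE-RG-ID"
# Rate-based rule limit range per five-minute window, as documented for the wafv2 API.
RATE_LIMIT_MIN, RATE_LIMIT_MAX = 100, 2_000_000_000


def visibility(name):
    """CloudWatch metric and sampled-request settings that every rule and ACL needs."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": name}


def uri_starts_with(prefix):
    """Match statement: URI path begins with `prefix` (lower-cased before comparison)."""
    return {"ByteMatchStatement": {
        "FieldToMatch": {"UriPath": {}},
        "PositionalConstraint": "STARTS_WITH",
        "SearchString": prefix.encode(),
        "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
    }}


def build_web_acl():
    rules = [
        {   # AWS managed rule group, evaluated first. OverrideAction None keeps each rule's own action.
            "Name": "AWSCommonRuleSet", "Priority": 0, "OverrideAction": {"None": {}},
            "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}},
            "VisibilityConfig": visibility("AWSCommonRuleSet"),
        },
        {   # Rate-based rule: block a source IP sending more than 2000 requests to /login in five minutes.
            "Name": "LoginRateLimit", "Priority": 10, "Action": {"Block": {}},
            "Statement": {"RateBasedStatement": {
                "Limit": 2000, "AggregateKeyType": "IP", "ScopeDownStatement": uri_starts_with("/login"),
            }},
            "VisibilityConfig": visibility("LoginRateLimit"),
        },
        {   # Regular rule with nested AND/NOT logic: block /admin unless the source IP is in the allowlist.
            "Name": "AdminNotFromOffice", "Priority": 20, "Action": {"Block": {}},
            "Statement": {"AndStatement": {"Statements": [
                uri_starts_with("/admin"),
                {"NotStatement": {"Statement": {"IPSetReferenceStatement": {"ARN": ALLOWLIST_IP_SET_ARN}}}},
            ]}},
            "VisibilityConfig": visibility("AdminNotFromOffice"),
        },
        {   # Custom rule group, run in Count mode first so its rules are observed before they block.
            "Name": "AppRuleGroup", "Priority": 30, "OverrideAction": {"Count": {}},
            "Statement": {"RuleGroupReferenceStatement": {"ARN": CUSTOM_RULE_GROUP_ARN}},
            "VisibilityConfig": visibility("AppRuleGroup"),
        },
    ]
    return {
        "Name": "cloudfront-web-acl",
        "Scope": "CLOUDFRONT",           # global ACL for a distribution; must be created in us-east-1
        "DefaultAction": {"Allow": {}},  # applied to requests that no rule matched
        "Rules": rules,
        "VisibilityConfig": visibility("cloudfront-web-acl"),
    }


def evaluation_order(acl):
    """Rule names in the order WAF evaluates them: ascending priority."""
    return [r["Name"] for r in sorted(acl["Rules"], key=lambda r: r["Priority"])]


def validate_web_acl(acl, region="us-east-1"):
    """Return problems the API would reject or that are usually mistakes (empty list means ok)."""
    problems = []
    if acl["Scope"] == "CLOUDFRONT" and region != "us-east-1":
        problems.append("CLOUDFRONT-scoped web ACLs must be created in us-east-1")
    if list(acl["DefaultAction"]) not in (["Allow"], ["Block"]):
        problems.append("DefaultAction must be exactly one of Allow or Block")
    seen = set()
    for rule in acl["Rules"]:
        name, prio, stmt = rule["Name"], rule["Priority"], rule["Statement"]
        if prio in seen:
            problems.append(f"rule {name}: duplicate priority {prio}")
        seen.add(prio)
        references_group = "ManagedRuleGroupStatement" in stmt or "RuleGroupReferenceStatement" in stmt
        if references_group and "OverrideAction" not in rule:
            problems.append(f"rule {name}: rule group references take OverrideAction, not Action")
        if not references_group and "Action" not in rule:
            problems.append(f"rule {name}: a regular or rate-based rule needs an Action")
        limit = stmt.get("RateBasedStatement", {}).get("Limit")
        if limit is not None and not RATE_LIMIT_MIN <= limit <= RATE_LIMIT_MAX:
            problems.append(f"rule {name}: rate limit {limit} outside {RATE_LIMIT_MIN}..{RATE_LIMIT_MAX}")
    return problems


def create_web_acl(acl):
    """Create the ACL for real; boto3 is imported lazily so the rest of the file runs offline."""
    import boto3  # assumes AWS credentials are configured in the environment
    return boto3.client("wafv2", region_name="us-east-1").create_web_acl(**acl)


if __name__ == "__main__":
    acl = build_web_acl()
    print("evaluation order:", evaluation_order(acl))
    print("problems:", validate_web_acl(acl) or "none")
```

Before creating the ACL, the WCU cost of the rule list can be obtained from the service itself with `aws wafv2 check-capacity --scope CLOUDFRONT --rules file://rules.json` (in CLI JSON the SearchString is base64-encoded), which is the practical way to stay within the web ACL capacity quota. For a CloudFront distribution the association is made on the CloudFront side, by setting the returned ACL ARN as the distribution's WebACLId, rather than through the WAF associate-web-acl call used for regional resources.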

In the final lecture, I provided a demonstration that showed you how to create an IP set, a rule group and its associated rules and a Web ACL that is associated with a CloudFront distribution.

That has now brought me to the end of this lecture and to the end of this course. You should now have a greater understanding of AWS WAF, what it's used for, its core components and how to create and configure a web ACL to help you mitigate vulnerabilities and threats to your web application infrastructure and resources. If you have any feedback on this course, positive or negative, please contact us by sending an email to Your feedback is greatly appreciated. Thank you for your time and good luck with your continued learning of cloud computing. Thank you.

About the Author

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.