1. What is AWS WAF?
AWS WAF is a web application firewall that helps protect web applications from attacks by allowing you to configure rules that allow, block, or monitor (count) web requests based on conditions that you define. These conditions include IP addresses, HTTP headers, HTTP body, URI strings, SQL injection and cross-site scripting.
2. How does AWS WAF block or allow traffic?
As the underlying service receives requests for your web sites, it forwards those requests to AWS WAF for inspection against your rules. Once a request meets a condition defined in your rules, AWS WAF instructs the underlying service to either block or allow the request based on the action you define.
3. How does AWS WAF protect my web site or application?
AWS WAF is tightly integrated with Amazon CloudFront and the Application Load Balancer (ALB), services that AWS customers commonly use to deliver content for their websites and applications. When you use AWS WAF on Amazon CloudFront, your rules run in all AWS Edge Locations, located around the world close to your end users. This means security doesn’t come at the expense of performance. Blocked requests are stopped before they reach your web servers. When you use AWS WAF on Application Load Balancer, your rules run in the Region and can be used to protect internet-facing as well as internal load balancers.
4. Can I use AWS WAF to protect web sites not hosted in AWS?
Yes, AWS WAF is integrated with Amazon CloudFront, which supports custom origins outside of AWS.
5. What types of attacks can AWS WAF help me to stop?
AWS WAF helps protect your website from common attack techniques like SQL injection and Cross-Site Scripting (XSS). In addition, you can create rules that block attacks from specific user-agents, bad bots, or content scrapers. See the AWS WAF Developer Guide for examples.
6. Can I get a history of all AWS WAF API calls made on my account for security, operational or compliance auditing?
Yes. To receive a history of all AWS WAF API calls made on your account, turn on AWS CloudTrail in the CloudTrail AWS Management Console. For more information, visit the AWS CloudTrail home page or the AWS WAF Developer Guide.
7. Does AWS WAF support IPv6?
Yes, support for IPv6 allows AWS WAF to inspect HTTP/S requests coming from both IPv6 and IPv4 addresses.
8. Does the IPSet match condition for an AWS WAF Rule support IPv6?
Yes, you can set up new IPv6 match condition(s) for new and existing WebACLs, as per the documentation.
9. Can I expect to see IPv6 addresses appear in the AWS WAF sampled requests where applicable?
Yes. The sampled requests will show the IPv6 address where applicable.
10. Can I use IPv6 with all AWS WAF features?
Yes. You will be able to use all the existing features for traffic over both IPv6 and IPv4 without any discernible changes to performance, scalability or availability of the service.
11. What services does AWS WAF support?
AWS WAF can be deployed on Amazon CloudFront and the Application Load Balancer (ALB). As part of Amazon CloudFront, it can be part of your Content Distribution Network (CDN), protecting your resources and content at the Edge locations. As part of the Application Load Balancer, it can protect your origin web servers running behind the ALBs.
12. In what Regions is AWS WAF on ALB available?
US East (Northern Virginia), US West (Oregon), Asia Pacific (Tokyo) and EU (Ireland).
AWS WAF charges based on the number of web access control lists (web ACLs) that you create, the number of rules that you add per web ACL, and the number of web requests that you receive. There are no upfront commitments. AWS WAF charges are in addition to Amazon CloudFront Pricing and/or the Application Load Balancer (ALB) pricing.
1. Can I configure custom error pages?
Yes, you can configure CloudFront to present a custom error page when requests are blocked. Please see the CloudFront Developer Guide for more information.
2. How long does it take AWS WAF to propagate my rules?
After an initial setup, adding or changing rules typically takes around a minute to propagate worldwide.
3. How can I see if my rules are working?
AWS WAF includes two different ways to see how your website is being protected: one-minute metrics are available in CloudWatch and Sampled Web Requests are available in the AWS WAF API or management console. These allow you to see which requests were blocked, allowed, or counted and what rule was matched on a given request (i.e., this web request was blocked due to an IP address condition, etc.). For more information see the AWS WAF Developer Guide.
4. How can I test my rules?
AWS WAF allows you to configure a “count” action for rules, which counts the number of web requests that meet your rule conditions. You can look at the number of counted web requests to estimate how many of your web requests would be blocked or allowed if you enable the rule.
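The review described in the two answers above (sampled web requests plus a rule in “count” mode) can be scripted before the rule is switched to block. The following is an added example, not AWS code: the sample data is constructed, shaped like a GetSampledRequests response, and `KNOWN_GOOD_IPS` and `review_counted` are hypothetical names. `Weight` is used only as a relative proportion between samples.

```python
import json
from collections import Counter

# Constructed sample, shaped like a GetSampledRequests response for a rule
# whose action is COUNT. Every value below is made up for illustration.
SAMPLE = json.loads("""
{"SampledRequests": [
 {"Action": "COUNT", "Weight": 3, "Request": {"ClientIP": "203.0.113.10",
  "URI": "/login", "Method": "POST",
  "Headers": [{"Name": "User-Agent", "Value": "curl/7.50"}]}},
 {"Action": "COUNT", "Weight": 1, "Request": {"ClientIP": "203.0.113.10",
  "URI": "/login", "Method": "POST", "Headers": []}},
 {"Action": "COUNT", "Weight": 2, "Request": {"ClientIP": "198.51.100.7",
  "URI": "/api/health", "Method": "GET",
  "Headers": [{"Name": "user-agent", "Value": "internal-monitor"}]}},
 {"Action": "COUNT", "Weight": 2, "Request": {"ClientIP": "2001:db8::1",
  "URI": "/search", "Method": "GET", "Headers": []}}
]}
""")

# Assumption: source addresses the operator already knows are legitimate.
KNOWN_GOOD_IPS = {"198.51.100.7"}

def header(request, name):
    """Case-insensitive lookup in the Name/Value header list."""
    for h in request.get("Headers", []):
        if h["Name"].lower() == name.lower():
            return h["Value"]
    return None

def review_counted(response, known_good_ips):
    """Summarise counted samples and flag likely false positives."""
    counted = [s for s in response["SampledRequests"] if s["Action"] == "COUNT"]
    total = sum(s.get("Weight", 1) for s in counted)
    by_ip, by_uri, false_positives, fp_weight = Counter(), Counter(), [], 0
    for s in counted:
        req, w = s["Request"], s.get("Weight", 1)
        by_ip[req["ClientIP"]] += w
        by_uri[req["URI"]] += w
        if req["ClientIP"] in known_good_ips:  # would be blocked if enforced
            false_positives.append(
                (req["ClientIP"], req["URI"], header(req, "User-Agent")))
            fp_weight += w
    share = lambda c: {k: v / total for k, v in c.most_common()} if total else {}
    return {"share_by_ip": share(by_ip), "share_by_uri": share(by_uri),
            "false_positives": false_positives,
            "fp_share": fp_weight / total if total else 0.0}

if __name__ == "__main__":
    print(json.dumps(review_counted(SAMPLE, KNOWN_GOOD_IPS), indent=2))
```

A non-zero `fp_share` means the rule conditions need tightening, or the known-good sources need an explicit allow rule, before the action is changed from count to block.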
5. How long are Real-Time Metrics and Sampled Web Requests stored?
Real-Time Metrics are stored in Amazon CloudWatch. Using Amazon CloudWatch you can configure the time period in which you want to expire events. Sampled Web Requests are stored for up to 2 hours.
6. Can AWS WAF inspect HTTPS traffic?
Yes. AWS WAF helps protect applications and can inspect web requests transmitted over HTTP or HTTPS.