Background
At AWS re:Invent in 2015, Amazon released AWS WAF (Amazon Web Services Web Application Firewall). Since the introduction of Managed Rules at the 2017 AWS re:Invent, to be used in conjunction with AWS WAF, companies have increasingly come to rely on these products for web security.
About WAF
What is WAF (Web Application Firewall)?
A web application firewall (or WAF) protects your web applications from various attacks by filtering, monitoring, and blocking HTTP traffic to and from a web application. It can prevent attacks stemming from web application security flaws, such as SQL injection, cross-site scripting (XSS), file inclusion, and security misconfigurations.
About AWS
AWS (Amazon Web Services) is Amazon’s cloud service, which includes databases, virtual servers, and other related things for IT web services. There are more than 90 services currently provided, and you can use as many as you need, with prices depending on how many times you use each service.
AWS satisfies many security requirements and standards, so it provides high quality security, ease of availability, and a high fault-tolerance. Many companies and governments all over the world find AWS well-suited to their daily security needs.
AWS WAF Pros and Cons
Pros
✔︎ Easy to use: You can start using AWS WAF by attaching it with CloudFront, ALB (Application Load Balancer), or API Gateway and enabling the settings.
✔︎ Huge library of useful APIs: There are plenty of APIs in AWS WAF, which allows you to use many processes.
✔︎ No initial cost and cheap to use: It is cheaper to operate, as you don’t need to worry about any initial costs like hardware, etc.
*See table for cost breakdown at the bottom of the page.
Cons
✖︎ Difficult to manage: If you have little to no experience with AWS WAF, creating rules from scratch might be difficult.
About Web ACLs
Web ACLs (Access Control Lists) are lists that restrict requests to your website. Web ACLs decide which communication should be allowed or blocked by conditions you define on AWS WAF. If you don’t set this list, you can’t stop attacks against vulnerabilities that your web applications have, and malicious users will be able to hack your website.
AWS WAF has a limit on the number for Web ACLs, rules, and conditions. **See table for limitations at the bottom of the page.
Conclusion
As cyber attacks are becoming more and more frequent & sophisticated, using appropriate WAF is of the utmost importance not only for governments and companies, but also for individuals using personal web applications.
Moreover, AWS WAF doesn’t require any initial cost and makes it easier to expand resources as needed.
While there are some limitations, there is a free trial term for one year, so we here at Cyber Security Cloud strongly recommend AWS services.
To learn more about AWS WAF, visit our blog page.
*AWS WAF Cost
| Per 1 million requests | $0.60 |
| Per single rule | $1.00 |
| Per single Web ACL | $5.00 |
**AWS WAF Account Limit
| Web ACLs per account | 50 |
| Rules per account | 100 |
| Rules per single Web ACL | 10 |
| Conditions per account | 100 |
| Regex Conditions per account | 10 |
| Regex pattern sets per account | 5 |
