AWS WAF Documentation

AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits and bots. AWS WAF enables you to create security rules designed to control bot traffic and block common attack patterns. You can also customize rules that filter out specific traffic patterns. You can use Managed Rules for AWS WAF, a pre-configured set of rules managed by AWS or AWS Marketplace Sellers. These rules are updated as new issues emerge. AWS WAF includes an API that you can use to automate the creation, deployment, and maintenance of security rules.

You can deploy AWS WAF on Amazon CloudFront as part of your CDN solution, the Application Load Balancer that fronts your web servers or origin servers running on EC2, Amazon API Gateway for your REST APIs, or AWS AppSync for your GraphQL APIs.

Web traffic filtering

AWS WAF lets you create rules to filter web traffic based on conditions that include IP addresses, HTTP headers and body, or custom URIs. AWS WAF allows you to create a centralized set of rules that you can deploy across multiple websites.

AWS WAF Bot Control

AWS WAF Bot Control is a managed rule group that gives you visibility and control over common and pervasive bot traffic. You can block, or rate-limit, pervasive bots, such as scrapers, scanners, and crawlers, or you can allow common bots, such as status monitors and search engines. The Bot Control managed rule group can be used alongside other Managed Rules for WAF or your own custom WAF rules to protect your applications.


AWS WAF can be administered via APIs. AWS WAF can also be deployed and provisioned using AWS CloudFormation sample templates.


AWS WAF provides metrics and captures raw requests that include details about IP addresses, geo locations, URIs, User-Agent and Referrers. AWS WAF is integrated with Amazon CloudWatch, enabling you to set up custom alarms when thresholds are exceeded or particular attacks occur.

Integration with AWS Firewall Manager

You can centrally configure and manage AWS WAF deployments across multiple AWS accounts using AWS Firewall Manager.

Additional Information

For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see This additional information does not form part of the Documentation for purposes of the AWS Customer Agreement available at, or other agreement between you and AWS governing your use of AWS’s services.