Resources

The AWS Best Practices for DDoS Resiliency whitepaper provides an overview of DDoS attacks, capabilities provided by AWS, mitigation techniques, and a DDoS-resilient reference architecture that can be used as a guide to help protect application availability.


FAQ

Q: Can I incorporate the AWS WAF Security Automations and AWS WAF Security Automations for Classic solutions into my existing web application firewall strategy?

A: Yes. You can aggregate existing rules and solution-created rules into a single web ACL. Note that individual web ACLs are subject to rule limits (now called quotas); see the AWS WAF Developer Guide for information.

Q: How much does the WAF Security Automations solution cost?

A: You are responsible for the cost of the AWS services used while running this solution. The total cost for running this solution mainly depends on the amount of data ingested, stored, and processed, the number of requests received by Amazon API Gateway, and the number of AWS Lambda invocations. We recommend creating a budget through AWS Cost Explorer to help manage costs. For full details, see the pricing webpage for each AWS service used in this solution.

The following table is an example cost breakdown for running this solution in the US East (N. Virginia) Region (excludes free tier). Prices are subject to change. For more information, refer to the implementation guide.

Example 1: Enabled Reputation List Protection, Bad Bot Protection, and Lambda Log Parser for HTTP Flood Protection and Scanner & Probe Protection

| AWS Service | Dimensions/Month | Cost/Month |
| --- | --- | --- |
| Amazon Kinesis Data Firehose | 100 GB | ~$2.90 |
| Amazon Simple Storage Service (Amazon S3) | 100 GB | ~$2.30 |
| Amazon Lambda | 128 MB: 3 functions, total of 1M invocations and average 500 millisecond duration per Lambda run; 512 MB: 2 functions, total of 1M invocations and average 500 millisecond duration per Lambda run | ~$5.4 |
| Amazon API Gateway | 1M requests | ~$3.4 |
| Total | | ~$14 |

 
Example 2: Enabled Reputation List Protection, Bad Bot Protection, and Athena Log Parser for HTTP Flood Protection and Scanner & Probe Protection

| AWS Service | Dimensions/Month | Cost/Month |
| --- | --- | --- |
| Amazon Kinesis Data Firehose | 100 GB | ~$2.90 |
| Amazon Simple Storage Service (Amazon S3) | 100 GB | ~$2.30 |
| Amazon Lambda | 128 MB: 3 functions, total of 1M invocations and average 500 millisecond duration per Lambda run; 512 MB: 2 functions, total of 7560 invocations and average 500 millisecond duration per Lambda run | ~$1.26 |
| Amazon API Gateway | 1M requests | ~$3.4 |
| Amazon Athena | 1.2M CloudFront object hits or 1.2M ALB requests per day that generate a ~500 byte log record per hit/request | ~$4.32 |
| Total | | ~$14.18 |

Q: Can I use these solutions to protect multiple web applications?

A: Yes. After you deploy the AWS WAF Security Automations or AWS WAF Security Automations for WAF Classic solution, you can associate its web ACL (with all the rules included in the solution) with multiple web applications. Note that the web ACL that the solution creates will be compatible with either a CloudFront distribution or an Application Load Balancer, depending on what you select for the Endpoint Type template parameter.

Q: Can I extend the functionality of AWS WAF Security Automations?

A: Yes. You can modify and customize all the rules provided in either solution. During initial configuration, use the template parameters to control rule behavior, as well as the code for the AWS Lambda functions.

Q: Do these solutions integrate with my third-party web application firewall?

A: No. These rules are specific to the AWS WAF service.

Q: Can I deploy these solutions in any AWS Region?

A: For web apps deployed with an Application Load Balancer, you must deploy the relevant solution's AWS CloudFormation template in an AWS Region that supports AWS WAF for Application Load Balancers (for the most current AWS WAF availability, see AWS service offerings by Region).

For web apps deployed with Amazon CloudFront, you can deploy the solution template only in the US East (N. Virginia) Region.

Training and Certification

AWS Training and Certification builds your competence, confidence, and credibility through practical cloud skills that help you innovate and build your future.

Getting Started with AWS Security, Identity, and Compliance

This course provides an overview of AWS security technology, use cases, benefits, and services. The infrastructure protection section covers AWS WAF for traffic filtering.

Introduction to Amazon Macie

Amazon Macie is a security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS. In this course, you will be introduced to Amazon Macie, how the service works, and the underlying concepts driving the service.


AWS Certified Security – Specialty

This exam tests your technical expertise in securing the AWS platform. This is for anyone in an experienced security role.


Partner resources

The AWS Partner Network (APN) is focused on helping partners build successful AWS-based businesses to drive superb solutions and customer experiences. APN Partners are focused on customer success, helping you take full advantage of all the business benefits that AWS has to offer. With their deep expertise on AWS, APN Partners are uniquely positioned to help your company at any stage of your Cloud Adoption Journey and to help you solve some of your most complex problems.
