Security Automations for AWS WAF

Important: As of 01/18/2022, WAF Automation on AWS for WAF Classic has been deprecated. For the latest features and updates, we encourage customers to use Security Automations for AWS WAF, which supports the latest WAFV2.

What does this AWS Solution do?

This solution automatically deploys a set of AWS WAF (web application firewall) rules that filter common web-based attacks. Users can select from preconfigured protective features that define the rules included in an AWS WAF web access control list (web ACL). Once deployed, AWS WAF protects your Amazon CloudFront distributions or Application Load Balancers by inspecting web requests.

You can use AWS WAF to create custom, application-specific rules that block attack patterns to ensure application availability, secure resources, and prevent excessive resource consumption.

The Security Automations for AWS WAF solution supports the latest version of AWS WAF (AWS WAFV2) service API.

Out-of-the-box solution or build your own set of WAF rules

Leverage the Security Automations for AWS WAF solution out-of-the-box, or build your own set of WAF rules.

Identifies and blocks cross-site scripting (XSS) attacks

The solution configures two native AWS WAF rules that are designed to protect against common SQL injection or XSS patterns in the URI, query string, or body of a request.

Quickly configure WAF rules

The AWS CloudFormation template automatically launches and configures the AWS WAF settings and protective features you choose to include during initial deployment.

Log analysis

When activated, AWS CloudFormation provisions an Amazon Athena query and a scheduled AWS Lambda function responsible for orchestrating Athena query execution, processing the result output, and updating AWS WAF.

AWS Solution overview

    The Security Automations for AWS WAF solution provides fine-grained control over the requests attempting to access your web application. The diagram below presents the architecture you can build using the solution's implementation guide and accompanying AWS CloudFormation template.

    At the core of the design is an AWS WAF web ACL that acts as the central inspection and decision point for all incoming requests. The protective functions you choose to activate determine the custom rules that are added to your web ACL.

    Security Automations for AWS WAF architecture

    AWS Managed Rules (A): This set of AWS managed core rules provides protection against exploitation of a wide range of common application vulnerabilities or other unwanted traffic.

    Manual IP lists (B and C): This component creates two specific AWS WAF rules that allow you to manually insert IP addresses that you want to block or allow. You can also configure IP retention and remove expired IP addresses from these IP lists.

    SQL Injection (D) and XSS (E): The solution configures two native AWS WAF rules that are designed to protect against common SQL injection or cross-site scripting (XSS) patterns in the URI, query string, or body of a request.

    HTTP flood (F): This component helps protect against attacks that consist of a large number of requests from a particular IP address, such as a web-layer DDoS attack or a brute-force login attempt. This feature supports thresholds of less than 100 requests within a 5-minute period.

    Scanners and Probes (G): This component parses application access logs searching for suspicious behavior, such as an abnormal amount of errors generated by an origin. It then blocks those suspicious source IP addresses for a customer-defined period of time.

    IP Reputation Lists (H): This component is the IP Lists Parser AWS Lambda function which checks third-party IP reputation lists hourly for new ranges to block.

    Bad Bots (I): This component automatically sets up a honeypot, which is a security mechanism intended to lure and deflect an attempted attack.
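    The log-analysis path behind HTTP flood (F), Scanners and Probes (G) and the IP retention of the manual lists (B and C), reduced to its detection logic as an added Python example. This is not the solution's own Lambda or Athena code; the simplified log format, the thresholds, the retention period and the evaluation time are assumptions, and the log lines are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample lines in a simplified "<timestamp> <client-ip> <status>" layout
# (real CloudFront/ALB logs carry many more fields): one IP probing for missing
# paths, one flooding the site with 60 requests in a minute, one ordinary client.
SAMPLE_LOG = "\n".join(
    [f"2024-01-01T10:00:{s:02d}Z 198.51.100.7 404" for s in range(8)]
    + [f"2024-01-01T10:01:{s:02d}Z 192.0.2.1 200" for s in range(60)]
    + ["2024-01-01T10:02:00Z 203.0.113.9 200", "2024-01-01T10:02:05Z 203.0.113.9 404"]
)
NOW = datetime(2024, 1, 1, 10, 3, tzinfo=timezone.utc)  # assumed evaluation time

def parse_log(text):
    """Return (timestamp, ip, status) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((ts, parts[1], int(parts[2])))
    return records

def find_offenders(records, now, window=timedelta(minutes=5), request_limit=50, error_limit=5):
    """Map IP -> reason for IPs over the request count (HTTP flood) or the 4xx
    count (scanners and probes) inside the window. request_limit is kept below
    100 requests per 5 minutes, the threshold range the page says is supported."""
    requests, errors = Counter(), Counter()
    for ts, ip, status in records:
        if now - window <= ts <= now:
            requests[ip] += 1
            if 400 <= status < 500:
                errors[ip] += 1
    offenders = {}
    for ip, count in requests.items():
        if count >= request_limit:
            offenders[ip] = "http_flood"
        elif errors[ip] >= error_limit:
            offenders[ip] = "scanner_probe"
    return offenders

def refresh_block_list(block_list, offenders, now, retention=timedelta(hours=1)):
    """Drop entries whose retention has expired, then add offenders with a fresh
    expiry, mirroring the IP retention the manual IP lists support."""
    kept = {ip: expiry for ip, expiry in block_list.items() if expiry > now}
    for ip in offenders:
        kept[ip] = now + retention
    return kept
```

    In the deployed solution the same decision feeds an AWS WAF IP set rather than a Python dict; the expiry handling is what lets stale entries drop out instead of accumulating.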

Customer Reference
Peach Boosts Security and Customer Confidence Using AWS Security Automations
Digital advertising company Peach has a large digital footprint but historically has not been at high risk for cyberattacks. But when it noticed an uptick in attacks, the company knew it needed to take further steps to protect its systems.
So Peach turned to AWS for a solution, and now Peach not only blocks cyberattacks but also deters them—reducing needless service slowdowns and boosting customer confidence.