AWS WAF Setup and Configuration

February 13, 2026 | AWS WAF Security

Managed rules and rate-based protection.

AWS WAF: Setup and Configuration Guide

AWS WAF (Web Application Firewall) protects your web applications from common exploits like SQL injection, cross-site scripting, and DDoS attacks. Deployed in front of CloudFront, ALB, or API Gateway, WAF inspects every request and blocks malicious traffic before it reaches your application.

WAF Architecture

Client → CloudFront → AWS WAF → ALB → Application
                         ↓
                    Rule Evaluation
                    ├── Managed Rules (AWS + Marketplace)
                    ├── Custom Rules (your logic)
                    └── Rate-Based Rules (DDoS protection)

Creating a Web ACL

aws wafv2 create-web-acl \
  --name production-waf \
  --scope REGIONAL \
  --default-action Allow={} \
  --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=ProdWAF \
  --rules file://waf-rules.json

Recommended Managed Rules

Rule Group                             | Protection          | Cost
---------------------------------------|---------------------|----------------
AWSManagedRulesCommonRuleSet           | OWASP Top 10        | Free (with WAF)
AWSManagedRulesKnownBadInputsRuleSet   | Log4Shell, etc.     | Free
AWSManagedRulesSQLiRuleSet             | SQL injection       | Free
AWSManagedRulesAmazonIpReputationList  | Known malicious IPs | Free
AWSManagedRulesBotControlRuleSet       | Bot management      | $10/month

Rules Configuration

The file referenced by --rules file://waf-rules.json must contain a JSON array of rules. Wrapping that array in an object with a "Rules" key is the shape of the full request body, which only works with --cli-input-json.

[
  {
    "Name": "AWS-Common",
    "Priority": 1,
    "Statement": {
      "ManagedRuleGroupStatement": {
        "VendorName": "AWS",
        "Name": "AWSManagedRulesCommonRuleSet",
        "ExcludedRules": []
      }
    },
    "OverrideAction": {"None": {}},
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "AWS-Common"
    }
  },
  {
    "Name": "RateLimit",
    "Priority": 2,
    "Statement": {
      "RateBasedStatement": {
        "Limit": 2000,
        "AggregateKeyType": "IP"
      }
    },
    "Action": {"Block": {}},
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "RateLimit"
    }
  }
]

Rate-Based Rules for DDoS Protection

Rate-based rules automatically block IPs that exceed a request threshold:

  • Global rate limit: 2,000 requests per 5 minutes per IP
  • Login endpoint: 100 requests per 5 minutes per IP
  • API endpoint: 500 requests per 5 minutes per IP

Custom Rules

Every rule in a web ACL needs its own VisibilityConfig, so both examples below include one. Block requests from specific countries:

{
  "Name": "GeoBlock",
  "Priority": 0,
  "Statement": {
    "GeoMatchStatement": {
      "CountryCodes": ["CN", "RU", "KP"]
    }
  },
  "Action": {"Block": {}},
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "GeoBlock"
  }
}

Block requests whose User-Agent header is empty:

{
  "Name": "RequireUserAgent",
  "Priority": 3,
  "Statement": {
    "SizeConstraintStatement": {
      "FieldToMatch": {"SingleHeader": {"Name": "user-agent"}},
      "ComparisonOperator": "EQ",
      "Size": 0,
      "TextTransformations": [{"Priority": 0, "Type": "NONE"}]
    }
  },
  "Action": {"Block": {}},
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "RequireUserAgent"
  }
}

Monitoring and Tuning

  • Enable logging — Send WAF logs to S3 or CloudWatch for analysis
  • Start in Count mode — Run new rules in count mode first to check for false positives
  • Review blocked requests — Check sampled requests weekly for legitimate traffic being blocked
  • Tune rules — Exclude specific rules that cause false positives for your application
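The three rate limits listed under "Rate-Based Rules for DDoS Protection" and the "start in Count mode" rollout above, as an added example that is not part of this guide or of any AWS tooling. It generates the per-endpoint rate-based rules (the endpoint-specific ones use a ScopeDownStatement on the URI path) and a helper that switches any rule list to Count mode. The paths /login and /api/ are constructed assumptions; adjust them to your application.

```python
# Added example: build per-endpoint rate-based rules and a Count-mode switch.
# Output is the JSON array that `aws wafv2 create-web-acl --rules file://...` expects.
import base64
import json

# (rule name, requests per 5-minute window per IP, URI prefix; None = all requests)
# The /login and /api/ prefixes are assumed for this example.
RATE_LIMITS = [
    ("RateLimit-Global", 2000, None),
    ("RateLimit-Login", 100, "/login"),
    ("RateLimit-API", 500, "/api/"),
]


def visibility(name):
    return {"SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True, "MetricName": name}


def rate_rule(name, limit, prefix, priority):
    stmt = {"Limit": limit, "AggregateKeyType": "IP"}
    if prefix:  # only count requests whose path starts with the prefix
        stmt["ScopeDownStatement"] = {"ByteMatchStatement": {
            "FieldToMatch": {"UriPath": {}},
            "PositionalConstraint": "STARTS_WITH",
            # SearchString is a blob: AWS CLI v2 expects base64 by default, boto3 takes bytes
            "SearchString": base64.b64encode(prefix.encode()).decode(),
            "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
        }}
    return {"Name": name, "Priority": priority,
            "Statement": {"RateBasedStatement": stmt},
            "Action": {"Block": {}}, "VisibilityConfig": visibility(name)}


def build_rate_rules(first_priority=10):
    # Tighter endpoint limits get lower priority numbers so WAF evaluates them
    # before the global limit; priorities must be unique within the web ACL.
    ordered = sorted(RATE_LIMITS, key=lambda r: r[1])
    return [rate_rule(n, l, p, first_priority + i) for i, (n, l, p) in enumerate(ordered)]


def to_count_mode(rules):
    """Return a copy with every rule set to Count (managed groups use OverrideAction)."""
    out = []
    for rule in rules:
        r = json.loads(json.dumps(rule))  # deep copy; leaves the input untouched
        r["OverrideAction" if "OverrideAction" in r else "Action"] = {"Count": {}}
        out.append(r)
    return out


if __name__ == "__main__":
    with open("waf-rate-rules.json", "w") as fh:
        json.dump(to_count_mode(build_rate_rules()), fh, indent=2)
```

After the review period, regenerate the file with build_rate_rules() alone (Block actions) and apply it with update-web-acl.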

Eazy SaaS Tip: We deploy AWS WAF with all free managed rule groups enabled in count mode for the first week. After reviewing the logs and confirming no legitimate traffic is blocked, we switch to block mode. This zero-risk rollout prevents false positives from affecting your users.