
AWS WAF

AWS WAF (Web Application Firewall) protects web applications from common attacks. It filters malicious requests before they reach the application.

What is AWS WAF?

AWS WAF (Web Application Firewall) is a firewall specifically designed for web applications. Whilst a traditional network firewall filters traffic at the network layer, a web application firewall inspects the content of individual HTTP requests. It detects typical attack patterns targeting web applications and blocks malicious requests before they even reach the application.

AWS WAF is deployed in front of publicly accessible components – typically in front of a CloudFront distribution, a load balancer or an API Gateway. It thus provides an additional layer of protection at the outer boundary of the application.

What AWS WAF protects against

  • SQL injection: Attempts to gain unauthorised access to the database via manipulated inputs.
  • Cross-site scripting (XSS): Injecting malicious code into web pages.
  • Malicious bots: Automated access attempts that scrape content or brute-force login credentials.
  • Overload from individual sources: Rate-based rules can intercept a flood of requests from a single IP address by blocking that address once it exceeds a request limit within a time window.

Rules and Managed Rule Groups

AWS WAF works with rules that determine which requests are allowed, blocked or examined more closely. You do not need to develop these rules from scratch yourself: AWS and its partners provide pre-built rule sets – known as Managed Rule Groups – that protect against common threats and are continuously updated. A common rule set is based on the OWASP Top 10, the established list of the most common security risks in web applications.

Monitor before blocking

A best practice is to run new rules in observation mode first. In AWS WAF this is the Count action: the rule records which requests it matches in the WAF logs and CloudWatch metrics, but does not affect them. This allows you to identify which requests a rule would affect without accidentally blocking legitimate users. Only after reviewing those matches and scoping out false positives is the rule switched to Block.
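As an added example (not code from the original page or from AWS), the script below shows the two halves of this procedure together: how a Web ACL rule list looks with the managed Core Rule Set overridden to Count plus a rate-based rule per IP, and how to triage the count-phase logs to see which rules would have blocked which requests before switching the group to enforcement. The rule dictionaries follow the wafv2 API shape that boto3's create_web_acl/update_web_acl accept, the log records are constructed samples in the documented AWS WAF JSON log layout, and the rule names and IP addresses are illustrative. Nothing here talks to AWS, so it runs offline.

```python
"""Added example (not from the original page or AWS): stage an AWS WAF
Web ACL in Count mode, triage the count-phase logs, then promote to Block.

Assumptions: rule dicts follow the wafv2 API shape accepted by boto3's
create_web_acl/update_web_acl; the log records are constructed samples
in the documented AWS WAF JSON log layout. Nothing here talks to AWS.
"""
import json
from collections import Counter, defaultdict

CRS = "AWSManagedRulesCommonRuleSet"  # AWS's OWASP-style baseline group


def _visibility(metric):
    return {"SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True, "MetricName": metric}


def build_rules(observe_only, rate_limit=2000):
    """Rules list for a Web ACL. observe_only=True overrides the managed
    group to Count (log and meter only); False lets its own Block actions
    apply. The rate-based rule blocks any single IP that exceeds
    rate_limit requests in WAF's default 5-minute evaluation window."""
    override = {"Count": {}} if observe_only else {"None": {}}
    return [
        {"Name": CRS, "Priority": 0,
         "Statement": {"ManagedRuleGroupStatement":
                       {"VendorName": "AWS", "Name": CRS}},
         "OverrideAction": override,
         "VisibilityConfig": _visibility("CommonRuleSet")},
        {"Name": "RateLimitPerIp", "Priority": 1,
         "Statement": {"RateBasedStatement":
                       {"Limit": rate_limit, "AggregateKeyType": "IP"}},
         "Action": {"Block": {}},
         "VisibilityConfig": _visibility("RateLimitPerIp")},
    ]


def _log(ip, method, uri, counted_rules):
    """Constructed WAF log record (a subset of the real fields)."""
    return json.dumps({
        "action": "ALLOW", "terminatingRuleId": "Default_Action",
        "ruleGroupList": [{
            "ruleGroupId": f"AWS#{CRS}#Version_1.0",
            "terminatingRule": None,
            "nonTerminatingMatchingRules":
                [{"ruleId": r, "action": "COUNT"} for r in counted_rules],
        }],
        "nonTerminatingMatchingRules": [],
        "httpRequest": {"clientIp": ip, "httpMethod": method, "uri": uri},
    })


SAMPLE_LOGS = [  # constructed sample traffic, not real logs
    _log("192.0.2.5", "GET", "/", []),
    _log("198.51.100.7", "GET", "/search", ["CrossSiteScripting_QUERYARGUMENTS"]),
    _log("203.0.113.10", "GET", "/static/..%2f..%2fetc/passwd", ["GenericLFI_URIPATH"]),
    _log("203.0.113.44", "POST", "/api/upload", ["SizeRestrictions_BODY"]),
    _log("203.0.113.45", "POST", "/api/upload", ["SizeRestrictions_BODY"]),
]


def triage_count_logs(lines):
    """Per count-mode rule: how many requests it matched and on which URIs,
    plus how many requests would have been blocked had it been enforcing."""
    by_rule = defaultdict(Counter)
    requests = would_block = 0
    for line in lines:
        rec = json.loads(line)
        requests += 1
        uri = rec["httpRequest"]["uri"]
        # Count matches appear at the ACL level and inside each rule group.
        counted = list(rec.get("nonTerminatingMatchingRules") or [])
        for grp in rec.get("ruleGroupList") or []:
            counted += grp.get("nonTerminatingMatchingRules") or []
        hits = [r["ruleId"] for r in counted if r.get("action") == "COUNT"]
        for rule in hits:
            by_rule[rule][uri] += 1
        would_block += bool(hits)
    return {
        "requests": requests,
        "would_block": would_block,
        "by_rule": {r: {"hits": sum(c.values()), "uris": sorted(c)}
                    for r, c in by_rule.items()},
    }


if __name__ == "__main__":
    print(json.dumps(triage_count_logs(SAMPLE_LOGS), indent=2))
    # SizeRestrictions_BODY fires only on the upload endpoint: a likely
    # false positive to scope out before calling build_rules(False).
```

Reading the report, a rule that matches only one legitimate endpoint (here the body-size rule on the upload path) is a candidate for a scope-down statement or a rule action override before the group is promoted; the XSS and LFI matches are the kind of traffic the group exists to block.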

AWS WAF for SMEs

Every publicly accessible web application is exposed to automated attacks – this is not an exception, but the norm on the internet. AWS WAF offers a pragmatic introduction to application protection: with Managed Rule Groups, a solid baseline level of protection can be achieved quickly, which can then be refined with your own application-specific rules. WAF does not replace secure code, but complements it with an effective additional line of defence.

Frequently asked questions about AWS WAF

AWS WAF charges a monthly fee per Web ACL (around 5 USD), per rule and per million checked requests. Managed Rule Groups can incur additional fees. For medium-sized applications, the total costs are typically in the low double-digit euro range per month.

A classic firewall filters traffic at network level based on IP addresses and ports. A web application firewall checks the content of individual HTTP requests and recognises application-specific attacks such as SQL injection or cross-site scripting. Both complement each other.

No. AWS WAF is an additional line of defence, not a replacement for secure development. The application itself must continue to check inputs properly. WAF intercepts many common attacks at the perimeter and provides valuable response time in an emergency.

This is possible if rules are configured too strictly. It is therefore advisable to first run new rules in count (observation) mode and evaluate in the logs which requests would be affected before actually blocking them.

Interested?

Let's talk about your project. We're happy to advise you with no obligation.

Contact us

Last updated: May 2026