Provide a Firewall to your AWS frontend using AWS WAF
January 09, 2025

Anonymous | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User

Overall Satisfaction with AWS WAF

We are using AWS WAF in front of all our CloudFront distributions and some API Gateways. We need AWS WAF to prevent DDoS attacks on our websites, as it provides rate-limiting rules for requests, Bot Control features, the AWS managed common rule set against dangerous IP addresses, and many more features. Introducing AWS WAF in front of all our CloudFront distributions reduced many attacks and rate-limited bot requests to our websites. The WAF also provides features to send metrics for all requests, based on certain criteria, to an OpenSearch domain, allowing us to send custom alerts to Slack for imminent attacks and requests exceeding the rate limit. AWS WAF is certainly a state-of-the-art product from AWS that integrates easily with most AWS products.

Pros

  • AWS WAF prevents DDoS attacks by providing a feature to rate-limit the requests originating from a certain IP address. It has prevented a lot of attacks on our websites. It is quick in identifying heavy request volumes on our domains and alerting us to attacks.
  • AWS WAF has a Bot Control feature that identifies certain bots attacking our frontend websites to crawl data. These bots, just like ChatGPT, try to steal our data and use it for machine learning purposes. AWS WAF has a managed rule to identify such bots that crawl data or send bulk requests and to stop requests from these bots from reaching our websites.
  • An amazing feature of AWS WAF is the precedence of the rules for blocking/allowing requests. We are using a lot of AWS managed rules, and sometimes requests from our backend or from our offices were being blocked by AWS managed rules, such as the rate limit, when performing stress tests on our websites. AWS WAF allows adding custom rules before the managed rules, which allows certain IP addresses to send unlimited traffic to our websites and does not block our day-to-day work.

Cons

  • AWS Bot protection is an amazing functionality, but it is expensive. There is also room for improvement in the Bot protection to block Small Language Models. The SLMs are growing day by day, and there should be some more restrictions added for these bots.
  • One area where WAF can improve is the metrics shown on the AWS WAF console. Sometimes it is very hard to follow these metrics. There should be an easy UI for filtering BLOCK/ALLOW requests on the AWS WAF console so that it is easy to debug why certain requests were blocked.
  • The UI should not be the native CloudWatch one; a separate UI could be developed with features to filter the requests based on the URI, path, Host header, IP addresses, etc.
  • I know that this can be achieved with CloudWatch and OpenSearch, but I find using these two a bit expensive.
  • AWS WAF should expand its functionality to integrate with applications that are not hosted on AWS as well. Currently, there is no such functionality, and to implement it we need to introduce an AWS managed resource in front of our current applications.
  • With the introduction of rate limiting using AWS WAF on our websites, we have filtered out a lot of requests originating from the same IP address in a very small span of time. We identified that these are rival bots trying to crawl data from our websites. This reduced traffic on our websites by 20% but had a positive impact, because the rival organizations were no longer able to crawl data from our websites.
  • We had forgotten to add one of our websites behind AWS WAF. What we found later was a DDoS attack on our website again and again. When we realised our mistake, we added AWS WAF, and we never saw another DDoS attack on the same domain.
  • As a negative impact, I can say that we are paying a lot of money for bot protection, and this disrupts the budget of the DevOps team.
AWS WAF is an amazing tool to prevent rival companies from crawling data on our websites. It can help to prevent DDoS attacks and provides multiple rules to allow internal traffic based on IP sets, patterns, etc. It gives additional protection to the websites against possible attacks from IPs that are not in a list of reputable IP addresses.
When it comes to integration with AWS resources, we found that AWS WAF can easily integrate with CloudFront, API Gateway, ALB, etc. When we analyzed other products, we found that the integration can be a little more difficult than just a click of a button. However, the pricing we were offered for Cloudflare was less than that of AWS WAF, but the leadership decided to use the discounts offered by AWS to manage the AWS WAF pricing.

Do you think AWS WAF delivers good value for the price?

Yes

Are you happy with AWS WAF's feature set?

Yes

Did AWS WAF live up to sales and marketing promises?

Yes

Did implementation of AWS WAF go as expected?

Yes

Would you buy AWS WAF again?

Yes

Well Suited:
1. To prevent DDoS attacks: AWS WAF has a lot of managed rules to prevent DDoS attacks based on traffic originating from a particular IP, IP reputation, etc.
2. To rate-limit requests: Well, it sounds similar to preventing DDoS attacks, but it can also be used to rate-limit requests originating from the same IP address. We have used this feature so that we can test multiple failure scenarios for our application.
3. To prevent data crawling: The Bot Control feature allows us to prevent bots from crawling data on our websites.

Not Suited:
1. To integrate applications outside of AWS Cloud: As I mentioned in my previous comments, this type of integration requires a custom implementation of another AWS resource.

Using AWS WAF

12 - They are all part of the same team, which is Cloud Platform Engineering (DevOps). We use AWS WAF to provide security to our frontends, and that is why all of the DevOps team needs access to AWS WAF.
12 - All of the DevOps team has the knowledge to use WAF. There are basically no skills required to manage AWS WAF, as AWS provides easy customization and attachment to AWS resources. However, one should learn about the pricing of AWS WAF before integrating it with any AWS resource and before enabling any feature that will result in a higher price for AWS WAF.
  • Preventing DDoS attacks
  • Rate-limiting requests originating from the same IP address
  • Preventing data crawling by LLMs
  • We added AWS WAF in front of an ALB that sends traffic to one of our websites not hosted on the AWS cloud
  • In front of CloudFront
  • In front of API Gateway
We have been using AWS WAF for the past 3 years in front of our websites. We find it useful in preventing data crawling, DDoS attacks, etc. on our websites, and hence we are going to use it in the future as well. AWS WAF is one of the best firewalls in the business.
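The rule ordering the review describes (an allow-list for office and backend IPs evaluated before the per-IP rate limit and the AWS managed rules), as an added example that is not the reviewer's configuration. The rule list below follows the shape of the AWS WAFv2 CreateWebACL/UpdateWebACL `Rules` parameter; the IP set ARN, CIDRs, rule names and request limit are placeholders; and the evaluator is a simplified local model of WAF's semantics (rules evaluated in ascending `Priority`, first terminating Allow/Block wins, default action Allow), not the AWS engine. It also shows the failure mode the review warns about: moving the allow-list behind the rate rule gets the stress-testing office IP blocked.

```python
"""Added example (not the reviewer's configuration): a WAFv2 web ACL rule list
with an allow-list evaluated before blocking rules, a local ordering check, and
a simplified model of priority-ordered evaluation. All identifiers are placeholders."""

import copy
import ipaddress
from collections import Counter

# Placeholder ARN; an IP set is created separately with wafv2 CreateIPSet.
OFFICE_IPSET_ARN = "arn:aws:wafv2:us-east-1:123456789012:global/ipset/office-and-backend/PLACEHOLDER"
OFFICE_CIDRS = ["203.0.113.0/24", "198.51.100.7/32"]   # constructed sample (TEST-NET ranges)
RATE_LIMIT = 2000                                      # requests per source IP per 5-minute window


def visibility(metric_name):
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": metric_name}


# Lower Priority values are evaluated first; Allow and Block are terminating actions.
WEB_ACL_RULES = [
    {   # custom allow-list BEFORE anything that can block
        "Name": "AllowOfficeAndBackend", "Priority": 0,
        "Statement": {"IPSetReferenceStatement": {"ARN": OFFICE_IPSET_ARN}},
        "Action": {"Allow": {}}, "VisibilityConfig": visibility("AllowOfficeAndBackend"),
    },
    {   # per-IP rate limit (a custom rate-based rule)
        "Name": "RateLimitPerIp", "Priority": 1,
        "Statement": {"RateBasedStatement": {"Limit": RATE_LIMIT, "AggregateKeyType": "IP"}},
        "Action": {"Block": {}}, "VisibilityConfig": visibility("RateLimitPerIp"),
    },
    {   # AWS managed IP reputation group; OverrideAction None lets its Block actions apply
        "Name": "AWSManagedIpReputation", "Priority": 2,
        "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS",
                                                    "Name": "AWSManagedRulesAmazonIpReputationList"}},
        "OverrideAction": {"None": {}}, "VisibilityConfig": visibility("AWSManagedIpReputation"),
    },
]


def allowlist_precedes_blocking_rules(rules):
    """Pre-deploy check: every Allow rule must sit before every rule that can Block."""
    allow_prios = [r["Priority"] for r in rules if "Allow" in r.get("Action", {})]
    block_prios = [r["Priority"] for r in rules
                   if "Block" in r.get("Action", {}) or "ManagedRuleGroupStatement" in r["Statement"]]
    return bool(allow_prios) and bool(block_prios) and max(allow_prios) < min(block_prios)


def in_ipset(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def rule_matches(rule, ip, count, reputation_list):
    """Simplified matching: one IP set, one rate key, reputation list as a plain set."""
    stmt = rule["Statement"]
    if "IPSetReferenceStatement" in stmt:
        return in_ipset(ip, OFFICE_CIDRS)
    if "RateBasedStatement" in stmt:
        return count > stmt["RateBasedStatement"]["Limit"]
    if "ManagedRuleGroupStatement" in stmt:
        return ip in reputation_list
    return False


def evaluate(rules, requests, reputation_list=frozenset()):
    """Local model, not the AWS engine: ascending Priority, first terminating action wins,
    web ACL default action Allow. `requests` is treated as one 5-minute window."""
    counts = Counter(requests)
    decisions = {}
    for ip, count in counts.items():
        decision = "ALLOW"
        for rule in sorted(rules, key=lambda r: r["Priority"]):
            if not rule_matches(rule, ip, count, reputation_list):
                continue
            if "Action" in rule:
                decision = next(iter(rule["Action"])).upper()      # "ALLOW" or "BLOCK"
                break
            if "None" in rule.get("OverrideAction", {}):           # group's own Block applies
                decision = "BLOCK"
                break
            # OverrideAction Count: match is only counted, evaluation continues
        decisions[ip] = decision
    return decisions


def misordered_rules():
    """The mistake the review describes: allow-list placed after the blocking rules."""
    rules = copy.deepcopy(WEB_ACL_RULES)
    for r in rules:
        if r["Name"] == "AllowOfficeAndBackend":
            r["Priority"] = 5
    return rules


# Constructed traffic: office stress test, a scraper, a normal visitor, a reputation-listed IP.
SAMPLE_TRAFFIC = ["203.0.113.10"] * 2500 + ["192.0.2.50"] * 2500 + ["192.0.2.9"] * 5 + ["192.0.2.66"]
SAMPLE_REPUTATION_LIST = frozenset({"192.0.2.66"})

if __name__ == "__main__":
    print("ordering ok:", allowlist_precedes_blocking_rules(WEB_ACL_RULES))
    print(evaluate(WEB_ACL_RULES, SAMPLE_TRAFFIC, SAMPLE_REPUTATION_LIST))
    print("misordered:", evaluate(misordered_rules(), SAMPLE_TRAFFIC, SAMPLE_REPUTATION_LIST))
```

With the correct ordering the office IP stays allowed despite exceeding the limit, the scraper and the reputation-listed IP are blocked, and the normal visitor passes; with the allow-list moved to priority 5 the office IP is blocked by the rate rule before its allow rule is ever reached. The `allowlist_precedes_blocking_rules` check is the kind of guard worth running in a pipeline before calling UpdateWebACL.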
