AWS WAF - AWS GovCloud (US)


This service is currently available in AWS GovCloud (US-West) only.

AWS WAF is a web application firewall that lets you monitor web requests that are forwarded to Amazon CloudFront distributions, Application Load Balancers, or Amazon API Gateway APIs. You can also use AWS WAF to block or allow requests based on conditions that you specify, such as the IP addresses that requests originate from or values in the requests.

How AWS WAF Differs for AWS GovCloud (US)

AWS WAF for AWS GovCloud (US) doesn't support the following functionality:

  • AWS Marketplace managed rule groups are not available in AWS GovCloud (US). Managed rule groups are collections of predefined, ready-to-use rules that AWS and AWS Marketplace sellers write and maintain for you. AWS managed rule groups are provided free of charge with AWS WAF and are available for use in AWS GovCloud (US). AWS Marketplace rule groups are provided for subscription by AWS Marketplace sellers and aren't available for use in AWS GovCloud (US). For more information about managed rule groups in AWS WAF, see Managed rule groups in the AWS WAF, AWS Firewall Manager, and AWS Shield Advanced Developer Guide.

  • Logging of web ACL traffic information is not available in AWS GovCloud (US). Logging provides detailed information about traffic that is analyzed by your web ACL. For information about logging in AWS WAF, see Logging Web ACL traffic information in the AWS WAF, AWS Firewall Manager, and AWS Shield Advanced Developer Guide.

Documentation for AWS WAF

AWS WAF documentation.

ITAR Boundary

AWS GovCloud (US) has an ITAR boundary, which defines where customers are allowed to store ITAR-controlled data for this service in the AWS GovCloud (US-West) Region. To maintain ITAR compliance, you must place ITAR-controlled data on the applicable part of the ITAR boundary. If you do not have any ITAR-controlled data in the AWS GovCloud (US-West) Region, this section does not apply to you. The following information identifies the ITAR boundary for this service:

ITAR-Regulated Data Permitted

  • Not applicable

ITAR-Regulated Data Not Permitted

No ITAR-regulated data may be entered, stored, or processed by AWS WAF. For example, AWS WAF metadata is not permitted to contain ITAR-regulated data.

For example, do not enter ITAR-regulated data in the following fields:

  • Web ACL name

  • CloudWatch metric name

  • Condition

  • Rule name

  • String filters and regex pattern set