AWS WAF Security Automations

Deployment Considerations

The AWS WAF Security Automations solution is designed to protect web applications deployed with Amazon CloudFront or with an Application Load Balancer. The following sections provide other constraints and considerations for implementing this solution.

AWS WAF Limits

Web ACL Rules

The web ACL that this solution generates is designed to offer comprehensive protection for web applications. The default configuration adds eight AWS WAF rules to the solution’s web ACL. You can manually modify the web ACL to add further rules, but note that there is a 10-rule limit for individual web ACLs.

IP Match Conditions

AWS WAF can block a maximum of 10,000 IP address ranges (in CIDR notation) per IP match condition. Each list that this solution creates is subject to this limit. The whitelist and blacklist sets (manual IP lists component) are separate lists, each with a 10,000 IP address limit. The third-party IP block list (IP list parsing component) uses two IP match conditions to offer a combined limit of 20,000 IP addresses. See Limits in the AWS WAF Developer Guide for more information.

AWS Regions and Multiple Deployments

The solution includes two AWS CloudFormation templates: one for web applications deployed with Amazon CloudFront and one for web applications deployed with an Application Load Balancer. Customers who use Amazon CloudFront for their applications can deploy the solution template in any AWS Region. Once deployed, AWS WAF can monitor web requests for any other CloudFront edge location. Customers who use Application Load Balancers for their applications must deploy the solution template in an AWS Region that supports AWS WAF for Application Load Balancers. For the most current service availability by region, see AWS service offerings by region.

Customers can deploy the AWS WAF Security Automations solution in different AWS Regions, or deploy it multiple times in the same AWS Region. Each unique deployment will incur the charges described in the Cost section.


If you plan to configure multiple instances of the solution in the same region, you must use a unique AWS CloudFormation stack name and Amazon S3 bucket name for each deployment.

Cross-Site Scripting False Positives

This solution configures a native AWS WAF rule that inspects commonly explored elements of incoming requests to identify and block cross-site scripting (XSS) attacks. This detection pattern is less effective if your workload legitimately allows users to compose and submit HTML, for example a rich text editor in a content management system. In this scenario, consider creating an exception rule that bypasses the default XSS rule for specific URL patterns that accept rich text input, and implement alternate mechanisms to protect those excluded URLs.

Additionally, some image or custom data formats can trigger false positives because they contain patterns indicating a potential XSS attack in HTML content. For example, an SVG file might contain a <script> tag. If you expect this type of content from legitimate users, narrowly tailor your XSS rules to allow HTML requests that include these other data formats.

Complete the following steps to update the XSS rule to exclude URLs that accept HTML as input. See the AWS WAF Developer Guide for detailed instructions.

  1. Sign in to the AWS Management Console and open the AWS WAF console at

  2. Create a string match condition.

  3. Configure the filter settings to inspect URI and list values that you want to match.

  4. Edit the solution’s XSS Rule and add the new condition you created.

    To make sure you exclude all URLs in the list, specify the following values for the new condition:

    • does not

    • match at least one of the filters in the string match condition

    • Choose your string match condition.
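The same procedure can be scripted. The following is an added example, not code from the solution: it builds the update payloads for the AWS WAF Classic API (boto3 `waf` or `waf-regional` client) and models locally how the negated condition changes what the XSS rule blocks. The URL prefixes, the set name, and the sample requests are constructed assumptions.

```python
# Added example. Payload shapes follow the AWS WAF Classic API (boto3 "waf" for
# CloudFront, "waf-regional" for an Application Load Balancer).
# Assumption: these prefixes are hypothetical URLs that accept HTML input.
EXCLUDED_PREFIXES = ["/cms/editor/", "/uploads/svg/"]

def byte_match_updates(prefixes):
    """Step 3: one URI filter per URL prefix that accepts HTML input."""
    return [{"Action": "INSERT",
             "ByteMatchTuple": {"FieldToMatch": {"Type": "URI"},
                                "TargetString": p.lower().encode(),
                                "TextTransformation": "LOWERCASE",
                                "PositionalConstraint": "STARTS_WITH"}}
            for p in prefixes]

def rule_update(byte_match_set_id):
    """Step 4: 'does not match at least one filter' is a negated predicate."""
    return {"Action": "INSERT",
            "Predicate": {"Negated": True, "Type": "ByteMatch",
                          "DataId": byte_match_set_id}}

def uri_excluded(uri, updates):
    """Local model: a string match condition matches if any filter matches."""
    lowered = uri.lower().encode()  # mirrors the LOWERCASE transformation
    return any(lowered.startswith(u["ByteMatchTuple"]["TargetString"])
               for u in updates)

def xss_rule_blocks(uri, xss_detected, updates):
    """Local model: rule predicates are ANDed (XSS match AND NOT excluded)."""
    return xss_detected and not uri_excluded(uri, updates)

def apply(xss_rule_id, service="waf-regional"):
    """Create the condition and attach it to the solution's XSS rule."""
    import boto3  # imported here so the local model runs without the SDK
    waf = boto3.client(service)
    token = waf.get_change_token()["ChangeToken"]
    created = waf.create_byte_match_set(Name="xss-excluded-uris",
                                        ChangeToken=token)
    set_id = created["ByteMatchSet"]["ByteMatchSetId"]
    token = waf.get_change_token()["ChangeToken"]  # one token per change
    waf.update_byte_match_set(ByteMatchSetId=set_id, ChangeToken=token,
                              Updates=byte_match_updates(EXCLUDED_PREFIXES))
    token = waf.get_change_token()["ChangeToken"]
    waf.update_rule(RuleId=xss_rule_id, ChangeToken=token,
                    Updates=[rule_update(set_id)])
    return set_id
```

The trailing slash on each prefix keeps the exclusion narrow: with `/cms/editor/`, a request to `/cms/editorial` is still inspected by the XSS rule.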