Overview - AWS WAF Security Automations


AWS WAF is a web application firewall that helps protect web applications from common web exploits that can affect application availability, compromise security, or consume excessive resources. AWS WAF enables customers to define customizable web security rules, giving them control over which traffic to allow or block to web applications and APIs deployed on Amazon CloudFront, an Application Load Balancer, or API Gateway.

Configuring WAF rules can be challenging and burdensome for large and small organizations alike, especially for those without a dedicated security team. To simplify this process, AWS offers the AWS WAF Security Automations solution, which automatically deploys a single web access control list (web ACL) with a set of AWS WAF rules designed to filter common web-based attacks. During initial configuration of this solution's AWS CloudFormation template, you specify which protective features to include, as shown in Figure 1. After the solution is deployed, AWS WAF begins inspecting web requests to the existing CloudFront distribution or Application Load Balancer that you associate with the web ACL, and blocks the requests that match an activated rule.


Figure 1: Configuration of the AWS WAF web ACL

The information in this guide assumes working knowledge of AWS services such as AWS WAF, Amazon CloudFront, Application Load Balancers, and AWS Lambda. It also requires basic knowledge of common web-based attacks, and mitigation strategies.


You are responsible for the cost of the AWS services used while running the AWS WAF Security Automations solution. The total cost of running this solution depends on which protection features you activate and on the amount of data ingested, stored, and processed. For full details, see the pricing webpage for each AWS service you will be using in this solution.


If you select the Athena Log Parser during installation, this solution schedules a query to run against the WAF logs and/or application access logs in the Amazon S3 bucket(s) you configure. You are charged based on the amount of data scanned by each query. Partitioning is applied to both the logs and the queries to keep costs low. By default, application access logs are moved from their original S3 location into a partitioned folder structure. You have the option to keep the original logs as well, but you will then be charged for storing duplicate logs. This solution uses Athena workgroups to segment its workloads; workgroups can be configured to manage query access and to cap the data scanned per query. See Appendix F for a sample cost estimate calculation. For more information, see Amazon Athena Pricing.
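The cost point above is that Athena bills per byte scanned, so a query that names the partition columns reads one folder while a query without them reads the whole table. The statement below is an added example written for this guide, not a query shipped with the solution; the table name waf_access_logs and the partition columns year, month, day and hour are assumptions, so substitute the names from the table the stack actually created in Athena. The httprequest.clientip and action columns follow the standard AWS WAF log schema.

```sql
-- Added example, not part of the AWS WAF Security Automations solution.
-- Assumed table name and partition columns (year, month, day, hour); check the
-- table definition the stack created in Athena before running this.

-- Cheap: restricts the scan to a single hourly partition, so Athena reads only
-- the objects under that one S3 prefix before applying the remaining filters.
SELECT httprequest.clientip AS client_ip,
       count(*)             AS blocked_requests
FROM   waf_access_logs
WHERE  year   = '2024'
  AND  month  = '05'
  AND  day    = '14'
  AND  hour   = '13'
  AND  action = 'BLOCK'
GROUP  BY httprequest.clientip
ORDER  BY blocked_requests DESC
LIMIT  20;

-- Expensive: the same question asked without partition predicates. Athena must
-- scan every object the table covers, and you are billed for all of it, even
-- though the result is identical for the hour shown above.
SELECT httprequest.clientip AS client_ip,
       count(*)             AS blocked_requests
FROM   waf_access_logs
WHERE  action = 'BLOCK'
GROUP  BY httprequest.clientip
ORDER  BY blocked_requests DESC
LIMIT  20;
```

Compare the "Data scanned" figure Athena reports for the two statements to see the effect. If you let analysts run ad hoc queries against these tables, put them in a separate workgroup with a per-query data scanned limit so that an unpartitioned query is cut off rather than billed in full.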