AWS WAF Security Automations
AWS WAF Security Automations


AWS WAF is a web application firewall that helps protect web applications from common web exploits that can affect application availability, compromise security, or consume excessive resources. AWS WAF enables customers to define customizable web security rules, giving them control over which traffic to allow or block to web applications deployed on Amazon CloudFront or with an Application Load Balancer.

Configuring WAF rules can be challenging and burdensome to large and small organizations alike, especially for those who do not have dedicated security teams. To simplify this process, AWS offers the AWS WAF Security Automations solution, which automatically deploys a single web access control list (web ACL) with a set of AWS WAF rules designed to filter common web-based attacks. During initial configuration of the solution’s AWS CloudFormation template, users specify which protective features to include, as depicted in the image below. After the solution is deployed, AWS WAF will begin inspecting web requests to their existing CloudFront distributions or Application Load Balancer, and block them as applicable.

      Configuration of the AWS WAF web ACL

Figure 1: Configuration of the AWS WAF web ACL

The information in this guide assumes working knowledge of AWS services such as AWS WAF, Amazon CloudFront, Application Load Balancers, and AWS Lambda. It also requires basic knowledge of common web-based attacks, and mitigation strategies.


You are responsible for the cost of the AWS services used while running this solution. There is no additional cost for deploying the automated solution. As of the date of publication, the cost for running this solution with default settings in US East (N. Virginia) Region is approximately $14.00 per month in fixed AWS WAF charges ($5.00 for one web ACL and $1.00 for each of the nine rules) plus $0.65 per million web requests in combined, variable charges (which include AWS WAF request charges, AWS Lambda, Amazon S3, and Amazon API Gateway charges). This does not include costs incurred from Amazon CloudFront, Application Load Balancers, or other existing resources. The following table gives estimated monthly pricing based on number of web requests.

Web Requests Cost/Month
1 million $14.65
10 million $46.50
100 million $79.00

These pricing projections are subject to change and vary with the solution features that are activated. For full details, see the pricing webpage for each AWS service you will be using in this solution.

On this page: