Automatically launch and configure the AWS WAF settings and protective features that you choose to include during initial deployment by using the AWS CloudFormation template.
Overview
Security Automations for AWS WAF automatically deploys a set of AWS WAF (web application firewall) rules that filter common web-based attacks. You can select from preconfigured protective features that define the rules included in an AWS WAF web access control list (ACL). Once deployed, AWS WAF protects your Amazon CloudFront distributions or Application Load Balancers by inspecting web requests.
You can use AWS WAF to create custom, application-specific rules that block attack patterns to help ensure application availability, secure resources, and prevent excessive resource consumption.
This AWS Solution supports the latest version of the AWS WAF (AWS WAFV2) service API.
Benefits
Automatic WAF rules configuration
Log analysis
Activate AWS CloudFormation to provision an Amazon Athena query and a scheduled AWS Lambda function responsible for orchestrating Athena, processing result output, and updating AWS WAF.
Build your own monitoring dashboard
Build a customized dashboard to visualize Amazon CloudWatch metrics emitted by this solution, and gain insights into the pattern of attacks and protection provided by AWS WAF.
How it works
You can automatically deploy this architecture using the implementation guide and the accompanying AWS CloudFormation template.
Step 1
AWS Managed Rules (A) - This component contains AWS Managed Rules IP reputation rule groups, baseline rule groups, and use-case specific rule groups. These rule groups protect against exploitation of common application vulnerabilities or other unwanted traffic, including those described in OWASP publications, without having to write your own rules.
Manual IP lists (B and C) - These components create two AWS WAF rules. With these rules, you can manually insert IP addresses that you want to allow or deny. You can configure IP retention and remove expired IP addresses on allowed or denied IP sets using Amazon EventBridge rules and Amazon DynamoDB . For more information, refer to Configure IP retention on Allowed and Denied AWS WAF IP sets.
SQL Injection (D) and XSS (E) - These components configure two AWS WAF rules that are designed to protect against common SQL injection or cross-site scripting (XSS) patterns in the URI, query string, or body of a request.
HTTP Flood (F) - This component protects against attacks that consist of a large number of requests from a particular IP address, such as a web-layer DDoS attack or a brute-force login attempt. With this rule, you set a quota that defines the maximum number of incoming requests allowed from a single IP address within a default five-minute period (configurable with the Athena Query Run Time Schedule parameter). After this threshold is breached, additional requests from the IP address are temporarily blocked. You can implement this rule by using an AWS WAF rate-based rule, or by processing AWS WAF logs using a Lambda function or Athena query. For more information about the tradeoffs related to HTTP flood mitigation options, refer to Log parser options.
Scanner and Probe (G) - This component parses application access logs searching for suspicious behavior, such as an abnormal amount of errors generated by an origin. Then it blocks those suspicious source IP addresses for a customer-defined period of time. You can implement this rule using a Lambda function or Athena query. For more information about the tradeoffs related to scanner and probe mitigation options, refer to Log parser options.
IP Reputation Lists (H)
- This component is the
IP Lists Parser
Lambda function that checks third-party IP reputation lists hourly for new ranges to block. These lists include the Spamhaus Don’t Route Or Peer (DROP) and Extended DROP (EDROP) lists, the Proofpoint Emerging Threats IP list, and the Tor exit node list.
Bad Bot (I) - This component enhances bad bot detection by monitoring direct connections to an Application Load Balancer (ALB) or Amazon CloudFront, in addition to the honeypot mechanism. If a bot bypasses the honeypot and attempts to interact with ALB or CloudFront, the system analyzes request patterns and logs to identify malicious activity. When a bad bot is detected, its IP address is extracted and added to an AWS WAF block list to prevent further access. Bad bot detection operates through a structured logic chain, ensuring comprehensive threat coverage:
-
HTTP Flood Protection Lambda Log Parser – Collects bad bot IPs from log entries during flood analysis.
-
Scanner & Probe Protection Lambda Log Parser – Identifies bad bot IPs from scanner-related log entries.
-
HTTP Flood Protection Athena Log Parser – Extracts bad bot IPs from Athena logs, using partitions across query run.
-
Scanner & Probe Protection Athena Log Parser – Retrieves bad bot IPs from scanner-related Athena logs, using the same partitioning strategy.
-
Fallback Detection – If both HTTP Flood Protection and Scanner & Probe Protection are disabled, the system relies on the Log Lambda parser, which logs bot activity based on WAF label filters.
Deploy with confidence
We'll walk you through it
Get started fast. Read the implementation guide for deployment steps, architecture details, cost information, and customization options.
Let's make it happen
Ready to deploy? Open the CloudFormation template in the AWS Console to begin setting up the infrastructure you need. You'll be prompted to access your AWS account if you haven't yet logged in.
Deployment options
Download implementation guide
Follow the implementation guide for step-by-step actions to deploy this AWS Solution.
Source code
The source code for this AWS Solution is available in GitHub.
CloudFormation template
View or modify the CloudFormation template to customize your deployment.
Related content
Security Automations for AWS WAF - Terraform
Deploy Security Automations for AWS WAF with this Terraform template.
AWS Certified Security – Specialty
This exam tests your technical expertise in securing the AWS platform. This is for anyone in an experienced security role.