AWS WAF and DDoS Protection: Comprehensive Web Application Security

AWS WAF (Web Application Firewall) inspects HTTP(S) requests to CloudFront distributions, Application Load Balancers, API Gateway and similar resources and blocks web exploits, while AWS Shield provides DDoS mitigation: Shield Standard is applied automatically at no cost, and Shield Advanced is a paid subscription with additional detection, response and cost protection. This guide covers implementing web application security with these native services, using Terraform to define the configuration.

Web application security requires multiple layers of protection including WAF rules, rate limiting, bot management, and DDoS mitigation. AWS provides integrated services that work together to provide defense in depth.

WAF Web ACL Configuration

A web ACL is the unit you associate with a protected resource (for example an ALB, API Gateway stage or AppSync API with scope "REGIONAL", or a CloudFront distribution with scope "CLOUDFRONT", which must be created through a us-east-1 provider). Rules are evaluated in ascending priority order; the first rule whose action terminates (allow or block) decides the request, and a request that matches nothing gets the default action. Managed rule groups carry their own per-rule actions, so at the web ACL level they take an override_action (none to keep those actions, count to test) instead of an action.

resource "aws_wafv2_web_acl" "main" {
  name        = "production-waf"
  scope       = "REGIONAL"   # REGIONAL for ALB/API Gateway/AppSync; CLOUDFRONT for distributions
  description = "Production WAF rules"

  # Requests that match no terminating rule are allowed through
  default_action { allow {} }

  # Required at the web ACL level as well as on every rule
  visibility_config {
    sampled_requests_enabled   = true
    cloudwatch_metrics_enabled = true
    metric_name                = "production-waf"
  }

  # Lower priority numbers are evaluated first
  rule {
    name     = "AWSManagedRulesCommonRuleSet"
    priority = 1
    # none = keep the rule group's own block/count actions; count {} to test first
    override_action { none {} }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      sampled_requests_enabled   = true
      cloudwatch_metrics_enabled = true
      metric_name                = "CommonRuleSet"
    }
  }

  rule {
    name     = "AWSManagedRulesSQLiRuleSet"
    priority = 2
    override_action { none {} }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesSQLiRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      sampled_requests_enabled   = true
      cloudwatch_metrics_enabled = true
      metric_name                = "SQLiRuleSet"
    }
  }
}

Rate Limiting

A rate-based rule counts requests per aggregation key over a trailing window (5 minutes by default) and applies its action to a key for as long as that key stays above limit. The count is evaluated periodically rather than on every request, so a short burst can exceed the limit before blocking starts. aggregate_key_type = "IP" keys on the address that connects to the protected resource: for an internet-facing ALB that is the real client, but if a CDN or other proxy sits in front, every request arrives from the proxy's address and one noisy client can get the whole proxy blocked. In that deployment use "FORWARDED_IP" with a forwarded_ip_config naming the header (typically X-Forwarded-For), and make sure only the trusted proxy can reach the origin, because that header is client-supplied and WAF reads its first address. The rule block below belongs inside the aws_wafv2_web_acl resource alongside the managed rule groups.

# Nested inside aws_wafv2_web_acl.main with the rules above
rule {
  name     = "RateLimitRule"
  priority = 3
  action { block {} }    # a rule you define takes action, not override_action
  statement {
    rate_based_statement {
      limit              = 2000   # requests per aggregation key per 5-minute window
      aggregate_key_type = "IP"   # the connecting address; FORWARDED_IP behind a proxy
    }
  }
  visibility_config {
    sampled_requests_enabled   = true
    cloudwatch_metrics_enabled = true
    metric_name                = "RateLimit"
  }
}
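The difference between the two aggregation keys, and the spoofing caveat, is easiest to see by running traffic through a model of the rule. The Python below is an added example, not code from this page or from AWS: it models a rate-based rule as a sliding five-minute counter (the real service evaluates rates periodically and lets you choose a fallback behaviour for a missing header; both are simplified here), then sends constructed traffic through it keyed by connecting IP and by the first X-Forwarded-For address. Behind a proxy the IP key penalizes innocent clients, the forwarded-IP key isolates the scraper, and a client that can reach the origin directly defeats the forwarded-IP key by rotating the header. All addresses, the traffic shape and the limit of 100 are constructed for the example.

```python
"""Model of how an AWS WAF rate-based rule aggregates requests.

Added example, not code from the page or from AWS. Two aggregation keys are
modelled: "IP" (the address that connected to the protected resource) and
"FORWARDED_IP" (the first address in a configured header such as
X-Forwarded-For). The window is a plain sliding 300-second window and a
missing header simply means the request is not counted; real WAF evaluates
rates periodically and exposes the fallback as forwarded_ip_config.
"""
from collections import Counter, defaultdict, deque

WINDOW_SECONDS = 300          # default WAF rate evaluation window (5 minutes)


def aggregation_key(req, aggregate_key_type, header_name="X-Forwarded-For"):
    """Return the key WAF would count this request under, or None to skip it."""
    if aggregate_key_type == "IP":
        return req["source_ip"]
    if aggregate_key_type == "FORWARDED_IP":
        value = req["headers"].get(header_name)
        if not value:
            return None                      # simplified "missing header" fallback
        return value.split(",")[0].strip()   # WAF uses the first listed address
    raise ValueError(f"unknown aggregate_key_type {aggregate_key_type!r}")


class RateBasedRule:
    """Sliding-window counter: BLOCK once a key exceeds `limit` per window."""

    def __init__(self, limit, aggregate_key_type):
        self.limit = limit
        self.aggregate_key_type = aggregate_key_type
        self.windows = defaultdict(deque)

    def evaluate(self, req):
        key = aggregation_key(req, self.aggregate_key_type)
        if key is None:
            return "ALLOW"
        window = self.windows[key]
        window.append(req["time"])
        while window and window[0] <= req["time"] - WINDOW_SECONDS:
            window.popleft()
        return "BLOCK" if len(window) > self.limit else "ALLOW"


# Constructed addresses for the scenarios below
PROXY_IP = "10.0.0.5"          # a CDN/proxy sitting in front of the ALB
SCRAPER = "203.0.113.66"
HUMAN_A = "198.51.100.7"
HUMAN_B = "198.51.100.8"


def proxied_traffic():
    """160 requests, one per second, all arriving from the proxy's address.

    The scraper sends 150 of them; two humans send 5 each (t=20..24 and
    t=140..144). The real client address survives only in X-Forwarded-For.
    """
    reqs = []
    for t in range(160):
        if 20 <= t < 25:
            client = HUMAN_A
        elif 140 <= t < 145:
            client = HUMAN_B
        else:
            client = SCRAPER
        reqs.append({"time": t, "client": client, "source_ip": PROXY_IP,
                     "headers": {"X-Forwarded-For": f"{client}, {PROXY_IP}"}})
    return reqs


def spoofed_traffic():
    """150 requests straight to the origin, each with a fresh fake first hop."""
    return [{"time": t, "client": SCRAPER, "source_ip": SCRAPER,
             "headers": {"X-Forwarded-For": f"192.0.2.{t}, {SCRAPER}"}}
            for t in range(150)]


def blocked_per_client(traffic, aggregate_key_type, limit=100):
    """Count BLOCK decisions per real client under the given aggregation key."""
    rule = RateBasedRule(limit, aggregate_key_type)
    blocked = Counter()
    for req in traffic:
        if rule.evaluate(req) == "BLOCK":
            blocked[req["client"]] += 1
    return dict(blocked)


if __name__ == "__main__":
    print("IP key behind a proxy:      ", blocked_per_client(proxied_traffic(), "IP"))
    print("FORWARDED_IP behind a proxy:", blocked_per_client(proxied_traffic(), "FORWARDED_IP"))
    print("FORWARDED_IP, rotated XFF:  ", blocked_per_client(spoofed_traffic(), "FORWARDED_IP"))
    print("IP key, rotated XFF:        ", blocked_per_client(spoofed_traffic(), "IP"))
```

With the IP key behind the proxy, every request after the 100th is blocked regardless of who sent it, so the second human loses all five requests; with the forwarded-IP key only the scraper's requests beyond its own 100 are blocked. The last two scenarios show the flip side: once an attacker can talk to the origin directly, a forwarded-IP key is defeated by rotating the header, while the IP key still works, which is why FORWARDED_IP should only be used when the origin is reachable solely through the proxy that sets the header.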

Bot Control

Bot Control is a paid managed rule group billed per request it inspects, so scope it down (a scope_down_statement) to the paths that need it. The COMMON inspection level covers self-identifying and common automated clients; TARGETED adds challenge and CAPTCHA based detection of bots that mimic browsers, at a higher price. Its rules are more likely than the baseline groups to hit legitimate automation such as monitoring probes and partner integrations, which is a good reason to run it in count mode before enforcing.

rule {
  name     = "AWSManagedRulesBotControlRuleSet"
  priority = 4
  override_action { none {} }
  statement {
    managed_rule_group_statement {
      name        = "AWSManagedRulesBotControlRuleSet"
      vendor_name = "AWS"
      managed_rule_group_configs {
        aws_managed_rules_bot_control_rule_set {
          inspection_level = "COMMON"
        }
      }
    }
  }
  visibility_config {
    sampled_requests_enabled   = true
    cloudwatch_metrics_enabled = true
    metric_name               = "BotControl"
  }
}

Shield Advanced

Shield Standard protects every AWS account at no cost. Shield Advanced is an account-level subscription with a monthly fee and a minimum term; it adds per-resource protection with attack diagnostics, cost protection for scaling that happens during an attack, and access to the Shield Response Team. The aws_shield_protection resource enrolls a single resource, and a protection group lets Shield detect attacks across several resources as a unit: aggregation = "MAX" suits resources with different traffic patterns, "SUM" resources that share traffic, and "MEAN" resources with similar traffic; pattern = "ALL" includes every protected resource in the account. Associating Route 53 health checks with a protection lets Shield use application health in its detection.

resource "aws_shield_protection" "alb" {
  name         = "alb-protection"
  resource_arn = aws_lb.main.arn
}

resource "aws_shield_protection_group" "main" {
  protection_group_id = "production-group"
  aggregation         = "MAX"
  pattern             = "ALL"
}

Logging and Monitoring

WAF logging emits one JSON record per inspected request, including the terminating rule and its action, rules that matched in count mode, the client IP and the request details. The destination must be in the same account and region as the web ACL and its name must start with aws-waf-logs-, whether it is a Firehose delivery stream, an S3 bucket or a CloudWatch Logs log group. Use redacted_fields to keep sensitive headers such as Authorization and Cookie out of the records, and a logging_filter to drop ALLOW records if volume is a concern. Query the logs with Athena or CloudWatch Logs Insights or ship them to your SIEM, and alarm on the per-rule BlockedRequests CloudWatch metric.

resource "aws_wafv2_web_acl_logging_configuration" "main" {
  log_destination_configs = [aws_kinesis_firehose_delivery_stream.waf.arn]
  resource_arn           = aws_wafv2_web_acl.main.arn
}

Best Practices

  • Start with AWS Managed Rules as the baseline: Common, Known Bad Inputs, SQLi, and the rule set for your platform
  • Add a rate-based rule keyed on the real client address, with a limit derived from observed legitimate traffic rather than a guess
  • Enable Bot Control on public APIs and login endpoints, scoped down to the paths that need it
  • Subscribe to Shield Advanced for critical internet-facing resources and associate health checks with the protections
  • Enable WAF logging to a destination named with the aws-waf-logs- prefix, with sensitive headers redacted
  • Monitor blocked requests: alarm on the BlockedRequests metric per rule and review sampled requests for false positives
  • Test every new rule in count mode first (override_action { count {} } for managed groups, action { count {} } for your own rules) and switch to block only after reviewing what it matched
  • Create custom rules for app-specific threats such as admin paths, required headers and request size limits
  • Use the Amazon IP reputation list and anonymous IP list managed rule groups to block known-bad and anonymizing sources
  • Review rules regularly: managed rule groups change over time, so pin a version and read the release notes before moving to a new one, and retire custom rules that no longer match anything
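The logging configuration and the count-mode and monitoring practices above meet when you actually read the logs. The Python below is an added example, not code from this page or from AWS: it parses WAF log records in the newline-delimited JSON form the logging configuration delivers (the same record format reaches Firehose, S3 and CloudWatch Logs), and the records it contains are constructed for the example. It reports which rules are terminating with BLOCK, which client IPs are being blocked most, and which rules matched in COUNT mode together with the URIs they matched on, which is the review you do before switching a rule from count to block. Field names follow the WAF log schema (action, terminatingRuleId, terminatingRuleType, ruleGroupList, nonTerminatingMatchingRules, httpRequest); the ARN, addresses and URIs are placeholders.

```python
"""Offline triage of AWS WAF (wafv2) JSON log records.

Added example, not code from the page or from AWS. Reads JSON-lines WAF logs
and reports blocking rules, blocked client IPs and COUNT-mode matches.
"""
import json
from collections import Counter, defaultdict


def _record(action, rule_id, rule_type, ip, uri, rule_groups=(), count_rules=()):
    """Constructed WAF log record carrying only the fields this script reads."""
    return json.dumps({
        "timestamp": 1700000000000,
        "formatVersion": 1,
        "webaclId": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/production-waf/EXAMPLE",
        "terminatingRuleId": rule_id,
        "terminatingRuleType": rule_type,
        "action": action,
        "httpSourceName": "ALB",
        "ruleGroupList": list(rule_groups),
        "nonTerminatingMatchingRules": list(count_rules),
        "httpRequest": {"clientIp": ip, "country": "US", "uri": uri,
                        "httpMethod": "GET", "headers": []},
    })


# Constructed sample log lines
SAMPLE_LOG_LINES = [
    # allowed, nothing matched
    _record("ALLOW", "Default_Action", "REGULAR", "198.51.100.10", "/"),
    # allowed, but a Common rule set rule running in COUNT mode matched
    _record("ALLOW", "Default_Action", "REGULAR", "198.51.100.11", "/upload",
            rule_groups=[{"ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",
                          "terminatingRule": None,
                          "nonTerminatingMatchingRules": [
                              {"ruleId": "SizeRestrictions_BODY", "action": "COUNT"}]}]),
    # blocked by the SQLi managed rule group
    _record("BLOCK", "AWSManagedRulesSQLiRuleSet", "MANAGED_RULE_GROUP",
            "203.0.113.5", "/login",
            rule_groups=[{"ruleGroupId": "AWS#AWSManagedRulesSQLiRuleSet",
                          "terminatingRule": {"ruleId": "SQLi_BODY", "action": "BLOCK"},
                          "nonTerminatingMatchingRules": []}]),
    # two requests from one client blocked by the rate-based rule
    _record("BLOCK", "RateLimitRule", "RATE_BASED", "203.0.113.9", "/api/items"),
    _record("BLOCK", "RateLimitRule", "RATE_BASED", "203.0.113.9", "/api/items"),
    # a custom web ACL rule in COUNT mode matched on an allowed request
    _record("ALLOW", "Default_Action", "REGULAR", "198.51.100.12", "/admin",
            count_rules=[{"ruleId": "BlockAdminFromInternet", "action": "COUNT"}]),
    "{not json",   # a malformed line the parser must survive
]


def parse_waf_logs(lines):
    """Yield parsed records, skipping lines that are not JSON objects with an action."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and "action" in rec:
            yield rec


def summarize(records):
    """Aggregate actions, blocking rules, blocked client IPs and COUNT-mode hits."""
    out = {"by_action": Counter(), "blocked_by_rule": Counter(),
           "blocked_ips": Counter(), "count_hits": Counter(),
           "count_uris": defaultdict(set)}
    for rec in records:
        req = rec.get("httpRequest") or {}
        out["by_action"][rec["action"]] += 1
        if rec["action"] == "BLOCK":
            out["blocked_by_rule"][rec.get("terminatingRuleId", "?")] += 1
            out["blocked_ips"][req.get("clientIp", "?")] += 1
        # COUNT hits on the web ACL's own rules
        hits = [("WebACL", m.get("ruleId"))
                for m in rec.get("nonTerminatingMatchingRules") or []]
        # COUNT hits on rules inside managed or custom rule groups
        for grp in rec.get("ruleGroupList") or []:
            hits += [(grp.get("ruleGroupId"), m.get("ruleId"))
                     for m in grp.get("nonTerminatingMatchingRules") or []]
        for key in hits:
            out["count_hits"][key] += 1
            out["count_uris"][key].add(req.get("uri", "?"))
    out["count_uris"] = {k: sorted(v) for k, v in out["count_uris"].items()}
    return out


def promotion_review(summary):
    """Rules seen in COUNT mode, most-hit first, with the URIs they matched on."""
    return [(grp, rule, hits, summary["count_uris"][(grp, rule)])
            for (grp, rule), hits in summary["count_hits"].most_common()]


if __name__ == "__main__":
    s = summarize(parse_waf_logs(SAMPLE_LOG_LINES))
    print("actions:        ", dict(s["by_action"]))
    print("blocked by rule:", dict(s["blocked_by_rule"]))
    print("top blocked IPs:", s["blocked_ips"].most_common(3))
    for grp, rule, hits, uris in promotion_review(s):
        print(f"COUNT {grp}/{rule}: {hits} hit(s) on {uris}")
```

For a real log set, replace SAMPLE_LOG_LINES with the lines read from the Firehose output objects. The promotion review is what you look at for each rule left in count mode: if the matched URIs are all attack traffic, switch it to block; if a legitimate endpoint such as an upload path is tripping SizeRestrictions_BODY, exclude that rule from the managed group or scope it down before enforcing.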

Conclusion

AWS WAF and Shield provide layered protection for web applications. Managed rules handle the common exploit classes, a rate-based rule and Bot Control limit abusive automation, Shield absorbs volumetric attacks, and logging closes the loop so rules can be tuned on real traffic rather than assumptions. Together they defend against common web attacks and improve application availability under attack.