Skip to main content

What is AWS WAF?

What is AWS WAF?
(Image credit: Pixabay)

Security on the web is often all about assumptions. On the one hand, we make assumptions about never being the victim of a data breach, that our apps and services running in the cloud are perfectly safe, and that there is no possibility of data compromise. On the other hand, there is also the correct assumption that something will occur, that the attack vector is wider and more obvious to hackers than you might expect, and that it’s not if you’ll experience a breach but when.

It’s easy to assume there are no risks because that doesn’t require any changes or actions. It’s definitely much more difficult to assume there will be attacks. That’s why the Amazon Web Service known as WAF, or Web Application Firewall, is such a valuable offering.

Designed to protect web applications, AWS WAF is a cloud firewall that can be customized to match the needs of an organization, which means you can add and customize security rules for the applications you need to protect at the level that is required. You can configure your own managed rules on your own or use the predetermined, managed rules set by Amazon Web Services (AWS).

What this means for any business is that you can manage risk in a way that is clear and understandable. There are no assumptions -- with any application, you can decide which rules to deploy to protect you from common attacks.

One example of this has to do with typical traffic patterns that occur when there is an attempted breach. You can deploy a security rule related to an SQL injection or cross-site scripting. AWS WAF will then look for those patterns and block breach attempts.

In essence, WAF gives you control over exactly how and why traffic reaches your applications in the first place. Then you can govern the rules over what happens when the data reaches the application based on company dictums over endpoint security or compliance regulations.

WAF works with Amazon services such as Amazon CloudFront, EC2 (Elastic Compute Cloud), and Application Load Balancer. It can also be deployed as part of an API or Application Programming Interface. If you deploy WAF as part of an API, it works with Amazon API Gateway.

Benefits of AWS WAF

One of the key benefits of using WAF is that you pay only for the rules you use and only as the traffic occurs. If a web application does not contain any financial information and is purely for, let’s say, managing the high scores in a game, and doesn’t track any user account information, you can decide to deploy fewer rules and pay less. If it’s a cloud database that also maintains credit card and insurance information, you can deploy more rules for security.

There are also no upfront fees or monthly charges, and no setup costs or configuration fees. You can deploy rules for a single application that needs minimal protection against a breach or deploy rules for hundreds of apps that need the tightest security available.

Importantly, the costs are also based on the traffic requests the web application receives. Unlike a firewall you build yourself for a data center or server room, or one that protects apps that run internally on desktops at a company, WAF monitors only the traffic coming into your apps and you pay only for the traffic you actually receive. For an incredibly popular app with high traffic, the costs might be higher based on the rules you deploy and your security needs, but they would be much lower for a new app or one that is not designed for a large user base.

Another important advantage of using AWS WAF in the cloud is that it has little to no impact on the actual web traffic for your applications. Because of how the service inspects traffic on the fly and monitors the security rules you select, it can stay “agile” in terms of not interfering with the flow of data to and from your business apps.

One last benefit is that deploying WAF is not a complex endeavor where you have to build out the IT infrastructure, install firewall software and hardware, or constantly manage the security on your own on-premise servers to stay up to date with the changing security landscape. As new exploits and vulnerabilities arise, the service can adapt and look for unusual traffic flows and introduce new rules to deploy as part of your application security framework.

This all leads to the typical cloud computing advantages of cost-savings (from not building your own infrastructure), flexibility (customizing how it works with your web applications and the rules you need to deploy), and scaling (to meet the needs of an app that has suddenly become more popular or that you are relying on more heavily in your organization).