
AWS Web Application Firewall (AWS WAF)

Protect your web applications or APIs from common web exploits

StormIT helps organizations protect their websites and applications against all commonly known application-layer attacks and exploits by leveraging the comprehensive protection of AWS Web Application Firewall (WAF). AWS WAF protection is tightly integrated with the AWS services that customers use to deliver content, such as Amazon CloudFront, the Application Load Balancer (ALB), and Amazon API Gateway.

Secure your web application and deliver your data, videos, or APIs to your customers globally with low latency and higher transfer speeds with AWS WAF and AWS Edge Services Bundles.


AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources.

AWS WAF gives you control over how traffic reaches your applications by enabling you to create security rules that block common attack patterns.

You can get started quickly using Managed Rules for AWS WAF, a pre-configured set of rules managed by AWS or AWS Marketplace Sellers. These rules are regularly updated as new issues emerge.

How AWS WAF Works

Use AWS WAF to control how an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, or an AWS AppSync GraphQL API responds to web requests.


Create a policy

Build your own rules using the visual rule builder, code in JSON, or simply deploy managed rules maintained by AWS and/or sellers from AWS Marketplace.


Block & Filter

Protect against exploits and vulnerabilities such as SQL injection attacks or Cross-Site Scripting (XSS) attacks. Filter out unwanted traffic by defining specific patterns or by IP address.


Monitor traffic

Use Amazon CloudWatch for incoming traffic metrics and Amazon Kinesis Firehose for request details, then tune rules based on metrics and log data.


AWS WAF Protection

AWS WAF can help you mitigate the OWASP Top 10 and other web application security vulnerabilities because attempts to exploit them often have common detectable patterns in the HTTP requests.

Layer 7 DDoS attacks

You can use AWS WAF rate limiting rules to block clients from specific IP addresses that are sending an abusive number of requests to your application. AWS WAF also provides the ability to block known malicious IP addresses using the Amazon IP reputation list or by subscribing to AWS partner IP reputation lists from the AWS Marketplace.

Bad bots

To stop traffic generated by bad bots, you can use the IP reputation lists within AWS Managed Rules to cover some of the scanner-type bots. In addition, you can use the AWS WAF Security Automations Solution to defend against bots by implementing honeypots and behavioral detections with WAF logs.

Web application attacks

You can select and add some of the AWS managed rule groups to protect your application from various threats. In addition to AWS Managed Rules, you can also write custom rules specific to your application to block undesired patterns in parts of the HTTP request.

Benefits of AWS WAF

AWS WAF complements other protective systems such as firewalls and intrusion prevention systems, and helps you reduce the risk of downtime, data theft and security breaches.


AWS WAF rule propagation and updates take under a minute. WAF rules can inspect any part of the web request with minimal latency.

You can filter any part of the web request, such as IP addresses, HTTP headers, HTTP body, or URI strings. This allows you to block common attack patterns, such as SQL injection or cross-site scripting.

With Managed Rules for AWS WAF, you can quickly get started and protect your web application or APIs against common threats.

Managed rules are written by security experts who have extensive and up-to-date knowledge of threats and vulnerabilities. Managed rules are automatically updated as new issues emerge.

AWS WAF gives near real-time visibility into your web traffic, which you can use to create new rules or alerts in Amazon CloudWatch.

In addition, AWS WAF offers comprehensive logging by capturing each inspected web request’s full header data for use in security automation, analytics, or auditing purposes.

You pay only for what you use. AWS WAF provides a customizable, self-service offering, and pricing is based on how many rules you deploy and how many web requests your web application receives. There are no minimum fees and no upfront commitments.