{"id":819,"date":"2021-12-16T10:29:11","date_gmt":"2021-12-16T10:29:11","guid":{"rendered":"https:\/\/www.workfall.com\/learning\/blog\/?p=819"},"modified":"2025-08-20T10:02:18","modified_gmt":"2025-08-20T10:02:18","slug":"secure-web-applications-using-aws-waf-and-aws-shield","status":"publish","type":"post","link":"https:\/\/learning.workfall.com\/learning\/blog\/secure-web-applications-using-aws-waf-and-aws-shield\/","title":{"rendered":"How to secure web applications using AWS WAF and AWS Shield?"},"content":{"rendered":"<span class=\"rt-reading-time\" style=\"display: block;\"><span class=\"rt-label rt-prefix\">Reading Time: <\/span> <span class=\"rt-time\">9<\/span> <span class=\"rt-label rt-postfix\">minutes<\/span><\/span>\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh5.googleusercontent.com\/6exvcD0ViYqmp7c6Oc4MYZ5aKBJfb0t2GknWWFstejywW-6YdLyF-E2JXcedpejzUwXwNW7B_PonZqNHivl4W9ipKwzJevsNDfCvdK9xVOP0Vsg-3AZd8anolZn7ZZTJMfluMEZ32gjsXGbyT5-d90jLMXR4eptVgtaNB4ctceeGZwKm80ZI6FZN\" alt=\"AWS WAF \"\/><\/figure>\n\n\n\n<p class=\"has-text-align-justify\">The world now runs on applications, from internet banking and remote work applications to entertainment delivery and e-commerce. It&#8217;s no surprise that attackers target programs as a key target, exploiting design flaws as well as gaps in APIs, open-source code, third-party widgets, and access control.<\/p>\n\n\n\n<p class=\"has-text-align-justify\">Modern cybersecurity attacks are undetectable and uncounterable by network layer firewalls and traditional security solutions. AWS provides the Web Application Firewall (WAF) and the AWS Shield to tackle such attacks and safeguard your application without having to manage the underlying infrastructure and application code of security solutions.<\/p>\n\n\n\n<p class=\"has-text-align-justify\">AWS WAF has the greatest market share in the worldwide cloud service industry. It is mostly used to protect websites against web application assaults. 
AWS Shield protects your <a href=\"https:\/\/www.workfall.com\/learning\/blog\/how-to-set-up-an-aws-cloudfront-distribution-to-speed-up-content-delivery\/\">CloudFront<\/a> distributions, Amazon Route 53 hosted zones, and Elastic Load Balancers from DDoS attacks. AWS WAF&#8217;s advantages include straightforward AWS integration, cost, and flexibility.<\/p>\n\n\n\n<p>In this blog, we will cover:<\/p>\n\n\n\n<ul><li>What is WAF?<\/li><li>How AWS WAF Works?<\/li><li>Role of WAF<\/li><li>Web Application Firewall (WAF) Capabilities<\/li><li>How AWS WAF handles bad requests<\/li><li>Logging and Monitoring of AWS WAF<\/li><li>AWS WAF and AWS Shield Architecture<\/li><li>Attacks that WAF prevents<\/li><li>Hands-on<\/li><li>Conclusion<\/li><\/ul>\n\n\n\n<h2>What is WAF?<\/h2>\n\n\n\n<p class=\"has-text-align-justify\">A WAF, or Web Application Firewall, helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. It commonly protects web applications against attacks such as cross-site request forgery, cross-site scripting (XSS), file inclusion, and SQL injection. A WAF is a layer 7 defense (in the OSI model) and is not designed to defend against all types of attacks.<\/p>\n\n\n\n<h2>How AWS WAF Works?<\/h2>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh4.googleusercontent.com\/ysbQEJxvtI22MtueAUh0ayRcMdXvqNX-tvF0FFUud0np4ZGjhVdBctpoMuV9vISMdRk5lU5uiu3a6RFFO8ma3zL06Au34C7A3Xj1ickM2x4CJSV5585qrzg3THVwT2L95BxsxicLUwsXeFNO-R6urRn9_JE4C9hZ4O0aD825Q2JpESumP4tfWmzc\" alt=\"AWS WAF \"\/><\/figure>\n\n\n\n<p class=\"has-text-align-justify\">AWS WAF lets you control how traffic reaches your applications by letting you create security rules that block common attack patterns like SQL injection and cross-site scripting, as well as rules that filter out specific traffic patterns. 
Managed Rules for AWS WAF, a pre-configured set of rules managed by AWS or AWS Marketplace Sellers, will help you get started quickly. The Managed Rules for WAF address the OWASP Top 10 security threats. These rules are updated on a regular basis as new concerns arise. AWS WAF comes with a comprehensive API for automating the creation, deployment, and management of security rules.<\/p>\n\n\n\n<h2>Role of AWS WAF<\/h2>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh6.googleusercontent.com\/RDqH2luPoTxeOkpY-ekqScTyPMF6HoI63DdBASgnzES-_dGTjUcaSPuogDDA8GXaCN2az0fat3TjuxJoMXFqUVp1Z3r1gk1TSIkcP3TSGpHd4j0Du2tuCaL5t7tcnQliwoDOV7u69gaM3blWZIvTVgyTqlVVQeMlGvB1AwOf8TET_F2Mt0oa8bHi\" alt=\"Role of AWS WAF\"\/><\/figure>\n\n\n\n<h2>Web Application Firewall (WAF) Capabilities<\/h2>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh4.googleusercontent.com\/ju8uCz6YlQQUlh6PSASr56oafNx_mk-xyKhPn1PezPo2uAxNN6dZuu6-a8IZhVrB64hUhUuyqUjiYabvyxdAlUiwNn62-Q8MGpBKW1hBO7eeyT6Um314TH7zEQKALqn-udJtMj06M3RkLEnbbVDbqDczzVdTtOby2_70TOFzXxrvFISB0MaQGX0w\" alt=\"Web Application Firewall (WAF) Capabilities\"\/><\/figure>\n\n\n\n<p><strong>WAF security can prevent many attacks, including:<\/strong><\/p>\n\n\n\n<ul><li><strong>Cross-site Scripting (XSS) &#8211;<\/strong> Attackers inject client-side scripts into websites that are viewed by other users.<\/li><li><strong>SQL injection &#8211;<\/strong> Attackers insert malicious code into a web entry field to gain access to the application and its underlying systems.<\/li><li><strong>Cookie poisoning &#8211;<\/strong> Altering a cookie in order to obtain unauthorized information about a user, for purposes such as identity theft.<\/li><li><strong>Unvalidated input &#8211;<\/strong> Attackers tamper with HTTP requests (including the URL, headers, and form fields) to bypass the site&#8217;s security mechanisms.<\/li><li><strong>Layer 7 DoS &#8211;<\/strong> An HTTP 
flood attack that uses valid requests to retrieve data from normal URLs.<\/li><li><strong>Web scraping &#8211;<\/strong> A type of data scraping that is used to extract information from websites.<\/li><\/ul>\n\n\n\n<h2>How does AWS WAF handle bad requests?<\/h2>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh3.googleusercontent.com\/YIvu5jtqcJpcusXlTMQQO-9tn47LdVtlLRoB_HK552Q-uAKBSoVKrgxu2VJUkxyyvDQUt9BM6vyLeBev3e0SMblFUatH0WJyAdopafdj70uTw-xxGqP8Vb_PDkyc2QdO7aijNzG3kbfpyDw8lUC84iodCHKZZ_07fSTn_4EfagLNiG6lC6lIMls1\" alt=\"How does the WAF handle bad requests?\"\/><\/figure>\n\n\n\n<p class=\"has-text-align-justify\">AWS WAF offers a number of components, including web ACLs, which you can create and associate with your AWS services like CloudFront. These web ACLs are set up with rules that determine whether a request should be allowed or blocked.<\/p>\n\n\n\n<h2>Logging and Monitoring of AWS WAF<\/h2>\n\n\n\n<p class=\"has-text-align-justify\">You can enable or disable logging for a web ACL at any time. To log AWS WAF events, you can use CloudWatch or Amazon Kinesis. 
You may also create custom reports and take actions based on your own requirements.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh3.googleusercontent.com\/XMFGI0TeUHQrCoOCYNEDwPzsbdKaC_cayqE0rSXj1Ru7heEkkmRqa50v75jHBcra0xlgQOIBExwTi3gk26Gn0hZwYdCYXyE4MWkov02qHJ1z2bhEkPZi1goQ6qnBY8QjLjiTrD3imNfq1L_PbVmmWs9c0gYHDmPjrmNmTZbglkXSSiRRt21Vas4a\" alt=\"Logging and Monitoring of WAF\u00a0\"\/><\/figure>\n\n\n\n<h2>AWS WAF and AWS Shield Architecture<\/h2>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh3.googleusercontent.com\/muFak7QA2uEkt6Q1J1JmNXYV3qH42VcHbRtyfR9H4BwZ-EPw2yohGBUKARld9o9ic3rNunK_RVr6Omt4dq0KX0NSR4BKso6V9y-ejyOe0U9u87rX9yXGoNe4tFk9olOrRJFeUAZFUzVS9DwXa-bFCE8KUNJSGOuS5k3z1xKP5ffLOXe3W81fnpez\" alt=\"AWS WAF and AWS Shield Architecture\"\/><\/figure>\n\n\n\n<p class=\"has-text-align-justify\">DDoS is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so you don&#8217;t need to engage AWS Support to benefit from DDoS protection. 
Custom web ACLs in AWS WAF can help you block requests that aren&#8217;t permitted, safeguarding your application&#8217;s integrity.<\/p>\n\n\n\n<h2>Attacks that WAF prevents<\/h2>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh6.googleusercontent.com\/-dSY-qAlU13WiOosTxNYZAfdfy9n83NZ09GVy4NSM1Vk9ON9DcR1eZJ6adXVcQeWluyOiImcfsYqhZMaruHbdksifd7v3D1xeLsabyrBden1vTkvVpOiq1WI-a1UNLHzlqtF3MUH-3AtPMPjtJKoHfLJkgmMBlcvP7o4N9_K7qq12EWLMn7P-G0w\" alt=\"Attacks that WAF prevents\"\/><\/figure>\n\n\n\n<p>Terminology to be familiar with when using WAF:<\/p>\n\n\n\n<p><strong>Web ACL<\/strong><\/p>\n\n\n\n<p class=\"has-text-align-justify\">A web access control list (web ACL) allows you to fine-tune how your protected resource responds to web requests. You can protect Amazon CloudFront, Amazon API Gateway, Application Load Balancer, and AWS AppSync resources.<\/p>\n\n\n\n<p class=\"has-text-align-justify\">You can also test for match criteria in combination. You can block or count web requests that not only match the specified conditions but also exceed a specified number of requests in a 5-minute period. Conditions can be combined using logical operators.<\/p>\n\n\n\n<p><strong>Rule groups<\/strong><\/p>\n\n\n\n<p class=\"has-text-align-justify\">A rule group is a set of rules that can be reused in a web ACL. For further information on web ACLs, see Managing and Using a Web Access Control List (Web ACL).<\/p>\n\n\n\n<p>There are two primary types of rule groups:<\/p>\n\n\n\n<ul><li>Managed rule groups, which AWS Managed Rules and AWS Marketplace vendors create and maintain for you.<\/li><li>Your own rule groups, which you create and manage yourself.<\/li><\/ul>\n\n\n\n<p><strong>AWS WAF rules<\/strong><\/p>\n\n\n\n<p class=\"has-text-align-justify\">In each rule group and web ACL, rules define how to inspect web requests and what to do when a web request matches the inspection criteria. 
Each rule requires one top-level statement, which may contain nested statements at any depth, depending on the rule and statement type.<\/p>\n\n\n\n<p class=\"has-text-align-justify\">In the JSON format, the inspection instructions are included as rule statements and the action as rule actions.<\/p>\n\n\n\n<p>A web ACL&#8217;s rules are used to deny or allow web requests based on criteria such as these:<\/p>\n\n\n\n<ul><li>Scripts that are likely to be malicious. Attackers embed scripts that can exploit vulnerabilities in web applications. This is known as cross-site scripting (XSS).<\/li><li>IP addresses or address ranges that requests originate from.<\/li><li>The country or geographic location from which the requests come.<\/li><li>The length of a specified part of the request, such as the query string.<\/li><li>SQL code that is likely to be malicious. Attackers try to extract data from your database by embedding malicious SQL code in a web request. This is known as SQL injection.<\/li><li>Strings that appear in the request, for example, values in the User-Agent header or text strings in the query string. You can also use regular expressions (regex) to specify these strings.<\/li><\/ul>\n\n\n\n<p><strong>IP set<\/strong><\/p>\n\n\n\n<p class=\"has-text-align-justify\">An IP set is a collection of IP addresses and IP address ranges that you want to use together in a rule statement. IP sets are AWS resources.<\/p>\n\n\n\n<p class=\"has-text-align-justify\">Before using an IP set in a web ACL or rule group, you must first create an AWS resource, IPSet, with your address specifications. You then reference the set when you add an IP set rule statement to a web ACL or rule group.<\/p>\n\n\n\n<p><strong>Regex pattern set<\/strong><\/p>\n\n\n\n<p class=\"has-text-align-justify\">A regex pattern set is a collection of regular expressions that you want to use together in a rule statement. 
AWS provides regex pattern sets.<\/p>\n\n\n\n<p class=\"has-text-align-justify\">You must first build an AWS resource, RegexPatternSet, containing your regex pattern specifications before using it in a web ACL or rule group. The set is then referenced when a regex pattern set rule statement is added to a web ACL or rule group. There must be at least one regex pattern in a regex pattern set.<\/p>\n\n\n\n<p class=\"has-text-align-justify\">When a regex pattern set comprises more than one regex pattern, the pattern matching is merged with an OR when it&#8217;s utilized in a rule. That is, if the request component meets any of the patterns in the set, the web request will match the pattern set rule statement.<\/p>\n\n\n\n<h2>Hands-on<\/h2>\n\n\n\n<p>In this hands-on, we will deploy a sample web application and implement WAF.<\/p>\n\n\n\n<ol><li>We will use an AWS sample web application to demonstrate AWS WAF.&nbsp;<\/li><\/ol>\n\n\n\n<p>Go to the website: <a href=\"https:\/\/github.com\/aws-samples\/aws-bookstore-demo-app\">https:\/\/github.com\/aws-samples\/aws-bookstore-demo-app<\/a><\/p>\n\n\n\n<p>Click Launch stack with your preferred region:&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh5.googleusercontent.com\/Bk-fl26Y-oobesDofjE_Am1pzsian3oHMo5lQ0STYG7dyFH79BcX90kW-oFh6YV6gFfinuLETOLYSE5bQJ6WX1LmKz9ZLAK-XqmUYwwH0lnATdmv_9VZaZb-MEpV9mDlOfKJ4Q-qJzATvMeKYlmcbuDVRQdGhoMx-WGuW8i-Bv1SGhSSAirgH1aR\" alt=\"\"\/><\/figure>\n\n\n\n<p>Click Launch stack.<\/p>\n\n\n\n<p class=\"has-text-align-justify\">You\u2019ll be redirected to the CloudFormation page of AWS. 
You&#8217;ll need to provide some basic stack details as shown in the upcoming steps:&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh5.googleusercontent.com\/saxbsBdi0iE-7LGjE2e3Ys9HIASxKIki382RZl_Xi_t1O9vPu0D8EbtIbOpNUOKHiyeiwxVXchupaCDYVQsp_joy38FQssLMkKgDioVXkdcldiVbu8CE-3Vg7QTYbjh78qlqw7hv5Ca0rbaZKM3GuI0cMjH_ae2x0Kjqu6inBLrYdR-NrhFZes7N\" alt=\"\"\/><\/figure>\n\n\n\n<p>Specify stack details as shown below and click Next.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh5.googleusercontent.com\/pPwgRfW4jIU8CY8tXbQg89hoNuMvIZ7702V_l7YXbcJGW5i_HYS1J-pVbUZcU1b748LT5RFKs5s2be9LZ_jwm3VwZhH0_aiT-jOTW2_JXcHfBV8FYVQcy0OsnDJSYeVG7nWEcxYaTzh8oFVm13s-CwEBx5HTyNhLG8mpEgAOO1C4hJwm7FsKU-eA\" alt=\"AWS WAF \"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh5.googleusercontent.com\/ihZNHw8pOl92vX92NjTq3xPhv-hrn1xJGHX9f7HxbMZtur6y5oZX32a9TBKptbjs83RgCH62n_N79YSQUMV6O0-p9kpVGwiOZiXqUH8L0xoAOl3b3Gg-vDg1kSbGgTeMl5G82KP-cNcmLi7ygX7berzbrvGughRXNv0sQutgGu_u6uDywrcxplgw\" alt=\"\"\/><\/figure>\n\n\n\n<p>After filling out the stack details, click create a stack.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh5.googleusercontent.com\/xId1V-WYQL_9WnS1l-ufocvTTgLbV94M2rfSFYL5KqmdKw9EWv40iNGTk2HqxDtyq8H7KEjZyTw99CNSESP62YoaOLVanekkU2klZrl6kfHBk-Kjq_Bgt0ROOl2BbT6D9LbI_t9bI7yLfq83DFD6b0CM1l4lTdcLDLGHtI2uX7-9MIHCvRvo0xGE\" alt=\"\"\/><\/figure>\n\n\n\n<p class=\"has-text-align-justify\">As you can see, the stack has been created. This will take 10-15 mins to complete. 
After successful creation, you\u2019ll get a CloudFront URL in the outputs section to access the web application as shown below.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh5.googleusercontent.com\/3uxqbpwCx4p_O4K669mePF_ms-1GWz3A7zB_WB6Cnpad8FMFYRO554zk5uRIX56fDscL8JV-0-89VwWgmxH6bKfw7UWEA12UygVMzD0BZiIH99ussJ_EjnsG6S8kxhsCvxwKpDTVShzLvRYLtloRNGeAkFRhRs5DdWgDRsCxBUrPCgMcdOpIr0sA\" alt=\"AWS WAF \"\/><\/figure>\n\n\n\n<p>Now copy the URL and open it in your browser. The application will look like this:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh5.googleusercontent.com\/BnI8ljHDj9kWtSnUIgEzqVAIGHm0JyDmEr9PmiSGnqqsXa3DarxocAClIUZwsLyCS4MnlI0HJWwIgbqmzzNAWnx9dGuS9udbkTX_dMaogdwh0ITzF1E87rCWhjHKIIl5qUZW0PI4BEo_n7DQNBBF6fIZnOyhecRszG_XMyy1QPCpigQ06t3tUrOl\" alt=\"\"\/><\/figure>\n\n\n\n<p>Now that our web application is ready, let&#8217;s protect it using AWS WAF.<\/p>\n\n\n\n<p>Go to AWS WAF and click Web ACLs as shown below:&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh5.googleusercontent.com\/G9uKpTXEKpqg249jd1a092E3ZYmoD7GzLDBjP_LgtJCvuV8JymJEEZKw5tomlGLHYhrfRqHK0qKMlZXA98T1lJiLtZ6MJu1Pped6kMdAuYascelRpqswLIJWlgQLvzFRzcRUsvkZpUPPCbTDsdg127NUMHG5kmJF7BqlybfCeJjFOWavh0kCt0Zw\" alt=\"AWS WAF \"\/><\/figure>\n\n\n\n<p>Fill in the specifications as shown below and click next:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh4.googleusercontent.com\/p8mEXLVSkVXKvfzZMbtWH2QcZuKVfZqsUpM25YZrTGivHlUJ4pfH5Ehwg_bc5yru8YMNdCdHXg4AVd5BfzDubqevnT4-9D6HBvZE3SatJiOrHgf-L67pWXVPdukLXEbKpb3u89b05Hc4z0AmUK_coJnb0B1WihlWzvyx6YGscbWW5eGXJwlIt49i\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh4.googleusercontent.com\/t9bZBAvs51J1vy3ELzhmX4doUPXTUchqzL1ig8TY-_2f6i4HpSi1H-ldMiCEFYMZ5jxRaoCDxg-6R0GLBs3C89GzUXYT4CY6iw2pGQR9sVmSHvvrshjAJqUKwRB3DHONCLvu5vs7uSyXR9b1lbR8RDqqoheLiLZWTBfcMHcG7eBFIFg86SxSQE-b\" 
alt=\"\"\/><\/figure>\n\n\n\n<p>Select add rules as shown below:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh5.googleusercontent.com\/Zd5ujlvVmWFtiseodl57hgtX8tgDe3VzUX1wcf96Fj8txttN9ZzIJvCXN_q8WuNp4AXekChzez6f8b_KI-aGKHBeH4eZtal2fq-91QqxT1NbHMFrW1FuQDwHvQ0W3MM1LXNOXFn8VP4eNNjznNymr-fcOnFEGSZbNmwF78jXG0Chq-fVSGqzXJER\" alt=\"\"\/><\/figure>\n\n\n\n<p>AWS provides some managed rules which are production ready. Here we will be creating our own rules.<\/p>\n\n\n\n<p>From the drop-down, select Add my own rules and rule groups:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh3.googleusercontent.com\/oAQCSbrJRm40ZLF02noxvbMxjhm9cVgmmYFK0yTeb-BC_oKix4PP2fSIlrh6m5RGQ0pxdVPttU9bfn687npXvrPy7zt9NV4Fd1mE8yd6ujPGlQCRG9C0jfYd_karM-QCW5TS6lxO4aY1ERceanXPuodBfIIUSvVh9L08R0q_jDU_Uev1gLGI-DfX\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh5.googleusercontent.com\/U7U5JKuX45Y9bIHkjpBdAaoo6pJiOhQwfJdjMOXi98cpPdo3VHMuy4Jt9LqFESrHlfrlGj4M5em3CDGfcy1jxugrO_IvL-JE9UVYsTlgmjtnFuSK1H1cKkzogtVjWogzCxawd1_xeIuPEDh7OD8B88ZQE_Hk2iFV4DXfGOfhMk7q1yiQoaDjQkPF\" alt=\"AWS WAF \"\/><\/figure>\n\n\n\n<p>We will create two rules here to demonstrate WAF features:<\/p>\n\n\n\n<ol><li>Block requests originating from specific sources. For this, we need to create an IP set.<\/li><li>Block a particular URI path.<\/li><\/ol>\n\n\n\n<p>Steps to create an IP set:<\/p>\n\n\n\n<p>Click create an IP set<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh6.googleusercontent.com\/B9grV_awoAStxGymItIl_JNGCywAuOOj04SUlcPhapECj0LpnJvVYTlALykA8mRDer8lEbSAu1OX5njfYOLiK-0iGJtMgnnxsQvmypjojPKbZIh5CQaNaGXM138ohR6kT52tJn7fI192XTQIfUUs6IagybOg1NVHeVPE1dn2u3MDUlWeKDv_A2pm\" alt=\"\"\/><\/figure>\n\n\n\n<p>Provide the required details as shown below:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img 
src=\"https:\/\/lh5.googleusercontent.com\/HhY4fMlVGu9DsR7MfghuGvbssy4sp38UzecalrY7j7SIx7XBISngu9qidEIjmjyyaZKEnTLJ3CnZIU-484qNCQkmt3pHNN4jqySo6H9Mw6x1dk_Ch-TLdvs-C9NlJa36QazPUowsjRBvUVPh1Y-DN-FaTN_Pq6XBWldWNPLGB3a3qizekSuSVFFF\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh3.googleusercontent.com\/bvxvbjtmNPtq3FWHwUIWX4Nx_2vS9FxsVlke1hVqJamTBjugoYD8-z1oFBJN2DmqBKARhwkE1lGots8CH7fIsblioLpe2flsFwZH7ZrQUu2auv_t_ekgbegG3te7RQYkTtlhSoe9rNuaUq_O8V1RgLrDuCSbEUiwfQkw2JWDWfujmhVRPnJhlQ4j\" alt=\"\"\/><\/figure>\n\n\n\n<p>After successful creation, it will be shown on the main page as shown below:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh6.googleusercontent.com\/w6fciP4ufbtdUETdV2hBiLEQMYASL9QCya8ULFJE-HKyIhc9VCGGMWQqVDyQnhfY76Xqpha3rItpRxvF7Tt4NCmoW3vm6E_LJqTYvkm7N1brpvfi_vjbUzsoXrngsV_eR073g9BodCFXvYUHApOzUylK8AyjwXHmoFisz11SIbhkpOGTnhaPrOCd\" alt=\"AWS WAF \"\/><\/figure>\n\n\n\n<p>Steps to create a URI-based rule:<\/p>\n\n\n\n<p>Select rule builder and provide details as shown below:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh6.googleusercontent.com\/LLMz3uQL9QnBxDiXW2u9FVTRDRH9vWbG6fX2KyvY1o3K_VHWBU5ughSAikXdfxV0_471C7C5q9mi7MimDE-BWnos6U4lSNiAsJgmR-i2j80SqVYUp-uQUsvJL-lU49McDx4OGCeMuOHDzSghllxaMwNZILOxDPuAxy9d9nwcvKTtpeD4fDP6Gzvb\" alt=\"\"\/><\/figure>\n\n\n\n<p>Select block as the action and click add rule as shown below.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh3.googleusercontent.com\/tHXClO7eIgHaYi91U01oKLaHhfABgNanwIroLnbCsmuQfLx0Mlje8n4ThmBeu6jJ_O4ApVQvVzibiWI_EMK6ezWpaaFDauoVaOCiqCag9Qj9WjgjhOR9Fl48s9UadbQG7Ny2VMSGoJhbMtjlV-YoXwtug34L5Q-whtpUYszWDERP6tlBcQyRReah\" alt=\"\"\/><\/figure>\n\n\n\n<p>Go to the Web ACL dashboard and proceed with rules selection:<\/p>\n\n\n\n<p>Select the rules created above as shown below:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img 
src=\"https:\/\/lh4.googleusercontent.com\/8tDRbMquewBt9SJwwIzEUDiD_Ea37MuHg83N4kmpkmvaKWKYrtkddBl7eBYRHQ7Lp4kAespod94SRwxIn7-2fZfAukuCQhDo6-N1HuX2-X1sTsDBOgdpX4XEwxXEPJxc-1YSTlqrACdSWJ5FgvMHB6ufggScGZI8m2Nip1mRD3yiroak-H2IZ2rK\" alt=\"\"\/><\/figure>\n\n\n\n<p>Select rule priority and click Next.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh6.googleusercontent.com\/WOg9VuGkHEakVlDqg-s8lIeeGVusxkSK7Zo4pzexeOcJZX9bNqUwGux378AYOjnOmR-4gfgzD7MW_q_hsqv6RR97SHB_ylK1Zv_SuU4_qoyod12EfvG79pR1EQG7N001GBZFubWcxfnEki0ZIqvdQHr59qpQEFlZOYFJTq6rEiMxB0RSVqi9WHpj\" alt=\"\"\/><\/figure>\n\n\n\n<p>Click create web ACL.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh3.googleusercontent.com\/VZVpqyeGmjpUmfLoySMQpEpoxKn0weN-9quYbT_EBf2wJnPAvsnZbBVP1wFsSGKNzMHuCf2bKjlmqZfAZxdL7ctqpcXef8ozVEwab4JssePXGqJxwX-6ki9Z-3hjN8Ze1kVVDUL8LPnJ6fQat1uK314oOlXL-qAO8JCnmV1U6B8GkZPkRoZNUdz6\" alt=\"\"\/><\/figure>\n\n\n\n<p>As you can see in the image below, the web ACL has been successfully created.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh5.googleusercontent.com\/VEig1D1OcCOFSde9Ix7NF53TcxLo739ibFadDekBmpIhrdTejqwXifD-PHe08y7m9EV1nGegK_JezyKSN4CyxuosCdtDsrJz1_XdcGvh_uIB7_Q6SHUxVCfoi58jXd9HKXlRGNal1SHscy0XqzoBSGd_SzoHOE7ZeRgWR568WVvLkxTPL229UZW7\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh4.googleusercontent.com\/C4hwNSyQojXIt5oHJpEkSPCFN7Znl8nJpTHNdtV5oRoT1e_ppcJgFNwC0-Xxu14Kv0rU6LTllQjRwglJKTWiJedZm8Dvvzu9mljG_l9ku3J7NnvPQ7t_gEFpD_di1C1esuyWTsimOOSlvV4J4rxb74PWt1teBeKlPVhyM8i1_tH8bBtnOwqjnYlJ\" alt=\"\"\/><\/figure>\n\n\n\n<p>Now we need to specify the AWS resources for our web ACL.<\/p>\n\n\n\n<p>Click on Associated AWS resources to add our CloudFront distribution:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img 
src=\"https:\/\/lh5.googleusercontent.com\/bi1XOSGm2JmblgLAThSLToYLZB3BUme7XKIUNK9f0X-lixaz7fnb8iHBb9FOofsdecRSoKC1Y32-V-6-yeaFEwAKiMTyWczgKIfqXcBVspYSauQvUbHYAkLtz6AFwfIAjyaNN79kMU81Q5AsHzs36GhtfRtSfRoI8ODTieJ2NGvAJBJ9eqkVKttA\" alt=\"\"\/><\/figure>\n\n\n\n<p>Select the CloudFront distribution you want to associate as shown below:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh3.googleusercontent.com\/B_KYJLX8XXT0q7_I9AYHmIsqD_RFFLbW3ESP2Vb8o4y5o20k8h461qNqdHoc30gER_Pq8chVFCXJpGZdyeSpYdCky3YMojuHiP9gcQWzSzu68nm6zyOKrpA1btKD-eWeFQbTDA8qtYm-moaLipsqnv9qZWsAc4FRTqe5mRm2_wc0cCLDhulTgmuO\" alt=\"AWS WAF \"\/><\/figure>\n\n\n\n<p>Once this is done, we are ready to test our rules.<\/p>\n\n\n\n<p>Open the CloudFront URL and try to access the \/manifests.json path. You should get an access denied response as shown below.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh6.googleusercontent.com\/v7wb00PLcf9KWT_saSn0UG5oNWT5ucW21mceQ1_R72gJD_Au27Bmms4JT-nLkbBlXr4SGpw2Dw2cyqu2M1J_8LkiNFU3e0hUrxcmTn48bFsSUxpAS67BuGCG5lu1dzteQhQsfSQQqoqMj-G7p9_DJmVw9ZOrhm2MSDrJjX4py_QJ8TqGXKvMBN8y\" alt=\"\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh3.googleusercontent.com\/C8rwrwK6vSaD9ZGYX8J-CSDK124eMhEbkuHA368lak6c9TlzAnYjEyaxPli1WQoLiyZDk5UtJSAj51Ed2KMuzZHY4YgQEUZwawhclJ32PDo5ce0sA_u9HqCOpJgKQb77hsPLP9fJlPP0wdLREh3mXKEiZw6uecMzT294AUXabbSCTKxDtixV3tby\" alt=\"\"\/><\/figure>\n\n\n\n<p>You can see the sample requests and actions in the overview section as shown below:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img src=\"https:\/\/lh3.googleusercontent.com\/WizIfIpnU5i27kUj1wAlCejjl4p3RmgQrmJWfM6r9ApWoiCnkQgpIwshl15CZ2x_RD7d-0S4IsobyfvChBFVTSjTO1vq3faGxFLv754clmQFV3fGhbFZ4F1fk0BV764rcf6fesi2nz5sfk59xf8PHAuCZu8waPGqqZa0GJAXYt51mpFw_yqh0sIM\" alt=\"\"\/><\/figure>\n\n\n\n<p>So we have successfully seen AWS WAF in action and its use cases.<\/p>\n\n\n\n<h2>Conclusion<\/h2>\n\n\n\n<p>In this blog, we explored AWS WAF, how 
it works, how WAF handles bad requests, its logging and monitoring, and what attacks it prevents, and saw how easy it is to use AWS WAF to protect our web application from threats and attacks. With our own custom rules and web ACLs, we can control our traffic and allow or deny requests within a few clicks. We will discuss AWS WAF in our upcoming blogs.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><span class=\"rt-reading-time\" style=\"display: block;\"><span class=\"rt-label rt-prefix\">Reading Time: <\/span> <span class=\"rt-time\">9<\/span> <span class=\"rt-label rt-postfix\">minutes<\/span><\/span> The world now runs on applications, from internet banking and remote work applications to entertainment delivery and e-commerce. It&#8217;s no surprise that attackers target programs as a key target, exploiting design flaws as well as gaps in APIs, open-source code, third-party widgets, and access control. 
Modern cybersecurity attacks are undetectable and uncounterable by network layer [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":820,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"spay_email":""},"categories":[2],"tags":[3,239,238,6],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v19.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How to secure web applications using AWS WAF and AWS Shield? - The Workfall Blog<\/title>\n<meta name=\"description\" content=\"AWS WAF offers a number of components, including WEB ACLs, which you may construct and associate with your AWS services like CloudFront.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/learning.workfall.com\/learning\/blog\/secure-web-applications-using-aws-waf-and-aws-shield\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How to secure web applications using AWS WAF and AWS Shield? 
- The Workfall Blog\" \/>\n<meta property=\"og:description\" content=\"AWS WAF offers a number of components, including WEB ACLs, which you may construct and associate with your AWS services like CloudFront.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/learning.workfall.com\/learning\/blog\/secure-web-applications-using-aws-waf-and-aws-shield\/\" \/>\n<meta property=\"og:site_name\" content=\"The Workfall Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/facebook.com\/workfall\" \/>\n<meta property=\"article:published_time\" content=\"2021-12-16T10:29:11+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-08-20T10:02:18+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/learning.workfall.com\/learning\/blog\/wp-content\/uploads\/2021\/12\/CoverImages_1200x628px-3.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"628\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@workfall\" \/>\n<meta name=\"twitter:site\" content=\"@workfall\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Workfall\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"16 minutes\" \/>\n<!-- \/ Yoast SEO plugin. -->"}