Protecting Serverless Applications with AWS WAF
profile picture Vishwasa Navada K
4 min read Jun 7, 2023

Protecting Serverless Applications with AWS WAF

Since serverless is designed to scale to infinity, one of the questions we get asked very often is whether a DDoS attack on the serverless application can result in a hefty Cloud Bill. One way to prevent this is to have rate limiting on API Gateway in place so that the serverless application doesn’t scale to unexpected levels and end up using all underlying resources.

Other than rate limiting at the API Gateway level, AWS offers a service called WAF (Web Application Firewall) that is dedicated to protecting the internet-facing services of AWS like API Gateway, AppSync, App Runner, Application Load Balancer, CloudFront, and Cognito.

WAF offers various predefined configurations to protect the applications from known threats like DDoS, SQL Injection, and XSS. WAF calls these configurations Managed Rules. You could write up your own Rules, or use various rules that are available to use on the WAF Console. A few of these are free to use and provided by AWS, while you could find advanced rules from third-party providers through AWS Marketplace.


Custom WAF Rules allow us to build for the use cases like Geographical and IP Based Restrictions for AWS Serverless applications. Even though scaling is the main feature of serverless architecture, an underrated feature of serverless is pay-per-use. This makes serverless go-to architectural patterns for building internal applications that might not expect a large amount of traffic. In a few such use cases, due to security and privacy reasons, users would expect the applications to be limited to their private networks. That can be achieved by creating an IP-based rule on WAF.


First, we create an IP Set that lists the IP Range where requests are expected to originate. This could be the IP range from a VPN Service, Private network, etc. Once that is created, we add a custom rule on the WAF Web ACL that enables only requests from the IP Set to be forwarded to the service and block the rest of the requests.


As a last step, we have to associate the WAF Web ACL with any of the services that need to be restricted. Once the setup is complete, we can continue to monitor the requests coming in and what percentage of requests are allowed or blocked on the WAF console or the CloudWatch Logs. If you want to handle the errors thrown from WAF for blocking the requests separately, you can configure the WAF Rule to add additional headers and responses when it rejects the request.

An additional scenario where WAF proves beneficial for serverless applications is in protecting against web scraping and automated bots. The AWS Managed Rule - Bot Control can effectively block such activities. Further bolstering these defenses is WAF’s new feature, Application Integration. By incorporating the WAF SDK into client applications (web or mobile), you can ensure API requests originate from authenticated clients, analyze usage patterns, and gather valuable telemetry. This feature also facilitates seamless CAPTCHA integration into your application’s forms or functions.

It’s worth noting that AWS WAF pricing is based on the number of Web ACLs and requests processed. The cost structure includes a fixed rate of $5 per month per Web ACL and $0.60 per million requests. To help you plan your expenses, make sure to estimate your application’s traffic and the number of Web ACLs needed. For up-to-date pricing information, you can check out the AWS WAF Pricing page

You can find SAM Template for the whole setup on this GitHub Repository.

For more security best practices about Serverless on AWS, you can watch our past webinar - Demystifying Serverless Security on AWS: Increase your Serverless Application Security

Application Modernization Icon

Innovate faster, and go farther with serverless-native application development. Explore limitless possibilities with AntStack's serverless solutions. Empowering your business to achieve your most audacious goals.

Build with us



Share this blog

Your Digital Journey deserves a great story.

Build one with us.

Recommended Blogs

Cookies Icon

These cookies are used to collect information about how you interact with this website and allow us to remember you. We use this information in order to improve and customize your browsing experience and for analytics and metrics about our visitors on this website.

If you decline, your information won’t be tracked when you visit this website. A single cookie will be used in your browser to remember your preference not to be tracked.

Build With Us