AWS re:Invent 2025 - A day in the life of an AWS WAF administrator (NET317)

Protecting Web Applications with AWS WAF: A Day in the Life of an Administrator

Architecting WAF Protection

  • Determining where to apply WAF protection:
    • Edge-level WAF on CloudFront for blocking attacks early
    • Granular WAF policies on individual application components (ALB, API Gateway)
    • Balancing management complexity with security coverage
  • Ensuring origin protection with techniques like VPC origins and origin access control
  • Restricting origin ingress to CloudFront's origin-facing IP ranges (managed prefix list) and requiring a secret custom origin header, so an attacker cannot bypass the edge WAF by sending requests straight to the origin
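The secret-header control above, as an added example (Python, not code from the talk or from AWS): the rule the origin's web ACL needs, the matching CloudFront custom origin header block, and a local emulation of that one rule run against constructed requests. The header name, the two secret values and the rule name are assumptions; the statement shapes are the AWS WAF JSON/CLI forms (boto3 takes the `SearchString` as raw bytes rather than base64).

```python
import base64
import hmac
import json

# Constructed values for this example; in production generate a long random
# secret and keep it in Secrets Manager / Parameter Store.
HEADER_NAME = "x-origin-verify"
ACTIVE_SECRET = "7f3c9a1d2e4b6c8f0a1b2c3d4e5f6a7b"
PREVIOUS_SECRET = "0b9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c"


def header_match(header_name, secret):
    """ByteMatchStatement: the header must EXACTLY equal the secret.
    SearchString is base64 because that is the JSON/CLI API form."""
    return {
        "ByteMatchStatement": {
            "SearchString": base64.b64encode(secret.encode()).decode(),
            "FieldToMatch": {"SingleHeader": {"Name": header_name}},
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
            "PositionalConstraint": "EXACTLY",
        }
    }


def origin_verify_rule(header_name, secrets, priority=0):
    """Rule for the origin's (ALB / API Gateway) web ACL: block every request
    whose secret header matches none of the accepted values. Pass the old and
    new secret together while CloudFront is switched over, then drop the old."""
    if len(secrets) == 1:
        accepted = header_match(header_name, secrets[0])
    else:  # OrStatement needs at least two statements
        accepted = {"OrStatement": {"Statements": [header_match(header_name, s) for s in secrets]}}
    return {
        "Name": "OriginVerifyHeader",
        "Priority": priority,  # lowest Priority is evaluated first
        "Action": {"Block": {}},
        "Statement": {"NotStatement": {"Statement": accepted}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": "OriginVerifyHeader",
        },
    }


def cloudfront_custom_header(header_name, secret):
    """CustomHeaders block for the origin in a CloudFront DistributionConfig;
    CloudFront adds it to every request it forwards to that origin."""
    return {"Quantity": 1, "Items": [{"HeaderName": header_name, "HeaderValue": secret}]}


def _accepted(rule):
    """Recover (header name, accepted secrets) from the rule for the emulation."""
    inner = rule["Statement"]["NotStatement"]["Statement"]
    stmts = inner["OrStatement"]["Statements"] if "OrStatement" in inner else [inner]
    matches = [s["ByteMatchStatement"] for s in stmts]
    name = matches[0]["FieldToMatch"]["SingleHeader"]["Name"]
    return name, [base64.b64decode(m["SearchString"]).decode() for m in matches]


def evaluate(rule, request_headers):
    """Local emulation of this single rule (not the WAF engine): BLOCK unless
    the header is present and exactly equals an accepted value. Header names
    are compared case-insensitively, as HTTP and WAF do."""
    name, secrets = _accepted(rule)
    headers = {k.lower(): v for k, v in request_headers.items()}
    presented = headers.get(name.lower())
    if presented is None:
        return "BLOCK"
    if any(hmac.compare_digest(presented.encode(), s.encode()) for s in secrets):
        return "ALLOW"  # rule does not match; evaluation continues down the ACL
    return "BLOCK"


if __name__ == "__main__":
    rule = origin_verify_rule(HEADER_NAME, [ACTIVE_SECRET, PREVIOUS_SECRET])
    # Constructed requests: a direct hit on the origin, a guessed header value,
    # and two requests as CloudFront would send them during a rotation.
    probes = {
        "direct to origin, no header": {"host": "origin.example.com"},
        "guessed header value": {"X-Origin-Verify": "letmein"},
        "via CloudFront, current secret": {"X-Origin-Verify": ACTIVE_SECRET},
        "via CloudFront, previous secret": {"X-Origin-Verify": PREVIOUS_SECRET},
    }
    for label, hdrs in probes.items():
        print(f"{label:34} -> {evaluate(rule, hdrs)}")
    print(json.dumps(rule, indent=2))
```

The rule belongs at the lowest priority of the origin's web ACL so that no later rule (and no default action) can let a direct request through; the security-group restriction to the CloudFront prefix list is the second layer, since the header alone is only as strong as its secrecy.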

Getting Started with WAF

  • Leveraging pre-configured WAF protection packs in the CloudFront and WAF consoles
    • Includes managed rules for common security controls like rate limiting, bot mitigation, and known vulnerabilities
    • Allows quick deployment of a "good enough" baseline WAF policy
  • Customizing the pre-configured policies by enabling/disabling specific rules and tuning thresholds
  • Importance of enabling logging to CloudWatch for visibility and troubleshooting

Monitoring and Tuning WAF

  • Using the WAF dashboard to analyze traffic patterns, top threats, and rule hits
    • Ability to drill down into individual requests and filter by various attributes
  • Mitigating false positives by identifying the root cause and creating targeted exceptions
    • Disabling or switching rules to "count" mode to avoid blocking legitimate traffic
    • Adding custom rules to exempt specific URIs or parameters from blocking
  • Continuously tuning the WAF policy based on evolving traffic and attack patterns
    • Gradually adding new rules and controls rather than a "big bang" approach
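The monitoring-and-tuning loop above (find the rule hits, isolate the root cause of a false positive, create a targeted exception) as an added example in Python; it is not code from the talk. It parses constructed WAF log records in the newline-delimited JSON shape the logging destinations receive, ranks rule hits, flags blocking rules whose hits pile up on a single URI, and emits the `ManagedRuleGroupStatement` fragment for either a count-mode override or a URI scope-down. The log records, URIs and client IPs are constructed sample data; the rule-group IDs and rule names are those of the AWS managed rule groups.

```python
import base64
import json
from collections import Counter, defaultdict

CRS = "AWS#AWSManagedRulesCommonRuleSet"
SQLI = "AWS#AWSManagedRulesSQLiRuleSet"


def _rec(uri, action, group=None, rule=None, counted=(), ip="203.0.113.10"):
    """One constructed log record carrying only the fields the triage reads;
    real records have many more (timestamp, headers, labels, ...)."""
    groups = []
    if group:
        groups.append({
            "ruleGroupId": group,
            "terminatingRule": {"ruleId": rule, "action": action} if rule else None,
            "nonTerminatingMatchingRules": [{"ruleId": r, "action": "COUNT"} for r in counted],
        })
    return {
        "action": action,
        "terminatingRuleId": rule or "Default_Action",
        "ruleGroupList": groups,
        "httpRequest": {"clientIp": ip, "uri": uri},
    }


# Constructed sample: one rule blocking a single app endpoint repeatedly, one
# rule blocking scattered probes, and a count-mode rule reporting on /upload.
SAMPLE_LOG_LINES = "\n".join(json.dumps(r) for r in [
    *[_rec("/editor/save", "BLOCK", CRS, "CrossSiteScripting_BODY", ip=f"198.51.100.{i}") for i in range(1, 5)],
    _rec("/login", "BLOCK", SQLI, "SQLi_QUERYARGUMENTS"),
    _rec("/search", "BLOCK", SQLI, "SQLi_QUERYARGUMENTS"),
    _rec("/products", "BLOCK", SQLI, "SQLi_QUERYARGUMENTS"),
    _rec("/static/app.js", "ALLOW"),
    _rec("/upload", "ALLOW", CRS, counted=("SizeRestrictions_BODY",)),
    _rec("/upload", "ALLOW", CRS, counted=("SizeRestrictions_BODY",)),
])


def parse_waf_log(text):
    """WAF logs arrive as newline-delimited JSON in S3, Firehose and CloudWatch Logs."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def rule_hits(records):
    """Count (ruleGroupId, ruleId, action) for terminating hits and COUNT matches."""
    hits = Counter()
    for rec in records:
        for grp in rec.get("ruleGroupList", []):
            term = grp.get("terminatingRule")
            if term:
                hits[(grp["ruleGroupId"], term["ruleId"], term["action"])] += 1
            for m in grp.get("nonTerminatingMatchingRules", []):
                hits[(grp["ruleGroupId"], m["ruleId"], "COUNT")] += 1
    return hits


def false_positive_candidates(records, min_hits=3, uri_share=0.8):
    """Blocking rules whose hits concentrate on one URI. Scanners spray many
    paths; a single application endpoint absorbing most blocks usually means
    a legitimate feature (rich-text body, JSON payload) trips the rule.
    The result is a review list, not proof of a false positive."""
    by_rule = defaultdict(Counter)
    for rec in records:
        for grp in rec.get("ruleGroupList", []):
            term = grp.get("terminatingRule")
            if term and term["action"] == "BLOCK":
                by_rule[(grp["ruleGroupId"], term["ruleId"])][rec["httpRequest"]["uri"]] += 1
    out = []
    for (group, rule), uris in by_rule.items():
        total = sum(uris.values())
        uri, n = uris.most_common(1)[0]
        if total >= min_hits and n / total >= uri_share:
            out.append({"ruleGroup": group, "rule": rule, "uri": uri, "hits": n, "total": total})
    return out


def managed_group_with_exception(group_id, rule, uri_prefix, mode="count"):
    """ManagedRuleGroupStatement with the exception that fits:
    mode="count" keeps the rule reporting but stops it blocking anywhere;
    mode="scope_down" keeps the rule blocking but skips the whole group for
    requests whose path starts with uri_prefix."""
    vendor, name = group_id.split("#", 1)
    stmt = {"VendorName": vendor, "Name": name}
    if mode == "count":
        stmt["RuleActionOverrides"] = [{"Name": rule, "ActionToUse": {"Count": {}}}]
    elif mode == "scope_down":
        stmt["ScopeDownStatement"] = {"NotStatement": {"Statement": {"ByteMatchStatement": {
            "SearchString": base64.b64encode(uri_prefix.encode()).decode(),
            "FieldToMatch": {"UriPath": {}},
            "TextTransformations": [{"Priority": 0, "Type": "NORMALIZE_PATH"}],
            "PositionalConstraint": "STARTS_WITH",
        }}}}
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return {"ManagedRuleGroupStatement": stmt}


if __name__ == "__main__":
    records = parse_waf_log(SAMPLE_LOG_LINES)
    for key, n in rule_hits(records).most_common():
        print(n, *key)
    for c in false_positive_candidates(records):
        print("review:", c)
        print(json.dumps(managed_group_with_exception(c["ruleGroup"], c["rule"], c["uri"]), indent=2))
```

Both exceptions are blunt in their own way: the count override disables blocking for that rule on every path, and the scope-down removes the entire group from the prefix. The narrower pattern is to combine the count override with a custom block rule keyed on the label the counted rule still emits, with the one URI excluded from that rule; that keeps every other path fully protected.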

Optimizing WAF Cost and Performance

  • Ensuring the layer 7 anti-DDoS rule is first in the policy, so flood requests are dropped at no charge before the rest of the policy processes them
  • Using logging filters keyed on rule actions and labels to drop noisy entries (for example allowed requests that matched nothing) and reduce CloudWatch Logs costs
  • Exploring alternative logging destinations like Kinesis Data Firehose or S3 for high-volume traffic
  • Monitoring usage against any pre-paid WAF plan thresholds to avoid unexpected overages
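An added Python example (not code from the talk or from AWS) covering the logging setup from the Getting Started section and the two cost controls above: a check that the anti-DDoS managed rule group holds the lowest priority in a web ACL, a function that reorders it to the front, the `put_logging_configuration` payload with a label- and action-based logging filter, and a simplified local preview of what that filter keeps. The web ACL, ARNs and label name are constructed; the anti-DDoS rule group name is the one I understand AWS publishes and should be confirmed against the managed rule group list.

```python
import json

# Assumed name of the AWS anti-DDoS managed rule group; confirm against the
# AWS managed rule group documentation for your account/region.
ANTI_DDOS_RULE_GROUP = "AWSManagedRulesAntiDDoSRuleSet"


def _managed_group_name(rule):
    return rule.get("Statement", {}).get("ManagedRuleGroupStatement", {}).get("Name")


def ddos_rule_is_first(web_acl):
    """AWS WAF evaluates rules in ascending Priority. True when the anti-DDoS
    group carries the lowest Priority, so a request flood is dropped before
    the rest of the policy does any work on it."""
    rules = web_acl["Rules"]
    ddos = [r for r in rules if _managed_group_name(r) == ANTI_DDOS_RULE_GROUP]
    if not ddos:
        return False
    return ddos[0]["Priority"] == min(r["Priority"] for r in rules)


def reorder_ddos_first(web_acl):
    """Copy of the web ACL with the anti-DDoS group at Priority 0 and the
    remaining rules renumbered in their existing relative order."""
    ordered = sorted(web_acl["Rules"],
                     key=lambda r: (_managed_group_name(r) != ANTI_DDOS_RULE_GROUP, r["Priority"]))
    return {**web_acl, "Rules": [{**r, "Priority": i} for i, r in enumerate(ordered)]}


def logging_configuration(web_acl_arn, log_destination_arn, keep_labels=()):
    """Payload for wafv2 put_logging_configuration. Default DROP, then KEEP
    anything a rule acted on plus anything carrying a label of interest, so
    plain allowed traffic never reaches the per-GB-billed log destination.
    RedactedFields strips credentials from the stored copy."""
    conditions = [{"ActionCondition": {"Action": a}} for a in ("BLOCK", "COUNT", "CAPTCHA", "CHALLENGE")]
    conditions += [{"LabelNameCondition": {"LabelName": name}} for name in keep_labels]
    return {
        "ResourceArn": web_acl_arn,
        "LogDestinationConfigs": [log_destination_arn],
        "RedactedFields": [{"SingleHeader": {"Name": "cookie"}}, {"SingleHeader": {"Name": "authorization"}}],
        "LoggingFilter": {
            "DefaultBehavior": "DROP",
            "Filters": [{"Behavior": "KEEP", "Requirement": "MEETS_ANY", "Conditions": conditions}],
        },
    }


def log_kept(config, record):
    """Simplified emulation of the logging filter (terminating action and
    labels only) to preview what a filter keeps before deploying it."""
    lf = config["LoggingFilter"]
    labels = {lbl["name"] for lbl in record.get("labels", [])}
    for f in lf["Filters"]:
        outcomes = []
        for c in f["Conditions"]:
            if "ActionCondition" in c:
                outcomes.append(record["action"] == c["ActionCondition"]["Action"])
            else:
                outcomes.append(c["LabelNameCondition"]["LabelName"] in labels)
        if (any if f["Requirement"] == "MEETS_ANY" else all)(outcomes):
            return f["Behavior"] == "KEEP"
    return lf["DefaultBehavior"] == "KEEP"


# Constructed web ACL with the anti-DDoS group wrongly placed after the rate
# limit (Action / VisibilityConfig omitted to keep the sample short).
SAMPLE_WEB_ACL = {"Name": "edge-acl", "Rules": [
    {"Name": "RateLimit", "Priority": 0,
     "Statement": {"RateBasedStatement": {"Limit": 2000, "AggregateKeyType": "IP"}}},
    {"Name": "AntiDDoS", "Priority": 1,
     "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": ANTI_DDOS_RULE_GROUP}}},
    {"Name": "CommonRuleSet", "Priority": 2,
     "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}}},
]}

if __name__ == "__main__":
    print("anti-DDoS first:", ddos_rule_is_first(SAMPLE_WEB_ACL))
    fixed = reorder_ddos_first(SAMPLE_WEB_ACL)
    print([(r["Priority"], r["Name"]) for r in fixed["Rules"]])
    cfg = logging_configuration("arn:aws:wafv2:PLACEHOLDER",  # constructed placeholder ARNs
                                "arn:aws:logs:PLACEHOLDER:log-group:aws-waf-logs-edge",
                                keep_labels=["awswaf:managed:aws:bot-control:bot:verified"])
    print(json.dumps(cfg["LoggingFilter"], indent=2))
    for rec in ({"action": "ALLOW"}, {"action": "BLOCK"},
                {"action": "ALLOW", "labels": [{"name": "awswaf:managed:aws:bot-control:bot:verified"}]}):
        print(rec, "->", "keep" if log_kept(cfg, rec) else "drop")
```

Run the ordering check in CI against the web ACL definition in your infrastructure-as-code before every deploy; a rule added with a lower priority than the anti-DDoS group is the kind of drift that only shows up in the bill. The filter preview is deliberately narrower than the real service (it ignores non-terminating count matches), so sanity-check the kept volume against the WAF dashboard after the change.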

Evolving WAF Capabilities

  • Enhancing bot mitigation with the latest bot control features
    • Identifying and allowing good bots (search engines, health checks)
    • Detecting and blocking sophisticated targeted bots
    • Leveraging Web Bot Auth (cryptographically signed bot requests) to verify and allow legitimate AI-driven agents
  • Utilizing the new layer 7 DDoS mitigation rule to automatically protect against HTTP request floods
  • Continuously adding custom and managed rules to address evolving attack patterns
    • Tracking traffic changes and rule hit patterns to identify gaps
    • Balancing security coverage with manageability of the WAF policy

Real-World WAF Journey at HSBC

  • Challenges of protecting a large, diverse, and highly-regulated banking application landscape
    • Operating across multiple cloud providers to meet data residency requirements
    • Securing hundreds of CloudFront distributions and load balancers
    • Handling billions of requests per month and constant attacks
  • Adopting a serverless, edge-based WAF architecture using CloudFront and Lambda@Edge
    • Abstracting security away from application teams to focus on core capabilities
    • Overcoming logging and scaling challenges during DDoS attacks
  • Lessons learned:
    • Continuously evolve WAF policies to stay ahead of attackers
    • Leverage WAF automation and APIs for better change management
    • Collaborate closely with AWS teams to access the latest features and previews

Key Takeaways

  • WAF is an ongoing effort, not a one-time deployment
  • Leverage pre-configured WAF policies as a starting point, then gradually customize
  • Use labels extensively to enhance visibility, cost control, and policy management
  • Automate WAF configuration management using infrastructure as code principles
  • Collaborate with AWS teams to stay ahead of the evolving threat landscape
