
AWS WAF for web application firewall - Commands & Configuration

Introduction
Web applications can be attacked by bad traffic that tries to break them or steal data. AWS WAF helps protect your web apps by blocking harmful traffic before it reaches your servers.
When you want to block common attacks like SQL injection or cross-site scripting on your website.
When you need to control which IP addresses can access your web application.
When you want to monitor and log web traffic to detect suspicious activity.
When you want to protect your app from bots or automated attacks.
When you want to set rules that allow or block traffic based on specific patterns.
Config File - waf-web-acl.json
{
  "Name": "example-web-acl",
  "Scope": "REGIONAL",
  "DefaultAction": { "Allow": {} },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "exampleWebACL"
  },
  "Rules": [
    {
      "Name": "BlockSQLInjection",
      "Priority": 1,
      "Statement": {
        "SqliMatchStatement": {
          "FieldToMatch": { "UriPath": {} },
          "TextTransformations": [
            { "Priority": 0, "Type": "URL_DECODE" }
          ]
        }
      },
      "Action": { "Block": {} },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "blockSQLInjection"
      }
    }
  ]
}

This JSON file defines a Web ACL (web access control list) named example-web-acl for regional resources such as an Application Load Balancer.

The DefaultAction allows all traffic unless blocked by rules.

The Rules section includes one rule that blocks requests whose URL path (the FieldToMatch) contains SQL injection patterns after URL decoding; this rule does not inspect the query string, headers, or body.

VisibilityConfig enables CloudWatch metrics and request sampling for the ACL and for each of its rules, so you can monitor what they match.

Commands
This command creates the Web ACL in AWS WAF using the JSON configuration file. It sets up the firewall rules to protect your web app.
Terminal
aws wafv2 create-web-acl --cli-input-json file://waf-web-acl.json
Expected Output
{ "Summary": { "Name": "example-web-acl", "Id": "12345678-1234-1234-1234-123456789012", "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/example-web-acl/12345678-1234-1234-1234-123456789012" } }
--cli-input-json - Specifies the JSON file with the Web ACL configuration
This command lists all Web ACLs in the regional scope to verify that your Web ACL was created successfully.
Terminal
aws wafv2 list-web-acls --scope REGIONAL
Expected Output
{ "WebACLs": [ { "Name": "example-web-acl", "Id": "12345678-1234-1234-1234-123456789012" } ] }
--scope - Specifies the scope of the Web ACLs to list (REGIONAL for ALB, CLOUDFRONT for global)
This command retrieves details of the Web ACL to check its rules and settings.
Terminal
aws wafv2 get-web-acl --name example-web-acl --scope REGIONAL --id 12345678-1234-1234-1234-123456789012
Expected Output
{ "WebACL": { "Name": "example-web-acl", "Id": "12345678-1234-1234-1234-123456789012", "DefaultAction": { "Allow": {} }, "Rules": [ { "Name": "BlockSQLInjection", "Priority": 1, "Action": { "Block": {} } } ] } }
--name - Specifies the name of the Web ACL
--scope - Specifies the scope of the Web ACL
--id - Specifies the ID of the Web ACL
Key Concept

If you remember nothing else from this pattern, remember: AWS WAF lets you create rules that block bad web traffic before it reaches your app.

Common Mistakes
Using the wrong scope value when creating or listing Web ACLs.
AWS WAF has two scopes: REGIONAL for resources like Application Load Balancers and CLOUDFRONT for global CloudFront distributions. Using the wrong scope causes commands to fail or not find your Web ACL.
Always use --scope REGIONAL for ALB and --scope CLOUDFRONT for CloudFront when creating, listing, or getting Web ACLs.
Not enabling visibility configuration in the Web ACL JSON.
Without visibility settings you get no CloudWatch metrics or sampled requests for the traffic that matches your rules, making it hard to know whether your firewall is working.
Always include VisibilityConfig with SampledRequestsEnabled and CloudWatchMetricsEnabled set to true.
Forgetting to specify the correct Web ACL ID when retrieving or updating it.
The ID uniquely identifies the Web ACL. Without it, AWS CLI commands will fail or target the wrong resource.
Use the ID returned when you create the Web ACL or list existing Web ACLs.
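As an added example (not from the page or the AWS CLI), a Python pre-flight check that runs the Common Mistakes above against waf-web-acl.json before it is passed to aws wafv2 create-web-acl. It also flags duplicate rule priorities and the us-east-1 requirement for CLOUDFRONT scope, both documented AWS constraints; the sample ACL is constructed inline from the page's config.

```python
# Added example (not page or AWS CLI code): lint a WAFv2 Web ACL JSON for the
# page's common mistakes before `aws wafv2 create-web-acl --cli-input-json`.
import json

VALID_SCOPES = {"REGIONAL", "CLOUDFRONT"}

def check_visibility(cfg, where):
    """Findings for one VisibilityConfig block, or for its absence."""
    vis = cfg.get("VisibilityConfig")
    if vis is None:
        return [f"{where}: VisibilityConfig is missing"]
    return [f"{where}: VisibilityConfig.{f} should be true"
            for f in ("SampledRequestsEnabled", "CloudWatchMetricsEnabled")
            if vis.get(f) is not True]

def lint_web_acl(acl, region=None):
    """Return a list of findings; an empty list means the ACL passes."""
    findings = []
    scope = acl.get("Scope")
    if scope not in VALID_SCOPES:  # enum is case-sensitive: "regional" fails
        findings.append(f"Scope must be REGIONAL or CLOUDFRONT, got {scope!r}")
    elif scope == "CLOUDFRONT" and region not in (None, "us-east-1"):
        findings.append("Scope CLOUDFRONT must be called with --region us-east-1")
    findings += check_visibility(acl, "WebACL")
    seen = {}  # priority -> rule name; priorities must be unique in a Web ACL
    for rule in acl.get("Rules", []):
        name, prio = rule.get("Name", "<unnamed>"), rule.get("Priority")
        if prio in seen:
            findings.append(f"rule {name}: priority {prio} already used by {seen[prio]}")
        seen[prio] = name
        findings += check_visibility(rule, f"rule {name}")
    return findings

# Constructed sample: the page's example-web-acl as a compact JSON string.
GOOD_ACL = json.loads('''{"Name": "example-web-acl", "Scope": "REGIONAL",
 "DefaultAction": {"Allow": {}}, "VisibilityConfig": {"SampledRequestsEnabled":
 true, "CloudWatchMetricsEnabled": true, "MetricName": "exampleWebACL"},
 "Rules": [{"Name": "BlockSQLInjection", "Priority": 1, "Action": {"Block": {}},
 "Statement": {"SqliMatchStatement": {"FieldToMatch": {"UriPath": {}},
 "TextTransformations": [{"Priority": 0, "Type": "URL_DECODE"}]}},
 "VisibilityConfig": {"SampledRequestsEnabled": true,
 "CloudWatchMetricsEnabled": true, "MetricName": "blockSQLInjection"}}]}''')

def broken_copy():
    """The same ACL with two of the page's common mistakes introduced."""
    acl = json.loads(json.dumps(GOOD_ACL))
    acl["Scope"] = "regional"               # wrong scope value
    del acl["Rules"][0]["VisibilityConfig"]  # rule cannot be monitored
    return acl
```

Load your own file with json.load and abort the create step when lint_web_acl returns a non-empty list.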
Summary
Create a Web ACL using a JSON file that defines rules to block harmful web traffic.
Use AWS CLI commands to create, list, and get details of your Web ACL to verify it is set up correctly.
Remember to use the correct scope and enable visibility to monitor your firewall's activity.