• As mentioned above, WAF operates as a Layer 7 firewall. This lets it inspect granular web-level request attributes such as URL query string parameters. That level of detail helps to detect both malicious activity and honest mistakes in the requests being passed on to your AWS environment.
    • With WAF, you can set conditions such as which IP addresses are allowed to make what kind of requests or access what kind of content.
    • Based on these conditions, the corresponding endpoint will either allow the request by serving the requested content or return an HTTP 403 Forbidden status.
    • Request characteristics that can be used to limit access:
      • The IP address that a request originates from
      • The country that a request originates from
      • Any strings that appear in the request (either specific strings or strings that match a regex pattern)
      • The length of the request
      • Any presence of SQL code (likely a SQL injection attempt)
      • Any presence of a script (likely a cross-site scripting attempt)
    • You can also use network ACLs (NACLs) to block malicious IP addresses, prevent SQL injections / XSS, and block requests from specific countries. However, it is good practice to layer the two for defense in depth.
    • Denying or blocking malicious requests at the WAF level has the added advantage of stopping them at the outermost border of your AWS ecosystem.
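As an added example (not from the original notes), the following Python builds a WAFv2 web ACL definition in the shape boto3's `create_web_acl` accepts, with one rule per request characteristic listed above. The IP set ARN, the country code, the rule names and the size threshold are placeholders chosen for illustration.

```python
"""Build an AWS WAFv2 web ACL expressing the request conditions listed above.

Rules are evaluated in ascending Priority; the first matching Block rule
terminates evaluation and WAF returns HTTP 403. Anything unmatched falls
through to DefaultAction (Allow here), so the content is served.
"""

def _visibility(metric_name):
    # Every rule and the ACL itself must carry a VisibilityConfig for metrics.
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}

def _rule(name, priority, statement, action="Block"):
    return {"Name": name, "Priority": priority, "Statement": statement,
            "Action": {action: {}}, "VisibilityConfig": _visibility(name)}

# URL-decode the field before matching so percent-encoding cannot hide a pattern.
_DECODE = [{"Priority": 0, "Type": "URL_DECODE"}]
_QUERY = {"QueryString": {}}

def build_web_acl(name, ip_set_arn, blocked_countries, max_body_bytes=8192):
    rules = [
        # Source IP: references an IP set created separately (ARN is a placeholder).
        _rule("block-bad-ips", 0, {"IPSetReferenceStatement": {"ARN": ip_set_arn}}),
        # Source country, as ISO 3166-1 alpha-2 codes.
        _rule("block-countries", 1, {"GeoMatchStatement": {"CountryCodes": blocked_countries}}),
        # Regex on the URI path: directory-traversal sequences (illustrative pattern).
        _rule("block-traversal", 2, {"RegexMatchStatement": {
            "RegexString": r"\.\.[/\\]", "FieldToMatch": {"UriPath": {}},
            "TextTransformations": _DECODE}}),
        # Request length: bodies larger than max_body_bytes.
        _rule("block-oversized-body", 3, {"SizeConstraintStatement": {
            "FieldToMatch": {"Body": {}}, "ComparisonOperator": "GT",
            "Size": max_body_bytes,
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}}),
        # Built-in SQL injection and cross-site scripting detectors on the query string.
        _rule("block-sqli", 4, {"SqliMatchStatement": {
            "FieldToMatch": _QUERY, "TextTransformations": _DECODE}}),
        _rule("block-xss", 5, {"XssMatchStatement": {
            "FieldToMatch": _QUERY, "TextTransformations": _DECODE}}),
    ]
    return {"Name": name, "Scope": "REGIONAL", "DefaultAction": {"Allow": {}},
            "Rules": rules, "VisibilityConfig": _visibility(name)}

if __name__ == "__main__":
    import json
    acl = build_web_acl("example-acl",
                        "arn:aws:wafv2:REGION:ACCOUNT:regional/ipset/PLACEHOLDER/ID",
                        ["XX"])  # placeholder country code
    print(json.dumps(acl, indent=2))  # deploy with boto3.client("wafv2").create_web_acl(**acl)
```

Switch `"Scope"` to `"CLOUDFRONT"` (and call the API in us-east-1) when the ACL fronts a CloudFront distribution rather than a regional resource such as an ALB or API Gateway.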