
AWS WAF Best Practices

As of July 2025, AWS WAF released a new console experience which renamed web ACLs to protection packs. APIs, ARNs, and CLI commands still use the term web_acl/webacl, as does the legacy console. This was a UI and documentation change only — the terms are interchangeable. The only distinction is that the new console introduces concepts that are exclusive to the new UI and only refer to protection packs.

Future Content Updates in progress

We are actively working to revamp the AWS WAF best practices. Most of the content has been updated, but we are still working on several sections. Content that is incomplete or not yet updated has been marked as such.

Introduction

Welcome to the AWS WAF Best Practices Guide. The purpose of this guide is to provide prescriptive guidance for deploying, configuring, and managing AWS WAF to protect your web applications and APIs. Publishing this guidance via GitHub allows for quick iterations, so that recommendations can keep pace with service enhancements as well as feedback from the user community. This guide is designed to provide value whether you are deploying AWS WAF for the first time on a single resource, or looking for ways to optimize AWS WAF in an existing multi-account deployment managed by AWS Firewall Manager.

How to use this guide

This guide is geared towards security practitioners, solutions architects, and application teams who are responsible for protecting web applications and APIs from common web exploits, bot traffic, and Layer 7 DDoS. The best practices are organized into focused sections for easier consumption. Each section includes a set of corresponding best practices that begin with a brief overview, followed by detailed guidance for implementing the recommendations. The topics do not need to be read in a particular order.

What is AWS WAF?

AWS WAF is a web application firewall that lets you monitor and control the HTTP(S) requests that are forwarded to your protected web application resources. You can protect Amazon CloudFront distributions, Amazon API Gateway REST APIs, Application Load Balancers, AWS AppSync GraphQL APIs, Amazon Cognito user pools, AWS App Runner services, AWS Verified Access instances, and AWS Amplify applications. AWS WAF lets you create rules that can block, allow, count, or apply CAPTCHA and Challenge actions to web requests based on conditions that you specify, such as IP addresses, HTTP headers, HTTP body, URI strings, SQL injection, and cross-site scripting. For more information, see What is AWS WAF? in the AWS WAF Developer Guide.

What are the benefits of enabling AWS WAF?

AWS WAF gives you control over how traffic reaches your applications by enabling you to create security rules that block common attack patterns and filter out specific traffic patterns you define. Key benefits include:

  • Protection against common web exploits such as SQL injection and cross-site scripting (XSS) using AWS Managed Rules maintained by AWS, without needing to write and maintain rules yourself.
  • Flexible custom rules that let you define application-specific conditions to allow, block, count, or challenge requests based on IP addresses, HTTP headers, request body, URI paths, geographic origin, and more.
  • Rule labels that let you use signals from AWS Managed Rules and other rule groups to customize how protection is applied — for example, switching a managed rule to Count mode and writing a custom rule that uses the label to block with additional conditions, enabling fine-grained false positive handling without losing protection.
  • Rate-based rules that automatically block request floods from individual clients, protecting against volumetric attacks and reducing the impact of DDoS events.
  • Application layer DDoS protection through the Anti-DDoS managed rule group (AWSManagedRulesAntiDDoSRuleSet) that automatically detects and mitigates layer 7 DDoS attacks within seconds using machine learning-based anomaly detection. This is available to all AWS WAF customers, with an advanced tier included for AWS Shield Advanced subscribers.
  • Bot management capabilities through Bot Control that detect and manage bot traffic ranging from self-identifying crawlers to sophisticated automated threats, including AI bots and Web Bot Authentication (WBA) for detecting headless browsers and automation frameworks.
  • Fraud prevention through Account Takeover Prevention (ATP) and Account Creation Fraud Prevention (ACFP) managed rule groups that detect and block credential stuffing, stolen credential usage, and fraudulent account creation attempts.
  • Guided setup and preconfigured protection packs that reduce configuration complexity, with continuous security recommendations based on real-time traffic analysis.
  • Centralized WAF policy management across your AWS Organization using AWS Firewall Manager.
  • Real-time visibility into web traffic through CloudWatch metrics and detailed WAF logs that can be analyzed with CloudWatch Logs Insights, Amazon Athena, or Amazon QuickSight.
  • Pay only for what you use with no upfront commitments. Pricing is based on the number of protection packs, rules, and requests inspected. See AWS WAF Pricing for details.
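The rule-label pattern and the rate-based rule described above, as an added example that is not part of this guide: the `Rules` array of a web ACL (protection pack) in the JSON shape accepted by the `wafv2` API and CLI. The first rule attaches the Common Rule Set and overrides its `SizeRestrictions_BODY` rule to Count, so that rule now only emits its label instead of blocking. The second rule consumes that label and blocks, but only for requests whose path is not under `/api/upload`, which is the assumed, application-specific exception that justifies the override. The third rule is a plain rate-based block per source IP. The path `/api/upload`, the rule names, the metric names, and the limit of 2000 requests per evaluation window are constructed values for illustration; the label key follows the documented `awswaf:managed:aws:core-rule-set:<rule name>` convention and should be checked against the managed rule group's label list before use.

```json
[
  {
    "Name": "managed-common-rule-set",
    "Priority": 0,
    "Statement": {
      "ManagedRuleGroupStatement": {
        "VendorName": "AWS",
        "Name": "AWSManagedRulesCommonRuleSet",
        "RuleActionOverrides": [
          {
            "Name": "SizeRestrictions_BODY",
            "ActionToUse": { "Count": {} }
          }
        ]
      }
    },
    "OverrideAction": { "None": {} },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "managed-common-rule-set"
    }
  },
  {
    "Name": "block-oversize-body-except-upload",
    "Priority": 1,
    "Action": { "Block": {} },
    "Statement": {
      "AndStatement": {
        "Statements": [
          {
            "LabelMatchStatement": {
              "Scope": "LABEL",
              "Key": "awswaf:managed:aws:core-rule-set:SizeRestrictions_Body"
            }
          },
          {
            "NotStatement": {
              "Statement": {
                "ByteMatchStatement": {
                  "FieldToMatch": { "UriPath": {} },
                  "PositionalConstraint": "STARTS_WITH",
                  "SearchString": "/api/upload",
                  "TextTransformations": [
                    { "Priority": 0, "Type": "LOWERCASE" }
                  ]
                }
              }
            }
          }
        ]
      }
    },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "block-oversize-body-except-upload"
    }
  },
  {
    "Name": "rate-limit-per-ip",
    "Priority": 2,
    "Action": { "Block": {} },
    "Statement": {
      "RateBasedStatement": {
        "Limit": 2000,
        "AggregateKeyType": "IP"
      }
    },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "rate-limit-per-ip"
    }
  }
]
```

Two details matter when applying this pattern. The label-consuming rule must have a numerically higher `Priority` than the managed rule group, because labels are only visible to rules evaluated after the rule that added them; with the order reversed the custom rule never matches. And because the managed rule is now in Count, its `SizeRestrictions_Body` label also appears on requests to `/api/upload` in the WAF logs and in the `ruleGroupList` of sampled requests, which is the signal to watch when confirming that the exception is as narrow as intended.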

Guide Sections