WAF (Web Application Firewall)
Quick Reference
# List WebACLs (note the Id; get-web-acl needs it together with the Name)
aws wafv2 list-web-acls --scope REGIONAL --query 'WebACLs[].[Name,Id]' --output table
# Get WebACL details
aws wafv2 get-web-acl --name staging-MonolithWebACL --scope REGIONAL --id {id}
# Get sampled requests (recent blocked/allowed) for one rule, last hour.
# --rule-metric-name is the rule's CloudWatch metric name (IPRateLimitRule, APIKeyRateLimitRule, ...).
# `date -v-1H` is BSD/macOS date; on GNU coreutils use `date -d '1 hour ago' +%s` instead.
aws wafv2 get-sampled-requests --web-acl-arn {arn} --rule-metric-name IPRateLimitRule \
--scope REGIONAL --time-window StartTime=$(date -v-1H +%s),EndTime=$(date +%s) --max-items 10
WebACLs
Both the Console API Gateway and the Controller ALB have WAF WebACLs attached.
Rules (Priority Order)
| Priority | Rule | Type | Action | Threshold |
|---|---|---|---|---|
| 0 | IPRateLimitRule | Rate-based | Block (429) | 2000 req/5min per IP |
| 1 | APIKeyRateLimitRule | Rate-based | Block (429) | 2000 req/5min per X-API-Key |
| 2 | AWSManagedRulesBotControlRuleSet | Managed | Monitor | Bot detection (HttpLibrary, SocialMedia, Monitoring allowed) |
| 3-7 | AWS Managed Rules | Managed | Monitor | Linux, KnownBadInputs, Common, Unix, SQLi |
What to Look For
| Symptom | Check |
|---|---|
| Legitimate traffic blocked | Check sampled requests for the rate limit rules |
| Bot traffic spike | Check BotControl rule metrics in CloudWatch |
| Attack patterns | Check KnownBadInputs and SQLi rule match counts |
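The "legitimate traffic blocked" check above boils down to reading the JSON that the `get-sampled-requests` command in the quick reference prints and seeing which client IPs were blocked, how often, and on which paths. The script below is an added example, not part of this runbook or of the AWS CLI: it takes that JSON (the embedded `SAMPLE` is a constructed payload in the same shape, not real traffic) and groups the samples by action, client IP, URI and User-Agent. It weights each sample by its `Weight` field, since one sampled request stands for roughly that many real requests in the window.

```python
"""Triage helper for `aws wafv2 get-sampled-requests` output (added example, not runbook code).

Usage:
    aws wafv2 get-sampled-requests ... --max-items 100 --output json > sampled.json
    python3 waf_triage.py sampled.json        # or with no argument to use the embedded SAMPLE

A burst of BLOCKs from a single IP on one API path is the rate limit doing its job
(or a misbehaving integration to contact); BLOCKs spread across many IPs and paths
are the signal to look at the managed rule match counts instead.
"""
import json
import sys
from collections import Counter, defaultdict

# Constructed sample payload in the shape get-sampled-requests returns. Not real traffic.
SAMPLE = {
    "SampledRequests": [
        {"Request": {"ClientIP": "203.0.113.10", "Country": "US", "URI": "/api/v1/jobs", "Method": "GET",
                     "HTTPVersion": "HTTP/1.1", "Headers": [{"Name": "User-Agent", "Value": "python-requests/2.31"}]},
         "Weight": 3, "Timestamp": "2024-01-01T00:00:00Z", "Action": "BLOCK"},
        {"Request": {"ClientIP": "203.0.113.10", "Country": "US", "URI": "/api/v1/jobs/status", "Method": "GET",
                     "HTTPVersion": "HTTP/1.1", "Headers": [{"Name": "user-agent", "Value": "python-requests/2.31"}]},
         "Weight": 2, "Timestamp": "2024-01-01T00:00:05Z", "Action": "BLOCK"},
        {"Request": {"ClientIP": "192.0.2.44", "Country": "DE", "URI": "/api/v1/login", "Method": "POST",
                     "HTTPVersion": "HTTP/1.1", "Headers": [{"Name": "User-Agent", "Value": "Mozilla/5.0"}]},
         "Weight": 1, "Timestamp": "2024-01-01T00:01:00Z", "Action": "BLOCK"},
        {"Request": {"ClientIP": "198.51.100.7", "Country": "US", "URI": "/healthz", "Method": "GET",
                     "HTTPVersion": "HTTP/1.1", "Headers": [{"Name": "User-Agent", "Value": "kube-probe/1.29"}]},
         "Weight": 2, "Timestamp": "2024-01-01T00:02:00Z", "Action": "ALLOW"},
        {"Request": {"ClientIP": "198.51.100.7", "Country": "US", "URI": "/api/v1/jobs", "Method": "GET",
                     "HTTPVersion": "HTTP/1.1", "Headers": [{"Name": "User-Agent", "Value": "Mozilla/5.0"}]},
         "Weight": 1, "Timestamp": "2024-01-01T00:03:00Z", "Action": "COUNT"},
    ],
    "PopulationSize": 9,
    "TimeWindow": {"StartTime": "2024-01-01T00:00:00Z", "EndTime": "2024-01-01T01:00:00Z"},
}


def header(request, name):
    """Case-insensitive lookup of one header value in a sampled request (None if absent)."""
    for h in request.get("Headers", []):
        if h.get("Name", "").lower() == name.lower():
            return h.get("Value")
    return None


def summarize(payload):
    """Return (per_action, per_ip, per_ip_uri): weighted counters keyed by action,
    by client IP -> action, and by client IP -> URI."""
    per_action = Counter()
    per_ip = defaultdict(Counter)
    per_ip_uri = defaultdict(Counter)
    for entry in payload.get("SampledRequests", []):
        req = entry.get("Request", {})
        ip = req.get("ClientIP", "?")
        action = entry.get("Action", "?")
        weight = entry.get("Weight", 1)
        per_action[action] += weight
        per_ip[ip][action] += weight
        per_ip_uri[ip][req.get("URI", "?")] += weight
    return per_action, per_ip, per_ip_uri


def blocked_ips(payload, min_blocked=1):
    """Client IPs with at least min_blocked weighted BLOCKs, most-blocked first."""
    _, per_ip, _ = summarize(payload)
    ranked = [(ip, c["BLOCK"]) for ip, c in per_ip.items() if c["BLOCK"] >= min_blocked]
    return sorted(ranked, key=lambda t: (-t[1], t[0]))


def user_agents(payload, ip):
    """Sorted distinct User-Agent values seen from one client IP (helps tell a script from a browser)."""
    agents = {header(e.get("Request", {}), "User-Agent") or "-"
              for e in payload.get("SampledRequests", []) if e.get("Request", {}).get("ClientIP") == ip}
    return sorted(agents)


def report(payload):
    """Human-readable summary; returned as a string so it can be tested or piped."""
    per_action, _, per_ip_uri = summarize(payload)
    lines = ["population size: %s" % payload.get("PopulationSize", "?"),
             "weighted actions: " + ", ".join("%s=%d" % kv for kv in sorted(per_action.items()))]
    for ip, blocked in blocked_ips(payload):
        top_uri, top_n = per_ip_uri[ip].most_common(1)[0]
        lines.append("BLOCK %3d  %-15s top URI %s (%d)  UA %s"
                     % (blocked, ip, top_uri, top_n, "; ".join(user_agents(payload, ip))))
    return "\n".join(lines)


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            payload = json.load(fh)
    else:
        payload = SAMPLE
    print(report(payload))


if __name__ == "__main__":
    main(sys.argv)
```

Because the sample is taken per `--rule-metric-name`, every row already belongs to the rule you asked for; rerun with `APIKeyRateLimitRule` to see the per-key limit separately, and raise `--max-items` (the CLI caps it at 500) when the window is busy, since a sample of 10 will miss low-volume clients.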