How Amazon WAF works - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

How Amazon WAF works

You use Amazon WAF to control how your protected resources respond to HTTP(S) web requests. You do this by defining a web access control list (ACL) and then associating it with one or more web application resources that you want to protect. The associated resources forward incoming requests to Amazon WAF for inspection by the web ACL.

In your web ACL, you create rules to define traffic patterns to look for in requests and to specify the actions to take on matching requests. The action choices include the following:

  • Allow the requests to go to the protected resource for processing and response.

  • Block the requests.

  • Count the requests.

  • Run CAPTCHA or challenge checks against requests to verify human users and standard browser use.

Amazon WAF components

The following are the central components of Amazon WAF:

  • Web ACLs – You use a web access control list (ACL) to protect a set of Amazon resources. You create a web ACL and define its protection strategy by adding rules. Rules define criteria for inspecting web requests and they specify the action to take on requests that match their criteria. You also set a default action for the web ACL that indicates whether to block or allow any requests that the rules haven't already blocked or allowed. Allow and Block end inspection of a request; Count does not, so a counted request continues through the remaining rules and, if nothing else allows or blocks it, receives the default action. For more information about web ACLs, see Using web ACLs in Amazon WAF.

    A web ACL is an Amazon WAF resource.

  • Rules – Each rule contains a statement that defines the inspection criteria, and an action to take if a web request meets the criteria. When a web request meets the criteria, that's a match. You can configure rules to block matching requests, allow them through, count them, or run bot controls against them that use CAPTCHA puzzles or silent client browser challenges. For more information about rules, see Amazon WAF rules.

    A rule is not an Amazon WAF resource. It only exists in the context of a web ACL or rule group.

  • Rule groups – You can define rules directly inside a web ACL or in reusable rule groups. Amazon Managed Rules and Amazon Web Services Marketplace sellers provide managed rule groups for your use. You can also define your own rule groups. For more information about rule groups, see Amazon WAF rule groups.

    A rule group is an Amazon WAF resource.

  • Web ACL capacity units (WCUs) – Amazon WAF uses WCUs to calculate and control the operating resources that are required to run your rules, rule groups, and web ACLs. Each rule statement consumes a number of WCUs that depends on its type and configuration, a rule group declares a fixed capacity when you create it, and a web ACL has a maximum capacity (1,500 WCUs by default) that the combined cost of its rules and rule groups cannot exceed.

    A WCU is not an Amazon WAF resource. It only exists in the context of a web ACL, rule, or rule group.
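The following is an added example, not code from this documentation or from Amazon WAF itself. It builds a web ACL definition in the shape the wafv2 CreateWebACL API accepts (a managed rule group reference, a rate-based rule, and a byte-match rule with a CAPTCHA action, plus the default action) and checks it offline for the structural mistakes the API rejects. The web ACL name, metric names, the `/login` path and the 1000-request rate limit are illustrative assumptions; the managed rule group name `AWSManagedRulesCommonRuleSet` is the standard Amazon Managed Rules common rule set.

```python
"""Build and sanity-check a wafv2 web ACL definition offline (added example)."""
import json

# Action keys a rule may carry. Rules that reference a rule group (managed or your own)
# must use OverrideAction (None or Count) instead of Action.
RULE_ACTIONS = {"Allow", "Block", "Count", "Captcha", "Challenge"}
OVERRIDE_ACTIONS = {"None", "Count"}
GROUP_STATEMENTS = {"ManagedRuleGroupStatement", "RuleGroupReferenceStatement"}


def visibility(metric_name):
    """Every rule and the web ACL itself need a VisibilityConfig for metrics and sampling."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}


def example_web_acl():
    """Web ACL definition; all names, paths and thresholds here are assumptions."""
    return {
        "Name": "example-web-acl",          # hypothetical name
        "Scope": "REGIONAL",                # REGIONAL for ALB/API Gateway, CLOUDFRONT for distributions
        "Description": "Managed rules in count mode, IP rate limit, CAPTCHA on login",
        "DefaultAction": {"Allow": {}},     # applied to requests no rule allowed or blocked
        "VisibilityConfig": visibility("exampleWebAcl"),
        "Rules": [
            {   # Managed rule group, evaluated first; Count override while tuning.
                "Name": "managed-common", "Priority": 0,
                "Statement": {"ManagedRuleGroupStatement": {
                    "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}},
                "OverrideAction": {"Count": {}},
                "VisibilityConfig": visibility("managedCommon"),
            },
            {   # Rate-based rule: block any source IP above 1000 requests per 5 minutes.
                "Name": "rate-limit", "Priority": 1,
                "Statement": {"RateBasedStatement": {"Limit": 1000, "AggregateKeyType": "IP"}},
                "Action": {"Block": {}},
                "VisibilityConfig": visibility("rateLimit"),
            },
            {   # Byte-match rule: CAPTCHA on the (hypothetical) login path.
                "Name": "captcha-login", "Priority": 2,
                "Statement": {"ByteMatchStatement": {
                    "FieldToMatch": {"UriPath": {}},
                    "PositionalConstraint": "STARTS_WITH",
                    "SearchString": "/login",
                    "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}]}},
                "Action": {"Captcha": {}},
                "VisibilityConfig": visibility("captchaLogin"),
            },
        ],
    }


def misconfigured_example():
    """Same web ACL, but the rule group reference wrongly carries Action instead of OverrideAction."""
    acl = example_web_acl()
    acl["Rules"][0].pop("OverrideAction")
    acl["Rules"][0]["Action"] = {"Block": {}}
    return acl


def validate_web_acl(acl):
    """Return structural problems the wafv2 API would reject; an empty list means none found."""
    problems = []
    if set(acl.get("DefaultAction", {})) not in ({"Allow"}, {"Block"}):
        problems.append("DefaultAction must be exactly one of Allow or Block")
    seen = set()
    for rule in acl.get("Rules", []):
        name, prio = rule.get("Name", "<unnamed>"), rule.get("Priority")
        if prio in seen:
            problems.append(f"{name}: duplicate Priority {prio}")
        seen.add(prio)
        stmt_keys = set(rule.get("Statement", {}))
        if len(stmt_keys) != 1:
            problems.append(f"{name}: rule needs exactly one statement")
        action, override = set(rule.get("Action", {})), set(rule.get("OverrideAction", {}))
        if stmt_keys & GROUP_STATEMENTS:
            if "Action" in rule or len(override) != 1 or not override <= OVERRIDE_ACTIONS:
                problems.append(f"{name}: rule group references take OverrideAction (None/Count), not Action")
        elif "OverrideAction" in rule or len(action) != 1 or not action <= RULE_ACTIONS:
            problems.append(f"{name}: rule needs exactly one Action from {sorted(RULE_ACTIONS)}")
        if "VisibilityConfig" not in rule:
            problems.append(f"{name}: missing VisibilityConfig")
    return problems


def rule_terminates(rule):
    """Whether a match on this rule ends inspection: Allow/Block always, Count never,
    CAPTCHA/Challenge only when the check fails (a passing client continues to the next rule)."""
    if "OverrideAction" in rule:
        return "never" if "Count" in rule["OverrideAction"] else "per-group-rule"
    act = next(iter(rule["Action"]))
    return {"Allow": "always", "Block": "always", "Count": "never"}.get(act, "on_failure")


if __name__ == "__main__":
    acl = example_web_acl()
    print("problems:", validate_web_acl(acl) or "none")
    print(json.dumps(acl, indent=2))  # usable as: aws wafv2 create-web-acl --cli-input-json file://acl.json
```

The validator does not compute WCUs; the service reports the capacity of a rule set through the CheckCapacity API, and a definition that passes these checks can still be rejected if it exceeds the web ACL's WCU limit. Rules are evaluated in ascending priority order, which is why the managed rule group sits at priority 0 and the narrower rules follow it.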