AWS WAF

Web application firewall for CloudFront, ALB, API Gateway.

Overview

AWS WAF inspects HTTP(S) requests in front of CloudFront, ALB or API Gateway and allows, blocks or counts them according to managed and custom rules (rate-based limiting, geo-match, SQLi/XSS signatures, Bot Control).

When to use it

  • Protect public endpoints
  • Layer-7 DDoS mitigation
  • OWASP Top 10 baseline

Setup

  1. Create Web ACL → attach managed rule groups (AWSManagedRulesCommonRuleSet).
  2. Associate with CloudFront/ALB.

How to use

Sampled requests

Inspect sampled requests in the WAF console to see which rule matched each blocked or counted request, then tune the rules accordingly.
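Added example (not from this page or AWS): a small tuning helper that takes a WAFv2 GetSampledRequests-shaped response, counts BLOCK hits per rule, and flags rules whose blocks cluster on a single URI from several client IPs, which is the usual shape of a false positive worth a scope-down statement or a Count override. The sample data, rule names and IPs are constructed; wire `summarize_blocks` to a real `boto3` `wafv2.get_sampled_requests` response to use it on a live Web ACL.

```python
from collections import Counter, defaultdict

# Constructed sample shaped like a WAFv2 GetSampledRequests response; not real traffic.
SAMPLE = {"SampledRequests": [
    {"Request": {"ClientIP": "203.0.113.10", "Country": "US", "URI": "/search", "Method": "GET"},
     "Weight": 1, "Action": "BLOCK", "RuleNameWithinRuleGroup": "CrossSiteScripting_QUERYARGUMENTS"},
    {"Request": {"ClientIP": "203.0.113.10", "Country": "US", "URI": "/search", "Method": "GET"},
     "Weight": 1, "Action": "BLOCK", "RuleNameWithinRuleGroup": "CrossSiteScripting_QUERYARGUMENTS"},
    {"Request": {"ClientIP": "198.51.100.7", "Country": "DE", "URI": "/api/upload", "Method": "POST"},
     "Weight": 1, "Action": "BLOCK", "RuleNameWithinRuleGroup": "SizeRestrictions_BODY"},
    {"Request": {"ClientIP": "198.51.100.8", "Country": "DE", "URI": "/api/upload", "Method": "POST"},
     "Weight": 1, "Action": "BLOCK", "RuleNameWithinRuleGroup": "SizeRestrictions_BODY"},
    {"Request": {"ClientIP": "192.0.2.3", "Country": "BR", "URI": "/login", "Method": "POST"},
     "Weight": 1, "Action": "ALLOW", "RuleNameWithinRuleGroup": "Default_Action"},
]}


def summarize_blocks(response):
    """Return {rule: {"hits": n, "uris": Counter, "ips": Counter}} over BLOCK samples only.

    Weight is the number of real requests a sample stands for, so it is used for hit counts;
    URI and IP counters are per sample and show how concentrated the blocks are."""
    summary = defaultdict(lambda: {"hits": 0, "uris": Counter(), "ips": Counter()})
    for s in response.get("SampledRequests", []):
        if s.get("Action") != "BLOCK":
            continue
        rule = s.get("RuleNameWithinRuleGroup", "unknown")
        req = s.get("Request", {})
        summary[rule]["hits"] += s.get("Weight", 1)
        summary[rule]["uris"][req.get("URI", "")] += 1
        summary[rule]["ips"][req.get("ClientIP", "")] += 1
    return dict(summary)


def false_positive_candidates(summary, min_hits=2):
    """Rules where every block hit the same URI from more than one client IP.

    One endpoint tripping the same rule for unrelated clients looks like a legitimate feature
    colliding with the rule (e.g. large uploads vs. SizeRestrictions_BODY); one IP repeatedly
    hitting a rule looks like probing and is left alone."""
    out = []
    for rule, st in summary.items():
        if st["hits"] >= min_hits and len(st["uris"]) == 1 and len(st["ips"]) > 1:
            out.append((rule, next(iter(st["uris"]))))
    return sorted(out)


if __name__ == "__main__":
    for rule, st in summarize_blocks(SAMPLE).items():
        print(f"{rule}: {st['hits']} blocks, uris={dict(st['uris'])}, ips={len(st['ips'])}")
    print("review for scope-down / Count override:", false_positive_candidates(summarize_blocks(SAMPLE)))
```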

QA use cases

  • Run negative security tests (SQLi/XSS payloads) and assert that the WAF blocks them with an HTTP 403.