AWS Web Application Firewall

by Amazon Web Services

4.3
WAFPlanet Rating

Native AWS security service providing scalable WAF protection for applications hosted on AWS infrastructure with pay-per-use pricing.

Company: Amazon Web Services
Pricing: Pay-per-use (rules + requests)
Founded: 2006

Overview

AWS WAF is Amazon Web Services' cloud-native web application firewall, designed to protect applications running on AWS infrastructure. It integrates seamlessly with Amazon CloudFront, Application Load Balancer, Amazon API Gateway, and AWS AppSync.

Unlike traditional WAFs with fixed pricing, AWS WAF uses a pay-per-use model based on the number of rules and web requests processed. This makes it cost-effective for varying traffic loads but requires careful monitoring to avoid unexpected costs.

Ratings Breakdown

Ease of Use 3.5/5
Value for Money 4.0/5
Customer Support 4.0/5
Features 4.5/5

Key Features

AWS Managed Rules

Pre-configured rule groups maintained by AWS and AWS Marketplace sellers for common threats.

Custom Rules

Build your own rules using conditions like IP addresses, HTTP headers, URI strings, and more.

Rate-Based Rules

Automatically block IPs that exceed defined request thresholds.

Bot Control

Managed rule group for detecting and managing bot traffic (additional cost).

Fraud Control

Account takeover prevention and account creation fraud detection for login and signup pages.

Firewall Manager Integration

Centrally configure and manage WAF rules across multiple AWS accounts.

Pros & Cons

Pros

  • Native AWS integration

    Seamless integration with AWS services - deploy alongside your infrastructure with CloudFormation or Terraform.

  • Pay-per-use pricing

    Only pay for what you use - great for variable traffic patterns and cost optimization.

  • AWS Managed Rules

    Pre-built rule groups for common threats, including OWASP-listed risks and known bad inputs, plus Bot Control.

  • Highly scalable

    Automatically scales with your AWS infrastructure without capacity planning.

  • Centralized management

    Use AWS Firewall Manager to deploy WAF rules across multiple accounts and resources.

Cons

  • AWS-only deployment

    Cannot protect applications outside of AWS infrastructure.

  • Complex pricing model

    Pay-per-use can lead to unexpected costs; requires monitoring and budgeting.

  • Steeper learning curve

    Requires AWS knowledge and understanding of WAF concepts to configure effectively.

  • Limited managed rules on base tier

    Many useful managed rule groups (like Bot Control) cost extra.

Pricing

Pricing model: Pay-per-use (rules + requests)

Small (1 ACL, 10 rules)

$15/month + $0.60/M requests

Typical small deployment with 1 Web ACL and 10 managed rules

  • 1 Web ACL ($5/mo)
  • 10 rules ($10/mo)
  • Request-based pricing

Medium (2 ACL, 25 rules)

$35/month + $0.60/M requests

Medium deployment with 2 Web ACLs and 25 managed rules

  • 2 Web ACLs ($10/mo)
  • 25 rules ($25/mo)
  • Bot Control ready

Large (5 ACL, 50 rules)

$75/month + $0.60/M requests

Large deployment with multi-account WAF management

  • 5 Web ACLs ($25/mo)
  • 50 rules ($50/mo)
  • Firewall Manager recommended

Our Verdict

AWS WAF is the natural choice for organizations running applications on AWS. Its deep integration with AWS services and infrastructure-as-code support makes it easy to deploy alongside your applications.

The pay-per-use pricing model is both a strength and a weakness: it is cost-effective for variable workloads but requires careful monitoring. The learning curve is steeper than that of competitors like Cloudflare, but AWS expertise pays dividends across your security stack.

Our verdict: Best WAF for AWS-native applications, especially when using infrastructure as code.

CVE Coverage

AWS Web Application Firewall can detect and block attacks matching 90K+ known CVEs based on its supported rule sets.

  • Critical: 14K+
  • High: 19K+
  • Medium: 34K+
  • Low: 518

Coverage by Attack Type

[Chart: CVE counts per attack type, largest first: 15K+, 8.7K+, 6.9K+, 5.4K+, 4.2K+, 4K+, 3.2K+, 2.6K+, 1.4K+, 1.2K+, 1.1K+. The only category label present is Open Redirect (Medium).]

Latest Blockable CVEs

CVE Severity
CVE-2026-6606 HIGH
CVE-2026-6605 HIGH
CVE-2026-6604 HIGH
CVE-2026-6603 HIGH
CVE-2026-6602 HIGH
CVE-2026-6600 LOW
CVE-2026-32963 UNKNOWN
CVE-2026-6596 HIGH
CVE-2026-6595 HIGH
CVE-2026-6594 HIGH

Frequently Asked Questions

Can AWS WAF protect non-AWS applications?

AWS WAF can only directly protect AWS resources (CloudFront, ALB, API Gateway). However, you could route external traffic through CloudFront to gain WAF protection, though this adds complexity and latency.

How does AWS WAF pricing compare to Cloudflare?

AWS WAF uses pay-per-use pricing while Cloudflare has fixed monthly tiers. For low-traffic sites, AWS WAF can be cheaper. For high-traffic sites with predictable patterns, Cloudflare's fixed pricing often provides better value.
