WAF (Web Application Firewall)
Quick Reference
# List WebACLs
aws wafv2 list-web-acls --scope REGIONAL --query 'WebACLs[].[Name,Id]' --output table
# Get WebACL details
aws wafv2 get-web-acl --name staging-MonolithWebACL --scope REGIONAL --id {id}
# Get sampled requests (recent blocked/allowed) for one rule, over the last hour.
# The time window is Unix epoch seconds; `date -v-1H` is the BSD/macOS form,
# on GNU/Linux use `date -d '1 hour ago' +%s` for StartTime instead.
aws wafv2 get-sampled-requests --web-acl-arn {arn} --rule-metric-name IPRateLimitRule \
--scope REGIONAL --time-window StartTime=$(date -v-1H +%s),EndTime=$(date +%s) --max-items 10
WebACLs
Both the Console API Gateway and the Controller ALB have WAF WebACLs attached.
Rules (Priority Order)
| Priority | Rule | Type | Action | Threshold |
|---|---|---|---|---|
| 0 | IPRateLimitRule | Rate-based | Block (429) | 2000 req/5min per IP |
| 1 | APIKeyRateLimitRule | Rate-based | Block (429) | 2000 req/5min per X-API-Key |
| 2 | AWSManagedRulesBotControlRuleSet | Managed | Monitor | Bot detection (HttpLibrary, SocialMedia, Monitoring allowed) |
| 3-7 | AWS Managed Rules | Managed | Monitor | Linux, KnownBadInputs, Common, Unix, SQLi |
What to Look For
| Symptom | Check |
|---|---|
| Legitimate traffic blocked | Check sampled requests for the rate limit rules |
| Bot traffic spike | Check BotControl rule metrics in CloudWatch |
| Attack patterns | Check KnownBadInputs and SQLi rule match counts |
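A small triage script for the first two symptoms above, added here as an example (it is not part of the runbook or of any AWS tooling). It reads the JSON that `aws wafv2 get-sampled-requests --output json` prints, and rolls the `SampledRequests` list up by action, client IP, X-API-Key header and Bot Control label, multiplying by each sample's `Weight` (the number of real requests the sample stands for). The embedded input is constructed to show the shape of the output; the IPs, key value and label are illustrative only.

```python
"""Summarise `aws wafv2 get-sampled-requests --output json` output for WAF triage.

Added example, not the runbook's own tooling. Feed it the CLI's JSON on stdin, or
run it with no stdin to see it work on the constructed sample below.
"""
import json
import sys
from collections import Counter, defaultdict

# Constructed sample in the shape get-sampled-requests returns (not real traffic).
SAMPLE_JSON = json.dumps({
    "SampledRequests": [
        {"Request": {"ClientIP": "198.51.100.7", "Country": "DE", "URI": "/api/v1/items",
                     "Method": "GET", "HTTPVersion": "HTTP/1.1",
                     "Headers": [{"Name": "X-API-Key", "Value": "key-aaaa"},
                                 {"Name": "User-Agent", "Value": "python-requests/2.31"}]},
         "Weight": 12, "Timestamp": "2024-05-01T10:00:00+00:00", "Action": "BLOCK",
         "Labels": [{"Name": "awswaf:managed:aws:bot-control:bot:category:http_library"}]},
        {"Request": {"ClientIP": "198.51.100.7", "Country": "DE", "URI": "/api/v1/items",
                     "Method": "GET", "HTTPVersion": "HTTP/1.1",
                     "Headers": [{"Name": "X-API-Key", "Value": "key-aaaa"}]},
         "Weight": 3, "Timestamp": "2024-05-01T10:00:30+00:00", "Action": "ALLOW",
         "Labels": []},
        {"Request": {"ClientIP": "203.0.113.9", "Country": "US", "URI": "/healthz",
                     "Method": "GET", "HTTPVersion": "HTTP/2",
                     "Headers": [{"Name": "User-Agent", "Value": "curl/8.4"}]},
         "Weight": 1, "Timestamp": "2024-05-01T10:01:00+00:00", "Action": "ALLOW",
         "Labels": []},
    ],
    "PopulationSize": 16,
    "TimeWindow": {"StartTime": "2024-05-01T09:00:00+00:00",
                   "EndTime": "2024-05-01T10:05:00+00:00"},
})


def header_value(request, name):
    """Return a header value from the Request.Headers list (case-insensitive name match)."""
    for h in request.get("Headers", []):
        if h.get("Name", "").lower() == name.lower():
            return h.get("Value")
    return None


def summarise(raw_json):
    """Weighted counts per action, keyed by client IP, X-API-Key and WAF label."""
    data = json.loads(raw_json)
    by_ip = defaultdict(Counter)
    by_key = defaultdict(Counter)
    by_label = Counter()
    for s in data.get("SampledRequests", []):
        req = s["Request"]
        weight = s.get("Weight", 1)          # one sample may represent many requests
        action = s.get("Action", "UNKNOWN")  # BLOCK, ALLOW, COUNT, ...
        by_ip[action][req["ClientIP"]] += weight
        api_key = header_value(req, "X-API-Key")
        if api_key:
            by_key[action][api_key] += weight
        for label in s.get("Labels", []):
            by_label[label["Name"]] += weight
    return {
        "by_ip": {a: dict(c) for a, c in by_ip.items()},
        "by_key": {a: dict(c) for a, c in by_key.items()},
        "by_label": dict(by_label),
        "population": data.get("PopulationSize"),
    }


def blocked_but_also_allowed(summary):
    """IPs seen both BLOCKed and ALLOWed in the window: the first thing to look at
    when the symptom is legitimate traffic tripping a rate limit."""
    blocked = summary["by_ip"].get("BLOCK", {})
    allowed = summary["by_ip"].get("ALLOW", {})
    return sorted(ip for ip in blocked if ip in allowed)


if __name__ == "__main__":
    # Usage: aws wafv2 get-sampled-requests ... --output json | python3 waf_triage.py
    raw = SAMPLE_JSON if sys.stdin.isatty() else sys.stdin.read()
    summary = summarise(raw)
    print("population size:", summary["population"])
    for action, ips in summary["by_ip"].items():
        print(action, "by IP:", ips)
    for action, keys in summary["by_key"].items():
        print(action, "by X-API-Key:", keys)
    print("labels:", summary["by_label"])
    print("blocked and allowed in window:", blocked_but_also_allowed(summary))
```

An IP (or API key) that shows up under both BLOCK and ALLOW with a large weight is the usual signature of a legitimate but chatty client hitting the 2000 req/5min limit; an IP that only ever appears under BLOCK, especially with a Bot Control category label, is the opposite case. The `PopulationSize` field tells you how many requests the samples were drawn from, so weights should be read as estimates, not exact counts.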