Introducing AWS Web Application Firewall

Security has always been, and always will be, a key concern for a lot of organizations that run their workloads and applications on the cloud. That is precisely why AWS offers a wide assortment of managed services that you, as a cloud administrator, should leverage in order to protect and safeguard your workloads from any compromises or threats. In this section, we are going to explore one such simple, yet really powerful, service, called AWS WAF, or Web Application Firewall.

AWS WAF is a firewall that helps you protect your internet-facing applications from common web-based threats and exploits. It lets you specify a set of web security rules, grouped into web ACLs, that allow or block particular types of web traffic reaching Amazon CloudFront as well as the Application Load Balancer (ALB). As of now, WAF can be used to create customized rules that safeguard your applications against attacks such as SQL injection, cross-site scripting, Distributed Denial of Service (DDoS), bad bots, scrapers, and much more! You can easily create new rules and attach them to your existing web ACL as your requirements change, enabling you to respond to and mitigate changing traffic patterns more rapidly.

WAF also comes with a full API, which you can use to automate the deployment of ACL rules and manage them programmatically. Alternatively, for the UI people out there, WAF provides customizable CloudFormation templates that let you get started with a complete WAF-based security solution in just a few minutes! We will look at how to deploy this template to secure our own WordPress application a bit later in this chapter.

WAF is priced based on the number of ACL rules you deploy, as well as on the number of web requests that your application receives.

Here is a quick summary of the benefits you can obtain by leveraging AWS WAF:

  • Enhanced protection: Apart from your standard VPC and security groups, you can additionally safeguard your applications against commonly occurring web attacks by leveraging WAF's ACL rules.
  • Advanced traffic filtering: Unlike simple NACLs or security groups, WAF lets you define custom rules and conditions based on the characteristics of an incoming web request, such as values present in the headers, the origin IP address of the request, whether the request contains SQL code, and so on. Using these conditions, you can allow, block, or filter traffic according to the rules you have defined.
  • Easy management: With WAF rules defined and managed in one central location, you can easily reuse and propagate your custom ACLs across multiple CloudFront distributions as well as Application Load Balancers, and monitor the traffic and mitigate any issues, all using the same WAF API or web user interface.
  • Cost-effective security solution: One of the best parts of leveraging WAF is that there are absolutely no upfront fees or costs associated with it. You simply pay based on the number of rules you create using WAF and the amount of traffic your web application receives, and not a penny more!
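To make the conditions listed above concrete, here is an added example (not from the book or its template) of a deployable CloudFormation template: a regional AWS::WAFv2 web ACL with one rule blocking a constructed deny-list IP range (the 192.0.2.0/24 documentation range) and one rule blocking requests whose body contains SQL injection patterns, associated with an Application Load Balancer whose ARN is passed in through the assumed AlbArn parameter.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  AlbArn:
    Type: String   # ARN of the ALB to protect; placeholder supplied at deploy time
Resources:
  DenyListIPSet:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: deny-list
      Scope: REGIONAL            # ALB rules are REGIONAL; CloudFront web ACLs use CLOUDFRONT in us-east-1
      IPAddressVersion: IPV4
      Addresses:
        - 192.0.2.0/24           # constructed documentation range used as sample deny-list entry
  WebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: wordpress-web-acl
      Scope: REGIONAL
      DefaultAction: {Allow: {}} # requests pass unless a rule below blocks them
      VisibilityConfig: {SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: wordpressWebAcl}
      Rules:
        - Name: block-deny-list  # condition on the origin IP address of the request
          Priority: 0
          Action: {Block: {}}
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt DenyListIPSet.Arn
          VisibilityConfig: {SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: blockDenyList}
        - Name: block-sqli-body  # condition on SQL code present in the request body
          Priority: 1
          Action: {Block: {}}
          Statement:
            SqliMatchStatement:
              FieldToMatch:
                Body: {}
              TextTransformations: [{Priority: 0, Type: URL_DECODE}]  # decode before inspecting
          VisibilityConfig: {SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: blockSqliBody}
  Association:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref AlbArn
      WebACLArn: !GetAtt WebAcl.Arn
```

Because every rule and the web ACL itself publish CloudWatch metrics and sampled requests, you can first deploy a rule with `Action: {Count: {}}` to observe what it would have blocked before switching it to `Block`.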

With this basic set of information, let's have a look at how WAF actually works!
