Security 7 min read 24 November 2025

WAF and DDoS Protection on AWS: Securing Your Application Layer With QuickInfra

Application layer attacks — SQL injection, XSS, credential stuffing, DDoS — require protection beyond security groups and NACLs. Here's how QuickInfra configures AWS WAF and Shield for production workloads.


QuickInfra Team

QuickInfra Cloud Solution

WAF DDoS AWS Shield CloudFront Application Security

Security groups and NACLs work at the network layer — they can block IPs and ports, but they can't inspect HTTP request content. Application layer attacks (SQL injection, XSS, SSRF, credential stuffing, bot traffic) require inspection at Layer 7. AWS WAF provides this capability.

AWS WAF Fundamentals

AWS WAF is a web application firewall that can be attached to CloudFront distributions, Application Load Balancers, and API Gateways. WAF rules inspect HTTP requests — URLs, headers, body, query parameters — and allow or block requests based on conditions you configure.

Rule groups are the core unit of WAF configuration: a set of related rules that share a capacity budget. AWS provides managed rule groups maintained by AWS and third-party vendors.

Managed Rule Groups QuickInfra Enables

For most web applications, QuickInfra configures:

  • AWSManagedRulesCommonRuleSet: Protects against common web exploits including OWASP Top 10
  • AWSManagedRulesKnownBadInputsRuleSet: Blocks requests with patterns known to be malicious
  • AWSManagedRulesAmazonIpReputationList: Blocks traffic from AWS-known malicious IPs and botnets

For applications handling user authentication:

  • AWSManagedRulesBotControlRuleSet: Detects and blocks bot traffic (at additional cost)
  • Custom rate-limiting rules to block credential stuffing (too many login attempts from a single IP)

Rate-Based Rules

Rate-based rules block IPs that send more than a configurable number of requests in a 5-minute window. This is the primary defence against DDoS at the WAF layer and against brute-force authentication attacks. QuickInfra configures rate-based rules with thresholds appropriate to your application's expected traffic patterns.
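A web ACL that carries the three managed rule groups listed above plus a rate-based rule, as an added Terraform example (not QuickInfra's own configuration); the resource name, web ACL name and the 1000-request threshold are assumptions.

```hcl
resource "aws_wafv2_web_acl" "app" {
  name  = "app-web-acl" # assumed name
  scope = "REGIONAL"    # for an ALB or API Gateway; "CLOUDFRONT" needs the provider in us-east-1
  default_action { allow {} }
  # One rule per managed rule group, evaluated in priority order
  dynamic "rule" {
    for_each = {
      AWSManagedRulesCommonRuleSet          = 1
      AWSManagedRulesKnownBadInputsRuleSet  = 2
      AWSManagedRulesAmazonIpReputationList = 3
    }
    content {
      name     = rule.key
      priority = rule.value
      override_action { none {} } # keep each group's own block actions
      statement {
        managed_rule_group_statement {
          name        = rule.key
          vendor_name = "AWS"
        }
      }
      visibility_config {
        cloudwatch_metrics_enabled = true
        metric_name                = rule.key
        sampled_requests_enabled   = true
      }
    }
  }
  # Rate-based rule: block any source IP over the threshold within the 5-minute window
  rule {
    name     = "ip-rate-limit"
    priority = 10
    action { block {} }
    statement {
      rate_based_statement {
        limit              = 1000 # assumed threshold; tune to expected per-IP traffic
        aggregate_key_type = "IP"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "ip-rate-limit"
      sampled_requests_enabled   = true
    }
  }
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "app-web-acl"
    sampled_requests_enabled   = true
  }
}
```

Attach the ACL to the load balancer with aws_wafv2_web_acl_association, and enable the S3 logging described below with aws_wafv2_web_acl_logging_configuration, whose destination bucket name must begin with aws-waf-logs-.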

AWS Shield

AWS Shield Standard is included with all AWS accounts and provides protection against common network and transport layer DDoS attacks. Shield Advanced (paid) adds protection against sophisticated application-layer DDoS, 24/7 access to the AWS DDoS Response Team, and cost protection for scaling events caused by DDoS.

For applications with significant brand or revenue exposure, QuickInfra recommends Shield Advanced and configures a CloudFront + ALB stack, which keeps the DDoS-exposed surface area as small as possible.

Logging WAF Decisions

WAF can log every allow and block decision to CloudWatch Logs, S3, or Kinesis Data Firehose. QuickInfra enables WAF logging to S3 for audit and investigation purposes. Block logs are surfaced in the QuickInfra Security section as potential attack traffic.
