WAF is a Web Application Firewall
You can use AWS WAF to block, allow, or monitor HTTP/HTTPS requests based on various conditions such as IP address, request headers, and query strings.
Its rules allow you to block web exploits like SQL injection and XSS (cross-site scripting).
WAF can be put in front of CloudFront distributions, ALBs, API Gateways and AppSync (GraphQL) APIs.
WAF Concepts:
Web ACLs (Access Control Lists) are used to protect a set of AWS resources.
Rules are statements that define the criteria used to inspect the request and the action to be taken (Allow, Block or Count).
Rule Groups allow rules to be reused or logically grouped.
Managed Rule Groups are sets of predefined rules created by AWS and by AWS Marketplace sellers (for example, the rule group that protects against the OWASP Top 10 vulnerabilities).
Managed rules are ready to use, tried and tested, and can save you a lot of time and effort.
Web ACL Capacity Units (WCUs) are the measure of a rule's or statement's complexity. The more intricate the rule is from the inspection perspective, the more WCUs it consumes.
A Web ACL has a limit of 1500 WCUs across its rules and rule groups. If a Web ACL uses rules or rule groups that exceed the WCU limit, they will fail. That is why a rule group, which is shareable across different Web ACLs, must have an immutable WCU capacity set (so that later changes cannot break Web ACLs already using that group).
Custom rules are rules and rule groups that you define yourself.
IP Sets are collections of IP addresses and ranges to be used in a rule statement.
A RegEx pattern set is a collection of regular expressions.
Match statements compare the request or its origin against specific conditions, to determine whether the request should be allowed or blocked from being forwarded to the origin.
You can build your rules by combining nested statements with AND, OR and NOT logic.
Rules can be regular or rate-based (rate-based rules count the number of requests over a 5-minute period).
Rules have a priority, which you need to define properly so that they execute in the correct order.
Rule priorities
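The way a Web ACL walks its rules by priority, combines nested AND/OR/NOT, IP set, regex and rate-based statements, and stays under the 1500 WCU budget can be seen in a small simulator. This is an added example, a simplified model written for this page and not AWS's own API or evaluation engine; the rule set, CIDRs, regex, rate limit and WCU numbers are constructed for illustration.

```python
import re, ipaddress
from collections import defaultdict, deque

WCU_LIMIT = 1500    # Web ACL capacity limit stated on the page
RATE_WINDOW = 300   # rate-based rules count requests over a 5-minute window

# Statement builders return a callable that takes a request dict ({"ip", "query", "ts"}).
def ip_match(cidrs):                       # IP Set statement
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda req: any(ipaddress.ip_address(req["ip"]) in n for n in nets)
def regex_match(field, patterns):          # RegEx pattern set statement
    pats = [re.compile(p) for p in patterns]
    return lambda req: any(p.search(req.get(field, "")) for p in pats)
def and_(*s): return lambda req: all(x(req) for x in s)   # nested logical statements
def or_(*s): return lambda req: any(x(req) for x in s)
def not_(s): return lambda req: not s(req)

class RateBased:   # matches once a source IP exceeds `limit` requests in the window
    def __init__(self, limit):
        self.limit, self.seen = limit, defaultdict(deque)
    def __call__(self, req):               # assumes timestamps arrive in order
        q = self.seen[req["ip"]]
        q.append(req["ts"])
        while req["ts"] - q[0] >= RATE_WINDOW:   # evict timestamps outside the window
            q.popleft()
        return len(q) > self.limit

def check_capacity(rules):   # reject a rule set whose summed WCUs exceed the limit
    total = sum(r["wcu"] for r in rules)
    return total <= WCU_LIMIT, total

def evaluate(rules, req, default_action="ALLOW"):
    """Walk rules in priority order; Allow/Block terminate, Count only records."""
    counted = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["statement"](req):
            if rule["action"] != "COUNT":
                return rule["action"], counted
            counted.append(rule["name"])
    return default_action, counted

# Constructed rule set; WCU numbers are illustrative, not AWS's published costs.
RULES = [
    {"name": "block-ip-set", "priority": 0, "action": "BLOCK", "wcu": 1,
     "statement": ip_match(["203.0.113.0/24"])},
    {"name": "count-sqli", "priority": 10, "action": "COUNT", "wcu": 20,
     "statement": regex_match("query", [r"(?i)union\s+select"])},
    {"name": "block-sqli-untrusted", "priority": 20, "action": "BLOCK", "wcu": 21,
     "statement": and_(regex_match("query", [r"(?i)union\s+select"]),
                       not_(ip_match(["10.0.0.0/8"])))},
    {"name": "rate-limit", "priority": 30, "action": "BLOCK", "wcu": 2,
     "statement": RateBased(limit=3)},
]
```

Running `evaluate(RULES, req)` for a request from the blocked CIDR terminates at priority 0, while a SQLi-looking query from the trusted 10.0.0.0/8 range is only counted and falls through to the default action.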
At the time of writing (for the Ireland region) these are the costs for using WAF features:
$5 per month for each Web ACL
$1 per month per rule
$0.60 per million requests