Web Application Firewall

Question 1

Which AWS service is designed to protect web applications from attacks by using rules to allow, block, or monitor (count) web requests based on defined conditions?

Answer 1

Web Application Firewall (WAF)

Question 2

Which AWS resources can be protected using AWS WAF (layer 7 firewall product)?

Answer 2

• CloudFront
• Application Load Balancer (ALB)
• AppSync
• API Gateway

Question 3

Where can AWS WAF deliver its logs?

Answer 3

• Amazon S3 (delivered within 5 minutes)
• CloudWatch Logs
• Kinesis Data Firehose (can output data into any supported destination including S3)

All log destinations can be integrated with event-driven security response architecture (using S3 Events, Lambda, Athena, and EventBridge)

Question 4

What factors determine the pricing structure of AWS WAF?

Answer 4

• $5/month per WebACL
• $1/month per rule per ACL
• $0.60 per 1M requests
• $0.40 per 1K CAPTCHA attempts
• $10/month + $1 per 1K login attempts for fraud control
• charges for marketplace rule groups
• additional fees for intelligence threat mitigation

Question 5

What is the primary control unit of AWS WAF that is associated with supported services to control which traffic is allowed or blocked?

Answer 5

WebACL

Question 6

What two types of AWS WAF WebACLs are available?

Answer 6

• Global (CloudFront)
• Regional (service-specific)

Question 7

Can a global WAF WebACL be associated with a regional resource?

Answer 7

No, Global WebACLs are for CloudFront only; Regional WebACLs are for regional resources

Question 8

What functionality does a WAF WebACL provide by default?

Answer 8

None, rules or rule groups must be created

Question 9

What types of rules are available for WAF WebACLs?

Answer 9

• AWS managed rule groups
• Allow / Deny lists
• SQL injection (SQLi) protection
• Cross-site scripting (XSS) protection
• HTTP flood protection (rate limiting)
• IP reputation lists
• Bot protection

Question 10

How are WAF WebACL rules processed?

Answer 10

Processed in order, compute cost depends on rule complexity

Question 11

What unit quantifies the resources required to process WAF WebACL rules and rule groups?

Answer 11

WebACL Capacity Units (WCU)

Question 12

What is the default maximum WAF WebACL Capacity Units (WCU)?

Answer 12

1500 WCU (limit can be increased with a support ticket)

Question 13

What attributes does WAF WebACL rule have?

Answer 13

• Type: defines the rule category (regular or rate-based)
• Statement: the main logic that defines what the rule checks for
• Action: the outcome when the rule matches (Allow, Block, Count, Captcha)

Question 14

What WAF WebACL rule types are available?

Answer 14

• Regular: matches specified conditions
• Rate-based: matches when request rate exceeds a defined threshold

Question 15

What WAF WebACL rule statements are available?

Answer 15

• WHAT to match (for Regular rules)
• COUNT ALL (for Rate-based rules)

Question 16

What can a WAF WebACL rule statement match against?

Answer 16

• Origin country
• IP
• Label
• Query
• Cookie
• Query parameter
• URI path
• Query string
• Body (first 8192 bytes only)
• HTTP method

Matching options include startsWith, endsWith, contains, regex, and more

Question 17

Can a WAF WebACL rule contain only a single statement?

Answer 17

No, a rule can have either a single or multiple statements, when multiple statements are used, logical operators such as NOT, AND, OR can be applied

Question 18

What actions can be defined for WAF WebACL rules?

Answer 18

• For Regular rules: allow, block, count, and run CAPTCHA
• For Rate-based rules: block, count, and run CAPTCHA

Question 19

For which WAF WebACL rule action can both a custom response and custom header be added?

Answer 19

Block action

Question 20

For which WAF WebACL rule actions can a custom header be added?

Answer 20

Allow, count, and CAPTCHA actions

Question 21

For which WAF WebACL rule actions does processing stop?

Answer 21

Allow and block actions

Question 22

For which WAF WebACL rule actions does processing continue?

Answer 22

Count and CAPTCHA actions

Question 23

What internal WAF WebACL feature allows rules to react differently based on its presence?

Answer 23

Labels, which can be referenced later within the same WebACL or across multi-stage rule flows

Question 24

What WAF feature allows creating a set of rules that can be reused across multiple WebACLs?

Answer 24

Rule groups

Question 25

What WAF WebACL rule group types are available?

Answer 25

- AWS-managed - Marketplace vendor-managed - Service-managed (e.g., Shield, Firewall Manager) - Customer-managed

Question 26

When are WAF WebACL Capacity Units (WCU) defined for a rule group?

Answer 26

Defined upfront when creating the rule group (default max 1500 WCU)

Question 27

What are AWS Managed Rules in AWS WAF?

Answer 27

Pre‑defined, ready‑to‑use rule groups created by AWS or third‑party vendors

Question 28

If a managed rule is blocking legitimate traffic, how can it be configured to allow the traffic while still monitoring?

Answer 28

Set the rule’s action to Count mode

Question 29

What kind of logs should be analyzed to determine which AWS WAF rule is dropping traffic?

Answer 29

AWS WAF logs

Question 30

How can new AWS WAF WebACLs be tested without impacting production traffic?

Answer 30

Configure all rules to count requests and set the WebACL default action to allow