WAF Policy configuration provides granular control over detected threat handling.
A WAF policy is a collection of one or more rules. Rules examine specific aspects of a transaction.
Accessing the policies interface
The Policies interface provides access to a Mitigation Policies page that organizes policies by protection mechanism. The Bot Mitigation Policies tab contains existing bot management functionality. The WAF Policies tab provides access to web application firewall configurations.
Navigation between tabs enables administrators to manage both policy types from a single interface while maintaining clear separation between different protection mechanisms.
Policy configuration parameters
Each WAF Policy supports a specific set of configuration options designed for web application security scenarios. The Policy Name and Description provide human-readable identification and documentation for each policy.
Host filtering controls policy application scope through inclusion and exclusion lists. Apply to specific hosts allows targeting policies to particular domains or applications, while Exclude specific hosts prevents policy application to designated systems. Both lists support multiple entries and can remain empty to apply policies universally or exclude nothing respectively.
Criteria selection defines which threats trigger the policy and typically corresponds to a specific threat detection category. Changing this setting changes the policy's purpose.
Policies support the following actions:
- Block (prevent request processing)
- Rate Limit (throttle subsequent requests)
- Insert Header (add identification headers)
- Honeytrap (redirect to monitoring systems)
- Allow and Log (permit requests while recording events)
Policy priority and ordering
We process policies in priority order, and the first match stops evaluation of all lower-priority policies. Because WAF policies have the highest priorities, they are applied first during transaction processing: any transaction that triggers a WAF policy is mitigated and dropped before bot policies examine the remaining traffic.
Proper ordering ensures that critical security threats receive appropriate handling while maintaining system performance. The intent is to block traffic based on WAF expressions rather than implementing IP or fingerprint-based blocking.
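The evaluation order and host filtering described above, as an added simulation (not the product's own code): policies are sorted so that WAF policies precede bot policies regardless of priority number, the inclusion and exclusion lists decide scope per host, and the first match ends evaluation. The policy set, host names and the `X-Fingerprint` bot criterion are constructed for illustration; the two WAF criteria mirror the No User Agent Header and PropFind Method rows in the policy tables.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Request = Dict[str, object]  # constructed shape: {"host", "method", "headers"}

@dataclass
class Policy:
    name: str
    kind: str      # "waf" or "bot"; WAF policies always evaluate first
    priority: int  # lower number = evaluated earlier within its kind
    criteria: Callable[[Request], bool]
    action: str    # Block, Rate Limit, Insert Header, Honeytrap, Allow and Log
    apply_to_hosts: List[str] = field(default_factory=list)  # empty = all hosts
    exclude_hosts: List[str] = field(default_factory=list)   # empty = exclude nothing

def in_scope(policy: Policy, request: Request) -> bool:
    """Host filtering: the inclusion list narrows scope, the exclusion list removes hosts."""
    host = request["host"]
    if policy.apply_to_hosts and host not in policy.apply_to_hosts:
        return False
    return host not in policy.exclude_hosts

def evaluate(policies: List[Policy], request: Request) -> Optional[str]:
    """Return '<policy>: <action>' for the first match, or None if nothing matched.
    WAF policies sort ahead of bot policies whatever their priority number, and
    the first hit ends evaluation, so a transaction mitigated by a WAF policy is
    never examined by the bot policies behind it."""
    ordered = sorted(policies, key=lambda p: (p.kind != "waf", p.priority))
    for p in ordered:
        if in_scope(p, request) and p.criteria(request):
            return f"{p.name}: {p.action}"
    return None

# Constructed sample policies; the two WAF entries mirror rows in the policy tables.
POLICIES = [
    Policy("No User Agent Header", "waf", 10,
           lambda r: "user-agent" not in {k.lower() for k in r["headers"]}, "Block"),
    Policy("PropFind Method", "waf", 20,
           lambda r: r["method"].upper() == "PROPFIND", "Allow and Log",
           exclude_hosts=["webdav.example.internal"]),
    Policy("Suspicious Fingerprint", "bot", 5,
           lambda r: r["headers"].get("X-Fingerprint") == "bad", "Honeytrap",
           apply_to_hosts=["shop.example.com"]),
]

def check(host: str, method: str, headers: Dict[str, str]) -> Optional[str]:
    """Evaluate one constructed request against the sample policy set."""
    return evaluate(POLICIES, {"host": host, "method": method, "headers": headers})
```

A PROPFIND request from `shop.example.com` with a bad fingerprint is handled by the WAF policy (priority 20) rather than the bot policy (priority 5), which shows that the WAF tier wins even when its numeric priority is lower.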
Best practices for configuration
Start with logging-only actions for new policies to understand traffic patterns before implementing blocking behavior. This approach prevents inadvertent disruption of legitimate traffic while allowing analysis of threat detection accuracy.
Use host-specific targeting for applications with different security requirements or risk profiles. Critical applications may warrant more aggressive blocking policies, while development or testing environments might use more permissive configurations.
Regularly review policy effectiveness through transaction logs and adjust configurations based on observed traffic patterns and business requirements. False positive reduction often requires iterative refinement of host exclusions and action selections.
Example of a WAF Policy: SQL Injection Policy
Disabling specific WAF Policies
If you need to disable specific WAF policies due to false positives or lack of need for that threat category, edit the specific policy you need to disable from the Mitigation Policies page.
In the Policy screen, click on the pencil icon to edit Mitigation Criteria for that policy.
In the Edit screen, locate the specific header condition you want to disable and click the Delete icon corresponding to that condition.
Once the condition has been deleted, click on Save to save your changes. The specific header condition for that WAF rule will no longer trigger.
Note: If needed, customize the Policy Criteria section to narrow the scope of the policy to your application. By default, all WAF Policies are configured to trigger on ALL your applications.
Policy Descriptions
This section organizes AWS WAF policies by their primary attack types and threat categories. These policies define the detection logic that triggers when specific threat patterns are identified in web traffic. Each policy corresponds to managed rules that can be customized with additional detection signatures as needed.
User Agent and Bot Detection
These policies identify requests with suspicious or missing user agent patterns, helping distinguish legitimate traffic from automated threats and malicious crawlers.
| WAF Policy Name | Policy Description | Rules Used |
| No User Agent Header | Inspects for requests that are missing the HTTP User-Agent header | W001 |
| User-Agent Bad Bots Header | Inspects for User-Agent header values that indicate that the request is a bad bot | W002 |
File Inclusion Attacks
These policies identify attempts to include unauthorized local or remote files in application execution, which could lead to code execution, data exposure, or system compromise through file system manipulation.
| WAF Policy Name | Policy Description | Rules Used |
| Generic Local File Inclusion | Inspects for the presence of Local File Inclusion (LFI) exploits | W011 W012 W013 |
| Restricted Extensions | Inspects for requests whose URI paths contain system file extensions that are unsafe to read or run | W014 W015 |
| Generic Remote File Inclusion | Inspects the values of all query parameters for attempts to exploit RFI (Remote File Inclusion) in web applications | W016 W017 W018 |
Code Execution Vulnerabilities
These policies target attempts to exploit application vulnerabilities that could lead to remote code execution, including Java deserialization flaws and the critical Log4j vulnerability.
| WAF Policy Name | Policy Description | Rules Used |
| Java Deserialization | Inspects the keys and values of HTTP request headers for patterns indicating Java deserialization RCE attempts | W024 W025 W026 W027 |
| Log4J Remote Code Execution | Inspects the keys and values of request headers for the presence of the Log4j vulnerability | W031 W032 W033 W034 |
Administrative and Infrastructure Protection
These policies protect administrative interfaces and detect suspicious access patterns targeting server management functionality or infrastructure reconnaissance attempts.
| WAF Policy Name | Policy Description | Rules Used |
| Admin Protection | Inspects for URI paths that are generally reserved for administration of a web server or application | W023 |
| PropFind Method | Inspects the HTTP method in the request for PROPFIND | W029 |
| Exploitable Paths in URI Path | Inspects the URI path for attempts to access exploitable web application paths | W030 |
| Host matches localhost | Inspects the host header in the request for patterns indicating localhost | W028 |
Other Policies
These additional policies cover various attack vectors including request size validation, metadata exfiltration attempts, cross-site scripting, and SQL injection.
| WAF Policy Name | Policy Description | Rules Used |
| Size Restrictions Exceeded | Inspects for requests that exceed size restrictions | W003 W004 W005 W006 |
| EC2 Metadata Exfiltration | Inspects for attempts to exfiltrate Amazon EC2 metadata | W007 W008 W009 W010 |
| Cross Site Scripting | Inspects the values of cookie headers for common cross-site scripting (XSS) patterns | W019 W020 W021 W022 |
| SQL Injection | Inspects the payload for patterns that match malicious SQL code | W035 W036 W037 W038 W039 W040 |