AWS recently introduced a long-awaited service: the Web Application Firewall (WAF). While there are already many WAFs on the market, they are often prohibitively expensive and can be difficult to administer. While the AWS WAF is much simpler than products such as New Relic or Imperva, it can still do quite a lot to protect your applications from malicious requests that might very well bring your entire system to its knees.

In using WAF alongside Cloudfront, S3 and Lambda, we are able to dynamically create new WAF rules according to the traffic that is being received. For example, if there is an IP address that is making a long series of calls that are returning HTTP 4xx responses, you can generally assume that someone is digging around your site looking to do something you don’t want them to do.

In this case, we leverage Cloudfront, S3 and Lambda as shown in the diagram below:

We then use Lambda to parse through those logs and look for patterns that might indicate malicious activity, such as excessive HTTP 4xx responses, or simply too many calls coming from the same IP address.

If it finds a match, it will dynamically create a new rule and insert it into the WAF, effectively blocking that traffic from passing through to the EC2 instances.

We used Python for the Lambda code, though it should also be possible using NodeJS. If you are interested in having a copy of that code, drop us a line at, letting us know who you are.