AWS Amplify introduces firewall support, strengthening hosted site security, plus a look at AWS WAF use cases
Amazon is announcing that the AWS WAF integration with AWS Amplify Hosting is now generally available.
Owners of web apps are constantly trying to keep their applications safe from a range of threats. Previously, if you wanted a strong security posture for your Amplify Hosted apps, you had to build an architecture that placed an Amazon CloudFront distribution with AWS WAF protection in front of them. That meant extra configuration steps, extra expertise, and extra operational overhead.
Now that AWS WAF is generally available in Amplify Hosting, you can use infrastructure as code (IaC) or a one-click integration in the Amplify dashboard to immediately connect a web application firewall to your AWS Amplify apps. You may use the entire suite of AWS WAF features through this connection, including managed rules, which offer defence against typical online threats and vulnerabilities like SQL injection and cross-site scripting (XSS). Depending on the requirements of your particular application, you can even design your own unique rules.
This new feature helps you apply defense-in-depth techniques to your web apps. AWS WAF rate-based rules help mitigate DDoS attacks by limiting the number of requests accepted from each IP address. Geo-blocking can restrict access to your app from specific countries, which is useful if your service is localised.
How it works
Setting up AWS WAF protection for your Amplify app is straightforward. Go to your app settings in the AWS Amplify console, select the Firewall tab, and choose the preconfigured protections you want to apply.
Firewall rule configuration is made easier with Amplify hosting. There are four types of protection that you can activate.
Amplify-recommended firewall protection
Amplify-recommended firewall security prevents malicious actors from finding application vulnerabilities, blocks IP addresses from potential threats based on Amazon internal threat information, and guards against the most frequent vulnerabilities observed in web apps.
Restrict access to amplifyapp.com
Limit access to the amplifyapp.com domain that is generated by AWS Amplify by default. When adding a custom domain, this helps stop search engines and bots from crawling the domain.
Turn on IP address security
By permitting or prohibiting requests from particular IP address ranges, you can limit site traffic.
Turn on country-based protection
Restrict access based on the country a request originates from.
Protections activated from the Amplify console create an underlying web access control list (web ACL) in your AWS account. You can then use the rule builder in the AWS WAF console to create more fine-grained rule sets.
Within a few minutes the rules are associated with your application and AWS WAF begins blocking suspicious requests.
You can simulate an attack and observe AWS WAF in action using its request inspection capabilities. For example, send a request with an empty User-Agent header value; this triggers a blocking rule.
curl -v -H "User-Agent: MyUserAgent" https://main.d3sk5bt8rx6f9y.amplifyapp.com/
* Host main.d3sk5bt8rx6f9y.amplifyapp.com:443 was resolved.
...(redacted for brevity)...
> GET / HTTP/2
> Host: main.d3sk5bt8rx6f9y.amplifyapp.com
> Accept: */*
> User-Agent: MyUserAgent
>
* Request completely sent off
< HTTP/2 200
< content-type: text/html
< content-length: 0
< date: Mon, 10 Mar 2025 14:45:26 GMT
You can see that the server returned an HTTP 200 (OK) response.
Next, submit a request with the User-Agent HTTP header empty.
curl -v -H "User-Agent: " https://main.d3sk5bt8rx6f9y.amplifyapp.com/
* Host main.d3sk5bt8rx6f9y.amplifyapp.com:443 was resolved.
... (redacted for brevity) ...
> GET / HTTP/2
> Host: main.d3sk5bt8rx6f9y.amplifyapp.com
> Accept: */*
>
* Request completely sent off
< HTTP/2 403
< server: CloudFront
... (redacted for brevity) ...
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD><BODY>
<H1>403 ERROR</H1>
<H2>The request could not be satisfied.</H2>
This time the server returned an HTTP 403 (Forbidden) response.
AWS WAF lets you tune your security settings based on observed request patterns. Logs can be accessed from the AWS WAF console or from Amplify Hosting, so you can examine traffic patterns and adjust your rules as needed.
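As an added example (not code from the original post or from AWS), the following Python script parses AWS WAF log records and summarises what the web ACL did: blocks by terminating rule and by country, requests with a missing or empty User-Agent header like the curl test above, and client IPs busy enough to be candidates for a rate-based rule. The records are constructed samples simplified to the fields used here; the rule names GeoBlock and RateLimit are assumed custom rule names, while NoUserAgent_HEADER is the AWS managed Common Rule Set rule that blocks the empty User-Agent request.

```python
import json
from collections import Counter

# Constructed sample records (not real traffic), simplified to the AWS WAF log
# fields used here: timestamp (ms), action, terminatingRuleId, httpRequest.*
# GeoBlock and RateLimit are assumed names for custom rules in the web ACL.
SAMPLE_LOG = "\n".join([
    '{"timestamp":1741617926000,"action":"ALLOW","terminatingRuleId":"Default_Action","httpRequest":{"clientIp":"198.51.100.10","country":"US","uri":"/","headers":[{"name":"User-Agent","value":"MyUserAgent"}]}}',
    '{"timestamp":1741617930000,"action":"BLOCK","terminatingRuleId":"NoUserAgent_HEADER","httpRequest":{"clientIp":"198.51.100.10","country":"US","uri":"/","headers":[{"name":"User-Agent","value":""}]}}',
    '{"timestamp":1741617931000,"action":"BLOCK","terminatingRuleId":"GeoBlock","httpRequest":{"clientIp":"203.0.113.7","country":"FR","uri":"/admin","headers":[{"name":"User-Agent","value":"curl/8.5.0"}]}}',
    '{"timestamp":1741617932000,"action":"BLOCK","terminatingRuleId":"RateLimit","httpRequest":{"clientIp":"192.0.2.44","country":"DE","uri":"/login","headers":[{"name":"User-Agent","value":"python-requests/2.31"}]}}',
    '{"timestamp":1741617933000,"action":"BLOCK","terminatingRuleId":"RateLimit","httpRequest":{"clientIp":"192.0.2.44","country":"DE","uri":"/login","headers":[{"name":"User-Agent","value":"python-requests/2.31"}]}}',
])


def parse_waf_log(text):
    """AWS WAF logs are delivered as one JSON object per line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def header(record, name):
    """Case-insensitive header lookup; None when the header is absent."""
    for h in record["httpRequest"].get("headers", []):
        if h["name"].lower() == name.lower():
            return h["value"]
    return None


def summarize(records):
    """Aggregate web ACL decisions to guide rule tuning."""
    blocked = [r for r in records if r["action"] == "BLOCK"]
    return {
        "total": len(records),
        "blocked": len(blocked),
        "by_rule": Counter(r["terminatingRuleId"] for r in blocked),
        "by_country": Counter(r["httpRequest"]["country"] for r in blocked),
        # Empty string and missing header both count: both trip the managed rule.
        "no_user_agent": sum(1 for r in records if not header(r, "User-Agent")),
        "by_client": Counter(r["httpRequest"]["clientIp"] for r in records),
    }


def noisy_clients(records, limit):
    """Client IPs sending more than `limit` requests in the log window."""
    counts = summarize(records)["by_client"]
    return sorted(ip for ip, n in counts.items() if n > limit)


if __name__ == "__main__":
    summary = summarize(parse_waf_log(SAMPLE_LOG))
    for key, value in summary.items():
        print(key, dict(value) if isinstance(value, Counter) else value)
    print("rate-limit candidates:", noisy_clients(parse_waf_log(SAMPLE_LOG), 1))
```

Point the script at a real log export (S3, CloudWatch Logs or Firehose) by replacing SAMPLE_LOG with the file contents; real records carry more fields, which the code ignores.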
Pricing and availability
Firewall support is available in every AWS Region where Amplify Hosting operates. Like Amazon CloudFront, this integration is part of the AWS WAF global resource. A web ACL can be associated with multiple Amplify Hosting apps, but they must all be located in the same region.
The cost of this integration depends on the number of web ACLs, rules, and requests you use, and follows the standard AWS WAF pricing model. In addition, adding a web application firewall to an AWS Amplify Hosting application costs $15 per month, prorated by the hour.
With this new functionality, all Amplify Hosting customers, from individual developers to large enterprises, can take advantage of enterprise-grade security. You can simplify both your security administration and your architecture by building, hosting, and protecting your web apps within a single service.
AWS WAF can limit bot traffic and prevent XSS and SQL injection attacks.
Advantages of AWS WAF
Managed rules can save time
Managed rules allow you to spend more time developing apps.
Keep an eye on, stop, or restrict bots
Common and widespread bots can be more readily monitored, blocked, or rate-limited.
Boost the visibility of online traffic
Gain fine-grained control over which metrics are emitted, improving visibility into your web traffic.
AWS WAF Use cases
Sort web traffic
Create rules that filter web requests based on criteria such as IP addresses, HTTP headers and body content, or custom URIs.
Avoid fraud involving account takeovers
Monitor your application's login page for unauthorised access to user accounts using compromised credentials.
Use APIs to administer AWS WAF
Rules can be automatically created, maintained, and integrated into the design and development process.
AWS WAF Pricing
AWS WAF pricing is determined by the number of web access control lists (web ACLs) you create, the number of rules you add to each web ACL, and the volume of web requests you receive. There are no upfront commitments. AWS WAF fees do not include the pricing for Amazon CloudFront, Amazon Cognito, Application Load Balancer (ALB), Amazon API Gateway, or AWS AppSync.