AWS WAF is AWS's implementation of an L7 (Application Layer) firewall
WAF protects AWS resources through a Web ACL (web access control list)
A Web ACL contains Rules, which can be grouped into Rule Groups
WAF produces logs that can be stored in S3 or sent to CloudWatch Logs or Kinesis Data Firehose
WebACL
A default action either allows or blocks traffic that matches none of the Rules
A WebACL is created either for CloudFront (Global) or for services like ALB, API Gateway and AppSync (Regional)
Rules & Rule Groups are processed in order
Rules have a compute cost, measured in Web ACL Capacity Units (WCU). The default WCU limit per Web ACL is 1500
Associating a new WebACL with a resource takes much longer to propagate than changing the rules of an existing WebACL
A resource can have one WebACL but one WebACL can be associated with many resources
AWS Outposts currently do not support WebACL
Rules & Rule Groups
Rule Groups are either managed by AWS or a marketplace vendor, created by yourself, or service-owned
AWS Managed rule groups are generally free for WAF customers, with some exceptions such as AWS WAF Bot Control and Fraud Control Account Takeover Protection
A WCU capacity must be defined for each rule group; 1500 is the default
Rules consist of
Rule Type - Regular or Rate Based
Statement - what to match on; the rule's action decides whether a match is blocked, allowed, counted or challenged
WAF inspects only the first 8192 bytes of the request body
For Block, the custom handling can be a custom header or a custom response; for Allow, Count and CAPTCHA it can only be a custom header. Custom headers are prefixed with x-amzn-waf-
Labels can be applied to matching requests and used by later rules in multi-stage rule logic
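As an added example that is not part of these notes, the Python below assembles a payload shaped like the wafv2 CreateWebACL API input (a two-stage rule set: count and label rate-limit offenders, then block on the label) and checks it locally against the constraints described above: default action, priority order, which actions may carry custom responses versus custom request headers, the header prefix, and the WCU budget. The per-rule WCU figures, rule names and rule-group choice are assumed sample values, and nothing is sent to AWS.

```python
CUSTOM_HEADER_PREFIX = "x-amzn-waf-"   # AWS prepends this to inserted header names
DEFAULT_WCU_LIMIT = 1500               # default Web ACL capacity limit

# Assumed per-rule WCU costs for the local budget check (not an API field).
ASSUMED_WCU = {"count-rate-exceeded": 2, "block-labelled": 1, "aws-common-rules": 700}

def build_web_acl():
    """Payload shaped like wafv2 CreateWebACL: count + label, then block on the label."""
    vis = {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True}
    return {
        "Name": "example-acl", "Scope": "REGIONAL", "DefaultAction": {"Allow": {}},
        "VisibilityConfig": {**vis, "MetricName": "example-acl"},
        "Rules": [
            {"Name": "block-labelled", "Priority": 2,  # second stage: act on the label
             "Statement": {"LabelMatchStatement": {"Scope": "LABEL", "Key": "ratelimit:exceeded"}},
             "Action": {"Block": {"CustomResponse": {"ResponseCode": 429}}},
             "VisibilityConfig": {**vis, "MetricName": "block-labelled"}},
            {"Name": "count-rate-exceeded", "Priority": 1,  # first stage: count + label
             "Statement": {"RateBasedStatement": {"Limit": 2000, "AggregateKeyType": "IP"}},
             "Action": {"Count": {"CustomRequestHandling": {
                 "InsertHeaders": [{"Name": "rate-exceeded", "Value": "true"}]}}},
             "RuleLabels": [{"Name": "ratelimit:exceeded"}],
             "VisibilityConfig": {**vis, "MetricName": "count-rate-exceeded"}},
            {"Name": "aws-common-rules", "Priority": 3, "OverrideAction": {"None": {}},
             "Statement": {"ManagedRuleGroupStatement": {
                 "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}},
             "VisibilityConfig": {**vis, "MetricName": "aws-common-rules"}},
        ],
    }

def validate_web_acl(acl, wcu_limit=DEFAULT_WCU_LIMIT, wcu=ASSUMED_WCU):
    """Apply the constraints from the notes; return order, WCU total, headers and errors."""
    errors, headers = [], []
    if set(acl["DefaultAction"]) - {"Allow", "Block"}:
        errors.append("default action must be Allow or Block")
    rules = sorted(acl["Rules"], key=lambda r: r["Priority"])   # evaluated in priority order
    if len({r["Priority"] for r in rules}) != len(rules):
        errors.append("rule priorities must be unique")
    for r in rules:
        for action, cfg in r.get("Action", {}).items():
            # Block may carry a custom response; Allow/Count/CAPTCHA may only insert request headers
            allowed = {"CustomResponse"} if action == "Block" else {"CustomRequestHandling"}
            if set(cfg) - allowed:
                errors.append(f"{r['Name']}: {action} cannot use {sorted(set(cfg) - allowed)}")
            for h in cfg.get("CustomRequestHandling", {}).get("InsertHeaders", []):
                headers.append(CUSTOM_HEADER_PREFIX + h["Name"])  # name as the origin sees it
    total = sum(wcu.get(r["Name"], 0) for r in rules)
    if total > wcu_limit:
        errors.append(f"WCU {total} exceeds limit {wcu_limit}")
    return {"order": [r["Name"] for r in rules], "wcu": total, "headers": headers, "errors": errors}
```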