Ngchiwa Ng
2 min read · Oct 31, 2018

Who is this article for?

Anyone running a web service on AWS who wants to protect it from abusive traffic such as DDoS attempts. (AWS WAF works at the application layer, on individual HTTP requests; volumetric DDoS is handled by AWS Shield Standard, which is on by default.)

AWS WAF is a web application firewall that lets you monitor, allow and block the HTTP and HTTPS requests that are forwarded to Amazon CloudFront or an Application Load Balancer.

Worth stressing: it is not a standalone service. A web ACL has to be attached to a CloudFront distribution or an Application Load Balancer, so traffic that reaches your origin by any other path is not inspected.

Prerequisite

  • CloudFront or an Application Load Balancer

Flow with CloudFront

CloudFront forwards the request to API Gateway (the origin).

WAF inspects each request before CloudFront forwards it and tells CloudFront whether to allow or block it, for example:
- block requests from a given source IP (or CIDR range)
- block an IP that has produced too many bad responses

Note that WAF itself only sees the request, never the response, so the second case needs a small log pipeline: something reads the CloudFront access logs, counts 4xx responses per IP, and adds the offenders to a WAF IP set.
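Since WAF classic never sees the response, the "too many bad responses" case has to be built from access logs. As an added example (not the author's code, and not an AWS-provided script), here is the core of such a pipeline in Python: parse constructed CloudFront log lines, find IPs with a burst of 4xx responses inside a sliding window, and build the Updates payload that the WAF classic UpdateIPSet API takes. The sample log lines, the threshold, the window and the function names are my own assumptions; `push_to_ip_set` shows the real boto3 calls (get_change_token, update_ip_set) but is not executed, so the script runs offline.

```python
import collections
import ipaddress
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample in the shape of CloudFront standard access logs (tab-separated),
# cut after sc-status; real logs carry more columns after it.
SAMPLE_LOG = (
    "#Version: 1.0\n"
    "#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status\n"
    "2018-10-31\t10:00:00\tNRT12\t512\t192.0.2.10\tGET\td1.cloudfront.net\t/items/7\t404\n"
    "2018-10-31\t10:00:01\tNRT12\t512\t198.51.100.7\tGET\td1.cloudfront.net\t/wp-login.php\t404\n"
    "2018-10-31\t10:00:05\tNRT12\t512\t198.51.100.7\tGET\td1.cloudfront.net\t/xmlrpc.php\t404\n"
    "2018-10-31\t10:00:09\tNRT12\t512\t198.51.100.7\tGET\td1.cloudfront.net\t/.env\t404\n"
    "2018-10-31\t10:00:10\tNRT12\t512\t203.0.113.9\tGET\td1.cloudfront.net\t/items/42\t404\n"
    "2018-10-31\t10:00:20\tNRT12\t2048\t203.0.113.9\tGET\td1.cloudfront.net\t/items\t200\n"
    "2018-10-31\t10:00:30\tNRT12\t512\t203.0.113.9\tGET\td1.cloudfront.net\t/admin\t403\n"
    "2018-10-31\t10:01:30\tNRT12\t512\t198.51.100.7\tGET\td1.cloudfront.net\t/phpmyadmin/\t404\n"
    "2018-10-31\t10:02:00\tNRT12\t512\t198.51.100.7\tGET\td1.cloudfront.net\t/.git/config\t404\n"
    "2018-10-31\t10:02:45\tNRT12\t512\t198.51.100.7\tGET\td1.cloudfront.net\t/backup.zip\t404\n"
    "2018-10-31\t10:06:00\tNRT12\t512\t192.0.2.10\tGET\td1.cloudfront.net\t/items/8\t404\n"
    "2018-10-31\t10:12:00\tNRT12\t512\t192.0.2.10\tGET\td1.cloudfront.net\t/items/9\t404\n"
    "2018-10-31\t10:18:00\tNRT12\t512\t192.0.2.10\tGET\td1.cloudfront.net\t/items/10\t404\n"
    "2018-10-31\t10:24:00\tNRT12\t512\t192.0.2.10\tGET\td1.cloudfront.net\t/items/11\t404\n"
)


def parse_cloudfront_log(text: str) -> List[Dict]:
    """Pull the columns we need out of CloudFront standard log lines; '#' headers are skipped."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        rows.append({
            "ts": datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S"),
            "ip": f[4],
            "uri": f[7],
            "status": int(f[8]),
        })
    return rows


def offending_ips(rows: List[Dict], threshold: int = 5,
                  window: timedelta = timedelta(minutes=5)) -> List[str]:
    """IPs that produced at least `threshold` 4xx responses inside any span of length `window`.
    A sliding window is used so that slow, spread-out 404s (a legitimate client) do not trip it."""
    by_ip = collections.defaultdict(list)
    for r in rows:
        if 400 <= r["status"] < 500:
            by_ip[r["ip"]].append(r["ts"])
    bad = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop timestamps that fell out of the window
                start += 1
            if end - start + 1 >= threshold:
                bad.add(ip)
                break
    return sorted(bad)


def ip_set_updates(ips: List[str], action: str = "INSERT") -> List[Dict]:
    """Updates payload for the WAF classic UpdateIPSet call: one host range per address,
    /32 for IPv4 and /128 for IPv6 (the descriptor Type must match the address family)."""
    updates = []
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        v6 = addr.version == 6
        updates.append({
            "Action": action,                 # INSERT to block, DELETE to release later
            "IPSetDescriptor": {"Type": "IPV6" if v6 else "IPV4",
                                "Value": f"{addr}/{128 if v6 else 32}"},
        })
    return updates


def push_to_ip_set(waf_client, ip_set_id: str, updates: List[Dict]) -> str:
    """Apply the updates with a boto3 'waf' client (the CloudFront-scoped WAF classic API).
    Every write needs a fresh change token. Not called below, so this file runs offline."""
    token = waf_client.get_change_token()["ChangeToken"]
    waf_client.update_ip_set(IPSetId=ip_set_id, ChangeToken=token, Updates=updates)
    return token


if __name__ == "__main__":
    rows = parse_cloudfront_log(SAMPLE_LOG)
    bad = offending_ips(rows)
    print("offenders:", bad)
    print("updates:", ip_set_updates(bad))
    # With real credentials (ip set id is a placeholder):
    # push_to_ip_set(boto3.client("waf", region_name="us-east-1"), "<ip-set-id>", ip_set_updates(bad))
```

In the sample, 198.51.100.7 scans for six well-known files within three minutes and is the only offender at the default threshold; 203.0.113.9 only has two 4xx responses, and 192.0.2.10 has five 404s but six minutes apart, so the window never fills. Remember to also schedule a DELETE for blocked addresses after some time, otherwise the IP set only ever grows.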

What can we set in WAF?

  • Condition
  • Rule
  • Action : Allow / Block

Condition: the basic characteristics you want AWS WAF to watch for in web requests, e.g. an IP match condition (source IP falls in a set of CIDR ranges) or a string match condition (URI starts with `/admin`).

Rule: combines `conditions` to target the requests you want to act on. A rule matches only when all of its conditions match (a condition can also be negated), e.g. "the source IP matches IP set X, so block it".

Action: Allow, Block, or Count (Count only records the match and lets evaluation continue, which is useful for trying out a new rule before enforcing it).

Overall, a web ACL is an ordered list of rules, each with its action, plus a default action (allow or block) that applies when no rule matches. Order matters: rules are evaluated in priority order and the first Allow or Block rule that matches decides the request.
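To make the condition, rule, action and default-action chain concrete, here is an added Python model of how a web ACL decides on a request. It is an illustration, not AWS code and not the author's; the class names, rule names, IP ranges and sample requests are constructed. It reproduces the semantics worth remembering: all conditions in a rule must match, a condition can be negated, rules are tried in order, COUNT rules record a hit and keep going, and the default action applies when nothing matched.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# A request is just the fields WAF classic can look at; the keys are my own naming.
Request = Dict[str, str]
Condition = Callable[[Request], bool]


def ip_match(cidrs: List[str]) -> Condition:
    """IP match condition: the source IP falls inside any of the listed CIDR ranges."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]

    def check(req: Request) -> bool:
        addr = ipaddress.ip_address(req["ip"])
        return any(addr in net for net in nets)

    return check


def string_match(field_name: str, needle: str, how: str = "contains") -> Condition:
    """String match condition on one request field (uri, user_agent, ...)."""

    def check(req: Request) -> bool:
        value = req.get(field_name, "")
        if how == "starts_with":
            return value.startswith(needle)
        if how == "exact":
            return value == needle
        return needle in value

    return check


@dataclass
class Rule:
    name: str
    action: str                               # "ALLOW", "BLOCK" or "COUNT"
    conditions: List[Condition]               # all must match (AND), as in WAF classic
    negated: List[bool] = field(default_factory=list)   # per-condition "does not match"

    def matches(self, req: Request) -> bool:
        negs = self.negated or [False] * len(self.conditions)
        return all(cond(req) != neg for cond, neg in zip(self.conditions, negs))


@dataclass
class WebACL:
    rules: List[Rule]                         # priority order: first ALLOW/BLOCK match wins
    default_action: str = "ALLOW"             # applied when no rule decided the request

    def evaluate(self, req: Request) -> Tuple[str, str, Tuple[str, ...]]:
        """Return (action, deciding rule name, names of COUNT rules that matched)."""
        counted = []
        for rule in self.rules:
            if not rule.matches(req):
                continue
            if rule.action == "COUNT":        # COUNT only records; evaluation continues
                counted.append(rule.name)
                continue
            return rule.action, rule.name, tuple(counted)
        return self.default_action, "default", tuple(counted)


def build_acl() -> WebACL:
    """Example ACL (all names and ranges constructed): allowlist the office range,
    block a known bad IP, keep /admin off the public internet, count scanner user agents."""
    office = ip_match(["203.0.113.0/24"])
    return WebACL(
        rules=[
            Rule("office-allowlist", "ALLOW", [office]),
            Rule("blocked-ips", "BLOCK", [ip_match(["198.51.100.7/32"])]),
            Rule("admin-from-outside", "BLOCK",
                 [string_match("uri", "/admin", "starts_with"), office],
                 negated=[False, True]),       # URI is /admin* AND source is NOT the office
            Rule("scanner-ua", "COUNT", [string_match("user_agent", "sqlmap")]),
        ],
        default_action="ALLOW",
    )


# Constructed sample requests: (label, request)
SAMPLE_REQUESTS = [
    ("office-admin", {"ip": "203.0.113.5", "uri": "/admin", "user_agent": "curl/7.61"}),
    ("known-bad", {"ip": "198.51.100.7", "uri": "/", "user_agent": "Mozilla/5.0"}),
    ("outside-admin", {"ip": "192.0.2.10", "uri": "/admin/login", "user_agent": "Mozilla/5.0"}),
    ("scanner", {"ip": "192.0.2.10", "uri": "/api/items", "user_agent": "sqlmap/1.2"}),
]


def evaluate_samples() -> Dict[str, Tuple[str, str, Tuple[str, ...]]]:
    acl = build_acl()
    return {label: acl.evaluate(req) for label, req in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for label, (action, rule, counted) in evaluate_samples().items():
        print(f"{label:14} -> {action:5} by {rule} (counted: {list(counted)})")
```

Note how ordering changes the outcome: the office request for `/admin` is allowed by the first rule before the `admin-from-outside` rule is ever reached, and the scanner request from an unlisted IP falls through to the default action with only a COUNT recorded, which is exactly what you see in the CloudWatch metrics before you flip such a rule to Block.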

You can find more detail in https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html

Some tips:

  • CloudFront lets you customize the error response: put a JSON file in S3 and configure a custom error response on the distribution (ErrorCode, ResponsePagePath, ResponseCode) so API clients get that JSON body instead of the default HTML page when WAF blocks a request (a WAF block surfaces as a 403 from CloudFront).
  • CloudFront caches error responses for 5 minutes by default. Set ErrorCachingMinTTL in the custom error response to override it, otherwise you will serve stale errors: for example, you GET a resource and receive 404 Not Found, you create it, you GET it again, and you still get 404 Not Found from the cache :(