AWS has been gaining traction in recent years as an all-in-one cloud platform. Its strength is that you only pay for what you run and that you can scale very quickly when traffic spikes. Lambdas, for example, are taking over at the moment, but this is not without risk. A lambda can be spun up quickly to absorb a traffic spike. The problem is that this is new technology and it is often misconfigured, which lets attackers run a company's bill sky-high.
We need protection against these mistakes, but we also cannot trade away any responsiveness. This is a hard task, as any inspection consumes resources and time. Meet the AWS WAF.
To protect all these GraphQL endpoints, load balancers, REST API gateways and CloudFront distributions we need a solution. AWS created a WAF for this purpose, completing its one-stop-shop reputation.
These WAFs consist of web ACLs, rules and rulesets, which is also how Amazon structures its pricing. AWS calculates cost in "capacity units", based on things such as the rules that are created or updated and the number of incoming requests.
An ACL is an access control list, which here is just a collection of rulesets, and those rulesets in turn contain rules. This strictly hierarchical structure keeps the configuration maintainable.
None of this matters much when hacking, but it is good to know, as rules under different rulesets may contradict each other.
When a request comes in, it is inspected against every ruleset in the web ACL. The engine evaluates the rules and decides which action to take: allow, block or count the request. Counting a request does not block it; it only records the match.
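To make the allow/block/count semantics and the "contradicting rulesets" point concrete, here is a toy model of web ACL evaluation. It is an added example, not AWS code or configuration from the post: it assumes rule groups are evaluated in priority order, that ALLOW and BLOCK end evaluation at the first match (as AWS WAF does) while COUNT only records the match and continues, and that the web ACL's default action applies when nothing terminates. All rule names, paths and requests are constructed.

```python
"""Toy model of web ACL evaluation: ALLOW/BLOCK terminate, COUNT does not."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Request = Dict[str, str]  # constructed request: method, path, body

@dataclass
class Rule:
    name: str
    matches: Callable[[Request], bool]
    action: str  # "ALLOW", "BLOCK" or "COUNT"

@dataclass
class RuleGroup:
    name: str
    rules: List[Rule]

@dataclass
class WebACL:
    rule_groups: List[RuleGroup]  # evaluated in this order (assumed priority)
    default_action: str = "ALLOW"

def evaluate(acl: WebACL, request: Request) -> Tuple[str, List[str]]:
    """Return (final action, names of COUNT rules that matched)."""
    counted: List[str] = []
    for group in acl.rule_groups:
        for rule in group.rules:
            if not rule.matches(request):
                continue
            if rule.action == "COUNT":
                # COUNT only records the match; inspection continues
                counted.append(f"{group.name}/{rule.name}")
                continue
            # The first matching ALLOW or BLOCK ends evaluation
            return rule.action, counted
    return acl.default_action, counted

# Constructed web ACL; the last group contradicts the first for GET /health
ACL = WebACL(rule_groups=[
    RuleGroup("health", [Rule("allow-health", lambda r: r["path"] == "/health", "ALLOW")]),
    RuleGroup("graphql", [
        Rule("log-introspection", lambda r: "__schema" in r.get("body", ""), "COUNT"),
        Rule("graphql-post-only", lambda r: r["path"] == "/graphql" and r["method"] != "POST", "BLOCK"),
    ]),
    RuleGroup("lockdown", [Rule("block-all-get", lambda r: r["method"] == "GET", "BLOCK")]),
])

if __name__ == "__main__":
    req = {"method": "POST", "path": "/graphql", "body": '{"query":"{ __schema { types { name } } }"}'}
    print(evaluate(ACL, req))  # ('ALLOW', ['graphql/log-introspection'])
    print(evaluate(ACL, {"method": "GET", "path": "/health"}))  # ('ALLOW', []): earlier ALLOW wins
```

Note that GET /health is allowed even though the later "lockdown" group would block every GET, which is exactly the kind of cross-ruleset contradiction that ordering decides.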