Explanation of WAF? #40

Closed
jtatum opened this issue Jul 4, 2021 · 1 comment
Labels
question Further information is requested

Comments

@jtatum

jtatum commented Jul 4, 2021

I consider myself relatively smart about AWS but I'm having trouble understanding what WAF will do for a static site. I see there are three rules enabled, the first blocking IPs by reputation which may help reduce costs. The second, bad inputs are meaningless to a static site, and the bot control rule set doesn't block anything, just tags traffic from bots in the panel. Maybe the docs could explain a little more about why you might want this option?

@petewilcock
Contributor

Hi James - there are a few benefits of WAF but it's a judgement call on whether you want to enable them. I very nearly didn't include WAF, but due to the configuration requirements of CloudFront in Terraform, I didn't want to exclude it and make it difficult to add later.

  • Blocking bad inputs would be relevant if you didn't want these requests to appear on some downstream tracking, like Google Analytics, and pollute your data with junk that you'd have to work to filter out.
  • I haven't been opinionated about the blocking of bots, but the data on bot visits would be a good starting point for making this decision later.

Given WAF's relatively large cost vs. the aim of this being for minimal expenses, I haven't expended too much effort making it configurable, but agree this could be improved in future.

@petewilcock petewilcock added the question Further information is requested label Jul 4, 2021