Web Application Firewalls at Scale

AWS Web Application Firewalls (WAFs) protect web applications and APIs from common Internet attacks that can compromise security and availability and put undue strain on servers and resources. AWS WAF provides prebuilt security rules that help control bot traffic and block attack patterns, and you can also create your own rules based on your specific requirements. In simple scenarios and for smaller applications this is easy to implement on an individual basis. In larger environments with tens or even hundreds of applications, however, it is advisable to aim for central governance and automation. This solution helps you deploy, update, and stage your Web Application Firewalls while managing them centrally via AWS Firewall Manager.

Releases: Changelog - Features
Author: David Krohn (LinkedIn - Blog)




  1. A central S3 bucket with write permission for the security account needs to be in place.


  1. Automated capacity calculation via the CheckCapacity API
  2. Algorithm to split rules into RuleGroups
  3. Automated update of a RuleGroup if its capacity changed
  4. Add ManagedRuleGroups via the configuration file
  5. Automated generation of a diagram for each WAF
  6. Checking of the soft-limit quota for WCU set in the AWS account (the deployment stops if the calculated WCU is above the quota)
  7. Easy configuration of WAF rules through a JSON file
  8. Deployment hash to deploy the same WAF more than once for testing and/or blue/green deployments
  9. Stopping the deployment if a soft limit would be exceeded: Firewall Manager policies per organization per Region (L-0B28E140), and maximum number of web ACL capacity units in a web ACL in WAF for regional resources (L-D9F31E8A)
  10. NEW RegexMatchStatement and IPSetReferenceStatement are working now 🚀
  11. NEW You can now name your rules. If you define a Name in your RulesArray, the Name plus a Base36 timestamp will be used when creating your rule; otherwise a name will be generated. This helps you query your logs in Athena. The same rule name also applies to the metric, with "-metric" appended to the name.
  12. NEW Support for Captcha - you can now add Captcha as an Action in your WAFs. This helps you block unwanted bot traffic by requiring users to successfully complete challenges before their web requests are allowed to reach AWS WAF protected resources. AWS WAF Captcha is available in the US East (N. Virginia), US West (Oregon), Europe (Frankfurt), South America (Sao Paulo), and Asia Pacific (Singapore) AWS Regions and supports Application Load Balancer, Amazon API Gateway, and AWS AppSync resources.
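The capacity handling described in features 1, 2, 6, 9 and 11 above can be illustrated with a small planner. The following TypeScript is an added example, not code from this repository: it packs rules into rule groups under a per-group WCU budget (first-fit decreasing), sums the custom rules and any managed rule groups against the account's web ACL WCU quota so the deployment can stop before hitting the soft limit, and derives the rule and metric names from a base name plus a Base36 timestamp. The WCU values, rule names and the 1500 default quota are constructed for the example; the real project reads capacities from the wafv2 CheckCapacity API and the configured JSON file.

```typescript
// Added example (not the project's code): plan AWS WAF rule groups under a
// WCU budget and pre-check the account quota before a deployment starts.
// WCU values below are constructed; the project obtains them from the
// wafv2 CheckCapacity API.

interface WafRule {
  name: string;   // rule name from the JSON configuration
  wcu: number;    // web ACL capacity units this rule consumes
}

interface RuleGroupPlan {
  name: string;
  wcu: number;
  rules: WafRule[];
}

interface QuotaCheck {
  ok: boolean;
  total: number;
  message: string;
}

// AWS default quota for WCU per regional web ACL (a soft limit; assumed value).
const DEFAULT_WEB_ACL_WCU_QUOTA = 1500;

// First-fit-decreasing packing: largest rules first, each placed into the first
// group that still has room; otherwise a new group is opened.
function splitRulesIntoGroups(rules: WafRule[], maxWcuPerGroup: number): RuleGroupPlan[] {
  const groups: RuleGroupPlan[] = [];
  const sorted = rules.slice().sort((a, b) => b.wcu - a.wcu);
  for (const rule of sorted) {
    if (rule.wcu > maxWcuPerGroup) {
      throw new Error(`rule ${rule.name} needs ${rule.wcu} WCU, above the per-group budget of ${maxWcuPerGroup}`);
    }
    let placed = false;
    for (const group of groups) {
      if (group.wcu + rule.wcu <= maxWcuPerGroup) {
        group.rules.push(rule);
        group.wcu += rule.wcu;
        placed = true;
        break;
      }
    }
    if (!placed) {
      groups.push({ name: `RuleGroup-${groups.length + 1}`, wcu: rule.wcu, rules: [rule] });
    }
  }
  return groups;
}

// Total WCU the web ACL will consume: custom rules plus any managed rule groups
// referenced from the configuration file (their capacity is published by AWS).
function totalWcu(rules: WafRule[], managedRuleGroupWcu: number[] = []): number {
  let total = 0;
  for (const r of rules) total += r.wcu;
  for (const m of managedRuleGroupWcu) total += m;
  return total;
}

// Returns ok === false when the calculated WCU exceeds the quota, so the caller
// can stop the deployment instead of failing half-way through a stack update.
function checkWcuQuota(rules: WafRule[], managedRuleGroupWcu: number[] = [], quota: number = DEFAULT_WEB_ACL_WCU_QUOTA): QuotaCheck {
  const total = totalWcu(rules, managedRuleGroupWcu);
  if (total > quota) {
    return { ok: false, total, message: `calculated ${total} WCU exceeds the web ACL quota of ${quota}; request a quota increase before deploying` };
  }
  return { ok: true, total, message: `calculated ${total} WCU is within the quota of ${quota}` };
}

// Rule name plus a Base36 timestamp so the rule can be found again in Athena
// log queries; the metric name is the same string with "-metric" appended.
function ruleNames(baseName: string, timestampMs: number): { rule: string; metric: string } {
  const rule = `${baseName}${timestampMs.toString(36)}`;
  return { rule, metric: `${rule}-metric` };
}

// Constructed sample: six custom rules and one managed rule group of 700 WCU.
const SAMPLE_RULES: WafRule[] = [
  { name: "BlockSqli", wcu: 200 },
  { name: "BlockXss", wcu: 180 },
  { name: "RegexPaths", wcu: 150 },
  { name: "RateLimit", wcu: 50 },
  { name: "GeoAllow", wcu: 25 },
  { name: "IpSetDeny", wcu: 1 },
];
const SAMPLE_MANAGED_WCU = [700];

const plan = splitRulesIntoGroups(SAMPLE_RULES, 300);
const quota = checkWcuQuota(SAMPLE_RULES, SAMPLE_MANAGED_WCU);
console.log(plan.map(g => `${g.name}: ${g.wcu} WCU (${g.rules.map(r => r.name).join(", ")})`).join("\n"));
console.log(quota.message);
```

With the sample input the planner produces three groups (276, 180 and 150 WCU) and a total of 1306 WCU including the managed rule group, which passes the assumed 1500 quota but would stop a deployment against a 1000 quota. The per-group budget is a parameter because the limit you want to pack against is the quota value actually set in the account, not the AWS default.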

Coming soon:

  1. Deployment via TeamCity

Deployment via Taskfile

  1. Create a new JSON file for your WAF and configure the rules in the JSON (see example.json for the structure)
  2. Set PROCESS_PARAMETERS in Taskfile.yml to the new JSON file
  3. Assume your AWS profile: awsume PROFILENAME
  4. Run task deploy

Example Deployment


Deploy, update, and stage your WAFs while managing them centrally via FMS.