AWS Security

5 Critical WAF Rules Every Startup Should Enable on Day One

Protect your startup from common attacks without breaking the bank. Learn which AWS WAF rules to implement immediately, how to configure them properly, and avoid costly false positives.

Cloud Associates

Every startup founder faces the same dilemma: you need security, but you don’t have enterprise budgets or a dedicated security team. You know you should implement a Web Application Firewall (WAF), but AWS’s documentation is overwhelming, and you’re worried about blocking legitimate users.

Here’s the truth: you don’t need to implement every WAF rule on day one. But there are five critical rules that protect against 90% of attacks, cost almost nothing, and take under an hour to set up properly.

This guide shows you exactly which rules to enable, how to configure them without blocking real users, and the monitoring you need to sleep better at night.

Why Startups Can’t Skip WAF Protection

Before we dive into the rules, let’s address the elephant in the room: “Do we really need this now?”

Short answer: Yes, if you’re handling any user data or processing payments.

Real costs of skipping WAF:

  • SQL injection attack → Database breach → $50K+ in incident response
  • DDoS attack → Site down for 6 hours → Lost revenue + customer trust
  • Bot traffic → AWS bill explodes from 500K to 5M requests overnight
  • Credential stuffing → User accounts compromised → GDPR fines

We’ve seen all of these happen to early-stage startups. The cheapest incident response we’ve seen cost $15K. Most cost significantly more.

AWS WAF costs $5/month per web ACL plus $1 per million requests. For most startups, that’s under $20/month. It’s the best insurance policy you can buy.

The 5 Essential WAF Rules

1. AWS Managed Rules - Core Rule Set (CRS)

What it protects against: OWASP Top 10 vulnerabilities including SQL injection, cross-site scripting (XSS), and remote code execution.

Why it’s essential: These are the most common attacks. If you only enable one rule, make it this one.

Configuration:

{
  "Name": "AWS-AWSManagedRulesCommonRuleSet",
  "Priority": 1,
  "Statement": {
    "ManagedRuleGroupStatement": {
      "VendorName": "AWS",
      "Name": "AWSManagedRulesCommonRuleSet"
    }
  },
  "OverrideAction": {
    "Count": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "AWSManagedRulesCommonRuleSetMetric"
  }
}

Critical: Start in COUNT mode (as shown above). This logs matches without blocking. After 1-2 weeks of monitoring, switch to BLOCK mode once you’ve confirmed no false positives.

Common false positives:

  • File uploads containing SQL-like content
  • Rich text editors with HTML/JavaScript
  • API endpoints accepting JSON with special characters

Cost: Included in WAF base price ($5/month)

WCU usage: ~700 WCUs (out of 1,500 default limit)

2. AWS Managed Rules - IP Reputation List

What it protects against: Known malicious IP addresses, botnets, and compromised hosts.

Why it’s essential: These IPs are actively attacking websites right now. Blocking them is a no-brainer.

Configuration:

{
  "Name": "AWS-AWSManagedRulesAmazonIpReputationList",
  "Priority": 0,
  "Statement": {
    "ManagedRuleGroupStatement": {
      "VendorName": "AWS",
      "Name": "AWSManagedRulesAmazonIpReputationList"
    }
  },
  "OverrideAction": {
    "None": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "IPReputationListMetric"
  }
}

Critical: This rule can go straight to BLOCK mode (shown above with "None": {}). The false positive rate is extremely low; these IPs are definitively malicious.

False positive rate: Less than 0.01% in our experience

Cost: Included in WAF base price

WCU usage: ~25 WCUs

3. Rate Limiting Rule

What it protects against: Brute force attacks, API abuse, credential stuffing, and sudden traffic spikes that inflate your AWS bill.

Why it’s essential: Without rate limiting, a single malicious actor can drain your AWS budget overnight.

Configuration:

{
  "Name": "RateLimitRule",
  "Priority": 10,
  "Statement": {
    "RateBasedStatement": {
      "Limit": 3000,
      "AggregateKeyType": "IP"
    }
  },
  "Action": {
    "Block": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "RateLimitMetric"
  }
}

What this does: Blocks any IP address that makes more than 3,000 requests in a 5-minute window (AWS’s rate limit window).

Why 3,000? For most startup applications:

  • Legitimate users make 10-50 requests/minute
  • Even aggressive API consumers stay under 500 requests/minute
  • 3,000/5min = 600 requests/minute is generous

Tuning for your application:

  • API-heavy apps: Start at 5,000, monitor, adjust down
  • Static sites: Can go as low as 1,000
  • E-commerce: 2,000-3,000 is usually right

Advanced configuration: Add scope-down statements to exclude legitimate high-volume endpoints:

{
  "Name": "RateLimitRuleWithExceptions",
  "Priority": 10,
  "Statement": {
    "RateBasedStatement": {
      "Limit": 3000,
      "AggregateKeyType": "IP",
      "ScopeDownStatement": {
        "NotStatement": {
          "Statement": {
            "ByteMatchStatement": {
              "SearchString": "/healthcheck",
              "FieldToMatch": {
                "UriPath": {}
              },
              "TextTransformations": [{
                "Priority": 0,
                "Type": "NONE"
              }],
              "PositionalConstraint": "EXACTLY"
            }
          }
        }
      }
    }
  },
  "Action": {
    "Block": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "RateLimitMetric"
  }
}

Cost: Included in WAF base price

WCU usage: ~2 WCUs (very efficient)

4. Geographic Blocking (If Applicable)

What it protects against: Traffic from regions where you have no customers, reducing attack surface and costs.

Why it’s essential: If you only serve customers in specific countries, blocking other regions is free security and cost savings.

Configuration:

{
  "Name": "GeoBlockRule",
  "Priority": 5,
  "Statement": {
    "NotStatement": {
      "Statement": {
        "GeoMatchStatement": {
          "CountryCodes": ["AU", "NZ", "US", "GB", "CA", "SG"]
        }
      }
    }
  },
  "Action": {
    "Block": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "GeoBlockMetric"
  }
}

This example allows: Australia, New Zealand, US, UK, Canada, Singapore. All other countries are blocked.

When to use this:

  • B2B SaaS serving specific markets
  • Compliance requirements (e.g., blocking EU for GDPR reasons)
  • Cost control (blocking expensive regions like India where you have no customers)

When NOT to use this:

  • Global consumer applications
  • Developer tools
  • APIs with international users

Important: Add monitoring to detect legitimate traffic from blocked regions. You might discover customers you didn’t know you had.

Cost: Included in WAF base price

WCU usage: ~1 WCU

5. AWS Managed Rules - Anonymous IP List (With Caution)

What it protects against: Traffic from VPNs, proxies, Tor exit nodes, and hosting providers commonly used by attackers.

Why it’s essential (but tricky): Many attacks come from anonymised sources, but so do legitimate privacy-conscious users.

Configuration:

{
  "Name": "AWS-AWSManagedRulesAnonymousIpList",
  "Priority": 20,
  "Statement": {
    "ManagedRuleGroupStatement": {
      "VendorName": "AWS",
      "Name": "AWSManagedRulesAnonymousIpList"
    }
  },
  "OverrideAction": {
    "Count": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "AnonymousIpListMetric"
  }
}

Critical: Start in COUNT mode and monitor for at least 2 weeks. This rule has the highest false positive rate.

False positives come from:

  • Corporate VPN users (Netskope, Zscaler, etc.)
  • Privacy-conscious users (especially in tech/security industries)
  • Users in countries with restrictive internet policies
  • Cloud-based testing tools

Our recommendation:

  1. Run in COUNT mode for 2-4 weeks
  2. Analyse blocked requests in CloudWatch Logs
  3. If false positive rate is under 1%, consider BLOCK mode
  4. If higher, keep in COUNT mode and use it for alerting only

Cost: Included in WAF base price

WCU usage: ~50 WCUs

Implementation Strategy

Don’t enable all rules at once. Here’s our proven rollout strategy:

Week 1: Foundation

  1. Enable IP Reputation List in BLOCK mode
  2. Enable Rate Limiting at 3,000 req/5min in BLOCK mode
  3. Set up CloudWatch dashboard for monitoring

Week 2: Core Protection

  1. Enable Core Rule Set in COUNT mode
  2. Monitor for false positives daily
  3. Document any legitimate traffic being flagged

Week 3: Refinement

  1. Switch Core Rule Set to BLOCK mode if clean
  2. Add overrides for any necessary exceptions
  3. Enable Geo Blocking if applicable

Week 4: Advanced Protection

  1. Enable Anonymous IP List in COUNT mode
  2. Review 2 weeks of data before blocking
  3. Tune rate limits based on actual traffic patterns

Monitoring and Tuning

Enabling rules is only half the battle. You need monitoring to catch false positives and real attacks.

Essential CloudWatch Metrics

Create a dashboard with these metrics:

  1. BlockedRequests (by rule)
  2. CountedRequests (rules in COUNT mode)
  3. AllowedRequests
  4. SampledRequests (drill into specific blocked requests)

CloudWatch Alarms to Set Up

High priority:

  • BlockedRequests > 1,000 in 5 minutes → Potential attack
  • BlockedRequests = 0 for 24 hours → Rules might be misconfigured

Medium priority:

  • WAF processing errors > 10 → Configuration issues
  • Sudden spike in CountedRequests → Potential false positive

Log Analysis

Enable WAF logging to S3 or CloudWatch Logs. This costs extra but is essential for tuning.

What to look for:

  • Blocked requests from your own IP (false positive!)
  • Legitimate-looking requests being blocked (review rule overrides)
  • Patterns in blocked traffic (might indicate targeted attack)
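As an added example (not code from the original post), the Python script below runs the three checks above over WAF log records: it lists blocks that hit your own IPs, groups COUNT-mode matches by rule and URI so you can see what a managed rule group would have blocked, and applies the 1% counted-match bar used earlier for promoting a rule group to BLOCK. The log records are constructed and trimmed to the fields the script reads (field names follow the AWS WAF log format); the own-IP list is an assumption.

```python
"""Triage AWS WAF logs (one JSON object per line) for the checks listed above:
blocks that hit your own IPs, which rules fire in COUNT mode and on which
paths, and whether the counted-match rate is under the guide's 1% bar for
promoting a rule group to BLOCK. Added example; records are constructed."""
import json
from collections import Counter, defaultdict

# Constructed sample, trimmed to the fields read below (real logs carry many more).
SAMPLE_LOGS = "\n".join(json.dumps(r) for r in [
    {"action": "BLOCK", "terminatingRuleId": "RateLimitRule", "ruleGroupList": [],
     "httpRequest": {"clientIp": "203.0.113.10", "uri": "/api/login"}},
    {"action": "BLOCK", "terminatingRuleId": "RateLimitRule", "ruleGroupList": [],
     "httpRequest": {"clientIp": "198.51.100.7", "uri": "/healthcheck"}},
    {"action": "ALLOW", "terminatingRuleId": "Default_Action",
     "httpRequest": {"clientIp": "192.0.2.44", "uri": "/posts"},
     "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",
                        "nonTerminatingMatchingRules": [
                            {"ruleId": "CrossSiteScripting_BODY", "action": "COUNT"}]}]},
    {"action": "ALLOW", "terminatingRuleId": "Default_Action", "ruleGroupList": [],
     "httpRequest": {"clientIp": "192.0.2.45", "uri": "/search"}},
])


def triage(log_text, own_ips):
    """Summarise blocks per terminating rule, blocks of our own IPs, and
    COUNT-mode matches per rule with the URIs they fired on."""
    own_ips, total = set(own_ips), 0
    blocks, blocked_self, counted = Counter(), [], defaultdict(Counter)
    for line in filter(str.strip, log_text.splitlines()):
        rec = json.loads(line)
        total += 1
        req = rec["httpRequest"]
        if rec["action"] == "BLOCK":
            blocks[rec["terminatingRuleId"]] += 1
            if req["clientIp"] in own_ips:
                blocked_self.append((req["clientIp"], req["uri"], rec["terminatingRuleId"]))
        # Managed groups under a Count override report matches here, not as blocks.
        for grp in rec.get("ruleGroupList", []):
            for m in grp.get("nonTerminatingMatchingRules") or []:
                if m.get("action") == "COUNT":
                    counted[f'{grp["ruleGroupId"]}/{m["ruleId"]}'][req["uri"]] += 1
    matches = sum(sum(c.values()) for c in counted.values())
    return {"total": total, "blocks_by_rule": dict(blocks), "blocked_self": blocked_self,
            "counted": {k: dict(v) for k, v in counted.items()},
            "counted_rate": matches / total if total else 0.0}


def ready_to_block(summary, max_rate=0.01):
    """True only when matches stay under the bar and no block hit your own IPs."""
    return summary["counted_rate"] < max_rate and not summary["blocked_self"]
```

In the sample, the monitoring host blocked on /healthcheck is exactly the Pitfall #2 symptom described below, and the single counted CRS match on /posts is the kind of rich-text false positive worth reviewing before switching the rule group to BLOCK.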

Common Pitfalls and How to Avoid Them

Pitfall #1: Enabling BLOCK mode too quickly

Symptom: Customer support tickets about users unable to access your application.

Fix: Always start in COUNT mode, monitor for 1-2 weeks, then switch to BLOCK.

Pitfall #2: Not excluding health checks from rate limiting

Symptom: Your monitoring systems or load balancers get blocked.

Fix: Add scope-down statements to exclude /healthcheck, /ping, or similar endpoints.

Pitfall #3: Geo-blocking your own team

Symptom: Team members traveling internationally can’t access the application.

Fix: Maintain an IP allowlist for your team, or exclude authenticated sessions from geo-blocking.

Pitfall #4: Ignoring WCU limits

Symptom: Can’t add more rules, WAF stops working.

Fix: Monitor your WCU usage. You get 1,500 WCUs by default. Our recommended rules use ~780 WCUs, leaving room for custom rules.
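An added example (not the author's code) that builds the guide's rules as Python dicts with the Action/OverrideAction distinction the JSON blocks above rely on made explicit, checks priorities and the WCU budget against the 1,500 default before you call create-web-acl, and assembles the week-4 rule set from the rollout plan. The WCU figures are the approximate ones quoted in this guide, the /ping path comes from Pitfall #2, and geo blocking is left out because it is optional.

```python
"""Build this guide's rules as Python dicts, check priority uniqueness and the
WCU budget before create-web-acl. Added example, not the author's code."""

# Approximate WCU cost per rule as quoted in the guide (assumption: rounded).
WCU = {"AWS-AWSManagedRulesCommonRuleSet": 700, "AWS-AWSManagedRulesAmazonIpReputationList": 25,
       "AWS-AWSManagedRulesAnonymousIpList": 50, "RateLimitRule": 2, "GeoBlockRule": 1}


def visibility(metric):
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": metric}


def managed_rule(group, priority, block):
    """Managed rule groups take OverrideAction, not Action: None lets the group's
    own BLOCK actions apply, Count downgrades every match to a logged COUNT."""
    return {"Name": f"AWS-{group}", "Priority": priority,
            "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": group}},
            "OverrideAction": {"None": {}} if block else {"Count": {}},
            "VisibilityConfig": visibility(f"{group}Metric")}


def rate_rule(limit, priority, exempt_paths=()):
    """Your own rules take Action. Exempt paths go into a scope-down NotStatement so
    health checks never count toward the limit (Pitfall #2). SearchString is kept
    as a plain string like the guide's JSON; boto3 expects bytes here."""
    stmt = {"Limit": limit, "AggregateKeyType": "IP"}
    paths = [{"ByteMatchStatement": {"SearchString": p, "FieldToMatch": {"UriPath": {}},
              "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
              "PositionalConstraint": "EXACTLY"}} for p in exempt_paths]
    if len(paths) == 1:
        stmt["ScopeDownStatement"] = {"NotStatement": {"Statement": paths[0]}}
    elif paths:  # several paths: NOT (a OR b OR ...)
        stmt["ScopeDownStatement"] = {"NotStatement": {"Statement": {"OrStatement": {"Statements": paths}}}}
    return {"Name": "RateLimitRule", "Priority": priority, "Action": {"Block": {}},
            "Statement": {"RateBasedStatement": stmt}, "VisibilityConfig": visibility("RateLimitMetric")}


def check_web_acl(rules, capacity=1500):
    """Reject duplicate priorities and WCU overspend; return WCUs used (headroom = capacity - used)."""
    priorities = [r["Priority"] for r in rules]
    if len(set(priorities)) != len(priorities):
        raise ValueError(f"duplicate priorities: {sorted(priorities)}")
    used = sum(WCU[r["Name"]] for r in rules)
    if used > capacity:
        raise ValueError(f"{used} WCUs exceeds the web ACL capacity of {capacity}")
    return used


def week4_rules():
    """Guide's week-4 state: IP reputation, CRS and rate limit blocking; Anonymous IP counting."""
    return [managed_rule("AWSManagedRulesAmazonIpReputationList", 0, block=True),
            managed_rule("AWSManagedRulesCommonRuleSet", 1, block=True),
            rate_rule(3000, 10, exempt_paths=("/healthcheck", "/ping")),
            managed_rule("AWSManagedRulesAnonymousIpList", 20, block=False)]
```

`check_web_acl(week4_rules())` returns 777 WCUs, leaving roughly 720 for custom rules; adding the optional geo block brings the total to the ~780 quoted above.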

Pitfall #5: Not testing before production

Symptom: Production outage because WAF blocks everything.

Fix: Test in a staging environment first. Use COUNT mode in production initially.

Real-World Example: SaaS Application

Here’s how we implemented WAF for a B2B SaaS startup serving Australian and US customers:

Before WAF:

  • 2-3 credential stuffing attempts per week
  • Bot traffic consuming 15% of compute resources
  • One SQL injection attempt that almost succeeded

After WAF (4 weeks):

  • IP Reputation List: Blocked 12,000 requests (known bad actors)
  • Rate Limiting: Blocked 8,500 requests (bot traffic)
  • Core Rule Set: Blocked 47 SQL injection attempts
  • Geo Blocking: Blocked 25,000 requests from non-customer regions

Cost: $18/month for WAF

Savings: ~$80/month in reduced compute costs from bot traffic

Security improvement: Immeasurable, but sleep quality improved significantly.

Cost Breakdown

Let’s look at real costs for a startup with 500K requests/month:

WAF Base Cost: $5/month (web ACL)

Request Charges: $0.50 (500K × $1/million)

Rule Costs:

  • IP Reputation List: Free (AWS Managed)
  • Core Rule Set: Free (AWS Managed)
  • Rate Limiting: Free (Standard WAF feature)
  • Geo Blocking: Free (Standard WAF feature)
  • Anonymous IP List: Free (AWS Managed)

Total: $5.50/month

As you scale:

  • 1M requests/month: ~$6/month
  • 5M requests/month: ~$10/month
  • 10M requests/month: ~$15/month

Compare this to the cost of a single security incident (minimum $15K for incident response), and WAF is one of the highest ROI investments you can make.

Getting Started Checklist

Ready to implement? Here’s your action plan:

  • Create AWS WAF Web ACL in your CloudFront or ALB
  • Enable IP Reputation List in BLOCK mode
  • Enable Rate Limiting at 3,000 req/5min
  • Enable Core Rule Set in COUNT mode
  • Set up CloudWatch dashboard for monitoring
  • Enable WAF logging to S3 or CloudWatch
  • Create CloudWatch alarms for blocked requests
  • Review logs daily for first week
  • Switch Core Rule Set to BLOCK after 2 weeks clean
  • Consider Geo Blocking if applicable
  • Add Anonymous IP List in COUNT mode
  • Schedule monthly reviews of WAF metrics

Conclusion

You don’t need to be a security expert to protect your startup. These five WAF rules provide comprehensive protection against the most common attacks:

  1. IP Reputation List - Block known bad actors (enable immediately)
  2. Rate Limiting - Prevent abuse and cost overruns (enable immediately)
  3. Core Rule Set - Stop OWASP Top 10 attacks (enable in COUNT, switch to BLOCK after monitoring)
  4. Geo Blocking - Reduce attack surface if applicable
  5. Anonymous IP List - Extra protection with careful tuning

Total cost: Under $20/month for most startups. Setup time: Under 2 hours. Peace of mind: Priceless.

Need help implementing WAF or want a comprehensive security audit? Our CDN/WAF Services include CloudFront setup, WAF configuration with all recommended rules, and ongoing monitoring delivered in 4 weeks from $3,500.