Cyber Notes

Cyber Notes

AWS Firewall Project: 100% Do this one 🔥🧱

Back to Basics

W J Pearce's avatar
W J Pearce
Jul 12, 2026
∙ Paid

Last Issue: Are Cloud Security Certs Still even worth it? 📜

Next Issue: TechTwoForty Update 🔊🔊


Let’s get back to basics. We’ve been upskilling with AI tools recently, but this week it’s time to return to a core skill that hasn’t changed and isn’t going anywhere.

Cloud Based Firewalls: AWS WAF

Setting up AWS WAF early in my career was one of those real "Oh, cool... I can actually do this." moments.

AWS WAF: Protecting Web Applications from Common Threats | by Alice the  Architect | AWS in Plain English

What is it?

Chances are you know this but if not. A web application firewall sits in front of your app and checks every HTTP request before it reaches your code. Anything that looks like SQL injection, cross-site scripting, or a flood from a single address gets stopped. Everything else carries on as normal.

AWS WAF is Amazon’s version of that. In this project you’ll build one, or I should say enable the service: Create the firewall, give it a rule set, point it at a live endpoint, and then throw traffic at it to prove it works. By the end you’ll have watched a request get blocked and seen exactly which rule caught it - not something you’ll do everyday but something you need to understand.

What we are going to deploy?

This project has three moving parts, and it helps to picture how they fit before you start clicking.

WAF attaches to a public facing AWS resource: a CloudFront distribution, an Application Load Balancer, or an API Gateway stage. Every request to that resource gets routed through a web ACL (this is an access control list) first. The web ACL is just a container of rules. Each request is checked against those rules in order, and the first rule that matches decides what happens: allow it, block it, or count it. If nothing matches, a default action you set takes over.

Where WAF sits. Legit traffic passes the web ACL and reaches the app (200). A malicious request is turned away at the firewall and never touches your code (403).

Simple…Sorta.

As usual, I reserve the Projects for community members…Come join the fun! 🌍

User's avatar

Continue reading this post for free, courtesy of W J Pearce.

Or purchase a paid subscription.
© 2026 W J Pearce · Privacy ∙ Terms ∙ Collection notice
Start your SubstackGet the app
Substack is the home for great culture