AWS Blogs, March 31
Firewall support for AWS Amplify hosted sites

 

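AWS has announced the integration of AWS WAF with AWS Amplify Hosting, giving hosted sites stronger security protection. Through a one-click integration, users can attach a web application firewall directly in the Amplify console or by using infrastructure as code (IaC). The new capability protects against common web vulnerabilities such as SQL injection and cross-site scripting (XSS), and supports access restrictions based on IP address and geographic location. Users can use AWS WAF rate-based rules to defend against DDoS attacks, which simplifies security management and reduces architectural complexity.

🛡️ Easy AWS WAF integration: One-click integration of AWS WAF through the Amplify console simplifies security configuration for web applications.

🛡️ Multiple protection options: Amplify offers several protection options, including the recommended firewall protection, restricting access to amplifyapp.com, and access control based on IP address and country/region.

🛡️ Fine-grained rules: Users can build custom rule sets with the AWS WAF console rule builder for finer-grained security control.

🛡️ Real-time monitoring and analysis: AWS WAF provides visibility into request patterns, helping users fine-tune their security settings over time. Users can access logs through Amplify Hosting or the AWS WAF console to analyze traffic trends and refine security rules.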

<section class="blog-post-content lb-rtxt"><p>Today, we’re announcing the general availability of the <a href="https://aws.amazon.com/waf">AWS WAF</a> integration with <a href="https://aws.amazon.com/amplify/hosting/?trk=4b29643c-e00f-4ab6-ab9c-b1fb47aa1708&amp;sc_channel=el">AWS Amplify Hosting</a>.</p>
<p>Web application owners are constantly working to protect their applications from a variety of threats. Previously, if you wanted to implement a robust security posture for your Amplify Hosted applications, you needed to create architectures using <a href="https://aws.amazon.com/cloudfront/">Amazon CloudFront</a> distributions with AWS WAF protection, which required additional configuration steps, expertise, and management overhead.</p>
<p>With the general availability of AWS WAF in Amplify Hosting, you can now directly attach a web application firewall to your <a href="https://aws.amazon.com/amplify/?trk=4b29643c-e00f-4ab6-ab9c-b1fb47aa1708&amp;sc_channel=el">AWS Amplify</a> apps through a one-click integration in the <a href="https://console.aws.amazon.com/amplify/?trk=4b29643c-e00f-4ab6-ab9c-b1fb47aa1708&amp;sc_channel=el">Amplify console</a> or using infrastructure as code (IaC). This integration gives you access to the full range of AWS WAF capabilities including managed rules, which provide protection against common web exploits and vulnerabilities like SQL injection and cross-site scripting (XSS). You can also create your own custom rules based on your specific application needs.</p>
<p>This new capability helps you implement defense-in-depth security strategies for your web applications. You can take advantage of AWS WAF rate-based rules to protect against distributed denial of service (DDoS) attacks by limiting the rate of requests from IP addresses.
Additionally, you can implement geo-blocking to restrict access to your applications from specific countries, which is particularly valuable if your service is designed for specific geographic regions.</p>
<p><strong>Let’s see how it works<br /></strong> Setting up AWS WAF protection for your Amplify app is straightforward. From the Amplify console, navigate to your app settings, select the <strong>Firewall</strong> tab, and choose the predefined rules you want to apply to your configuration. <a href="https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/03/10/2025-03-10_14-58-20.png"><img class="aligncenter wp-image-94093" src="https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/03/10/2025-03-10_14-58-20-1024x656.png" alt="AWS WAF integration in AWS Amplify Hosting" width="800" height="512" /></a></p>
<p>Amplify Hosting simplifies configuring firewall rules. You can activate four categories of protection.</p>
<ul><li><strong>Amplify-recommended firewall protection</strong> – Protect against the most common vulnerabilities found in web applications, block IP addresses from potential threats based on Amazon internal threat intelligence, and protect against malicious actors discovering application vulnerabilities.</li>
<li><strong>Restrict access to amplifyapp.com</strong> – Restrict access to the default Amplify-generated amplifyapp.com domain.
This is useful when you add a custom domain to prevent bots and search engines from crawling the domain.</li>
<li><strong>Enable IP address protection</strong> – Restrict web traffic by allowing or blocking requests from specified IP address ranges.</li>
<li><strong>Enable country protection</strong> – Restrict access based on specific countries.</li></ul>
<p>Protections enabled through the Amplify console will create an underlying <a href="https://docs.aws.amazon.com/waf/latest/developerguide/web-acl.html?trk=4b29643c-e00f-4ab6-ab9c-b1fb47aa1708&amp;sc_channel=el">web access control list (ACL)</a> in your AWS account. For fine-grained rulesets, you can use the AWS WAF console rule builder.</p>
<p>After a few minutes, the rules are associated with your app and AWS WAF blocks suspicious requests.</p>
<p>If you want to see AWS WAF in action, you can simulate an attack and monitor it using the AWS WAF request inspection capabilities. For example, you can send a request with an empty User-Agent value. It will trigger a blocking rule in AWS WAF.</p>
<p>Let’s first send a valid request to my app.</p>
<pre class="lang-curl">curl -v -H "User-Agent: MyUserAgent" https://main.d3sk5bt8rx6f9y.amplifyapp.com/

* Host main.d3sk5bt8rx6f9y.amplifyapp.com:443 was resolved.
... (redacted for brevity) ...
&gt; GET / HTTP/2
&gt; Host: main.d3sk5bt8rx6f9y.amplifyapp.com
&gt; Accept: */*
&gt; User-Agent: MyUserAgent
&gt;
* Request completely sent off
&lt; HTTP/2 200
&lt; content-type: text/html
&lt; content-length: 0
&lt; date: Mon, 10 Mar 2025 14:45:26 GMT</pre>
<p>We can observe that the server returned an HTTP 200 (OK) message.</p>
<p>Then, send a request with no value associated with the User-Agent HTTP header.</p>
<pre class="lang-curl">curl -v -H "User-Agent: " https://main.d3sk5bt8rx6f9y.amplifyapp.com/

* Host main.d3sk5bt8rx6f9y.amplifyapp.com:443 was resolved.
... (redacted for brevity) ...
&gt; GET / HTTP/2
&gt; Host: main.d3sk5bt8rx6f9y.amplifyapp.com
&gt; Accept: */*
&gt;
* Request completely sent off
&lt; HTTP/2 403
&lt; server: CloudFront
... (redacted for brevity) ...
&lt;TITLE&gt;ERROR: The request could not be satisfied&lt;/TITLE&gt;
&lt;/HEAD&gt;&lt;BODY&gt;
&lt;H1&gt;403 ERROR&lt;/H1&gt;
&lt;H2&gt;The request could not be satisfied.&lt;/H2&gt;</pre>
<p>We can observe that the server returned an HTTP 403 (Forbidden) message.</p>
<p>AWS WAF provides visibility into request patterns, helping you fine-tune your security settings over time. You can access logs through Amplify Hosting or the AWS WAF console to analyze traffic trends and refine security rules as needed.</p>
<p><a href="https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/03/10/2025-03-10_15-52-58.png"><img class="aligncenter size-large wp-image-94096" src="https://d2908q01vomqb2.cloudfront.net/da4b9237bacccdf19c0760cab7aec4a8359010b0/2025/03/10/2025-03-10_15-52-58-1024x422.png" alt="AWS WAF integration in AWS Amplify Hosting - Dashboard" width="1024" height="422" /></a></p>
<p><strong>Availability and pricing<br /></strong> Firewall support is available in all <a href="https://aws.amazon.com/about-aws/global-infrastructure/regions_az/">AWS Regions</a> in which Amplify Hosting operates. This integration falls under an AWS WAF global resource, similar to Amazon CloudFront. Web ACLs can be attached to multiple Amplify Hosting apps, but they must reside in the same Region.</p>
<p>The pricing for this integration follows the standard <a href="https://aws.amazon.com/waf/pricing/?trk=4b29643c-e00f-4ab6-ab9c-b1fb47aa1708&amp;sc_channel=el">AWS WAF pricing model</a>. You pay for the AWS WAF resources you use based on the number of web ACLs, rules, and requests. On top of that, AWS Amplify Hosting adds $15/month when you attach a web application firewall to your application.
This is prorated by the hour.</p>
<p>This new capability brings enterprise-grade security features to all Amplify Hosting customers, from individual developers to large enterprises. You can now build, host, and protect your web applications within the same service, reducing the complexity of your architecture and streamlining your security management.</p>
<p>To learn more, visit the <a href="https://docs.aws.amazon.com/amplify/latest/userguide/WAF-integration.html?trk=4b29643c-e00f-4ab6-ab9c-b1fb47aa1708&amp;sc_channel=el">AWS WAF integration documentation for Amplify</a> or try it directly in the Amplify console.</p>
<a href="https://linktr.ee/sebsto">— seb</a></section>
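One way to do the log analysis the post describes, as an added example that is not from the AWS post: it tallies blocked requests by terminating rule, country and source IP over AWS WAF JSON log records, and counts blocks where the User-Agent header was absent or empty, as in the curl test above. The sample records, rule IDs, and the `user_agent` and `summarize` helper names are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample records (one JSON object per line). Field names follow the
# AWS WAF log format; rule IDs, hosts and IPs are made-up placeholder values.
SAMPLE_LOG = """\
{"action":"ALLOW","terminatingRuleId":"Default_Action","httpRequest":{"clientIp":"198.51.100.7","country":"FR","uri":"/","headers":[{"name":"User-Agent","value":"MyUserAgent"}]}}
{"action":"BLOCK","terminatingRuleId":"example-common-rules","httpRequest":{"clientIp":"203.0.113.9","country":"US","uri":"/","headers":[{"name":"Host","value":"app.example.com"}]}}
{"action":"BLOCK","terminatingRuleId":"example-common-rules","httpRequest":{"clientIp":"203.0.113.9","country":"US","uri":"/","headers":[{"name":"user-agent","value":""}]}}
{"action":"BLOCK","terminatingRuleId":"example-rate-limit","httpRequest":{"clientIp":"203.0.113.9","country":"US","uri":"/login","headers":[{"name":"User-Agent","value":"bot/1.0"}]}}
{"action":"BLOCK","terminatingRuleId":"example-geo-block","httpRequest":{"clientIp":"198.51.100.44","country":"CA","uri":"/","headers":[{"name":"User-Agent","value":"Mozilla/5.0"}]}}
{"action":"BLOCK","terminatingRuleId":"trunc
"""

def user_agent(request):
    """Return the User-Agent value, or None when the header is absent."""
    for header in request.get("headers", []):
        if header.get("name", "").lower() == "user-agent":
            return header.get("value")
    return None

def summarize(log_text, repeat_threshold=3):
    """Count blocked requests per rule, country and client IP."""
    by_rule, by_country, by_ip = Counter(), Counter(), Counter()
    parsed = skipped = missing_ua = 0
    for line in filter(None, map(str.strip, log_text.splitlines())):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # truncated or non-JSON line: count it, do not crash
            continue
        parsed += 1
        if record.get("action") != "BLOCK":
            continue
        request = record.get("httpRequest", {})
        by_rule[record.get("terminatingRuleId", "unknown")] += 1
        by_country[request.get("country", "unknown")] += 1
        by_ip[request.get("clientIp", "unknown")] += 1
        if not (user_agent(request) or "").strip():
            missing_ua += 1  # header absent or empty, as in the curl test
    return {
        "parsed": parsed, "skipped": skipped, "blocked": sum(by_rule.values()),
        "by_rule": dict(by_rule), "by_country": dict(by_country),
        "blocked_without_user_agent": missing_ua,
        # Sources blocked repeatedly: candidates for the IP address protection list
        "repeat_sources": sorted(ip for ip, n in by_ip.items() if n >= repeat_threshold),
    }

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

A rule that accounts for most blocks while the affected sources send ordinary browser User-Agent values is worth reviewing for false positives before tightening it further.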
