Compliance

Protect APIs and edge with WAF

One capability across AWS WAF and Network Firewall: make sure the firewalls in front of your APIs, load balancers and VPC traffic actually contain rules and are attached to the resources they are meant to protect, rather than being deployed in name only.

14 min·10 sections·AWS

Last reviewed 16 June 2026

Remediates AWS Security Hub: APIGateway.4 ELB.16 NetworkFirewall.3 NetworkFirewall.4 NetworkFirewall.5 NetworkFirewall.6 NetworkFirewall.9 NetworkFirewall.10 WAF.2 WAF.3 WAF.4 WAF.6 WAF.7 WAF.8 WAF.10

WAF and edge protection: the basics

Why a firewall that exists is not the same as a firewall that works

AWS gives you two managed firewall layers for inbound and inter-VPC traffic. AWS WAF (web application firewall) inspects HTTP(S) requests through a web ACL attached to an Application Load Balancer, API Gateway stage, AppSync API or CloudFront distribution; its rules match SQL injection, cross-site scripting, bad bots, rate floods and the AWS Managed Rules baseline. AWS Network Firewall is a stateful firewall that filters traffic flowing to, from and between VPCs through rule groups attached to a firewall policy. Both only protect what they are configured and attached to inspect.

AWS Security Hub turns the failure modes into separate controls, but they share one theme: a firewall that is present but inert. WAF.2, WAF.3, WAF.4, WAF.6, WAF.7, WAF.8 and WAF.10 check that web ACLs and rule groups actually contain rules; APIGateway.4 and ELB.16 check that an API stage and a load balancer are associated with a web ACL at all. On the network side, NetworkFirewall.3, NetworkFirewall.4, NetworkFirewall.5, NetworkFirewall.6 check that the policy and stateless rule groups have rules and a sane default action, and NetworkFirewall.9 and NetworkFirewall.10 check that the firewall has deletion and subnet-change protection so it cannot be removed by accident.

The reason this matters is false assurance. An empty web ACL still appears, in the console and on the architecture diagram, as a deployed firewall, while every request passes straight through on its default action. A load balancer with no associated web ACL looks fronted by WAF on paper but inspects nothing. The job is to make every firewall in the estate carry real rules, be attached to the resource it protects, and be hard to delete by mistake, so that "firewall deployed" actually means "traffic is being inspected."

In this lesson you will learn how AWS WAF and Network Firewall express protection, why an empty or unattached firewall is worse than none because it creates false assurance, and how to find and fix inert firewalls across your accounts and Regions. The Controls this lesson covers section lists every Security Hub control in this capability, each linking to a deep page with the exact check and a copy-and-paste fix.

Fun fact

The firewall that blocked nothing for a year

A SaaS team passed three consecutive security reviews on the strength of "AWS WAF protecting all public endpoints." During an incident eleven months in, a responder ran get-web-acl on the load balancer's web ACL to see which rule had blocked an attacker, and found the Rules array was simply empty. A Terraform module had commented out the rule blocks during an early debugging session and never restored them, so for nearly a year every request had sailed through on the default Allow action. The fix was four minutes: attach the AWS Managed Rules common rule set. The harder fix was explaining how it passed three reviews.

Finding inert firewalls across an estate

Diego runs cloud security at a mid-sized fintech. Security Hub flags a cluster of WAF and Network Firewall findings: empty web ACLs, a public API with no association, and a firewall missing deletion protection.

Rather than work the findings one by one, he starts by pulling each web ACL's rule count, so he can separate firewalls that inspect nothing from those that are genuinely doing their job before changing anything.

Pull a web ACL's definition and check the Rules array. An empty array with a default action of Allow means every request passes uninspected.

$ aws wafv2 get-web-acl --scope REGIONAL --name public-alb-waf --id a1b2c3d4-0000-1111-2222-3333 --query 'WebACL.{Rules:Rules,Default:DefaultAction}'

{

"Rules": [],

"Default": {

"Allow": {}

}

# Rules: [] with DefaultAction Allow means this web ACL inspects nothing. WAF.10 fails.

An empty Rules array confirms the finding: the firewall is attached but inspecting zero requests. The same pattern applies to Network Firewall policies with no rule groups.

How WAF and Network Firewall enforce traffic rulesdeep dive

A WAFv2 web ACL is scoped either REGIONAL (Application Load Balancer, API Gateway, AppSync, Cognito) or CLOUDFRONT (managed from us-east-1). The scope is a required parameter on nearly every wafv2 call, and getting it wrong returns an empty list rather than an error, which is a common reason people think a web ACL is missing. Every web ACL has a DefaultAction (Allow or Block) that applies to any request no rule matches, so an empty web ACL with DefaultAction Allow is functionally open. The controls that check for rules evaluate only whether the array is non-empty; they do not judge whether the rules are good.

Updates use optimistic concurrency: update-web-acl replaces the entire Rules array (it is not additive) and requires the current LockToken, so you must supply the full desired rule set on every update, which is why most teams manage this through infrastructure-as-code. Association is a separate step: associate-web-acl binds a web ACL ARN to a resource ARN (for API Gateway, the stage ARN, not the API), and the APIGateway.4 and ELB.16 controls check that this binding exists at all.

AWS Network Firewall carries three independent protection flags (DeleteProtection, SubnetChangeProtection, FirewallPolicyChangeProtection) checked by NetworkFirewall.9, NetworkFirewall.10 and the policy-change sibling, plus checks that the firewall policy and stateless rule groups actually contain rules and define a sensible default stateless action. Network Firewall has no soft-delete and no recycle bin, so deletion protection turns an irreversible single command into a deliberate two-step action. As with WAF, the durable fix lives in the IaC template: CloudFormation and Terraform both default these flags to false, so a flag flipped by hand reverts on the next deploy unless the template encodes it.

What is the impact of an inert or unattached firewall?

The direct impact is the absence of inspection. An empty web ACL is a passthrough: with the common DefaultAction Allow, every injection attempt, scanner probe and credential-stuffing burst reaches your application as if no WAF existed. A public API with no associated web ACL has the same exposure. On the network side, a firewall policy with no rules, or a deletion-protection gap that lets the firewall vanish, leaves VPC egress flowing uninspected, which is exactly the condition that turns a routine mistake into a data-exfiltration window.

The more dangerous impact is false assurance. Unlike having no firewall, an empty or unattached one actively misleads everyone downstream: the console shows it associated, the diagram shows a firewall, the security questionnaire is answered yes, and the compliance report counts the control as present. Every one of those is technically accurate and all are wrong about what matters, whether traffic is being inspected. This is how inert firewalls survive multiple security reviews undetected.

There is a cost angle that sharpens the point. With per-request billing on API Gateway and Lambda, an automated storm against an unprotected endpoint can produce a five-figure invoice spike overnight, with no business activity behind it; a WAF rate-based rule would have capped it for a few dollars. And on the compliance side these controls map to NIST 800-53 configuration and information-flow requirements, so an inert firewall reads as a control that was funded, deployed and then left non-functional, which auditors treat harshly as a process failure rather than a mere gap.

How do you make firewalls actually inspect traffic?

Work the capability as one loop rather than chasing individual findings. The order matters: inventory inert firewalls, attach a baseline safely, promote it to enforcing once metrics are clean, then lock the baseline into infrastructure-as-code so empties cannot return.

1. Inventory empty, unattached and unprotected firewalls

Across both WAF scopes (REGIONAL in every Region, CLOUDFRONT from us-east-1) and all accounts, list web ACLs and check the rule count, list API Gateway stages and load balancers and check for an associated web ACL, and list Network Firewall firewalls and read their protection flags and policy rule counts. Prioritise resources that are internet-facing and currently passing live traffic uninspected.

2. Attach the managed baseline in Count mode first

The safest starting rule set for a web ACL is the AWS Managed Rules common rule set (AWSManagedRulesCommonRuleSet from the AWS vendor), plus a rate-based rule capping a single source IP. Add it with an OverrideAction of Count so it observes and reports matches without blocking, which guarantees you cannot break a production application by suddenly inspecting its traffic. For an unprotected API or load balancer, reuse a shared baseline web ACL rather than creating one per resource.

3. Promote to enforcing once metrics are clean

Watch the CloudWatch counted matches for a day or two. If legitimate traffic is being matched, tune with rule-group overrides before flipping the OverrideAction from Count to None so the managed rules enforce. Never flip straight to enforcing on a high-traffic production endpoint without an observation window. For Network Firewall, enable deletion and subnet-change protection (instant, no traffic impact) and confirm the policy carries real rules and a sane default stateless action.

4. Bake the baseline into infrastructure-as-code and guard it

Most inert firewalls are born in Terraform, CloudFormation or CDK where the rules block was left empty, the association step was forgotten, or the protection flags defaulted to false. Make a non-empty rules block, a web ACL association, and DeleteProtection true required parts of any firewall or API module, and enforce them with AWS Config rules or a CI policy check so a pull request that creates an inert firewall fails before it merges.

# Attach the AWS Managed Rules common baseline to an empty web ACL, in Count mode.
# update-web-acl REPLACES the entire Rules array, so supply the full desired set and the current LockToken.
aws wafv2 update-web-acl \
  --scope REGIONAL --name public-alb-waf --id a1b2c3d4-0000-1111-2222-3333 \
  --lock-token e4f5g6h7 --default-action Allow={} \
  --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=public-alb-waf \
  --rules '[{"Name":"AWS-CommonRuleSet","Priority":0,"Statement":{"ManagedRuleGroupStatement":{"VendorName":"AWS","Name":"AWSManagedRulesCommonRuleSet"}},"OverrideAction":{"Count":{}},"VisibilityConfig":{"SampledRequestsEnabled":true,"CloudWatchMetricsEnabled":true,"MetricName":"AWS-CommonRuleSet"}}]'

# Associate a baseline web ACL with an unprotected API Gateway stage (the resource ARN is the stage, not the API).
aws wafv2 associate-web-acl \
  --web-acl-arn arn:aws:wafv2:us-east-1:111122223333:regional/webacl/prod-api-baseline/1a2b3c4d \
  --resource-arn arn:aws:apigateway:us-east-1::/restapis/a1b2c3d4e5/stages/prod

# Protect a Network Firewall from accidental deletion.
aws network-firewall update-firewall-delete-protection \
  --firewall-name prod-egress-inspection --delete-protection

Quick quiz

Question 1 of 5

Security Hub shows a mix of empty WAF web ACLs, a public API with no web ACL, and a Network Firewall missing deletion protection. What is the most efficient way to think about them?

Keep learning

Go deeper on how WAF and Network Firewall enforce rules across the resources in this capability.

You can now treat WAF and edge protection as one capability rather than a scatter of findings: inventory the firewalls that are empty, unattached or unprotected, attach the managed baseline in Count mode and promote it once metrics are clean, associate web ACLs wherever they are missing, protect network firewalls from accidental deletion, and lock the whole pattern into infrastructure-as-code. The Controls this lesson covers section below links every control in this group to its deep page and fix.

Back to the library

WAF and edge protection: the cost and risk view

Paying for firewalls that filter nothing, while carrying the risk of an unprotected, billable attack surface

AWS WAF and Network Firewall are paid services. WAF bills a small monthly fee per web ACL, a smaller fee per rule and a per-request charge for inspected traffic; Network Firewall bills per hour per endpoint plus a per-GB data-processing charge. An empty web ACL or an unattached firewall is the most expensive way to have no protection, because you pay for it and trust it at the same time while it delivers nothing.

The exposure these controls mask is both a security and a cost one. An unprotected public API is exactly the kind of gap that turns into a breach, an audit finding, or a runaway bill: API Gateway and the Lambda behind it charge per request, so an automated bot storm against an unfiltered endpoint can generate millions of billable invocations overnight, with no business activity behind them. A WAF rate-based rule would have turned the whole storm away at the edge for a few dollars.

The right framing is that the dollar amounts here are small and the exposure they cap is large and unbounded. Populating an empty web ACL or attaching one to an API adds a modest per-rule and per-request charge, so the corrected state costs slightly more than the broken one. That incremental spend buys back the assurance the original line item only pretended to provide, and it is worth saying out loud at the review.

This lesson is for the finance partner who sees AWS WAF and Network Firewall on both the bill and the compliance report and assumes the two line up. It covers why an empty web ACL means paying for a control that delivers nothing, why an unprotected API is a tail-risk on the cloud bill as much as a compliance gap, and the governance levers that make "firewall deployed" mean "firewall inspecting."

Fun fact

The firewall that blocked nothing for a year

How a finance partner frames the inert-firewall decision

Maya is the finance partner for a mid-sized fintech. Security Hub has flagged a cluster of WAF and Network Firewall findings: a couple of empty web ACLs, a public API with no association at all, and a firewall missing deletion protection. At the review she does not lead with what the fix costs, because she knows the answer is a few dollars a month. She leads with the assurance problem: the company is paying for these firewalls and counting them as satisfied controls on the security questionnaire, yet several of them inspect nothing. The line item is real and the protection is fictional at the same time.

The team pulls the rule counts. Two web ACLs have empty Rules arrays with a default action of Allow, so every request sails through, and a public API Gateway stage has no web ACL bound to it. Maya's framing for the finance pack is that the dollar amounts here are small and the exposure they cap is large and unbounded: that unprotected API bills per request, so an automated bot storm could turn into a five-figure invoice spike overnight with no business activity behind it, when a WAF rate-based rule would have turned the storm away at the edge for a few dollars. She approves the modest per-rule and per-request increment without debate, and asks for the count of empty or unattached firewalls to become a standing zero-target metric so the company stops paying for protection it does not have.

Why this matters to assurance and the bill

The direct cost of an inert firewall is negligible, a few dollars a month for a web ACL or the hourly Network Firewall charge, so the finding looks like rounding error and gets deprioritised. That is the wrong read. The real impact is on the integrity of your control reporting: when "WAF deployed" appears as a satisfied control but the web ACL is empty or unattached, the posture you are attesting to is materially misstated.

There is also a genuine cost tail. An unprotected public API is a tail-risk on the cloud bill: per-request billing means an automated attack can become a surprise invoice overnight, and a WAF rate-based rule is the cheap insurance that caps it. The expected monthly cost of an unprotected API is near zero right up until the night a storm hits it, which is exactly the kind of unbudgeted spike finance most wants to avoid.

The budgeting move is to treat WAF and Network Firewall as funded baseline infrastructure rather than per-project line items to argue about, and to make the count of empty or unattached firewalls a standing zero-target metric. A non-zero and growing count means firewalls are being created faster than they are configured, which usually points to IaC templates or review gates that do not enforce a rules baseline.

What finance can do about inert firewalls

Finance cannot populate a web ACL, but it owns the framing that turns a near-rounding-error finding into a governed baseline and a zero-target metric. Three levers.

1. Separate the trivial cost from the unbounded exposure

The direct cost of fixing an inert firewall is small: a modest per-rule and per-request charge on a web ACL, or the hourly Network Firewall fee. The exposure it caps is large and unbounded, an unprotected public API is a tail-risk on the bill because per-request billing means an automated storm can become a surprise invoice overnight. Make that asymmetry explicit so the corrected state, which costs slightly more than the broken one, is understood as buying back the assurance the original line item only pretended to provide.

2. Treat WAF and Network Firewall as funded baseline, not per-project line items

An empty web ACL or an unattached firewall is the most expensive way to have no protection, because you pay for it and trust it at the same time while it delivers nothing. Budget WAF and Network Firewall as standing baseline infrastructure rather than per-project costs to argue about resource by resource, so the question shifts from 'can we afford a firewall here' to 'why is this one not inspecting traffic.'

3. Make the empty-or-unattached count a standing zero-target metric

Put the count of empty or unattached firewalls on the cost-and-security review as a number whose target is always zero. A non-zero and growing count means firewalls are being created faster than they are configured, which usually points to IaC templates or review gates that do not enforce a rules baseline. That is a process signal finance can escalate before it becomes either a breach or a runaway bill, and it is more useful than the trivial monthly firewall spend on its own.

Quick quiz

Question 1 of 5

Why is an empty web ACL described as the most expensive way to have no protection?

Keep learning

Go deeper on how WAF and Network Firewall enforce rules across the resources in this capability.

You have finished the finance view of WAF and edge protection. You know that an empty web ACL is the most expensive way to have no protection, because you pay for it and trust it at once, that an unprotected public API is a tail-risk on the bill an attack can turn into a five-figure spike overnight, and that the fix adds only a modest per-rule and per-request charge. Next time these findings land, you will treat firewalls as funded baseline and make the empty-or-unattached count a standing zero-target metric.

Back to the library

WAF and edge protection: the headline

Whether the firewalls you believe protect your APIs and networks are actually inspecting traffic

WAF and Network Firewall are the layers that turn away malicious traffic before it reaches the business's applications and networks. The risk this group addresses is subtle: a firewall can be deployed but empty, or a public API can have no firewall in front of it at all, and the dashboard will still read "protected" while the reality is "open."

This is mostly a control-assurance and process matter rather than a cost story. "We had a firewall but it had no rules in it" is a far worse sentence to say after an incident than "we had not deployed one yet," because it reads as negligence. The fix is cheap and largely one-time per resource.

The defensible end state is that every public API and load balancer sits behind a web ACL that contains the managed baseline, every Network Firewall policy carries real rules and cannot be deleted by accident, and coverage is enforced by the deployment pipeline rather than by someone remembering. The leadership question is one number: how many of our firewalls are empty or unattached, and the right answer is always zero.

A short read for the leader who needs to know why a deployed-but-empty firewall is false assurance, why it matters more than its trivial cost suggests, and what good looks like: every public API and load balancer behind a real web ACL, every network firewall carrying rules and protected from deletion, and coverage enforced by the pipeline.

Fun fact

The firewall that blocked nothing for a year

What it looks like when firewall coverage is policy, not accident

After an incident response found that the web ACL fronting a production load balancer had an empty Rules array, so every request had passed uninspected for nearly a year while three security reviews recorded WAF as in place, the CEO asked the obvious question: how did we attest to a control we did not actually have? The answer was that the dashboard, the architecture diagram and the security questionnaire all read protected, and every one of them was technically accurate and wrong about the only thing that mattered, whether traffic was being inspected.

The response was to stop treating firewall coverage as something each team configures by hand and make it a pipeline-enforced default. A non-empty rules block, a web ACL association on every public API and load balancer, and deletion protection on every Network Firewall became required parts of the IaC modules, enforced by a CI policy check so a pull request that creates an inert firewall fails before it merges. The leadership signal is now one number on the report: how many of our firewalls are empty or unattached, and the expected answer is zero. The shift, from a firewall that exists to a firewall that works, is the whole point, because 'we had a firewall but it had no rules in it' is a far worse sentence to say after a breach than 'we had not deployed one yet.'

Why this is on the report

The dollar amount is trivial; the reason it is escalated is that it represents a security control the organisation believes it has and does not. An empty or unattached firewall leaves the application or network it fronts exposed exactly as if no firewall existed, while every report, diagram and questionnaire says it is protected. That gap between claim and reality can survive audits and reviews undetected, which makes it larger than its cost suggests.

There is a reputational and regulatory edge too. "We had a firewall but it had no rules in it" reads as negligence after an incident, not backlog. So this category sits at the intersection of security posture and assurance credibility. The leadership move is not to spend more on firewalls; it is to insist that every firewall the org claims is actually inspecting traffic, and to ask for the one number that proves it: how many are empty or unattached?

The leadership move on edge protection

The executive handle is not to spend more on firewalls. It is to insist that every firewall the organisation claims is actually inspecting traffic, and to make coverage a pipeline-enforced default rather than something a team remembers.

1. Set a default: no firewall ships empty or unattached

Make it policy that every public API and load balancer sits behind a web ACL carrying the managed baseline, and every Network Firewall policy carries real rules. The right place to enforce this is the deployment pipeline, a non-empty rules block, a web ACL association, and deletion protection set true as required parts of any firewall or API module, enforced by AWS Config rules or a CI policy check so an inert firewall fails before it merges, not after an incident.

2. Demand proof of inspection, not proof of deployment

A deployed-but-empty firewall is false assurance: the console shows it associated, the diagram shows a firewall, the questionnaire says yes, and all of it is wrong about whether traffic is inspected. Insist the evidence is the rule count and the association, not the existence of the resource, because that gap between claim and reality is exactly what survives multiple security reviews undetected and reads as negligence after an incident.

3. Ask for one number: how many firewalls are empty or unattached?

At the review the single question worth asking is how many of our firewalls are empty or unattached, and the right answer is always zero. A consistent zero with the baseline enforced in the pipeline is a healthy signal. Any non-zero value is a control the organisation believes it has and does not, which is larger than its trivial cost suggests and worth more attention than the firewall budget itself.

Quick quiz

Question 1 of 5

An incident reveals a production web ACL has been empty for nearly a year while three security reviews recorded WAF as in place. What is the core leadership problem?

Keep learning

Go deeper on how WAF and Network Firewall enforce rules across the resources in this capability.

Two takeaways: a deployed-but-empty firewall is false assurance, a control the organisation believes it has and does not, and the leadership move is not to spend more but to insist every firewall it claims is actually inspecting traffic. The right metric is one number, how many firewalls are empty or unattached, and the right answer is always zero, enforced by the pipeline rather than by someone remembering.

Back to the library

Controls this lesson covers

One capability, many AWS Security Hub controls. This lesson is the shared playbook; each control below keeps its own deep page with the exact check, severity and a copy-and-paste fix.

APIGateway

APIGateway.4 Medium API Gateway should be associated with a WAF web ACL

ELB

ELB.16 Medium ALBs should be associated with a WAF web ACL

NetworkFirewall

WAF

Part of the learning path Lock down access

Protect APIs and edge with WAF

WAF and edge protection: the basics

The firewall that blocked nothing for a year

Finding inert firewalls across an estate

How WAF and Network Firewall enforce traffic rulesdeep dive

What is the impact of an inert or unattached firewall?

How do you make firewalls actually inspect traffic?

1. Inventory empty, unattached and unprotected firewalls

2. Attach the managed baseline in Count mode first

3. Promote to enforcing once metrics are clean

4. Bake the baseline into infrastructure-as-code and guard it

Quick quiz

Keep learning

WAF and edge protection: the cost and risk view

The firewall that blocked nothing for a year

How a finance partner frames the inert-firewall decision

Why this matters to assurance and the bill

What finance can do about inert firewalls

1. Separate the trivial cost from the unbounded exposure

2. Treat WAF and Network Firewall as funded baseline, not per-project line items

3. Make the empty-or-unattached count a standing zero-target metric

Quick quiz

Keep learning

WAF and edge protection: the headline

The firewall that blocked nothing for a year

What it looks like when firewall coverage is policy, not accident

Why this is on the report

The leadership move on edge protection

1. Set a default: no firewall ships empty or unattached

2. Demand proof of inspection, not proof of deployment

3. Ask for one number: how many firewalls are empty or unattached?

Quick quiz

Keep learning

Controls this lesson covers

APIGateway

ELB

NetworkFirewall

WAF

Related compliance lessons