Web Application Firewall (WAF)

Get started with Web Application Firewall (WAF) on LocalStack

Introduction

Web Application Firewall (WAF) is a service provided by Amazon Web Services (AWS) that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. WAFv2 is the latest version of WAF, and it allows you to specify a single set of rules to protect your web applications, APIs, and mobile applications from common attack patterns, such as SQL injection and cross-site scripting.

LocalStack allows you to use the WAFv2 APIs in your local environment to work with web application firewall resources offline. The supported APIs are listed on our API Coverage Page, which shows the extent of WAFv2 integration with LocalStack.

Getting started

This guide is for users who are familiar with the AWS CLI and the awslocal wrapper script.

Start your LocalStack container using your preferred method. We will walk you through creating, listing, and tagging Web Access Control Lists (WebACLs), and viewing their tags, with the Web Application Firewall (WAF) service in a LocalStack environment using the AWS CLI.

Create a WebACL

Start by creating a Web Access Control List (WebACL) using the CreateWebACL API. Run the following command to create a WebACL named TestWebAcl:

$ awslocal wafv2 create-web-acl \
    --name TestWebAcl \
    --scope REGIONAL \
    --default-action Allow={} \
    --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=TestWebAclMetrics
{
    "Summary": {
        "Name": "TestWebAcl",
        "Id": "f94fd5bc-e4d4-4280-9f53-51e9441ad51d",
        "Description": "",
        "ARN": "arn:aws:wafv2:us-east-1:000000000000:regional/webacl/TestWebAcl/f94fd5bc-e4d4-4280-9f53-51e9441ad51d"
    }
}

Note the Id and ARN from the output, as they will be needed for subsequent commands.

List WebACLs

To view all the WebACLs you have created, use the ListWebACLs API. Run the following command to list the WebACLs:

$ awslocal wafv2 list-web-acls --scope REGIONAL
{
    "NextMarker": "Not Implemented",
    "WebACLs": [
        {
            "Name": "TestWebAcl",
            "Id": "f94fd5bc-e4d4-4280-9f53-51e9441ad51d",
            "Description": "",
            "ARN": "arn:aws:wafv2:us-east-1:000000000000:regional/webacl/TestWebAcl/f94fd5bc-e4d4-4280-9f53-51e9441ad51d"
        }
    ]
}

Tag a WebACL

Tagging resources in AWS WAF helps you manage and identify them. Use the TagResource API to add tags to a WebACL. Run the following command to add a tag to the WebACL created in the previous step:

$ awslocal wafv2 tag-resource \
    --resource-arn arn:aws:wafv2:us-east-1:000000000000:regional/webacl/TestWebAcl/f94fd5bc-e4d4-4280-9f53-51e9441ad51d \
    --tags Key=Name,Value=AWSWAF

After tagging your resources, you may want to view these tags. Use the ListTagsForResource API to list the tags for a WebACL. Run the following command to list the tags for the WebACL created in the previous step:

$ awslocal wafv2 list-tags-for-resource \
    --resource-arn arn:aws:wafv2:us-east-1:000000000000:regional/webacl/TestWebAcl/f94fd5bc-e4d4-4280-9f53-51e9441ad51d
{
    "TagInfoForResource": {
        "ResourceARN": "arn:aws:wafv2:us-east-1:000000000000:regional/webacl/TestWebAcl/f94fd5bc-e4d4-4280-9f53-51e9441ad51d",
        "TagList": [
            {
                "Key": "Name",
                "Value": "AWSWAF"
            }
        ]
    }
}
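
The steps above, combined into one repeatable script that reads the ARN from the API response instead of pasting it by hand and confirms the tag was stored. This is an added example, not part of the original LocalStack guide; the function names are hypothetical, and it assumes the standard AWS CLI --query and --output options, which the guide itself does not use.

```shell
#!/usr/bin/env bash
# Added example: the walkthrough as a repeatable script (function names are hypothetical).
set -eu

SCOPE="REGIONAL"

# Print the ARN of the WebACL named $1, or an empty line if none exists.
webacl_arn() {
    local arn
    arn=$(awslocal wafv2 list-web-acls --scope "$SCOPE" \
        --query "WebACLs[?Name=='$1'].ARN | [0]" --output text)
    # With --output text the CLI prints "None" when the query matches nothing.
    if [ "$arn" = "None" ]; then arn=""; fi
    printf '%s\n' "$arn"
}

# Create the WebACL only if it is missing; print its ARN either way.
ensure_webacl() {
    local name="$1" arn
    arn=$(webacl_arn "$name")
    if [ -z "$arn" ]; then
        arn=$(awslocal wafv2 create-web-acl --name "$name" --scope "$SCOPE" \
            --default-action 'Allow={}' \
            --visibility-config "SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=${name}Metrics" \
            --query 'Summary.ARN' --output text)
    fi
    printf '%s\n' "$arn"
}

# Tag the WebACL, then read the tag back; succeeds only if the value matches.
tag_and_verify() {
    local arn="$1" key="$2" value="$3" got
    awslocal wafv2 tag-resource --resource-arn "$arn" \
        --tags "Key=$key,Value=$value" >/dev/null
    got=$(awslocal wafv2 list-tags-for-resource --resource-arn "$arn" \
        --query "TagInfoForResource.TagList[?Key=='$key'].Value | [0]" --output text)
    [ "$got" = "$value" ]
}

# Run the walkthrough only where the awslocal wrapper is installed.
if command -v awslocal >/dev/null 2>&1; then
    acl_arn=$(ensure_webacl TestWebAcl)
    if tag_and_verify "$acl_arn" Name AWSWAF; then
        echo "tagged and verified: $acl_arn"
    else
        echo "tag check failed for $acl_arn" >&2
        exit 1
    fi
fi
```

Running the script a second time reuses the existing TestWebAcl rather than creating another one.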