# Firewall support for Amplify hosted sites
<a name="WAF-integration"></a>

Firewall support for Amplify hosted sites enables you to protect your web applications with a direct integration with AWS WAF. AWS WAF allows you to configure a set of rules, called a web access control list (web ACL), that allow, block, or monitor (count) web requests based on customizable web security rules and conditions that you define. When you integrate your Amplify app with AWS WAF, you gain more control and visibility into the HTTP traffic accepted by your app. To learn more about AWS WAF, see [How AWS WAF Works](https://docs.aws.amazon.com/waf/latest/developerguide/how-aws-waf-works.html) in the *AWS WAF Developer Guide*. 

Firewall support is available in all AWS Regions in which Amplify Hosting operates. The web ACLs used by this integration are global AWS WAF resources (scope `CLOUDFRONT`), the same kind that CloudFront distributions use. A web ACL can be attached to multiple Amplify Hosting apps, but all of those apps must be in the same Region.

You can use AWS WAF to protect your Amplify app from common web exploits, such as SQL injection and cross-site scripting. These could affect your app's availability and performance, compromise security, or consume excessive resources. For example, you can create rules to allow or block requests from specified IP address ranges, requests from CIDR blocks, requests that originate from a specific country or region, or requests that contain unexpected SQL code or scripting.

You can also create rules that match a specified string or a regular expression pattern in HTTP headers, the method, the query string, the URI, and the request body. Body inspection is limited to the first 8 KB; a rule's oversize handling setting decides whether a larger body counts as a match, as a non-match, or is evaluated on the inspected portion only, so a blocking rule that relies on body inspection should not leave oversize bodies to pass uninspected. Additionally, you can create rules to block requests from specific user agents, bots, and content scrapers, and rate-based rules that limit the number of web requests allowed from each client IP in a trailing, continuously updated, 5-minute period.
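The following TypeScript is an added example, not code from the Amplify or AWS WAF documentation. It builds the rule set described in the two paragraphs above in the JSON shape that `aws wafv2 create-web-acl --cli-input-json` and CloudFormation accept: an IP allow list, a country block, a per-IP rate limit, and a SQL injection check on the body with oversize handling set so large bodies are blocked rather than passed. The IP set ARN, country codes, rate limit and names are placeholders.

```typescript
// Added example (not from the Amplify or AWS WAF docs). Produces a WAFV2 web
// ACL definition in API JSON shape. ARN, country codes, limit and names are
// placeholders that you replace with your own values.

interface Visibility {
  SampledRequestsEnabled: boolean;
  CloudWatchMetricsEnabled: boolean;
  MetricName: string;
}

interface WafRule {
  Name: string;
  Priority: number;                 // evaluated lowest first; must be unique
  Statement: Record<string, unknown>;
  Action: Record<string, object>;   // { Block: {} } | { Allow: {} } | { Count: {} }
  VisibilityConfig: Visibility;
}

interface WebAcl {
  Name: string;
  Scope: "CLOUDFRONT";              // Amplify accepts only global (CloudFront) web ACLs
  DefaultAction: Record<string, object>;
  Rules: WafRule[];
  VisibilityConfig: Visibility;
}

const metrics = (name: string): Visibility => ({
  SampledRequestsEnabled: true,
  CloudWatchMetricsEnabled: true,
  MetricName: name,
});

// Placeholder ARN of an IP set created beforehand in scope CLOUDFRONT.
export const ALLOWED_IP_SET_ARN =
  "arn:aws:wafv2:us-east-1:123456789012:global/ipset/office-egress/00000000-0000-0000-0000-000000000000";

export function buildRules(ipSetArn: string, blockedCountries: string[], perIpLimit: number): WafRule[] {
  return [
    // Console-style "allow these IPs, block everyone else". An Allow action
    // only short-circuits matching requests, so an allow list has to be
    // written as "block requests NOT in the set".
    {
      Name: "block-outside-ip-allowlist",
      Priority: 0,
      Statement: { NotStatement: { Statement: { IPSetReferenceStatement: { ARN: ipSetArn } } } },
      Action: { Block: {} },
      VisibilityConfig: metrics("BlockOutsideIpAllowlist"),
    },
    // Geographic block on two-letter country codes (placeholders here).
    {
      Name: "block-countries",
      Priority: 1,
      Statement: { GeoMatchStatement: { CountryCodes: blockedCountries } },
      Action: { Block: {} },
      VisibilityConfig: metrics("BlockCountries"),
    },
    // Rate-based rule: block a client IP that exceeds perIpLimit requests in
    // the trailing 5-minute window.
    {
      Name: "rate-limit-per-ip",
      Priority: 2,
      Statement: { RateBasedStatement: { Limit: perIpLimit, AggregateKeyType: "IP" } },
      Action: { Block: {} },
      VisibilityConfig: metrics("RateLimitPerIp"),
    },
    // SQL injection check on the body. Only the first part of the body is
    // inspected; OversizeHandling MATCH treats a larger body as a hit, so it
    // is blocked instead of sliding past the inspection limit.
    {
      Name: "block-sqli-in-body",
      Priority: 3,
      Statement: {
        SqliMatchStatement: {
          FieldToMatch: { Body: { OversizeHandling: "MATCH" } },
          TextTransformations: [{ Priority: 0, Type: "URL_DECODE" }],
        },
      },
      Action: { Block: {} },
      VisibilityConfig: metrics("BlockSqliInBody"),
    },
  ];
}

export function buildWebAcl(name: string, rules: WafRule[]): WebAcl {
  const priorities = rules.map((r) => r.Priority);
  if (new Set(priorities).size !== priorities.length) {
    throw new Error("rule priorities must be unique within a web ACL");
  }
  return {
    Name: name,
    Scope: "CLOUDFRONT",
    DefaultAction: { Allow: {} },   // requests that no rule blocks are allowed
    Rules: rules,
    VisibilityConfig: metrics(name),
  };
}

export const exampleAcl = buildWebAcl("amplify-site-acl", buildRules(ALLOWED_IP_SET_ARN, ["KP", "IR"], 2000));
```

Write `exampleAcl` to a file with `JSON.stringify` and pass it to `aws wafv2 create-web-acl --cli-input-json file://acl.json --region us-east-1`; the default action stays Allow, so only traffic a rule matches is blocked.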

To learn more about the types of rules that are supported and additional AWS WAF features, see the [AWS WAF Developer Guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html) and the [AWS WAF API Reference](https://docs.aws.amazon.com/waf/latest/APIReference/API_Types_AWS_WAFV2.html).

**Important**  
Security is a shared responsibility between AWS and you. AWS WAF isn't the solution to all internet security issues and you must configure it to meet your security and compliance objectives. To help you understand how to apply the shared responsibility model when using AWS WAF, see [Security in your use of the AWS WAF service](https://docs.aws.amazon.com/waf/latest/developerguide/security.html).

**Topics**
+ [Enabling AWS WAF for an Amplify application in the AWS Management Console](getting-started-using-waf.md)
+ [Disassociate a web ACL from an Amplify application](disassociate-web-acl.md)
+ [Enabling AWS WAF for an Amplify application using the AWS CDK](amplify-waf-CDK.md)
+ [How Amplify integrates with AWS WAF](amplify-waf-configuration.md)
+ [Firewall pricing for Amplify applications](waf-pricing.md)

# Enabling AWS WAF for an Amplify application in the AWS Management Console
<a name="getting-started-using-waf"></a>

You can enable AWS WAF protections for an Amplify app either in the Amplify console or in the AWS WAF console.
+  **Amplify console** — You can enable the Firewall capabilities for an existing Amplify app by associating an AWS WAF web ACL with your app in the Amplify console. Use one-click protection to create a web ACL with preconfigured rules that we consider best practice for most apps. You can also restrict access by IP address and country. The instructions in this section describe setting up one-click protections.
+  **AWS WAF console** — Use a preconfigured web ACL that you create in the AWS WAF console or by using the AWS WAF APIs. You must create web ACLs that you want to associate with an Amplify app in the Global (CloudFront) Region. Regional web ACLs might already exist in your AWS account, but they are not compatible with Amplify. For getting started instructions, see [Setting up AWS WAF and its components](https://docs.aws.amazon.com/waf/latest/developerguide/getting-started.html) in the *AWS WAF Developer Guide*.

Use the following procedure to enable AWS WAF for an existing app in the Amplify console.

**Enable AWS WAF for an existing Amplify app**

1. Sign in to the AWS Management Console and open the Amplify console at [https://console.aws.amazon.com/amplify/](https://console.aws.amazon.com/amplify/).

1. On the **All apps** page, choose the name of the deployed app that you want to enable the Firewall feature on.

1. In the navigation pane, choose **Hosting**, and then choose **Firewall**.

   The following screenshot shows how to navigate to the **Add firewall** page in the Amplify console.  
![\[The Amplify console Add firewall page.\]](http://docs.aws.amazon.com/amplify/latest/userguide/images/Amplify-WAF-1.png)

1. On the **Add firewall** page, your actions will depend on whether you want to create a new AWS WAF configuration or use an existing one.
   + Create a new AWS WAF configuration.

     1. Choose **Create new**.

     1. Optionally, enable any of the following configurations:

        1. Turn on **Enable Amplify-recommended Firewall protection**.

        1. Turn on **Restrict access to amplifyapp.com** to prevent access to your app on the default Amplify domain.

        1. For **IP addresses**, turn on **Enable IP address protections**.

           1. For **Action**, choose **Allow** if you want to specify the IP addresses that will have access and all others will be blocked. Choose **Block** if you want to specify the IP addresses that will be blocked and all others will have access.

           1. For **IP version**, select either **IPV4** or **IPV6**.

           1. In the **IP addresses** text box, enter either your allowed or blocked IP addresses, one per line, in CIDR format.

        1. For **Countries**, turn on **Enable country protection**.

           1. For **Action**, choose **Allow** if you want to specify the countries that will have access and all others will be blocked. Choose **Block** if you want to specify the countries that will be blocked and all others will have access.

           1. For **Countries**, select either your allowed or blocked countries from the list.

     The following screenshot demonstrates how to enable a new AWS WAF configuration for an app.   
![\[The Amplify console Add firewall with all of the firewall settings enabled.\]](http://docs.aws.amazon.com/amplify/latest/userguide/images/Amplify-WAF-2.png)
   + Use an existing AWS WAF configuration.

     1. Choose **Use existing AWS WAF configuration**.

     1. Select a saved configuration from the list of web ACLs in AWS WAF in your AWS account. The web ACL that you associate with your Amplify app must be created in the Global (CloudFront) Region. Regional web ACLs might already exist in your AWS account, but they are not compatible with Amplify.

1. Choose **Add firewall**.

1. On the **Firewall** page, the **Associating** status is displayed to indicate that the AWS WAF settings are being propagated. When the process is complete, the status changes to **Enabled**.

   The following screenshots show the firewall progress status in the Amplify console, indicating when the AWS WAF configuration is **Associating** and **Enabled**.  
![\[The Amplify console Firewall status progress in the Associating state.\]](http://docs.aws.amazon.com/amplify/latest/userguide/images/Amplify-WAF-3.png)  
![\[The Amplify console Firewall status progress in the Enabled state.\]](http://docs.aws.amazon.com/amplify/latest/userguide/images/Amplify-WAF-4.png)

# Disassociate a web ACL from an Amplify application
<a name="disassociate-web-acl"></a>

You can't delete a web ACL that is associated with an Amplify app. You must first disassociate the web ACL from the app in the Amplify console. Then you can delete it in the AWS WAF console.

**To disassociate a web ACL from an Amplify app**

1. Sign in to the AWS Management Console and open the Amplify console at [https://console.aws.amazon.com/amplify/](https://console.aws.amazon.com/amplify/).

1. On the **All apps** page, choose the name of the app to disassociate a web ACL from.

1. In the navigation pane, choose **Hosting**, and then choose **Firewall**.

1. On the **Firewall** page, choose **Actions**, then choose **Disassociate firewall**.

1. In the confirmation modal, enter **disassociate**, then choose **Disassociate firewall**.

1. On the **Firewall** page, the **Disassociating** status is displayed to indicate that the AWS WAF settings are being propagated.

   When the process is complete, you can delete the web ACL in the AWS WAF console.

# Enabling AWS WAF for an Amplify application using the AWS CDK
<a name="amplify-waf-CDK"></a>

You can use the AWS Cloud Development Kit (AWS CDK) to enable AWS WAF for an Amplify application. To learn more about using the CDK, see [What is the CDK?](https://docs.aws.amazon.com/cdk/v2/guide/home.html) in the *AWS Cloud Development Kit (AWS CDK) Developer Guide*.

The following TypeScript code example demonstrates how to create an AWS CDK app with two CDK stacks: one for Amplify and one for AWS WAF. Note that the AWS WAF stack must be deployed to the US East (N. Virginia) (us-east-1) Region, because the web ACL that you associate with the Amplify app must be created in the Global (CloudFront) Region. The Amplify application stack can be deployed to a different Region. Regional web ACLs might already exist in your AWS account, but they are not compatible with Amplify.

```
import * as cdk from "aws-cdk-lib";
import { Construct } from "constructs";
import * as wafv2 from "aws-cdk-lib/aws-wafv2";
import * as amplify from "aws-cdk-lib/aws-amplify";

interface WafStackProps extends cdk.StackProps {
  appArn: string;
}

// Deploys the Amplify app and exposes its ARN for the web ACL association.
export class AmplifyStack extends cdk.Stack {
  public readonly appArn: string;
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    const amplifyApp = new amplify.CfnApp(this, "AmplifyApp", {
      name: "MyApp",
    });
    this.appArn = amplifyApp.attrArn;
  }
}

// Deploys the web ACL and associates it with the app. This stack must be
// deployed to us-east-1: scope CLOUDFRONT (global) web ACLs exist only there.
export class WAFStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props: WafStackProps) {
    super(scope, id, props);
    const webAcl = new wafv2.CfnWebACL(this, "WebACL", {
      // Requests that no rule blocks are allowed. Use { block: {} } for an
      // allow-list posture where only explicitly allowed traffic gets through.
      defaultAction: { allow: {} },
      scope: "CLOUDFRONT",
      rules: [
        // Add your own rules here. With no rules and a default allow action
        // the web ACL passes every request unchanged.
      ],
      visibilityConfig: {
        cloudWatchMetricsEnabled: true,
        metricName: "my-metric-name",
        sampledRequestsEnabled: true,
      },
    });

    // Attaches the web ACL to the Amplify app using the app ARN exported
    // from the other stack.
    new wafv2.CfnWebACLAssociation(this, "WebACLAssociation", {
      resourceArn: props.appArn,
      webAclArn: webAcl.attrArn,
    });
  }
}

const app = new cdk.App();

// Create AmplifyStack in your desired Region. crossRegionReferences is set on
// both stacks, as in the CDK documentation's cross-Region example, so the
// CDK can export appArn from this Region and import it in us-east-1.
const amplifyStack = new AmplifyStack(app, "AmplifyStack", {
  env: { region: "us-west-2" },
  crossRegionReferences: true,
});

// Create WAFStack in us-east-1, passing appArn from AmplifyStack.
new WAFStack(app, "WAFStack", {
  env: { region: "us-east-1" },
  crossRegionReferences: true,
  appArn: amplifyStack.appArn,
});
```

# How Amplify integrates with AWS WAF
<a name="amplify-waf-configuration"></a>

The following list provides specific details about how Firewall support is integrated with AWS WAF and the constraints to consider when creating web ACLs and associating them with Amplify apps.
+ You can enable AWS WAF for any type of Amplify app. This includes any supported framework, server-side rendered (SSR) apps, and fully static sites. AWS WAF is supported for Amplify Gen 1 and Gen 2 apps.
+ You must create web ACLs that you want to associate with an Amplify app in the Global (CloudFront) Region. Regional web ACLs might already exist in your AWS account, but they are not compatible with Amplify.
+ The web ACL and the Amplify app must be created in the same AWS account. You can use AWS Firewall Manager to replicate AWS WAF rules across AWS accounts, which keeps organization rules centralized while distributing them to multiple AWS accounts. For more information, see [AWS Firewall Manager](https://docs.aws.amazon.com/waf/latest/developerguide/fms-chapter.html) in the *AWS WAF Developer Guide*.
+ You can share the same web ACL across multiple Amplify apps in the same AWS account. All of the apps must be in the same Region.
+ When you associate a web ACL with an Amplify app, the web ACL attaches to every branch in the app by default. Branches that you create later also get the web ACL.
+ When you associate a web ACL with an Amplify app, it is automatically associated with all of the app's domains. To apply a rule to only one domain name, match on the Host header in that rule.
+ You can't delete a web ACL that is associated with an Amplify app. Before you delete a web ACL in the AWS WAF console, you need to disassociate it from the app.
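The constraints in this list can be checked before calling the association API. The following TypeScript is an added example, not code from the Amplify documentation or the service: it parses a web ACL ARN and an Amplify app ARN and reports which constraints the pair would violate (wrong scope, wrong Region, different account), and it builds the Host-header rule referred to above, here blocking the default `amplifyapp.com` domain. The ARNs are constructed placeholders; note that the WAFV2 API expects `SearchString` base64-encoded, while CloudFormation takes the plain string.

```typescript
// Added example (not from the Amplify docs). Preflight checks for a web ACL
// to Amplify app association, plus a Host-header match rule. All ARNs below
// are constructed placeholders.

export interface ParsedArn {
  partition: string;
  service: string;
  region: string;
  account: string;
  resource: string;
}

// arn:partition:service:region:account:resource (resource may contain ':').
export function parseArn(arn: string): ParsedArn {
  const parts = arn.split(":");
  if (parts.length < 6 || parts[0] !== "arn") {
    throw new Error(`not an ARN: ${arn}`);
  }
  return {
    partition: parts[1],
    service: parts[2],
    region: parts[3],
    account: parts[4],
    resource: parts.slice(5).join(":"),
  };
}

// Returns the reasons the web ACL cannot be associated with the app; an
// empty list means the pair passes the constraints listed on this page.
export function associationProblems(webAclArn: string, appArn: string): string[] {
  const acl = parseArn(webAclArn);
  const app = parseArn(appArn);
  const problems: string[] = [];
  if (acl.service !== "wafv2" || !acl.resource.startsWith("global/webacl/")) {
    problems.push("web ACL must be a global (CloudFront) web ACL; regional web ACLs are not compatible");
  }
  if (acl.region !== "us-east-1") {
    problems.push("global web ACLs are created in us-east-1");
  }
  if (app.service !== "amplify" || !app.resource.startsWith("apps/")) {
    problems.push("resource ARN is not an Amplify app");
  }
  if (acl.account !== app.account) {
    problems.push("web ACL and Amplify app must be in the same AWS account");
  }
  return problems;
}

// The web ACL applies to every domain of the app, so a rule meant for one
// domain inspects the Host header. This rule blocks requests addressed to the
// default *.amplifyapp.com domain, leaving custom domains unaffected.
export function blockDefaultDomainRule(priority: number) {
  return {
    Name: "block-default-amplifyapp-domain",
    Priority: priority,
    Statement: {
      ByteMatchStatement: {
        FieldToMatch: { SingleHeader: { Name: "host" } },
        SearchString: ".amplifyapp.com",        // base64-encode for the WAFV2 API
        PositionalConstraint: "ENDS_WITH",
        TextTransformations: [{ Priority: 0, Type: "LOWERCASE" }],
      },
    },
    Action: { Block: {} },
    VisibilityConfig: {
      SampledRequestsEnabled: true,
      CloudWatchMetricsEnabled: true,
      MetricName: "BlockDefaultAmplifyDomain",
    },
  };
}

// Constructed sample ARNs for the checks.
export const GLOBAL_ACL =
  "arn:aws:wafv2:us-east-1:123456789012:global/webacl/site-acl/11111111-1111-1111-1111-111111111111";
export const REGIONAL_ACL =
  "arn:aws:wafv2:us-west-2:123456789012:regional/webacl/site-acl/22222222-2222-2222-2222-222222222222";
export const APP = "arn:aws:amplify:us-west-2:123456789012:apps/d1a2b3c4d5e6f7";
export const OTHER_ACCOUNT_APP = "arn:aws:amplify:us-west-2:210987654321:apps/d1a2b3c4d5e6f7";
```

Run `associationProblems` against the ARNs you intend to pass to `wafv2:AssociateWebACL`; a regional web ACL fails two checks (scope and Region) while an app in another account fails only the account check.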

## Amplify web ACL resource policy
<a name="webacl-resource-policy"></a>

To allow Amplify to access your web ACL, a resource policy is attached to the web ACL during association. Amplify constructs this resource policy automatically, but you can view it using the AWS WAFV2 [GetPermissionPolicy](https://docs.aws.amazon.com/waf/latest/APIReference/API_GetPermissionPolicy.html) API. The following IAM permissions are required for associating a web ACL with an Amplify app.
+ amplify:AssociateWebACL
+ wafv2:AssociateWebACL
+ wafv2:PutPermissionPolicy
+ wafv2:GetPermissionPolicy

# Firewall pricing for Amplify applications
<a name="waf-pricing"></a>

The cost of implementing AWS WAF on an Amplify application is calculated based on the following two components:
+ **AWS WAF usage** – You will be charged for your AWS WAF usage according to the AWS WAF pricing model. AWS WAF charges are based on the web access control lists (web ACLs) that you create, the number of rules that you add per web ACL, and the number of web requests that you receive. For pricing details, see [AWS WAF Pricing](https://aws.amazon.com/waf/pricing/).
+ **Amplify Hosting integration cost** – There is a \$115.00 per month, per app charge when you attach a web ACL to an Amplify application. This is prorated hourly.