Hi friends im looking into AWS WAF, we have cloudfront, api gateways and application load balancer and i can see WAF supports all 3. We want to use the managed rulesets as a base. But we are not sure what rulesets to use for each of the 3 i mentioned. Does anyone have any information or some guide on what rulesets we can apply to each that would be a good starting point.

WAF stuff depends a bunch on the types of technologies you’re using, potential weakpoints in your application and how it’s used.

E.g., presumably if you’ve got an API you’d want to rate limit at least some parts of it.

What I would say generally is you’ll want to incrementally add bits in, monitor and constantly review your WAF setup so you can tune it to avoid false-positives while also catching enough malicious requests. It’s a bit of a tightrope that needs eyes on it.