Client: SaaS Website Builder Platform
Location: India & US ( Serving global customers)
Key Challenges
Being a SaaS company, it was facing a lot of challenges with AWS WAFv1 due to limitations of blocking rogue traffic and creating granular rules. Some of the key issues included ➖
– IP reputation :- Customer was facing difficulty in filtering out rogue traffic since automated IP reputation filtering was not available in WAFv1.
– AWS Managed rules : Customer wanted some mechanism of identifying traffic from datacenters and proxies. Feature was unavailable on WAFv1.
– Automation: Customer wanted some inbuilt solution to block ip address for fixed duration based on attack vector
– Honeypot urls : There was no provision of integrating honeypot url in WAFv1 and required a workaround.
Assets Protected:
- Thousands of user-generated sites on custom domains
- Static and dynamic content across CloudFront, ALB, and API Gateway
Objectives
- Introduce AWS WAF v2 to establish layered perimeter protection
- Deploy rate-based rules to defend APIs and login flows
- Use custom user-agent and pattern regex blacklisting to mitigate scraping and vulnerability scanners
- Build scheduled automation to reset dynamic blacklists after cooldown
- Implement centralized WAF logging, alerting, and visibility
Maneuvers
Security Onboarding & Rule Design
- Conducted threat modeling for multi-tenant SaaS attack surface
- Created dedicated WAF v2 Web ACLs for:
- User dashboard (React SPA)
- Billing and Auth APIs
- End-user websites (hosted via CloudFront)
- Deployed via CloudFormation & AWS Security Automations blueprint
Rule Enhancements with WAF v2
- AWS Managed Rule Groups for OWASP protections
- Application rate limit rules:
- Separate limits for /auth, /dashboard, and /site-edit
- Auto-block high-frequency hits per IP and UA combo
- Custom user-agent blacklist:
- Blocked common reconnaissance tools (sqlmap, nikto, curl, python-requests)
- Regex match filters:
- Block query strings with encoded payloads or unexpected parameters
Modular Rule Groups
- Structured Web ACLs with reusable logic:
- RateLimit-CoreAPIs
- Blacklist-UserAgent
- Tenant-Site-Protection•SEO-Bot-Allowlist
- Enabled domain-level ACL association using CloudFront behaviors
Automation Enhancements
- Scheduled automation to clear IPs from dynamic IP sets after 24 hours
- Enabled WAF v2 full logging to S3
- Alert thresholds wired to CloudWatch Alarms + SNS
Operational and Business Impact
– Tenant-Level Protection: ACL segmentation improved isolation and tuning per platform component.
– Automation Efficiency: Scheduled cleanups and auto-block rules reduced manual intervention.
– Improved Security Posture: Significantly reduced API misuse and bot traffic.
– Uptime Assurance: Protected hosted customer sites with consistent performance even during attack spikes.
– Enterprise Readiness: Hardened platform security aligned with enterprise customer onboarding requirements
– Security : Customer was able to mitigate most of the requests from security audit and tools software after the honeypot feature was implemented with WAFv2 IP list. Customer was also able to to successfully avert FLOOD request through lambda integration achieving 99.99% uptime.
Conclusion
By implementing AWS WAF v2, the SaaS platform achieved a dramatic improvement in tenant-level protection, resource efficiency, and response automation. Advanced rate-limiting and dynamic user-agent filtering drastically reduced API abuse, credential stuffing, and bad bot activity. Client was able to achieve 99.99% uptime after migrating to WAFv2






