Claude Code for AWS WAF Workflow: A Practical Guide
AWS Web Application Firewall (WAF) is a critical security service that protects web applications from common web exploits and bots. However, configuring and managing AWS WAF rules can be complex and time-consuming. This guide shows you how to leverage Claude Code to automate AWS WAF workflows, from initial setup to ongoing management.
Why Use Claude Code for AWS WAF?
Managing AWS WAF manually through the AWS Console is error-prone and doesn’t scale well. You need to track multiple rules, web ACLs, and rule groups across different environments. Claude Code can help you:
- Generate CloudFormation templates for WAF configurations
- Audit existing WAF rules for security gaps
- Create reusable WAF rule patterns
- Automate rule updates based on traffic analysis
- Document WAF configurations for compliance
The combination of Claude Code’s code generation capabilities and AWS’s infrastructure-as-code approach makes for a powerful security automation workflow.
Setting Up Your AWS WAF Project
Before you start, ensure you have the AWS CLI configured and appropriate credentials. Create a new directory for your WAF project:
mkdir aws-waf-project && cd aws-waf-project
claude
Initialize your project with a CLAUDE.md file that defines your WAF configuration approach:
# AWS WAF Project Context
## Project Overview
Manage AWS WAFv2 configurations using CloudFormation templates.
## AWS WAF Structure
- Web ACLs: Top-level container for WAF rules
- Rule Groups: Reusable collections of rules
- Rules: Individual matching conditions and actions
- Scope: REGIONAL or CLOUDFRONT
## Standards
- Use WAFv2 (not classic WAF)
- All configs in YAML format
- Environment-specific prefixes (dev-, staging-, prod-)
- Include logging configuration
Creating Your First WAF Web ACL
Let me generate a CloudFormation template for a basic WAF Web ACL with common security rules:
AWSTemplateFormatVersion: '2010-09-09'
Description: 'AWS WAF Web ACL for API Protection'
Resources:
# Web ACL
MainWebACL:
Type: AWS::WAFv2::WebACL
Properties:
Name: !Sub '${Environment}-api-protection'
Description: 'WAF rules for API protection'
Scope: REGIONAL
DefaultAction:
Allow: {}
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: !Sub '${Environment}WebACLMetrics'
Rules:
# AWS Managed Rules
- Name: AWSManagedRulesCommonRuleSet
Priority: 1
OverrideAction:
Count: {}
Statement:
ManagedRuleGroupStatement:
VendorName: AWS
Name: AWSManagedRulesCommonRuleSet
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: AWSManagedRulesCommonRuleSet
# IP Rate Limiting
- Name: RateLimitRule
Priority: 10
Action:
Block: {}
Statement:
RateBasedStatement:
Limit: 1000
AggregateKeyType: IP
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: RateLimitRule
# SQL Injection Protection
- Name: SQLInjectionRule
Priority: 20
Action:
Block: {}
Statement:
OrStatement:
Statements:
- SqliMatchStatement:
FieldToMatch:
Body:
OversizeHandling: MATCH
TextTransformations:
- Priority: 1
Type: NONE
- SqliMatchStatement:
FieldToMatch:
UriPath: {}
TextTransformations:
- Priority: 1
Type: NONE
# XSS Protection
- Name: XSSRule
Priority: 30
Action:
Block: {}
Statement:
XssMatchStatement:
FieldToMatch:
Body:
OversizeHandling: MATCH
TextTransformations:
- Priority: 1
Type: NONE
# WAF Logging
WAFLogGroup:
Type: AWS::Logs::LogGroup
Properties:
LogGroupName: !Sub '/aws/waf/${Environment}-webacl'
RetentionInDays: 30
WAFLoggingConfiguration:
Type: AWS::WAFv2::LoggingConfiguration
Properties:
ResourceArn: !GetAtt MainWebACL.Arn
LogDestinationConfigs:
- !GetAtt WAFLogGroup.Arn
RedactedFields:
- Method: {}
Parameters:
Environment:
Type: String
Default: dev
AllowedValues:
- dev
- staging
- prod
Outputs:
WebACLArn:
Description: 'ARN of the WAF Web ACL'
Value: !GetAtt MainWebACL.Arn
Export:
Name: !Sub '${Environment}-WebACLArn'
Automating WAF Rule Reviews
One of the most valuable Claude Code workflows is auditing existing WAF configurations. Create a skill that analyzes your WAF rules:
Creating a WAF Audit Skill
name: "waf-audit"
description: "Audit AWS WAF configurations for security and best practices"
Running the Audit
Ask Claude Code to analyze your WAF setup:
Audit the WAF configuration in this project. Check for:
- Missing OWASP Top 10 protections
- Inadequate rate limiting
- Missing logging or monitoring
- Rule ordering issues
- Best practice violations
Generate a detailed audit report with remediation steps.
Implementing Custom WAF Rules
AWS Managed Rules are great, but you often need custom rules for specific threats. Here’s how to create custom rules with Claude Code:
Geo-Blocking Rule
# Custom Geo-Blocking Rule
- Name: GeoBlockingRule
Priority: 5
Action:
Block: {}
Statement:
NotStatement:
Statement:
GeoMatchStatement:
CountryCodes:
- US
- CA
- GB
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: GeoBlockingRule
Bot Control Rule
# AWS WAF Bot Control
- Name: BotControlRule
Priority: 2
OverrideAction:
Count: {}
Statement:
ManagedRuleGroupStatement:
VendorName: AWS
Name: AWSManagedRulesBotControlRuleSet
ManagedRuleGroupConfigs:
- LoginPath: /api/login
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: BotControlRule
Integrating WAF with Application Deployment
A complete security workflow integrates WAF with your CI/CD pipeline. Here’s how to automate WAF deployments:
GitHub Actions Workflow
name: Deploy WAF
on:
push:
paths:
- 'waf/**/*.yaml'
branches:
- main
jobs:
deploy-waf:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Validate CloudFormation
run: |
aws cloudformation validate-template \
--template-body file://waf/webacl.yaml
- name: Deploy WAF Stack
run: |
aws cloudformation deploy \
--template-file waf/webacl.yaml \
--stack-name prod-waf \
--parameter-overrides Environment=prod \
--capabilities CAPABILITY_NAMED_IAM \
--no-fail-on-empty-changeset
Ask Claude Code to generate this integration:
Create a GitHub Actions workflow that:
1. Validates CloudFormation templates on pull requests
2. Deploys WAF changes to staging for testing
3. Requires approval for production deployment
4. Runs WAF ruleset validation
5. Sends deployment notifications to Slack
Monitoring WAF with CloudWatch
Effective WAF management requires monitoring. Claude Code can help create comprehensive dashboards:
CloudWatch Dashboard Configuration
{
"widgets": [
{
"type": "metric",
"properties": {
"title": "WAF Allowed/Blocked Requests",
"metrics": [
["AWS/WAFV2", "AllowedRequests", "WebACL", "prod-api-protection"],
[".", "BlockedRequests", ".", "."]
],
"period": 300,
"stat": "Sum"
}
},
{
"type": "metric",
"properties": {
"title": "Top Rule Labels Triggered",
"metrics": [
["AWS/WAFV2", "LabelMatchStatements", "WebACL", "prod-api-protection"]
],
"topk": 10
}
}
]
}
Best Practices for Claude Code WAF Workflows
Based on real-world implementations, here are actionable tips:
1. Use Rule Priorities Wisely
Always order your rules from most specific to least specific. Rate limiting should come before complex matching rules to reduce compute costs:
Rules:
- Priority: 1 # Rate limiting (cheap, high impact)
- Priority: 10 # IP blocks (simple matching)
- Priority: 20 # SQLi/XSS (medium complexity)
- Priority: 30 # Managed rule groups (expensive)
2. Start with Count Mode
Never deploy blocking rules directly to production. Use override actions to count first:
- Name: NewSecurityRule
OverrideAction:
Count: {} # Change to Block after testing
Statement:
# ... your rule statement
3. Implement Staged Rollouts
Use WAF’s label matching to gradually enable rules:
# Initial rule - labels requests but allows all
- Name: ShadowModeRule
Action:
Allow: {} # Also adds labels via RuleGroup
Statement:
# ... complex matching
4. Document Everything
Create a WAF rule catalog:
## Rule Catalog
### AWSManagedRulesCommonRuleSet
- Purpose: General OWASP protections
- Action: Override to Count in dev, Block in prod
- Review: Monthly
### RateLimitRule
- Purpose: Prevent DDoS/Brute force
- Threshold: 1000 req/5min per IP
- Review: Quarterly
### SQLInjectionRule
- Purpose: Block SQL injection attacks
- Action: Block (production)
- Review: After any WAF incident
Conclusion
Claude Code transforms AWS WAF management from a manual, error-prone process into an automated, repeatable workflow. By generating CloudFormation templates, auditing configurations, and creating documentation, you can establish robust WAF governance across your infrastructure.
Start with the basic Web ACL template, then gradually add custom rules and automation. Remember to always test in non-production environments first, and leverage WAF’s logging and metrics to continuously improve your security posture.
Related Reading
- Claude Code for Beginners: Complete Getting Started Guide
- Best Claude Skills for Developers in 2026
- Claude Skills Guides Hub
Built by theluckystrike — More at zovo.one