Fight DDoS Attacks Better With AWS WAF’s New Top Insights Visualization Tool


Looking for more tools to fight off malicious parties attacking your website?

AWS just launched another small, yet useful, tool for you.

As of Jan 3rd, 2025, there is a new section in AWS WAF that uses CloudWatch Insights and your WAF logs to populate some simple visualizations. These include the following:

  • Top 100 URI paths
  • HTTP method
  • Top 100 client IPs
  • Top 100 user agents

Now for you veteran WAF Ninjas, you might think this is noob stuff and I agree. It is a great starting point for those looking to analyze DDoS traffic, but it is not the end-all-be-all for it.

Combining the WAF logs with CW Insights is an insanely powerful way to figure out who is attacking your system and how. This is not just for DDoS attacks; it also helps you track malicious parties that are stealing your data.
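The four breakdowns listed above are top-N counts over fields of each WAF log record. As an added example (not AWS's code and not the author's own queries), this Python script computes them offline over constructed log lines; it assumes the AWS WAF log JSON fields `action`, `httpRequest.clientIp`, `uri`, `httpMethod` and `headers`, and the function names are hypothetical.

```python
import json
from collections import Counter

def make_record(ip, method, uri, ua, action="ALLOW"):
    """Build one constructed record using the AWS WAF log field names."""
    headers = [{"name": "Host", "value": "example.com"}]
    if ua is not None:
        headers.append({"name": "User-Agent", "value": ua})
    return json.dumps({"timestamp": 1736000000000, "action": action,
                       "httpRequest": {"clientIp": ip, "headers": headers,
                                       "uri": uri, "httpMethod": method}})

# Constructed sample traffic (documentation IP ranges), plus one corrupt line.
SAMPLE_LOG_LINES = (
    [make_record("203.0.113.10", "POST", "/login", "python-requests/2.31", "BLOCK")] * 3
    + [make_record("198.51.100.7", "GET", "/", "Mozilla/5.0"),
       make_record("198.51.100.7", "GET", "/pricing", "Mozilla/5.0"),
       make_record("203.0.113.44", "GET", "/login", None),
       "not json"]
)

def user_agent(headers):
    """Headers are a list of name/value pairs; match the name case-insensitively."""
    for header in headers or []:
        if header.get("name", "").lower() == "user-agent":
            return header.get("value", "")
    return "(none)"

def top_insights(lines, limit=100, action=None):
    """Return (top-N counts per dimension, number of unparseable lines)."""
    counters = {k: Counter() for k in ("uri", "method", "client_ip", "user_agent")}
    skipped = 0
    for line in lines:
        try:
            record = json.loads(line)
            http = record["httpRequest"]
            row = {"uri": http["uri"], "method": http["httpMethod"],
                   "client_ip": http["clientIp"],
                   "user_agent": user_agent(http.get("headers"))}
        except (ValueError, KeyError, TypeError, AttributeError):
            skipped += 1
            continue
        if action and record.get("action") != action:
            continue
        for key, value in row.items():
            counters[key][value] += 1
    return {k: c.most_common(limit) for k, c in counters.items()}, skipped

if __name__ == "__main__":
    insights, bad = top_insights(SAMPLE_LOG_LINES, action="BLOCK")
    print(insights["client_ip"], "unparseable:", bad)
```

Passing `action="BLOCK"` narrows the counts to requests the web ACL blocked, and requests with no User-Agent header are grouped under `(none)` rather than dropped.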

If you are interested in hearing more about how I do this to fend off attacks on my clients that get hundreds of millions of requests, shoot me a message. I am thinking about creating an ebook or a bigger piece of content around this.

Feature Request For The AWS WAF Team:

I suggest adding a button that will open the exact query you are using to populate those insight widgets on the CloudWatch Insights page.

That would allow users to take your basic queries as a starting point then edit them in CW Insights to fit their specific needs.

Cost Concerns:

Keep in mind you get charged for every CW Insights query you run, so don’t run those queries frivolously.

Question For You:

What CloudWatch Insight queries have you found the most valuable for tracking malicious traffic patterns?

PS: Here is the talking head version if you want to hear me ramble on about this topic for 60 seconds - https://youtube.com/shorts/qpKYxPG1ScE?feature=share