If you are running AWS WAF in front of your applications, you already have a powerful security layer blocking SQL injections, XSS attacks, and bot traffic. But AWS WAF monitoring is what turns that protection from a passive shield into an active intelligence system.
This guide walks you through every layer of AWS WAF monitoring: the CloudWatch metrics that matter, how to enable Web ACL logging, how to set threshold alerts, and what tools like Datadog, New Relic, or CubeAPM add on top of native AWS capabilities.
Key Takeaways
- WAF publishes AllowedRequests, BlockedRequests and CountedRequests per Web ACL and rule, at 1-minute granularity.
- Web ACL logging must be enabled separately. Choose CloudWatch Logs, S3 or Kinesis Firehose based on your retention needs.
- The built-in traffic dashboard (March 2024+) needs zero setup and shows blocked/allowed ratios, top rules, bots and countries.
- CloudWatch Alarms on BlockedRequests fire SNS notifications when a rule crosses a threshold for faster incident response.
- Datadog, New Relic and CubeAPM ingest WAF metrics via the CloudWatch API and enrich them with APM context.
- Always test new rules in Count mode first, then switch to Block once false-positive rates are acceptable.
What Is AWS WAF Monitoring and Why Does It Matter?
AWS WAF is a managed web application firewall that evaluates every HTTP/S request arriving at your Amazon CloudFront distributions, Application Load Balancers, Amazon API Gateways, AWS AppSync APIs, and AWS Cognito user pools. It processes traffic against ordered sets of rules inside a Web Access Control List (Web ACL), taking actions such as Allow, Block, Count, CAPTCHA, or Challenge on each request.
Without monitoring, WAF operates like a security camera with no recording. You are blocking threats but accumulating no evidence and receiving no warnings. AWS WAF monitoring gives you three critical capabilities:
- Visibility: See which rules are firing, how often, and against what traffic sources.
- Tuning: Use Count mode metrics to validate new rules without disrupting legitimate traffic.
- Alerting: Trigger automated responses when blocked request counts spike beyond a threshold, which often signals an active attack.
According to AWS, the traffic overview dashboard introduced in March 2024 was designed specifically because “protecting application uptime can be a time-consuming challenge of baselining network traffic, investigating suspicious senders, and determining how best to mitigate risks.”
How AWS WAF Generates Metrics in CloudWatch
Every Web ACL you create publishes metrics to Amazon CloudWatch automatically. No additional configuration is needed to start seeing data in CloudWatch. Metrics arrive under the namespace AWS/WAFV2 and can be filtered by three dimensions:
- Region: The AWS region where the Web ACL is deployed.
- WebACL: The name of your Web ACL.
- Rule: The name of the individual rule or rule group within the Web ACL.
This three-level hierarchy is important. You can view aggregate metrics for the entire Web ACL, or drill down to a specific managed rule group like AWSManagedRulesCommonRuleSet to see exactly how many requests it is blocking.
Core AWS WAF Metrics You Need to Track
The following table summarizes the primary metrics available in CloudWatch for AWS WAF. All metrics use the Sum statistic and report in 1-minute periods by default.
| Metric Name | What It Measures | Why It Matters |
|---|---|---|
| AllowedRequests | Total requests passed by the Web ACL | Baseline for normal traffic volume; sudden drops may indicate false positives blocking legitimate users |
| BlockedRequests | Requests explicitly denied by a rule action | Core security health indicator; use with rule dimension to identify which rule is blocking |
| CountedRequests | Requests matched in Count mode (not blocked) | Validate a new rule before promoting to Block mode |
| PassedRequests | Requests that matched no rule and received default action | High values may signal gaps in your rule coverage |
| RequestsWithValidToken | Requests carrying a valid WAF challenge token | Track bot-challenge completion rate |
| CaptchaRequests | Requests that triggered CAPTCHA | Gauge bot activity; spike indicates automated traffic surge |
| Bot Control Metrics | Requests from verified/common/targeted bots | Understand bot composition of your traffic |
The Rule Dimension: Where the Real Insight Lives
The most actionable use of AWS WAF metrics is filtering by the Rule dimension. When you navigate to CloudWatch Metrics and select AWS/WAFV2, you can chart BlockedRequests for a specific rule name over time. This tells you:
- Which managed rule group is contributing the most blocks (helping isolate rules that may be too aggressive).
- When a specific rule started firing at an unusual rate, correlating with attack start times.
- Whether a rate-based rule is triggering expected protections during traffic spikes.
Per AWS security best practices documentation: “Determine which rule is contributing the most blocked requests over the past few days. This can help you isolate a rule that is not working as intended.” (Source:
Using the AWS WAF Traffic Overview Dashboard
As of March 2024, AWS WAF includes a built-in traffic overview dashboard inside the WAF console for each Web ACL. This dashboard is available by default and requires no additional setup, no CloudFormation, and no extra cost beyond the WAF service itself.
What the Traffic Overview Dashboard Shows
The dashboard provides near real-time summaries of CloudWatch metrics. Key panels include:
- Total requests vs. blocked requests over the selected time window.
- Allowed vs. blocked ratio with trend lines.
- Bot vs. non-bot traffic breakdown, with bot category classification from the Bot Control managed rule group.
- CAPTCHA solve rate, showing what percentage of challenged users completed the CAPTCHA.
- Top 10 matched rules, ranked by request volume.
- Top originating countries for both total and blocked traffic.
- Client device type breakdown (desktop vs. mobile vs. tablet).
You can access default metrics such as total requests, blocked requests, and common attacks blocked, or customize the dashboard with metrics and visualizations that are most important to you. The dashboard has native integration with CloudWatch, so you can navigate directly from a dashboard panel into CloudWatch for more granular metric exploration.
Sampled Requests Tab
The traffic overview dashboard also includes a Sampled Requests tab. This tab shows a graph of rule matches for web requests AWS WAF has inspected, plus a table of up to 100 sample requests that matched a rule and 100 requests that received the default Web ACL action. Samples come from the previous three hours of traffic on protected resources. This is useful for quickly inspecting the headers, URI, and country of blocked requests without running a full Athena query.
How to Enable AWS WAF Web ACL Logging
CloudWatch metrics give you counts and rates. Web ACL logs give you the full story: the source IP, the URI path, the rule that matched, the HTTP headers, the action taken, and whether a token was present. Logging is not enabled by default and must be configured explicitly for each Web ACL.
Step 1: Choose a Log Destination
AWS WAF supports three logging destinations. Choose the one that matches your operational workflow:
| Destination | Best For | Key Considerations |
|---|---|---|
| Amazon CloudWatch Logs | Real-time alerting, Logs Insights queries, Contributor Insights dashboards | Best native integration; supports CloudFormation deployment of complete dashboards |
| Amazon S3 | Long-term retention, ad-hoc Athena queries, compliance archiving | Lower cost for high-volume logs; query latency higher than CloudWatch |
| Amazon Kinesis Data Firehose | Near real-time streaming to S3, Redshift, Splunk, or OpenSearch | Enables sub-minute delivery to third-party SIEM platforms |
Step 2: Enable Logging for a Web ACL
To enable logging via the AWS Management Console:
- Navigate to the AWS WAF console and select your Web ACL.
- Choose the Logging and metrics tab.
- Under Logging, click Enable.
- Select your logging destination type (CloudWatch Logs, S3, or Kinesis Data Firehose).
- Select or create the target resource (a log group, S3 bucket, or Firehose delivery stream). For CloudWatch Logs, the log group name must start with the prefix aws-waf-logs-.
- Optionally configure log filtering to reduce costs by logging only BLOCK actions or specific rule matches.
- Save the configuration. Logging begins within a few minutes.
Step 3: Query Logs with CloudWatch Logs Insights
Once logs are flowing to CloudWatch Logs, you can run ad-hoc queries using Logs Insights. A useful starting query to find all blocked requests in the last 24 hours:
fields @timestamp, httpRequest.clientIp, terminatingRuleId, action
| filter action = 'BLOCK'
| stats count(*) as blockCount by terminatingRuleId
| sort blockCount descThis query surfaces your top-blocking rules ranked by count, which is the first thing to check when investigating an unexpected spike in blocked traffic.
For top blocked source IPs:
fields @timestamp, httpRequest.clientIp, action
| filter action = 'BLOCK'
| stats count(*) as requests by httpRequest.clientIp
| sort requests desc | limit 20You can also use Contributor Insights rules to create ongoing visualizations of top IPs and top terminating rules without writing manual queries each time.
How to Set Alerts on AWS WAF Blocked Requests
Monitoring dashboards are reactive. Alerts are proactive. AWS WAF integrates with CloudWatch Alarms to notify you when blocked request counts cross a threshold, which is typically the first signal that an active attack or a misconfigured rule is causing problems.
Create a CloudWatch Alarm for Blocked Requests
To set an alert when BlockedRequests for a Web ACL exceed a threshold:
- In the CloudWatch console, navigate to Alarms and click Create alarm.
- Select the metric AWS/WAFV2 > WebACL, Region, Rule > BlockedRequests.
- Set the statistic to Sum and the period to 1 minute (or 5 minutes for less sensitivity).
- Define the threshold. For example: BlockedRequests > 1000 for 2 consecutive data points (2 minutes).
- Set the alarm action to notify an SNS topic, which can send email, SMS, or trigger a Lambda function.
- Name the alarm and click Create.
To set alerts on a per-rule basis (for example, only alert when AWSManagedRulesKnownBadInputsRuleSet crosses 500 blocks), repeat the same steps but filter the metric by the Rule dimension set to the specific rule group name.
Anomaly Detection Alarms
In addition to static threshold alarms, CloudWatch supports anomaly detection alarms that use machine learning to model the normal behavior of a metric. You can apply an anomaly detection band to BlockedRequests so that CloudWatch alerts you only when the value deviates significantly from the expected pattern for that time of day and day of week. This reduces false alarms from expected traffic surges (like a product launch) while still catching genuine attack spikes.
Advanced AWS WAF Log Analysis with Athena and QuickSight
For teams with high-volume traffic or long-term compliance requirements, querying logs stored in S3 with Amazon Athena provides the most flexible analysis layer.
Setting Up Athena for WAF Logs
When WAF logs land in an S3 bucket, you can create an Athena table that maps directly to the WAF log schema. AWS provides a sample DDL statement in the WAF documentation. Once the table is created, you can run standard SQL:
SELECT terminatingruleid, COUNT(*) AS block_count
FROM waf_logs
WHERE action = 'BLOCK'
AND from_unixtime(timestamp/1000) > NOW() - INTERVAL '7' DAY
GROUP BY terminatingruleid ORDER BY block_count DESC;You can chain Athena queries with Amazon QuickSight to build managed BI dashboards showing blocked request trends by rule, geo, and URI path. The AWS Security Services Best Practices guide covers this pattern in detail.
AWS WAF Monitoring with Third-Party Tools
Native CloudWatch monitoring is powerful but requires setup time and AWS console access for every investigation. Third-party observability platforms integrate WAF metrics alongside application performance data, providing unified dashboards and more sophisticated alerting.
CubeAPM
CubeAPM is an APM and observability platform that integrates AWS WAF monitoring alongside application performance data, giving security and engineering teams a unified view without switching between the WAF console and CloudWatch.
CubeAPM collects WAF metrics via the CloudWatch API and presents them on pre-built dashboards that cover blocked requests, allowed traffic, bot activity, and rule-level breakdowns. Because it correlates WAF data with traces, error rates, and latency from the same applications protected by WAF, it surfaces the operational impact of both attacks and rule misconfigurations in a single screen.
Datadog
Datadog collects AWS WAF metrics via the AWS integration, which polls CloudWatch on a configurable interval. The Datadog AWS WAF integration surfaces AllowedRequests, BlockedRequests, CountedRequests, and CAPTCHA metrics, all enriched with the Web ACL and Rule dimensions as tags. This means you can build dashboards that correlate WAF block spikes with application error rates or latency increases in the same view.
Key metrics Datadog collects from WAF include aws.waf.allowed_requests, aws.waf.blocked_requests, aws.waf.counted_requests, aws.waf.requests_with_valid_token, and aws.waf.captcha_requests.
New Relic
New Relic’s AWS WAF monitoring integration polls CloudWatch metrics and stores them in NRDB, where you can query them with NRQL. New Relic also supports alert conditions on WAF metrics with anomaly-based baselines.
Site24x7
Site24x7 provides an AWS WAF monitoring integration that pulls CloudWatch data and visualizes it alongside uptime and response time metrics for the protected resources. This is useful for teams that want a single monitoring console rather than switching between WAF console and CloudWatch.
Applications Manager (ManageEngine)
ManageEngine Applications Manager supports AWS WAF monitoring, collecting metrics like AllowedRequests, BlockedRequests, and PassedRequests. It provides threshold-based alerts and historical trend views from within the same console used for infrastructure and application monitoring.
How to Tune AWS WAF Rules Using Monitoring Data
Monitoring is only valuable when it drives action. The most common use of WAF metrics and logs in day-to-day operations is rule tuning: deciding whether a rule is too aggressive (causing false positives) or too permissive (missing attacks).
The Count-Before-Block Workflow
Before switching any new rule to Block mode, run it in Count mode first. This means the rule will match requests and increment CountedRequests without terminating the request. The workflow is:
- Add the new rule or managed rule group to the Web ACL in Count mode.
- Wait at least 24 to 72 hours to collect representative traffic data.
- In CloudWatch, chart CountedRequests filtered by the new rule’s name.
- Use Logs Insights to sample the actual requests being counted: are they legitimate users or attackers?
- If the false-positive rate is acceptable, promote the rule to Block mode.
- Watch BlockedRequests for the same rule over the next 24 hours to confirm there is no legitimate traffic impact.
Identifying Overly Aggressive Rules
If you see a sudden jump in BlockedRequests after deploying a new managed rule group, use the following approach to identify the specific rule causing the issue:
- Filter CloudWatch metrics by the Rule dimension set to the specific managed rule group name.
- If the platform supports sub-rule labels (via WAF log labels field), query Logs Insights for the most frequent labels in blocked requests.
- Review sampled blocked requests in the WAF console Sampled Requests tab to check if legitimate user agents or IPs are included.
- Consider adding IP set overrides or scope-down statements to the rule group to exclude known-good traffic from matching.
AWS WAF Monitoring Best Practices
Drawing from AWS documentation, Datadog, and security engineering guidance, here are the practices that define a mature AWS WAF monitoring posture:
ACL-level BlockedRequests tells you something is happening. Rule-level BlockedRequests tells you what is happening. Always configure your CloudWatch dashboards and alerts with the Rule dimension populated. This becomes especially important when you have multiple managed rule groups in a single Web ACL.
Create individual CloudWatch Alarms for rules that protect your most sensitive endpoints, such as rate-based rules guarding login pages or the SQLi rule set protecting your API. Route these alarms to an on-call SNS topic so that any spike triggers an immediate page to the security team.
A practical architecture is to send WAF logs to both destinations using Kinesis Data Firehose: one delivery stream writes to CloudWatch Logs (for real-time Logs Insights queries), and another writes to S3 (for Athena-based historical analysis and compliance retention). The cost difference is manageable for most traffic volumes.
AWS managed rule groups add labels to requests that match specific conditions. These labels appear in the WAF log’s labels field. You can query Logs Insights for label frequency to understand which sub-rule within a managed rule group is driving the most matches, even when the rule group itself does not expose per-sub-rule CloudWatch metrics.
Establish a weekly review cadence where a security engineer examines the top blocked IPs, top blocked URIs, and any new rule that appeared in the top 10 matched rules dashboard. Blocked requests that repeat from the same IP over days without a block on that IP in your IP deny list may indicate that you need to add a rate-based rule.
The built-in AWS WAF traffic overview dashboard is the fastest path to situational awareness. Keep it bookmarked in your security team’s browser. Because it requires no setup and auto-refreshes with near real-time data, it is often the first place to check when a support ticket mentions slow responses or unexpected errors.
Monitor AWS WAF with CubeAPM
Stop juggling CloudWatch dashboards, S3 buckets, and Athena queries. CubeAPM centralizes your AWS WAF blocked request metrics, rule-level insights, and security alerts in a single pane of glass.
With CubeAPM you get:
- Out-of-the-box AWS WAF dashboards for blocked requests, allowed traffic, and bot activity
- Rule-level granularity so you can pinpoint exactly which managed rule group is firing
- Intelligent alerting when blocked request counts spike above your configured thresholds
- Correlation of WAF metrics with application performance data for full-stack visibility
Disclaimer: This article contains pricing estimates based on publicly available AWS CloudWatch Logs rates as of May 2026. Actual costs may vary by AWS region, account type, and usage patterns. Always verify current pricing before making infrastructure decisions.
FAQs
How do I check which rule is blocking requests in AWS WAF?
Navigate to the AWS WAF console, select your Web ACL, and open the Traffic Overview dashboard. The Top 10 Matched Rules panel shows which rules are terminating the most requests. For more detail, open the Sampled Requests tab or run a Logs Insights query filtering on action = ‘BLOCK’ and grouping by terminatingRuleId if you have logging enabled.
Can I get blocked request data per IP address from CloudWatch?
CloudWatch metrics do not expose per-IP data. For per-IP visibility you need WAF logs. Enable logging to CloudWatch Logs and run a Logs Insights query grouping BlockedRequests by httpRequest.clientIp. Alternatively, use Contributor Insights with a rule that tracks the top N source IPs for blocked requests.
What is the difference between BlockedRequests and PassedRequests?
BlockedRequests counts requests that matched a rule with the Block action and were denied. PassedRequests counts requests that reached the end of the rule evaluation without matching any terminating rule and received the Web ACL default action (which could be Allow or Block depending on your configuration). A high PassedRequests count with a Block default action is not necessarily a problem; it means your rules are not matching most legitimate traffic.
How much does AWS WAF monitoring cost?
The WAF service charges per Web ACL, per rule, and per million requests evaluated. CloudWatch metrics for WAF are included at no additional charge. CloudWatch Logs ingestion, storage, and Logs Insights query charges apply separately. Contributor Insights rules are billed per rule per month. For most production workloads, the combined cost of WAF + CloudWatch monitoring is well under $10 per month per Web ACL for log analysis costs.
Can I monitor AWS WAF across multiple accounts and regions?
Yes. You can use AWS Firewall Manager to centrally manage WAF policies across an AWS Organization and aggregate compliance status. For metrics, deploy a cross-account CloudWatch dashboard by granting cross-account metric access in the CloudWatch console. Third-party platforms like Datadog and CubeAPM also aggregate WAF metrics across regions and accounts natively.