Case Study
AWS WAF: Blocking 99% of Threats & Securing eLearning Workloads
Deployed AWS WAF to protect eLearning applications against SQL injection, XSS, bots, and DDoS attacks, reducing security incidents to near zero.
Challenge
Little Sponges, an eLearning platform serving young learners, faced persistent web-based threats that were compromising the security and availability of its critical workloads. A security assessment revealed that 18% of all incoming requests were malicious, resulting in an average of three security incidents per month.
The threat landscape included SQL injection, cross-site scripting (XSS), Layer 7 HTTP flood attacks, malicious bot activity, and zero-day exploit attempts. Given the sensitive nature of the platform’s audience, eliminating these threats was both a security and a trust imperative.
Solution
FactualMinds implemented AWS WAF as part of a custom security application designed to address both known OWASP Top 10 vulnerabilities and application-specific attack vectors identified during the initial security assessment.
AWS WAF Deployment Points:
- CloudFront distributions for content delivery
- Application Load Balancers for backend API services
- API Gateway endpoints for external integrations
Rule Configuration:
- Managed Rule Groups: Core Rule Set, Bot Control, and SQLi/XSS Rules
- Custom Rules: Application-specific regex pattern matching to detect non-standard attack payloads, plus geolocation blocking for regions with no legitimate user traffic
- WebACL Capacity: 1,800 units
Implementation Details
All WAF rules were managed through AWS CloudFormation, enabling infrastructure-as-code practices that kept security configurations consistent across environments and fully auditable.
An automation pipeline was built to update IP sets on a weekly basis using threat intelligence feeds, ensuring the WAF stayed current with newly identified malicious sources. This proactive approach was critical for defending against zero-day exploit attempts that traditional signature-based detection might miss.
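As an added illustration (not FactualMinds' pipeline code), the sketch below shows the validation step a weekly feed-to-IP-set job needs before it writes anything, followed by the write itself. The function names, the `MIN_PREFIX` policy, the `MAX_ADDRESSES` ceiling, the protected-range list and the sample feed are all assumptions made for the example.

```python
import ipaddress

MAX_ADDRESSES = 10_000  # assumed per-IP-set ceiling; confirm the quota for your account
MIN_PREFIX = 16         # assumed policy: refuse feed entries broader than a /16

def build_blocklist(feed_lines, never_block, version=4):
    """Turn raw feed lines into (addresses, rejected) for one IPv4 or IPv6 IP set."""
    protected = [ipaddress.ip_network(n) for n in never_block]
    nets, rejected = set(), []
    for raw in feed_lines:
        entry = raw.split("#", 1)[0].strip()   # drop feed comments and blank lines
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append((entry, "unparseable"))
            continue
        if net.version != version:             # an IP set holds a single address family
            rejected.append((entry, "wrong IP version"))
        elif net.prefixlen < MIN_PREFIX:       # catches 0.0.0.0/0 and similar
            rejected.append((entry, "prefix too broad"))
        elif any(net.overlaps(p) for p in protected if p.version == version):
            rejected.append((entry, "overlaps protected range"))
        else:
            nets.add(net)
    merged = sorted(ipaddress.collapse_addresses(nets))  # dedupe, merge adjacent ranges
    if not merged:
        raise ValueError("no usable entries: refusing to replace the IP set with an empty list")
    if len(merged) > MAX_ADDRESSES:
        raise ValueError(f"{len(merged)} entries exceed the IP set limit")
    return [str(n) for n in merged], rejected

def push_to_waf(name, ip_set_id, scope, region, addresses):
    """Replace the IP set contents; update_ip_set overwrites the whole address list."""
    import boto3  # imported here so build_blocklist runs without AWS access
    waf = boto3.client("wafv2", region_name=region)
    current = waf.get_ip_set(Name=name, Scope=scope, Id=ip_set_id)
    # LockToken makes the write fail if the set changed after our read.
    waf.update_ip_set(Name=name, Scope=scope, Id=ip_set_id,
                      Addresses=addresses, LockToken=current["LockToken"])

if __name__ == "__main__":
    # Constructed sample feed using documentation address ranges.
    feed = ["203.0.113.7", "203.0.113.0/25  # scanner", "203.0.113.128/25",
            "0.0.0.0/0", "10.1.2.3", "2001:db8::1", "not-an-ip", "198.51.100.9/32"]
    print(build_blocklist(feed, never_block=["10.0.0.0/8"]))
```

Logging the `rejected` list on every run gives an audit trail of feed entries that were dropped, which is the first place to look when a feed starts publishing ranges that overlap legitimate users.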
WAF logs were analyzed regularly in Amazon Athena to identify emerging patterns and fine-tune rule thresholds. This iterative tuning process was essential for maintaining the high block rate while minimizing false positives that could disrupt the learning experience for students and educators.
The deployment followed a phased approach: initial observation mode to establish baselines, followed by incremental enforcement with close monitoring, and finally full production enforcement with automated alerting.
Results
The WAF deployment transformed the platform’s security posture:
- 99.2% of malicious requests blocked at the edge before reaching application servers
- Security incidents reduced to near zero, down from an average of three per month
- 12% decrease in application latency as backend resources were freed from processing malicious traffic
Little Sponges now operates with robust, automated protection that scales with its growing user base, allowing the team to focus on delivering educational content rather than responding to security incidents.
