June 11, 2026
WAF Report Builder: Turning AWS WAF Logs into Actionable Security Reports
Agustin De Mozzi
The Problem
If you manage AWS WAF at scale — across multiple accounts, multiple WebACLs, and dozens of protected resources — you know the pain. AWS WAF logs are JSON blobs sitting in S3. The console gives you basic metrics, but when you need to answer questions like:
- "What happens if we switch these rules from Count to Block?"
- "Are we blocking legitimate traffic?"
- "What are the top attack patterns hitting our applications?"
…you're left manually querying Athena, exporting CSVs, and building spreadsheets. For every single WebACL. Every time.
I built WAF Report Builder to solve this. It's a Python CLI tool that takes your WAF logs from S3, runs the analysis through Athena, and generates a self-contained HTML report you can share with your team, your clients, or your CISO — no AWS console access required.
What It Does
The tool operates in two modes:
Count Mode (Pre-enforcement)
This is the mode you use before activating rules. AWS WAF lets you run managed rules in Count mode, overriding their normal Block action. The rule still evaluates traffic and logs what would have been blocked, without actually blocking anything.
The report shows you exactly what traffic those rules are flagging:
- Top source IPs
- Top targeted URIs
- Geographic distribution (with an interactive map)
- Which rules are triggering the most, broken down by protected resource
- Detailed drill-down: for each rule, what URIs and User-Agents are being flagged
This gives you the confidence to flip the switch — or identifies rules that might generate false positives.
Block Mode (Active Enforcement)
Once rules are active, you need visibility into what's actually being blocked. Are you stopping real attacks? Are you accidentally blocking legitimate users?
Same report structure, but filtered to requests that were effectively terminated by a WAF rule.
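The two modes described above differ only in which log field you read: a Count-mode hit is a rule that matched but was overridden to COUNT inside its rule group, while a Block-mode hit is a record whose top-level action is BLOCK. The following Python is an added example, not code from the WAF Report Builder project: it tallies both kinds of hit per protected resource and rule, the way the "top rules per resource" tables do, over constructed log records whose field names follow the AWS WAF JSON log format.

```python
# Added example, not code from the WAF Report Builder project: split AWS WAF
# log records into Count-mode matches ("would have been blocked") and Block-mode
# matches, keyed by protected resource and rule. Field names follow the AWS WAF
# JSON log format; the sample records below are constructed.
from collections import Counter

def count_mode_matches(rec):
    """Rules that matched but were overridden to COUNT inside a rule group."""
    return [(rg["ruleGroupId"], r["ruleId"])
            for rg in rec.get("ruleGroupList", [])
            for r in rg.get("nonTerminatingMatchingRules") or []
            if r.get("action") == "COUNT"]

def summarize(records):
    """Per-mode tallies of (resource, rule) hits and of client IPs.
    `records` is an iterable of dicts, one per JSON log line."""
    stats = {"count": Counter(), "block": Counter(),
             "count_ips": Counter(), "block_ips": Counter()}
    for rec in records:
        ip = rec["httpRequest"]["clientIp"]
        resource = rec["httpSourceId"]          # the ALB / CloudFront / API id
        if rec["action"] == "BLOCK":            # active enforcement
            stats["block"][(resource, rec["terminatingRuleId"])] += 1
            stats["block_ips"][ip] += 1
        for group, rule in count_mode_matches(rec):  # pre-enforcement
            stats["count"][(resource, f"{group}/{rule}")] += 1
            stats["count_ips"][ip] += 1
    return stats

def _rec(ip, action, uri, term="Default_Action", counted=()):
    """Build a constructed log record carrying only the fields used above."""
    return {"action": action, "terminatingRuleId": term,
            "httpSourceId": "CONSTRUCTED-ALB-1",
            "httpRequest": {"clientIp": ip, "uri": uri, "country": "XX"},
            "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",
                               "nonTerminatingMatchingRules":
                                   [{"ruleId": r, "action": "COUNT",
                                     "overriddenAction": "BLOCK"} for r in counted]}]}

SAMPLE = [  # constructed records: one source trips a counted rule twice and is blocked once
    _rec("203.0.113.10", "ALLOW", "/login", counted=("GenericLFI_URIPATH",)),
    _rec("203.0.113.10", "ALLOW", "/api/v1/items", counted=("GenericLFI_URIPATH",)),
    _rec("203.0.113.10", "BLOCK", "/api/v1/items", term="AWS-AWSManagedRulesKnownBadInputsRuleSet"),
    _rec("198.51.100.7", "ALLOW", "/", counted=()),
]

if __name__ == "__main__":
    s = summarize(SAMPLE)
    print("count-mode:", s["count"].most_common(3))
    print("block-mode:", s["block"].most_common(3))
```

Pointing `summarize` at records parsed with `json.loads` from a downloaded log file gives the same per-rule and per-IP tallies the report renders; the `count` counter is the "what would change if we flip to Block" view, the `block` counter the enforcement view.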
The Report
The output is a single .html file that opens in any browser. No server needed, no dependencies for the viewer.
Each report includes:
- Summary section explaining what the report covers, the analysis period, and the account/WebACL context
- Top IPs — immediately shows if there's a single source hammering your application
- Geographic map — choropleth visualization of request origins
- Top URIs — what paths are being targeted
- Top rules per resource — separate tables for each CloudFront distribution, ALB or API Gateway, so you can see which resource is getting the most rule activity
- Rule drill-down — expandable accordions showing URI + User-Agent combinations for each rule, with full horizontal scrolling for long values. Rules involving query strings automatically include the Args column.
Why Not Just Use the AWS Console?
A few reasons this is better for consulting and multi-account environments:
- Shareability: The HTML file can be emailed, attached to a ticket, or embedded in a presentation. No AWS access needed for the recipient.
- Multi-account: When you manage 20+ accounts with Firewall Manager, you need reports per WebACL. This tool processes one S3 path at a time, or multiple in batch.
- Pre-enforcement confidence: The Count mode analysis is something the console doesn't surface well. You get a clear picture of impact before changing rule actions.
- Audit trail: Generated reports serve as point-in-time snapshots. Run them monthly and you have a security posture history.
- Customizable: It's Python + SQL + HTML. Need an extra metric? Add a query and a template section.
What's Next
Some ideas I'm considering:
- Timeline analysis: Adding a time-series view to spot attack spikes
- CSV input mode: For environments where you can't run Athena directly but can export results
- Comparative reports: Diff between two periods to see if rule tuning had an effect
The repo is available at: github.com/agudemozzi/aws-waf-report-builder
If you're managing AWS WAF at scale and tired of manual log analysis, give it a try. PRs and feedback welcome.