REST API access limit with WAF (through CloudFront)


1. The access rate limit of WAF is based on 5 minutes. Can it be based on one day or one week or one month?

2. Can WAF restrict network traffic? If WAF can't do it, is there any other service that can do it? For example, the network traffic generated by all API accesses cannot exceed 100GB in one month.

3. If it is necessary to restrict the network traffic of specific users or companies accessing the API, can WAF not do so? What can I do?

4. Is there any way to limit the number of API calls for different users?

asked 2 years ago · 1209 views

1 Answer

Thank you for contacting AWS re:Post.

Below are answers to your questions relating to using AWS WAF (associated to CloudFront) to limit access to your REST API.

1. The access rate limit of WAF is based on 5 minutes. Can it be based on one day or one week or one month?

No, the WAF rate limit rule evaluation period of 5 minutes cannot be increased [1].

2. Can WAF restrict network traffic? If WAF can't do it, is there any other service that can do it? For example, the network traffic generated by all API accesses cannot exceed 100GB in one month.

No. AWS WAF is a web application firewall that operates at the application layer (7). This means it only monitors HTTP/S requests by evaluating HTTP request methods, headers, URI path, query strings, source IP, request body size, among other fields depending on the rule configuration. It will either allow or block a request forwarded to the AWS resource (e.g. CloudFront distribution, Application Load Balancer, Amazon API Gateway, etc.) associated with WAF [2].

Using the WAF SizeConstraintStatement statement, WAF can inspect the first 8192 bytes (8 KB) of a request; this allows you to create a condition to block requests that exceed a certain size [3].

Hence, WAF cannot restrict based on the volume of data, e.g. only allow 100GB in one month.

Within AWS, there's no service to restrict traffic based on the volume of data, e.g. 100GB in one month.

3. If it is necessary to restrict the network traffic of specific users or companies accessing the API, can WAF not do so? What can I do?

As mentioned in the answer to question 2, WAF cannot be used to restrict the network traffic as it only evaluates HTTP/S requests. However, using WAF rate-based rules you can limit the number of HTTP/S requests a particular source IP can make over a period of 5 minutes.

4. Is there any way to limit the number of API calls for different users?

No, there's no way of achieving this with an AWS service. This could be controlled in the application to limit the number of requests a user can make once they have been authenticated. In concert with controls in your application you can again use WAF rate-based rules and narrow down the requests that match the rule by adding conditional statements. For example, if the user passes a certain HTTP header when making the API call, you can add a statement in the rate-based rule to match the specific header [1].

PS:

Whilst it's not possible to increase the evaluation period of a rate-based rule, if you deploy your WAF using the AWS WAF Automatic deployment solution [4], you can use the Amazon Athena log parser option, if you have familiarity with the SQL language, to implement customizations. Essentially, the log parser uses Amazon Athena to query the WAF logs stored in S3 every 5 minutes; you can increase this period by changing QueryScheduledRunTime in aws-waf-security-automations.template. The log parser uses a Lambda function to update an AWS WAF IP Set condition to block those IP addresses for a customer-defined period of time [5][6].

[1] Rate-based rule statement - https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-rate-based.html

[2] What are AWS WAF, AWS Shield - https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html

[3] SizeConstraintStatement - https://docs.aws.amazon.com/waf/latest/APIReference/API_SizeConstraintStatement.html

[4] Automatically deploy a single web access control list that filters web-based attacks with WAF Automation on AWS - https://docs.aws.amazon.com/solutions/latest/waf-automation-on-aws/welcome.html

[5] Component details - https://docs.aws.amazon.com/solutions/latest/waf-automation-on-aws/appendix-b.html

[6] Athena log parser - https://docs.aws.amazon.com/solutions/latest/waf-automation-on-aws/appendix-a.html#athena-log-parser

AWS
SUPPORT ENGINEER
Peter_N
answered 2 years ago
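The answer above points at two workarounds for the fixed 5-minute window: parse the WAF logs yourself over a longer period (the Athena log parser approach in the PS), and key the limit on a client-identifying header rather than only on the source IP (question 4). The following is an added example, not code from the answer or from the AWS solution, that does both over WAF log records in the JSON-per-line shape delivered to S3; the log records, the `X-Api-Client` header name and the limits are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample AWS WAF log records (one JSON object per line, as
# delivered to S3). Only the fields used below are included; real records
# carry many more. Timestamps are epoch milliseconds, all within one day.
SAMPLE_LOGS = "\n".join(json.dumps(r) for r in [
    {"timestamp": 1700000000000, "action": "ALLOW",
     "httpRequest": {"clientIp": "203.0.113.10", "uri": "/api/orders",
                     "headers": [{"name": "X-Api-Client", "value": "acme"}]}},
    {"timestamp": 1700001800000, "action": "ALLOW",
     "httpRequest": {"clientIp": "203.0.113.10", "uri": "/api/orders",
                     "headers": [{"name": "X-Api-Client", "value": "acme"}]}},
    {"timestamp": 1700003600000, "action": "ALLOW",
     "httpRequest": {"clientIp": "203.0.113.11", "uri": "/api/items",
                     "headers": [{"name": "x-api-client", "value": "acme"}]}},
    {"timestamp": 1700003700000, "action": "ALLOW",
     "httpRequest": {"clientIp": "198.51.100.7", "uri": "/api/items",
                     "headers": [{"name": "X-Api-Client", "value": "globex"}]}},
])


def header_value(record, name):
    """Return the first value of header `name` (case-insensitive), or None."""
    for h in record["httpRequest"].get("headers", []):
        if h["name"].lower() == name.lower():
            return h["value"]
    return None


def count_requests(log_text, window_seconds, key_header=None):
    """Count requests per (window bucket, key). The key is the client IP, or
    the value of `key_header` when given (falling back to the IP if absent).
    window_seconds may be far longer than WAF's 5 minutes, e.g. 86400 (a day)."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        bucket = (rec["timestamp"] // 1000) // window_seconds
        key = rec["httpRequest"]["clientIp"]
        if key_header:
            key = header_value(rec, key_header) or key
        counts[(bucket, key)] += 1
    return dict(counts)


def over_limit(log_text, window_seconds, limit, key_header=None):
    """Return the keys whose count in any window exceeds `limit`; a Lambda in
    the log-parser pattern would feed IPs from this set into an IP Set."""
    counts = count_requests(log_text, window_seconds, key_header)
    return {key for (_, key), n in counts.items() if n > limit}
```

With a 5-minute window no client exceeds one request, but over a day the three requests from "acme" (split across two IPs) are aggregated under the header value, which a pure source-IP rate-based rule would not see.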
