AWS Adds AI Traffic Analysis Dashboards to WAF

According to the AWS WAF developer guide, the AWS WAF console now exposes protection pack (web ACL) Traffic overview dashboards that include an AI Traffic Analysis tab for web requests analyzed for AI bot and agent activity, including bot identification, intent classification, access patterns, and temporal trends (docs.aws.amazon.com/waf/latest/developerguide/web-acl-dashboards.html). The documentation states these dashboards present near real-time summaries of the Amazon CloudWatch metrics that AWS WAF collects, and that the Top security insights pane obtains richer detail by querying CloudWatch logs, which may incur additional query costs (docs.aws.amazon.com). ITSecurityNews indexes the AWS Security Blog announcement summarizing the new dashboard availability (itsecuritynews.info).

CuriousOrbit podcast coverage describes a Sankey diagram visualizing AI bot flows inside the dashboard and reports a built-in one-click block action for specific bot categories; the hosts also reported an anecdotal example of a site with over 50% bot traffic that included ChatGPT users (curiousorbit.com).

Editorial analysis - technical context: The dashboard, per AWS docs, combines CloudWatch metrics and optional CloudWatch logs queries to move from aggregate telemetry to richer, request-level insights. That pattern mirrors other cloud provider offerings that layer metric-level telemetry for scale with selective log queries for investigation, trading index and query cost for signal fidelity. The AWS docs mention UI elements such as a "Top 10 rules" pane, a "Sampled requests" tab, and a toggle to show count rule matches, which together enable teams to pivot from summary charts to sampled request payloads for triage (docs.aws.amazon.com).

For security teams and platform engineers, built-in AI-focused analytics reduce the friction of assembling custom telemetry pipelines to detect programmatic agent patterns. Visibility into bot identity and intent classification can shorten mean time to detection for malicious automation, but practitioners should treat intent labels as probabilistic signals that require validation against sampled requests and rule matches. The requirement to enable metrics and the explicit note about CloudWatch logs query costs mean organizations will need to balance the value of richer insights against observability spend.

Observers should watch for vendor documentation on detection signals and false positive rates, published guidance on tuning rule actions for agent categories, and integrations with SIEM and incident response playbooks. Also track CloudWatch billing changes as teams enable log-backed "Top security insights" queries at scale. Finally, look for AWS follow-up posts or whitepapers that clarify the classification heuristics behind the AI bot and intent labels, since detection methodology affects operational tuning and compliance reviews.

For teams running web ACLs, the new dashboards offer a low-friction way to measure and act on AI-driven traffic patterns directly in the AWS console, while still exposing the tradeoffs between aggregate metrics and log-backed investigative costs. Security engineers should validate AI bot classifications against sampled requests, monitor CloudWatch query cost impact, and integrate dashboard outputs into existing incident workflows and SIEM ingestion as needed.