AWS WAF can be a very useful tool for mitigating DOS and DDOS attacks, but before starting to use it, it's convenient to do the following:
- Read and observe how to implement the DoS attack mitigation on AWS
- Know your application, and set up a good limit for concurrent connections, to avoid blocking valid traffic and getting false positive responses
- Build a scalable web application, to respond to requests until the WAF understands that it is under attack and triggers its filters