I have played with the AWS WAF managed rules and the F5 rules for AWS WAF, and no, they are not good for me.
Better to use AWS WAF with their managed rules for basic, unimportant sites, and for important sites use F5 virtual/cloud edition or a managed service where you do not need to handle the F5 upgrades etc., like F5 Silverline security or Volterra. You can add 1500 rules on the AWS WAF by default and attach the AWS WAF ACL policy to AWS CloudFront, and then make another AWS WAF ACL policy and attach it to the AWS WAF application load balancer or API Gateway, and in this way you have a 3000-rule limit (1500 on CloudFront and 1500 on the load balancer/API Gateway). Still, as I mentioned, I do not see a big difference between the F5 rules for AWS and the AWS managed rules, as the AWS WAF technology is nothing more than ModSecurity, the free stateless WAF that you can have for free on your Linux servers, and things like advanced bot protection like F5 Shape or stopping more complex web attacks you can forget about, as the AWS WAF bot rules are bypassed by changing the User-Agent to Mozilla or something 🙂
AWS WAF issues: