Let's say I have an imaginary website: https://myimaginarywebsite.com.
If I try to exploit it, and I make massive concurrent GET requests (source is just one ip), would WAF have a feature to prevent this?
Since this is technically valid traffic but abnormal pattern, I'm curious how AWS WAF handles this.
Is there an already built-in WAF feature we can just add to prevent this, or Do we have still have to tune this in WAF?
Yes, WAF can handle HTTP floods with rate based rules.
The AWS Security Automations quick start found here, and associated docs found here, provide a great template starting point and example of some of the features you can configure in AWS WAF.