AWS Security: WAF, Shield, and DDoS Protection
In the AWS ecosystem, protecting your infrastructure from malicious traffic and Distributed Denial of Service (DDoS) attacks is a multi-layered responsibility. AWS provides a suite of managed services designed to filter traffic at various layers of the OSI model, ensuring your applications remain available and secure.
The Analogy: The Nightclub Security Team
Imagine your AWS application is a popular nightclub:
- AWS Shield Standard: This is the sturdy front door and the sidewalk barriers. It’s always there, preventing people from simply driving a car into the building (Layer 3/4 volumetric attacks).
- AWS WAF: This is the bouncer at the door with a guest list. He checks IDs, looks for fake badges, and ensures people are following the dress code (Layer 7 filtering for SQL injection or Cross-Site Scripting).
- AWS Shield Advanced: This is an elite security detail with 24/7 surveillance, a direct line to the police (DRT), and insurance that covers the cost if the club is damaged during a riot (DDoS cost protection).
Core Concepts & The Well-Architected Framework
From the perspective of the Security Pillar of the AWS Well-Architected Framework, these services provide “Defense in Depth”:
- WAF (Web Application Firewall): Operates at Layer 7 (Application Layer). It monitors HTTP/HTTPS requests. You use it to block common attack patterns like SQL Injection or XSS, and to rate-limit aggressive crawlers.
- AWS Shield: Operates at Layer 3 (Network) and Layer 4 (Transport). It is designed specifically to counter DDoS attacks like SYN floods or UDP reflection attacks.
- AWS Firewall Manager: A management service that allows you to centrally configure and manage firewall rules (WAF, Shield Advanced, VPC Security Groups) across all your accounts in AWS Organizations.
Service Comparison Table
| Feature | AWS WAF | Shield Standard | Shield Advanced |
|---|---|---|---|
| OSI Layer | Layer 7 (Application) | Layer 3 & 4 (Network/Transport) | Layer 3, 4, & 7 |
| Cost | Pay-as-you-go (Rules/Requests) | Free (Included for all customers) | $3,000/month + Data Transfer |
| Target Services | ALB, CloudFront, API Gateway, AppSync | All AWS Services | CloudFront, Route 53, ALB, Global Accelerator |
| DDoS Response Team | No | No | Yes (24/7 Access) |
| Key Benefit | Blocks specific web exploits | Automatic protection from common attacks | Financial protection & advanced mitigation |
Scenario-Based Learning (Decision Matrix)
If the requirement is…
- …to block traffic from a specific country: Use AWS WAF (Geo-match conditions).
- …to protect a fleet of ALBs across 20 accounts: Use AWS Firewall Manager.
- …automatic protection against SYN floods at no extra cost: Use AWS Shield Standard.
- …to prevent your bill from spiking due to a DDoS attack scaling your resources: Use AWS Shield Advanced (Cost Protection).
- …to block a “Slowloris” attack or specific HTTP headers: Use AWS WAF.
Exam Tips: Golden Nuggets
- WAF vs Security Groups: Security Groups filter by IP and Port (Layer 4). WAF filters by the content of the HTTP request (Layer 7).
- CloudFront Integration: For the best DDoS protection, always place WAF and Shield at the “Edge” via Amazon CloudFront.
- Shield Advanced Perk: It includes free WAF and Firewall Manager usage for protected resources.
- Rule Groups: Remember that WAF uses “Managed Rule Groups” (maintained by AWS or Marketplace) to save you from writing custom logic for common threats.
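The following example is added here and is not part of the original notes or of any AWS sample. It builds a WAFv2 web ACL definition in the same shape that boto3's `wafv2.create_web_acl` call accepts, covering the decision-matrix cases above (geo-match block, per-IP rate limit for aggressive crawlers) and the "Managed Rule Groups" nugget (AWSManagedRulesCommonRuleSet), then evaluates a few constructed requests against it locally to show how rule priority, geo-match and the 5-minute rate window interact. Nothing here calls AWS: the ACL name, the `XX` country code (a placeholder; the real API requires an ISO 3166 alpha-2 code), the IP addresses and the crude SQLi/XSS regex standing in for the managed rule group are all assumptions made for the example.

```python
"""Added example: a WAFv2 web ACL definition plus a toy local evaluator.
Not the notes' own code and not AWS code; no AWS API is called."""
import re
from collections import defaultdict, deque

RATE_WINDOW_SECONDS = 300  # WAF rate-based rules count requests over a 5-minute window


def visibility(metric):
    # VisibilityConfig is mandatory on every rule and on the ACL itself
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": metric}


# Same structure boto3's wafv2.create_web_acl takes; names/values are assumed for the example
WEB_ACL = {
    "Name": "example-edge-acl",      # assumed name
    "Scope": "CLOUDFRONT",           # Edge pattern: WAF attached at CloudFront
    "DefaultAction": {"Allow": {}},  # anything no rule terminates on is allowed
    "Rules": [
        {   # Decision matrix: block traffic from a specific country (lowest number = evaluated first)
            "Name": "block-geo", "Priority": 0,
            "Statement": {"GeoMatchStatement": {"CountryCodes": ["XX"]}},  # XX = placeholder code
            "Action": {"Block": {}},
            "VisibilityConfig": visibility("BlockGeo"),
        },
        {   # Rate-limit aggressive crawlers: more than Limit requests per IP in the window
            "Name": "rate-limit", "Priority": 1,
            "Statement": {"RateBasedStatement": {"Limit": 100, "AggregateKeyType": "IP"}},
            "Action": {"Block": {}},
            "VisibilityConfig": visibility("RateLimit"),
        },
        {   # Managed rule group maintained by AWS; OverrideAction None keeps the group's own actions
            "Name": "aws-common", "Priority": 2,
            "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS",
                                                         "Name": "AWSManagedRulesCommonRuleSet"}},
            "OverrideAction": {"None": {}},
            "VisibilityConfig": visibility("AwsCommon"),
        },
    ],
    "VisibilityConfig": visibility("ExampleEdgeAcl"),
}

# Toy stand-in for the managed rule group: the real rule set is far richer than this regex
SQLI_XSS = re.compile(r"(?i)(\bor\b\s+\d+=\d+|<script|union\s+select)")


class LocalWebAcl:
    """Approximates WAF evaluation: rules in priority order, first terminating match wins."""

    def __init__(self, acl):
        self.acl = acl
        self.rules = sorted(acl["Rules"], key=lambda r: r["Priority"])
        self.seen = defaultdict(deque)  # client IP -> request timestamps inside the window

    def _matches(self, rule, req):
        stmt = rule["Statement"]
        if "GeoMatchStatement" in stmt:
            return req["country"] in stmt["GeoMatchStatement"]["CountryCodes"]
        if "RateBasedStatement" in stmt:
            q = self.seen[req["ip"]]
            q.append(req["ts"])
            while q and req["ts"] - q[0] >= RATE_WINDOW_SECONDS:  # drop timestamps outside the window
                q.popleft()
            return len(q) > stmt["RateBasedStatement"]["Limit"]
        if "ManagedRuleGroupStatement" in stmt:
            return bool(SQLI_XSS.search(req["uri"] + "?" + req["query"]))
        return False

    def evaluate(self, req):
        """Return (action, rule_name); rule_name is None when the default action applies."""
        for rule in self.rules:
            if self._matches(rule, req):
                terminating = "Block" in rule.get("Action", {}) or "None" in rule.get("OverrideAction", {})
                return ("BLOCK" if terminating else "COUNT"), rule["Name"]
        return next(iter(self.acl["DefaultAction"])).upper(), None


def demo():
    """Run constructed sample requests (documentation IP ranges) through the local evaluator."""
    acl = LocalWebAcl(WEB_ACL)
    results = {}
    results["geo"] = acl.evaluate({"ip": "198.51.100.7", "country": "XX", "uri": "/", "query": "", "ts": 0})
    results["sqli"] = acl.evaluate({"ip": "198.51.100.8", "country": "US", "uri": "/login",
                                    "query": "user=a' OR 1=1", "ts": 0})
    # 101 requests from one IP inside the 5-minute window: the 101st exceeds Limit=100
    for t in range(101):
        last = acl.evaluate({"ip": "203.0.113.5", "country": "US", "uri": "/", "query": "", "ts": t})
    results["rate"] = last
    results["ok"] = acl.evaluate({"ip": "203.0.113.6", "country": "US", "uri": "/", "query": "", "ts": 0})
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>5}: {outcome}")
```

Priority numbers decide order, not list position; the geo block sits first so blocked countries never consume rate-limit or managed-rule evaluation. The evaluator is only an illustration of that ordering and of the per-IP window; the real rate-based rule is evaluated by the WAF service on a sliding basis, so expect slightly different timing in production.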
Visualizing DDoS Protection Flow
Key Services
- WAF: Web ACLs, Rules, and Conditions.
- Shield: Standard (L3/4) vs Advanced (L3-L7).
- Firewall Manager: Multi-account security policy orchestration.
Common Pitfalls
- Thinking Shield Standard covers Layer 7 (it doesn’t).
- Forgetting that WAF adds processing latency (minimal, but it exists).
- Not enabling Shield Advanced *before* an attack starts.
Quick Patterns
- Edge Pattern: CloudFront + WAF + Shield.
- API Pattern: API Gateway + WAF.
- Global Pattern: Global Accelerator + Shield Advanced.