AWS WAF & Shield: Complete Guide to Web Application and DDoS Protection
Learn how to block web attacks with AWS WAF and defend against DDoS with Shield, including architecture design patterns.
Related Exam Domains
- Domain 1: Design Secure Architectures
Key Takeaway
AWS Shield Standard is free and protects against L3/L4 DDoS, while WAF blocks L7 web attacks (SQL injection, XSS, etc.). Shield Advanced provides paid advanced DDoS protection, SRT support, and cost protection. The CloudFront + WAF combination is the best practice for edge defense.
Exam Tip
Exam Essential: "L3/L4 DDoS = Shield", "L7 web attacks = WAF", "Advanced DDoS + SRT + cost protection = Shield Advanced"
AWS Shield
Shield Standard vs Advanced
| Item | Shield Standard | Shield Advanced |
|---|---|---|
| Cost | Free (automatic) | $3,000/month + data transfer |
| Protection Layer | L3/L4 | L3/L4 + L7 |
| Applied To | All AWS resources | CloudFront, ALB, NLB, EC2, Global Accelerator, Route 53 |
| DDoS Detection | Basic | Advanced (real-time visibility) |
| SRT Support | ❌ | ✅ 24/7 |
| Cost Protection | ❌ | ✅ Credits for DDoS-induced scaling |
| WAF Integration | ❌ | ✅ WAF cost included |
| Stateful Detection | ❌ | ✅ Per-resource traffic baseline |
| Commitment | None | 1 year |
Shield Standard
Automatically applied to all AWS customers.
Protection Coverage:
- SYN/UDP Flood
- Reflection attacks
- Other L3/L4 DDoS attacks
Automatic detection and automatic mitigation (no user configuration needed).
Shield Advanced
Advanced protection against large-scale, sophisticated DDoS attacks.
Additional Features:
1. Real-time attack visibility (CloudWatch metrics)
2. Shield Response Team (SRT) 24/7 support
3. DDoS cost protection (scaling cost credits)
4. Automatic WAF rule creation (L7 DDoS mitigation)
5. Stateful detection (normal traffic baseline)
Exam Tip
Shield Advanced Keywords: "24/7 expert support", "DDoS cost protection", "real-time visibility" → Choose Shield Advanced
AWS WAF
What is WAF?
A Web Application Firewall that inspects HTTP/HTTPS requests and blocks malicious traffic.
Services WAF Can Be Applied To
| Service | Protection Target |
|---|---|
| CloudFront | Block at global edge (recommended) |
| ALB | Regional web app protection |
| API Gateway | API endpoint protection |
| AppSync | GraphQL API protection |
| Cognito User Pool | Authentication endpoint protection |
Exam Tip
WAF Not Supported: WAF cannot be applied directly to NLB or EC2. You need CloudFront or ALB in front.
WAF Rule Types
1. Regular Rules
Inspect specific conditions to allow/block.
| Condition | Description |
|---|---|
| IP Set | Allow/block specific IPs |
| Geo Match | Block by country |
| String Match | Inspect URI, headers, body |
| Regex | Pattern matching |
| Size Constraint | Request size limits |
| SQL Injection | Detect SQL injection attacks |
| XSS | Detect cross-site scripting |
2. Rate-Based Rules
Automatically blocks requests from a source IP once that IP exceeds the configured request threshold within a 5-minute window; the block stays in effect while the IP's request rate remains above the threshold.
Example: Over 2,000 requests in 5 minutes → Block IP
→ Effective for HTTP Flood DDoS defense
3. Managed Rule Groups
Pre-configured rules provided by AWS and AWS Marketplace partners.
| Rule Group | Protection Target |
|---|---|
| Core Rule Set | Common web vulnerabilities (OWASP Top 10) |
| SQL Injection | SQL injection attacks |
| Known Bad Inputs | Known malicious patterns |
| IP Reputation | Block malicious IPs |
| Bot Control | Bot traffic management |
| Account Takeover Prevention | Detects credential stuffing and brute-force attempts against login endpoints |
WAF Web ACL Structure
Web ACL (Web Access Control List)
│
├── Rule 1: AWS Managed Rules (Core Rule Set) [Priority: 0]
│ → Action: Block
│
├── Rule 2: Rate-Based Rule (2000/5min) [Priority: 1]
│ → Action: Block
│
├── Rule 3: Geo Block (specific countries) [Priority: 2]
│ → Action: Block
│
├── Rule 4: IP Whitelist [Priority: 3]
│ → Action: Allow
│
└── Default Action: Allow
Exam Tip
WAF Rule Evaluation Order: Rules are evaluated in ascending Priority order (lowest number first). The first matching rule with an Allow or Block action decides the request and evaluation stops; a rule in Count mode records the match and evaluation continues with the next rule. If no terminating rule matches, the Web ACL default action applies.
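The evaluation order, the terminating vs. Count behaviour, and the rate-based rule from the Web ACL diagram above, as an added toy model that is not AWS code and not part of the original guide. Rule names, request fields and the "XX" country code are made-up; the rate window is a simplified sliding window rather than the exact algorithm AWS WAF uses.

```python
"""Toy model of Web ACL evaluation (added example, not AWS code).
Rules run in ascending Priority order; an Allow/Block match terminates, a
Count match is recorded and evaluation continues; the default action applies
when no terminating rule matched. The rate rule counts per source IP over a
5-minute window (real WAF uses a trailing window with some propagation delay).
Rule names, request fields and the "XX" country code are made up.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable

WINDOW_SECONDS = 300  # the 5-minute window of a rate-based rule

@dataclass(order=True)
class Rule:
    priority: int
    name: str = field(compare=False)
    matches: Callable[[dict], bool] = field(compare=False)
    action: str = field(compare=False)  # "ALLOW", "BLOCK" or "COUNT"

class RateTracker:
    """Sliding-window request counter keyed by source IP."""
    def __init__(self, limit: int):
        self.limit = limit
        self.hits = defaultdict(deque)
    def over_limit(self, req: dict) -> bool:
        q = self.hits[req["ip"]]
        q.append(req["ts"])
        while req["ts"] - q[0] >= WINDOW_SECONDS:  # drop timestamps older than the window
            q.popleft()
        return len(q) > self.limit

def build_web_acl(rate_limit: int = 2000, blocked_countries=("XX",)) -> list:
    """The four-rule Web ACL from the diagram above, as Rule objects."""
    tracker = RateTracker(rate_limit)
    return [
        # Stand-in for the managed Core Rule Set: a crude SQL injection signature.
        Rule(0, "managed-core-rule-set", lambda r: "' or 1=1" in r["path"].lower(), "BLOCK"),
        Rule(1, f"rate-{rate_limit}-per-5min", tracker.over_limit, "BLOCK"),
        Rule(2, "geo-block", lambda r: r["country"] in blocked_countries, "BLOCK"),
        Rule(3, "count-admin-paths", lambda r: r["path"].startswith("/admin"), "COUNT"),
    ]

def evaluate(rules: list, req: dict, default_action: str = "ALLOW") -> tuple:
    """Return (final action, names of matched rules) for one request."""
    matched = []
    for rule in sorted(rules):  # lowest Priority number first
        if rule.matches(req):
            matched.append(rule.name)
            if rule.action != "COUNT":  # Allow/Block terminate; Count keeps going
                return rule.action, matched
    return default_action, matched
```

With `build_web_acl(rate_limit=3)`, four requests from one IP inside the window return ALLOW three times and BLOCK on the fourth, and a request from the same IP after the window has expired is allowed again.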
Multi-Layer Defense Architecture
Best Practice: CloudFront + WAF + Shield
[Internet]
│
▼
[CloudFront] ← WAF Web ACL attached
│ ├── Managed Rules (OWASP)
│ ├── Rate-Based Rules
│ └── Geo Block
│
│ Shield Standard (automatic, free)
│ Shield Advanced (optional, paid)
│
▼
[ALB] ← Additional WAF possible
│
▼
[EC2 / ECS / Lambda]
Defense Layer Roles
| Layer | Service | Defense Target |
|---|---|---|
| Edge (L3/L4) | Shield Standard | SYN Flood, UDP Flood |
| Edge (L7) | WAF on CloudFront | SQL injection, XSS, bots |
| Regional (L7) | WAF on ALB | Additional rule application |
| Advanced DDoS | Shield Advanced | Large-scale sophisticated attacks |
WAF Cost Structure
| Item | Cost |
|---|---|
| Web ACL | $5/month |
| Rule | $1/rule/month |
| Requests | $0.60/million |
| Managed Rule Groups | Varies by group |
Example: 1 Web ACL, 5 rules, 10 million requests/month
- Web ACL: $5
- Rules: $5 (5 × $1)
- Requests: $6 (10 × $0.60)
- Total: $16/month
AWS Firewall Manager
Centrally manage WAF, Shield Advanced, and Security Groups across multiple accounts.
Organizations + Firewall Manager:
Management Account
└── Firewall Manager
├── WAF Policy → Apply to CloudFront/ALB across all accounts
├── Shield Advanced Policy → Apply to designated accounts
└── Security Group Policy → Apply to VPC resources
Exam Tip
Firewall Manager Prerequisite: Requires AWS Organizations + WAF enabled.
SAA-C03 Exam Focus Points
- ✅ Shield Standard: "Free, automatic, L3/L4 DDoS defense"
- ✅ Shield Advanced: "Paid, SRT 24/7, DDoS cost protection"
- ✅ WAF Targets: "CloudFront, ALB, API Gateway (NLB not supported)"
- ✅ Best Practice: "CloudFront + WAF = edge defense"
- ✅ Rate-Based Rules: "HTTP Flood defense"
Exam Tip
Sample Exam Question: "Your web application is experiencing SQL injection attacks. How do you defend?" → Answer: Apply AWS WAF with SQL injection managed rules (connect to CloudFront or ALB)
Frequently Asked Questions
Q: Is Shield Standard sufficient?
For most common DDoS attacks, Shield Standard is sufficient. Only consider Shield Advanced when you need protection against large-scale attacks, SRT expert support, or cost protection.
Q: Can WAF be applied directly to NLB?
No. WAF can only be applied to L7 (HTTP/HTTPS) services. NLB is L4, so direct application is not possible. Consider placing CloudFront in front of NLB or switching to ALB.
Q: Does Shield Advanced activation include WAF?
Yes. Shield Advanced includes WAF usage costs. WAF Web ACL, rules, and request costs are included in the Shield Advanced subscription.
Q: How do I test WAF rules?
Set the rule action to Count mode to record match counts without actual blocking. After sufficient testing, change to Block.
Q: When should I use Firewall Manager?
When you need to consistently apply WAF rules or Shield Advanced across multiple AWS accounts. For a single account, it's simpler to configure WAF directly without Firewall Manager.