WAF & Shield — Concept
AWS WAF
AWS Web Application Firewall (WAF) = L7 firewall for HTTP/HTTPS, attached to CloudFront, ALB, API Gateway (REST), AppSync, Cognito user pools. Inspects each request and allows, blocks, or counts it based on rules.
Rule types
- Managed rule groups — curated by AWS / Marketplace (e.g. Core rule set, SQLi, XSS, Linux, IPSets, Known bad inputs, Anonymous IP list, Bot Control).
- Custom rules:
  - Rate-based (e.g. > 2,000 requests / 5 min from one IP → block).
  - IP set match.
  - Geo match (country).
  - String / regex match.
  - Size constraint.
  - Body, header, URI, query string, cookie, JA3 fingerprint inspection.
  - Logical combinators (AND / OR / NOT).
Concepts
- WebACL = ordered list of rules (evaluated in priority order; the first terminating match wins) + default action (allow/block) applied when no rule matches.
- Attached to one or more supported AWS resources.
- Logs to CloudWatch Logs, S3, or Kinesis Firehose.
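As an added example (not part of these notes and not AWS-provided code): a small Python script that reads WAF log records, counts actions per terminating rule, and replays the rate-based threshold from the notes (2,000 requests per 5 minutes from one IP) over a sliding window. The log lines are constructed here using the AWS WAF log field names; the rule name `AWS-AWSManagedRulesSQLiRuleSet` is an assumed WebACL rule name.

```python
import json
from collections import Counter, defaultdict, deque

RATE_LIMIT = 2000            # requests per window (the notes' rate-based example)
WINDOW_MS = 5 * 60 * 1000    # 5-minute evaluation window, in milliseconds

def waf_record(ts_ms, ip, action, rule_id, uri="/login"):
    """One log line using AWS WAF log field names; all values are constructed."""
    return json.dumps({"timestamp": ts_ms, "action": action, "terminatingRuleId": rule_id,
                       "httpRequest": {"clientIp": ip, "country": "US",
                                       "uri": uri, "httpMethod": "POST"}})

def sample_log_lines():
    """Constructed traffic: one normal client, one bursting client, one blocked request."""
    t0 = 1_700_000_000_000
    lines = [waf_record(t0 + i * 6_000, "198.51.100.10", "ALLOW", "Default_Action")
             for i in range(50)]                       # 50 requests spread over ~5 min
    lines += [waf_record(t0 + i * 110, "203.0.113.5", "ALLOW", "Default_Action")
              for i in range(2_100)]                   # 2,100 requests in under 4 min
    # Assumed WebACL rule name that references the SQLi managed rule group.
    lines.append(waf_record(t0 + 1_000, "192.0.2.77", "BLOCK",
                            "AWS-AWSManagedRulesSQLiRuleSet", uri="/search"))
    return lines

def parse_waf_logs(lines):
    """WAF delivers one JSON object per line (CloudWatch Logs, S3 or Firehose)."""
    return [json.loads(line) for line in lines]

def actions_by_rule(records):
    """Count requests per (action, terminating rule): the first view to pull from WAF logs."""
    return Counter((r["action"], r["terminatingRuleId"]) for r in records)

def ips_over_rate(records, limit=RATE_LIMIT, window_ms=WINDOW_MS):
    """Return {ip: peak count} for IPs exceeding `limit` requests in any sliding window."""
    # Offline replay of the rate-based rule; WAF aggregates on its own cadence, so live
    # counts can differ slightly from this approximation.
    stamps_by_ip = defaultdict(list)
    for r in sorted(records, key=lambda r: r["timestamp"]):
        stamps_by_ip[r["httpRequest"]["clientIp"]].append(r["timestamp"])
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        window, peak = deque(), 0
        for ts in stamps:
            window.append(ts)
            while ts - window[0] >= window_ms:   # drop timestamps older than the window
                window.popleft()
            peak = max(peak, len(window))
        if peak > limit:
            flagged[ip] = peak
    return flagged
```

Running `ips_over_rate(parse_waf_logs(sample_log_lines()))` flags only the bursting client, which is the same decision a rate-based rule with this threshold would make.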
AWS Shield
AWS Shield = DDoS protection.
| Tier | Cost | What |
|---|---|---|
| Shield Standard | Free, on by default | Auto protection against common L3/L4 DDoS for all AWS customers |
| Shield Advanced | $3,000 / month + data transfer (DT) | Enhanced L3/L4/L7 protection on CloudFront, ALB, NLB, EIP, Route 53, Global Accelerator; DDoS Response Team (DRT, now called the Shield Response Team, SRT); cost protection during attack; WAF included; near-real-time visibility |
Firewall Manager
- Central control plane to deploy WAF, Shield Advanced, Network Firewall, security group rules across Organizations.
- Enforces mandatory baseline rules across all accounts in the organization.
AWS Network Firewall
- Stateful, deep packet inspection at VPC level (not HTTP-only).
- Use for filtering all traffic in/out of VPCs (e.g., domain allow-list, IDS/IPS).
Common exam scenarios
- "Protect web app from SQL injection / XSS" → WAF with AWS managed Core + SQLi + XSS rule groups on CloudFront / ALB.
- "Mitigate L3/L4 DDoS without paying extra" → already on via Shield Standard.
- "Need DDoS cost protection + 24×7 SRT support" → Shield Advanced.
- "Block requests from country X" → WAF geo-match rule.
- "Stop spammy IP hitting API > 2k req/5 min" → WAF rate-based rule.
- "Apply baseline WAF + Shield Advanced across 50 accounts" → Firewall Manager.
- "Deep packet inspection on all VPC traffic" → AWS Network Firewall (not WAF).
Exam tip
- HTTP-layer rules → WAF.
- DDoS standard mitigation → Shield Standard (free, default).
- DDoS advanced + cost protection → Shield Advanced.
- Cross-account central security → Firewall Manager.
- VPC-level deep inspection → Network Firewall.