1.5 AWS WAF, Shield, and Network Firewall
Key Takeaways
- AWS WAF protects web applications from common exploits like SQL injection, XSS, and bot traffic at the application layer (Layer 7).
- AWS Shield Standard provides automatic DDoS protection at no extra cost; Shield Advanced provides enhanced protection with 24/7 DRT access for $3,000/month.
- AWS Network Firewall provides stateful and stateless packet-level inspection for VPC traffic.
- WAF integrates with CloudFront, ALB, API Gateway, and AppSync — not with NLB or EC2 directly.
- AWS Firewall Manager centrally manages WAF rules, Shield Advanced, security groups, and Network Firewall across multiple accounts.
Quick Answer: WAF protects against web exploits (Layer 7) and attaches to CloudFront/ALB/API Gateway. Shield protects against DDoS (Standard is free, Advanced is $3,000/month). Network Firewall provides VPC-level packet inspection. Firewall Manager manages all three across accounts.
AWS WAF (Web Application Firewall)
AWS WAF protects web applications from common web exploits that could affect availability, compromise security, or consume excessive resources.
What WAF Protects Against
| Threat | WAF Rule Type |
|---|---|
| SQL injection | SQL injection match condition |
| Cross-site scripting (XSS) | XSS match condition |
| IP-based attacks | IP set rule (allow/block specific IPs) |
| Geo-based blocking | Geographic match condition |
| Rate-based attacks | Rate-based rule (e.g., max 2000 requests/5 minutes per IP) |
| Bot traffic | Bot Control managed rule group |
| Known bad actors | AWS Managed Rules (threat intelligence) |
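The rate-based rule in the table above (block an IP that exceeds 2,000 requests in 5 minutes) is easiest to understand by running it over a request log. The following is an added example, not code from the page or from AWS: it models the rule as a sliding window over a constructed access log (one flooding client, one ordinary client). The log format, the IPs and the request counts are all constructed; real AWS WAF evaluates the rate in periodic passes rather than per request, so treat this as an approximation of the decision, not of its timing.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_TS = "%Y-%m-%dT%H:%M:%SZ"   # constructed log format: "<timestamp> <client IP> <method> <path>"


def build_sample_log():
    """Constructed access log: one flooding client and one ordinary client, time-sorted."""
    start = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i in range(2500):                      # 203.0.113.7: 10 requests/second for 250 seconds
        ts = start + timedelta(seconds=i // 10)
        lines.append(f"{ts:{LOG_TS}} 203.0.113.7 GET /login")
    for i in range(10):                        # 198.51.100.2: one request every 30 seconds
        ts = start + timedelta(seconds=30 * i)
        lines.append(f"{ts:{LOG_TS}} 198.51.100.2 GET /")
    lines.sort()                               # ISO-8601 timestamps sort correctly as strings
    return lines


def parse_line(line):
    ts, ip, method, path = line.split()
    return datetime.strptime(ts, LOG_TS), ip, method, path


def evaluate_rate_rule(lines, limit=2000, window_seconds=300):
    """Sliding-window model of a rate-based rule aggregated on the source IP.

    Returns (first_block, decisions): the timestamp at which each IP first tripped
    the rule, and a per-request list of (timestamp, ip, "ALLOW"|"BLOCK").
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of requests inside the trailing window
    first_block = {}
    decisions = []
    for line in lines:            # assumes the log is sorted by time
        ts, ip, _, _ = parse_line(line)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window:    # drop requests that have aged out of the window
            q.popleft()
        if len(q) > limit:            # rate exceeds the configured limit -> rule action (Block)
            first_block.setdefault(ip, ts.strftime(LOG_TS))
            decisions.append((ts, ip, "BLOCK"))
        else:
            decisions.append((ts, ip, "ALLOW"))
    return first_block, decisions


def blocked_count(decisions):
    return sum(1 for _, _, d in decisions if d == "BLOCK")


if __name__ == "__main__":
    blocked, decisions = evaluate_rate_rule(build_sample_log())
    print("first blocked at:", blocked)          # only the flooding IP appears
    print("blocked requests:", blocked_count(decisions))
```

The ordinary client never accumulates more than a handful of requests in any 5-minute window, so it is never affected; the flooding client is blocked from its 2,001st request onward. In the real service the same limit is expressed as `RateBasedStatement.Limit` with `AggregateKeyType` set to `IP`, and the rule can instead aggregate on a forwarded-IP header when the traffic arrives through a proxy.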
WAF Integration Points
| Service | Layer | Use Case |
|---|---|---|
| Amazon CloudFront | Edge (global) | Protect global web applications |
| Application Load Balancer (ALB) | Regional | Protect backend web applications |
| Amazon API Gateway | Regional | Protect APIs |
| AWS AppSync | Regional | Protect GraphQL APIs |
On the Exam: WAF does NOT integrate with NLB (Network Load Balancer) or EC2 directly. If a question mentions NLB, WAF is not the answer.
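The integration table and the NLB caveat above can be turned into a pre-deployment check: given a resource ARN, decide whether AWS WAF can be associated with it and which WAFv2 scope (and therefore which regional endpoint) the Web ACL must be created in. This is an added example and not code from the page or from AWS; the ARN patterns follow the documented ARN formats for each service, the sample ARNs are constructed, and `waf_target` / `can_attach_waf` are names chosen for this example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class WafTarget:
    kind: str      # human-readable resource type
    scope: str     # WAFv2 API scope: "CLOUDFRONT" or "REGIONAL"
    region: str    # region whose WAFv2 endpoint must hold the Web ACL


# ARN patterns for the resource types WAF can be associated with.
# CloudFront is global, so its Web ACL is created with scope CLOUDFRONT in us-east-1;
# the regional targets need a REGIONAL Web ACL in the resource's own region.
SUPPORTED = [
    (re.compile(r"^arn:aws:cloudfront::\d{12}:distribution/\w+$"),
     "CloudFront distribution", "CLOUDFRONT"),
    (re.compile(r"^arn:aws:elasticloadbalancing:([a-z0-9-]+):\d{12}:loadbalancer/app/"),
     "Application Load Balancer", "REGIONAL"),
    (re.compile(r"^arn:aws:apigateway:([a-z0-9-]+)::/restapis/[^/]+/stages/[^/]+$"),
     "API Gateway REST API stage", "REGIONAL"),
    (re.compile(r"^arn:aws:appsync:([a-z0-9-]+):\d{12}:apis/[^/]+$"),
     "AppSync GraphQL API", "REGIONAL"),
]

# Resources WAF cannot be attached to directly; put them behind an ALB or CloudFront instead.
UNSUPPORTED = [
    (re.compile(r":loadbalancer/net/"), "Network Load Balancer"),
    (re.compile(r"^arn:aws:ec2:[a-z0-9-]+:\d{12}:instance/"), "EC2 instance"),
]


def waf_target(arn):
    """Return the WafTarget for a supported ARN, or raise ValueError explaining why not."""
    for pattern, kind, scope in SUPPORTED:
        m = pattern.match(arn)
        if m:
            region = "us-east-1" if scope == "CLOUDFRONT" else m.group(1)
            return WafTarget(kind, scope, region)
    for pattern, kind in UNSUPPORTED:
        if pattern.search(arn):
            raise ValueError(f"AWS WAF cannot be associated with a {kind}: {arn}")
    raise ValueError(f"unrecognised or unsupported resource ARN: {arn}")


def can_attach_waf(arn):
    try:
        waf_target(arn)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample ARNs (account id and resource ids are placeholders).
    for arn in [
        "arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/my-alb/50dc6c495c0c9188",
        "arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/net/my-nlb/50dc6c495c0c9188",
        "arn:aws:cloudfront::123456789012:distribution/E1A2B3C4D5E6F7",
        "arn:aws:apigateway:eu-west-1::/restapis/abc123/stages/prod",
        "arn:aws:ec2:us-east-1:123456789012:instance/i-0abcd1234efgh5678",
    ]:
        try:
            print(arn, "->", waf_target(arn))
        except ValueError as err:
            print(arn, "->", err)
```

The distinction between the `app/` and `net/` segments of an Elastic Load Balancing ARN is the whole difference between a supported and an unsupported target, which is why a check like this belongs in a pipeline before any `AssociateWebACL` call is attempted.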
Web ACLs and Rules
A Web ACL contains rules that define what traffic to allow, block, or count:
| Component | Description |
|---|---|
| Web ACL | Container for rules; associated with CloudFront/ALB/API Gateway |
| Rules | Individual conditions (e.g., block if SQL injection detected) |
| Rule Groups | Reusable collections of rules (managed or custom) |
| Default Action | Allow or Block traffic that does not match any rules |
AWS Managed Rules
AWS provides pre-configured rule groups that address common threats:
- Core Rule Set (CRS) — Protects against OWASP Top 10 vulnerabilities
- Known Bad Inputs — Blocks requests with known malicious patterns
- SQL Database — SQL injection protection
- Bot Control — Manages bot traffic
- IP Reputation — Blocks IPs from known threat sources
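The Web ACL components and the managed rule groups above fit together in one definition. As an added example (not the page's or AWS's own code), the block below assembles a `CreateWebACL`-shaped dictionary that combines an IP set, the rate-based rule from the earlier table and the AWS Managed Rules groups, then checks the structural constraints the WAFv2 API enforces: priorities must be unique, a rule that references a rule group carries `OverrideAction` rather than `Action`, and every rule needs a `VisibilityConfig`. The rule group names and statement keys are the real WAFv2 names; the Web ACL name, priorities and the IP set ARN are constructed placeholders.

```python
# Rule statement types that reference a rule group; these take OverrideAction, never Action.
GROUP_STATEMENTS = {"ManagedRuleGroupStatement", "RuleGroupReferenceStatement"}


def visibility(name):
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": name}


def managed_group(priority, group_name, count_only=False):
    """Rule that pulls in an AWS Managed Rules group (vendor 'AWS').

    count_only=True sets OverrideAction to Count so the group's matches are only
    logged, the usual way to trial a group before letting it block traffic.
    """
    return {
        "Name": group_name,
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": group_name}},
        "OverrideAction": {"Count": {}} if count_only else {"None": {}},
        "VisibilityConfig": visibility(group_name),
    }


def build_web_acl(scope, blocklist_ip_set_arn):
    """Assemble a CreateWebACL-shaped definition: allow by default, block known-bad traffic."""
    return {
        "Name": "web-app-acl",                     # constructed name
        "Scope": scope,                            # "REGIONAL" for ALB/API Gateway/AppSync, "CLOUDFRONT" for CloudFront
        "DefaultAction": {"Allow": {}},            # traffic matching no rule is allowed
        "Rules": [
            {   # explicit IP blocklist, evaluated first (lowest priority number runs first)
                "Name": "block-ip-set", "Priority": 0,
                "Statement": {"IPSetReferenceStatement": {"ARN": blocklist_ip_set_arn}},
                "Action": {"Block": {}}, "VisibilityConfig": visibility("block-ip-set"),
            },
            {   # rate-based rule: more than 2000 requests per 5 minutes from one IP
                "Name": "rate-limit", "Priority": 1,
                "Statement": {"RateBasedStatement": {"Limit": 2000, "AggregateKeyType": "IP"}},
                "Action": {"Block": {}}, "VisibilityConfig": visibility("rate-limit"),
            },
            managed_group(2, "AWSManagedRulesCommonRuleSet"),          # Core Rule Set
            managed_group(3, "AWSManagedRulesKnownBadInputsRuleSet"),  # Known Bad Inputs
            managed_group(4, "AWSManagedRulesSQLiRuleSet"),            # SQL Database
            managed_group(5, "AWSManagedRulesAmazonIpReputationList"), # IP Reputation
            managed_group(6, "AWSManagedRulesBotControlRuleSet", count_only=True),  # Bot Control, observe first
        ],
        "VisibilityConfig": visibility("web-app-acl"),
    }


def validate_web_acl(acl):
    """Return a list of structural problems; an empty list means the definition is consistent."""
    errors = []
    if acl.get("Scope") not in ("CLOUDFRONT", "REGIONAL"):
        errors.append("Scope must be CLOUDFRONT or REGIONAL")
    if set(acl.get("DefaultAction", {})) not in ({"Allow"}, {"Block"}):
        errors.append("DefaultAction must be exactly one of Allow or Block")
    seen = set()
    for rule in acl.get("Rules", []):
        name, prio = rule.get("Name", "?"), rule.get("Priority")
        if prio in seen:
            errors.append(f"{name}: duplicate priority {prio}")
        seen.add(prio)
        references_group = bool(GROUP_STATEMENTS & set(rule.get("Statement", {})))
        if references_group and ("Action" in rule or "OverrideAction" not in rule):
            errors.append(f"{name}: rule-group rules need OverrideAction, not Action")
        if not references_group and ("OverrideAction" in rule or "Action" not in rule):
            errors.append(f"{name}: regular rules need Action, not OverrideAction")
        if "VisibilityConfig" not in rule:
            errors.append(f"{name}: missing VisibilityConfig")
    return errors


if __name__ == "__main__":
    acl = build_web_acl("REGIONAL", "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/blocklist/PLACEHOLDER-ID")
    print("problems:", validate_web_acl(acl) or "none")
```

The validator catches the two mistakes that most often reject a Web ACL at creation time: colliding priorities and an `Action` on a managed rule group rule. Keeping Bot Control in Count mode until its CloudWatch metrics have been reviewed avoids blocking legitimate automation on day one.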
AWS Shield
AWS Shield provides DDoS (Distributed Denial of Service) protection.
Shield Standard vs. Shield Advanced
| Feature | Shield Standard | Shield Advanced |
|---|---|---|
| Cost | Free (automatic) | $3,000/month + data transfer |
| Protection | Layer 3/4 DDoS | Layer 3/4/7 DDoS |
| Covered resources | All AWS resources | EC2, ELB, CloudFront, Global Accelerator, Route 53 |
| DDoS Response Team | No | Yes (24/7 access to AWS DRT) |
| Cost protection | No | Yes (credit for scaling charges during attack) |
| Advanced metrics | No | Yes (near real-time visibility) |
| WAF integration | No | Yes (WAF included at no extra cost) |
On the Exam: "The company wants DDoS protection with cost protection against scaling charges during an attack" → Shield Advanced. "Basic DDoS protection" → Shield Standard (already enabled by default).
AWS Network Firewall
AWS Network Firewall is a managed firewall service that provides fine-grained network traffic control for VPCs.
| Feature | Description |
|---|---|
| Inspection | Stateful and stateless packet inspection |
| Rules | Protocol, port, IP address, domain name filtering |
| IPS/IDS | Intrusion prevention and detection signatures |
| TLS inspection | Can decrypt and inspect TLS traffic |
| Deployment | Deployed in a dedicated firewall subnet |
| Scaling | Fully managed, scales automatically |
Use cases:
- Filter outbound traffic to prevent data exfiltration
- Block connections to known malicious domains
- Inspect traffic between VPCs (in Transit Gateway architecture)
- Comply with regulations requiring network-level inspection
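The difference between stateless and stateful inspection, and the domain-based outbound filtering listed in the use cases, are the parts of Network Firewall that matter most in design reviews. The block below is an added example written for this page, not code from AWS or from the Network Firewall engine: it models a stateless engine that judges each packet on its 5-tuple alone and hands the rest to a stateful engine that tracks flows, permits return traffic for connections opened from inside the VPC, and drops connections whose TLS server name is on a domain denylist. The VPC range, the packet sequence and the denylist are constructed; the denylist convention (a leading dot covers the domain and its subdomains) follows Network Firewall's domain list rules.

```python
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("10.0.0.0/16")   # constructed: the protected VPC range

# Constructed denylist in Network Firewall's domain-list convention:
# a leading dot matches the domain and every subdomain; no dot matches exactly.
DENYLIST = [".bad.example", "tracker.example.net"]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    syn: bool = False     # first packet of a new TCP connection
    sni: str = ""         # TLS server name, if this packet carries a ClientHello


def stateless_action(p):
    """Stateless engine: each packet is judged alone on its 5-tuple."""
    if p.proto == "tcp" and p.dport == 23:
        return "drop"                        # block telnet without any stateful processing
    return "forward_to_sfe"                  # everything else goes to the stateful engine


def domain_denied(name):
    for entry in DENYLIST:
        if entry.startswith("."):
            if name == entry[1:] or name.endswith(entry):
                return True
        elif name == entry:
            return True
    return False


def flow_key(p):
    """Direction-independent key so a reply maps to the same flow as the request."""
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))


def inspect(packets):
    """Run packets through stateless then stateful evaluation; return (packet, verdict) pairs."""
    flows = set()          # flows the stateful engine has accepted
    verdicts = []
    for p in packets:
        action = stateless_action(p)
        if action != "forward_to_sfe":
            verdicts.append((p, action))
            continue
        key = flow_key(p)
        if key in flows:
            verdict = "pass"                 # established flow: return traffic is allowed
        elif p.syn and ipaddress.ip_address(p.src) in INSIDE:
            verdict = "pass"                 # new connection opened from inside the VPC
            flows.add(key)
        else:
            verdict = "drop"                 # unsolicited inbound SYN, or a stray packet for an unknown flow
        if verdict == "pass" and p.sni and domain_denied(p.sni):
            verdict = "drop"                 # ClientHello names a denylisted domain: stop tracking the flow
            flows.discard(key)
        verdicts.append((p, verdict))
    return verdicts


# Constructed packet sequence (TEST-NET addresses for the outside hosts).
SAMPLE = [
    Packet("10.0.1.5", "203.0.113.10", 40001, 23, syn=True),                  # telnet: stateless drop
    Packet("10.0.1.5", "203.0.113.20", 40002, 443, syn=True),                 # new outbound HTTPS
    Packet("10.0.1.5", "203.0.113.20", 40002, 443, sni="api.good.example"),   # ClientHello, allowed name
    Packet("203.0.113.20", "10.0.1.5", 443, 40002),                           # server reply on tracked flow
    Packet("10.0.1.5", "203.0.113.30", 40003, 443, syn=True),                 # another outbound HTTPS
    Packet("10.0.1.5", "203.0.113.30", 40003, 443, sni="cdn.bad.example"),    # denylisted via .bad.example
    Packet("203.0.113.30", "10.0.1.5", 443, 40003),                           # reply for a flow no longer tracked
    Packet("198.51.100.9", "10.0.1.5", 51000, 22, syn=True),                  # unsolicited inbound SSH
]


def verdict_list(packets=SAMPLE):
    return [verdict for _, verdict in inspect(packets)]


if __name__ == "__main__":
    for p, v in inspect(SAMPLE):
        print(f"{v:5} {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.sni}")
```

Two points the trace makes visible: the telnet packet never reaches the stateful engine, which is why cheap 5-tuple drops belong in stateless rules, and the denylisted connection is only recognised at the ClientHello, after its SYN was accepted, which is the sort of thing only a flow-aware engine can do.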
AWS Firewall Manager
AWS Firewall Manager centrally manages firewall rules across multiple accounts and resources in an organization.
| Manages | Description |
|---|---|
| WAF rules | Deploy WAF Web ACLs across accounts |
| Shield Advanced | Manage Shield Advanced subscriptions and protections |
| Security groups | Audit and enforce security group policies |
| Network Firewall | Deploy Network Firewall rules across VPCs |
| Route 53 Resolver DNS Firewall | Manage DNS filtering rules |
Prerequisite: AWS Organizations must be enabled to use Firewall Manager.
A company needs to protect its public-facing web application against SQL injection attacks. The app is served via an Application Load Balancer. What should they use?
Which AWS Shield tier provides cost protection (credits for scaling charges during a DDoS attack)?
AWS WAF can be attached to which of the following? (Select the BEST answer)