1.5 AWS WAF, Shield, and Network Firewall

Key Takeaways

  • AWS WAF inspects Layer-7 HTTP/HTTPS traffic and blocks SQL injection, cross-site scripting, bots, and rate-based floods.
  • WAF attaches to CloudFront, Application Load Balancer, API Gateway, AppSync, and Cognito — never to NLB or EC2 directly.
  • AWS Shield Standard gives free, automatic Layer-3/4 DDoS protection; Shield Advanced adds Layer-7 defense, cost protection, and 24/7 SRT access for about $3,000/month.
  • AWS Network Firewall provides stateful and stateless packet inspection, intrusion prevention, and domain filtering for VPC traffic.
  • AWS Firewall Manager centrally enforces WAF, Shield Advanced, security groups, and Network Firewall policies across an Organization.

Last updated: June 2026

Quick Answer: WAF blocks Layer-7 web exploits and attaches to CloudFront/ALB/API Gateway. Shield defends against DDoS — Standard is free, Advanced is ~$3,000/month with cost protection and a Shield Response Team. Network Firewall inspects packets inside the VPC. Firewall Manager governs all three across accounts.

AWS WAF (Web Application Firewall)

AWS WAF filters HTTP(S) requests at the application layer (Layer 7) using rules organized in a Web ACL (Access Control List).

Threat                      | WAF Rule
SQL injection               | SQLi match statement / SQL Database managed group
Cross-site scripting (XSS)  | XSS match statement
Malicious IPs               | IP set rule (allow/block)
Geographic blocking         | Geo-match statement
HTTP floods                 | Rate-based rule (e.g., 2,000 requests / 5 min per IP)
Bots                        | Bot Control managed rule group
Known bad inputs            | AWS Managed Rules (threat intel)

Integration Targets (memorize the list)

Service                                 | Scope
Amazon CloudFront                       | Global edge
Application Load Balancer               | Regional
Amazon API Gateway                      | Regional
AWS AppSync                             | Regional (GraphQL)
Amazon Cognito user pools / App Runner  | Regional

On the Exam: WAF does NOT attach to a Network Load Balancer (NLB) or to EC2 directly — both are Layer-4 / instance-level. If a scenario uses an NLB and needs Layer-7 filtering, the design must put a WAF-capable layer (ALB or CloudFront) in front.

A Web ACL holds rules and rule groups and a default action (Allow or Block) for unmatched requests. AWS Managed Rules include the Core Rule Set (OWASP Top 10), Known Bad Inputs, SQL Database, IP Reputation, and Bot Control — using them avoids hand-writing common protections.

AWS Shield

AWS Shield is the managed Distributed Denial of Service (DDoS) protection service.

Feature              | Shield Standard        | Shield Advanced
Cost                 | Free, always on        | ~$3,000/month (1-year commit) + data transfer
Layers               | 3/4                    | 3/4/7
Protected resources  | All AWS edge/network   | EC2, ELB, CloudFront, Global Accelerator, Route 53
Response team        | No                     | 24/7 Shield Response Team (SRT)
Cost protection      | No                     | Yes — credits for DDoS-driven scaling charges
WAF                  | Separate cost          | WAF included at no extra charge

On the Exam: "Protect against DDoS and get billing credits for Auto Scaling spikes during an attack" → Shield Advanced. "Basic, no-cost DDoS protection" → Shield Standard (already enabled).

AWS Network Firewall

AWS Network Firewall is a managed, stateful VPC firewall for Layer-3/4 and some Layer-7 inspection.

Capability      | Detail
Inspection      | Stateful and stateless packet filtering
Rules           | Protocol, port, IP, domain-name allow/deny lists
IPS/IDS         | Suricata-compatible signatures (intrusion prevention/detection)
TLS inspection  | Optional decrypt-and-inspect
Deployment      | Dedicated firewall subnet, often with a Transit Gateway hub
Scaling         | Fully managed, auto-scaling

Use it to stop data exfiltration, block egress to known-bad domains, or inspect east-west traffic between VPCs — things SGs and NACLs cannot do because they filter only by IP/port, not by content or domain.

AWS Firewall Manager

AWS Firewall Manager centrally applies and audits protections across an entire AWS Organization (which is a prerequisite).

Manages                         | Example Policy
WAF                             | Deploy one Web ACL to every ALB org-wide
Shield Advanced                 | Enforce Advanced on all in-scope resources
Security groups                 | Audit and remediate overly permissive rules
Network Firewall                | Standardize VPC firewall rules
Route 53 Resolver DNS Firewall  | Org-wide DNS filtering

On the Exam: "Enforce the same WAF rules automatically on every new account/ALB across the organization" → Firewall Manager, not per-account WAF.

Where Each Layer Lives in the Request Path

Understanding the order of inspection clarifies which service answers a question. A request to a global web app typically flows: client → Shield (edge, automatic) → CloudFront → WAF (Web ACL evaluated here) → origin (ALB) → security groups → instance. WAF inspects HTTP content; Shield absorbs volumetric floods before they reach your origin; security groups and NACLs filter at the network layers; and Network Firewall sits inside the VPC inspecting east-west and egress traffic that the edge services never see.

Mapping a threat to the correct layer is the recurring skill: SQL injection is Layer 7 → WAF, a 100-Gbps UDP flood is Layer 3/4 → Shield, and outbound traffic to a malicious domain is VPC egress → Network Firewall.

WAF Rule Priority and Actions

Within a Web ACL, rules run in priority order (lowest number first), and the first terminating action — Allow or Block — stops evaluation. A Count action is non-terminating and is used to test a new rule's impact safely before switching it to Block. A common design mistake is placing a broad Allow rule above a specific Block rule, so the malicious request matches Allow first and is never blocked — order rate-based and managed protection rules above permissive rules.

Rate-Based Rules and Bot Control

A rate-based rule tracks requests per source IP over a rolling 5-minute window and blocks IPs that exceed the threshold (for example, 2,000 requests), automatically releasing them when the rate subsides. This is the standard answer for mitigating an HTTP flood / Layer-7 DDoS at the application tier, complementing Shield's network-layer defense. For automated and targeted bots (scrapers, credential stuffing), the Bot Control managed rule group adds detection beyond simple rate limiting.
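The two paragraphs above describe the evaluation semantics of a Web ACL: priority order, terminating Allow/Block versus non-terminating Count, and a rate-based rule's rolling 5-minute window with automatic release. The following toy model is an added illustration written for this page, not AWS code and not the real WAF engine; the rule names, IP addresses, paths and the 2,000-request limit are constructed sample values. It shows the misordering mistake (a broad Allow placed above a specific IP Block) side by side with the corrected ordering, a Count-mode rule observing traffic without changing the decision, and an IP tripping the rate limit and then being released once the window rolls past the burst.

```python
"""Toy model of AWS WAF Web ACL evaluation (added illustration, not AWS code).

Rules run in priority order (lowest number first); Allow and Block terminate
evaluation; Count is recorded and evaluation continues; a rate-based rule
blocks a source IP whose requests in a rolling 5-minute window exceed its
limit and releases it when the rate subsides. All names, IPs and paths are
constructed sample values.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable

ALLOW, BLOCK, COUNT = "ALLOW", "BLOCK", "COUNT"
RATE_WINDOW_SECONDS = 300  # rate-based rules use a rolling 5-minute window


@dataclass
class Request:
    source_ip: str
    path: str
    timestamp: float  # seconds since an arbitrary epoch


@dataclass
class Rule:
    name: str
    priority: int
    action: str                         # ALLOW, BLOCK or COUNT
    matches: Callable[[Request], bool]


def rate_based_rule(name: str, priority: int, limit: int) -> Rule:
    """Build a Block rule that tracks per-IP request timestamps in a rolling window."""
    history: dict[str, deque] = defaultdict(deque)

    def matches(req: Request) -> bool:
        window = history[req.source_ip]
        window.append(req.timestamp)
        # Drop requests older than the window: once the burst ends the IP is released
        while window and req.timestamp - window[0] >= RATE_WINDOW_SECONDS:
            window.popleft()
        return len(window) > limit

    return Rule(name, priority, BLOCK, matches)


class WebACL:
    def __init__(self, rules: list[Rule], default_action: str):
        self.rules = sorted(rules, key=lambda r: r.priority)  # lowest number first
        self.default_action = default_action
        self.counted: dict[str, int] = defaultdict(int)       # hits on Count-mode rules

    def evaluate(self, req: Request) -> tuple[str, str]:
        """Return (action, rule name) of the first terminating match, else the default."""
        for rule in self.rules:
            if not rule.matches(req):
                continue
            if rule.action == COUNT:
                self.counted[rule.name] += 1   # observe only; keep evaluating
                continue
            return rule.action, rule.name     # Allow/Block terminates evaluation
        return self.default_action, "DEFAULT"


def build_acl(block_bad_ip_priority: int, allow_api_priority: int) -> WebACL:
    """Constructed Web ACL: default Block, allow /api/, block a known-bad IP set."""
    bad_ips = {"203.0.113.7"}  # constructed IP set (documentation address range)
    rules = [
        rate_based_rule("http-flood", priority=0, limit=2000),
        Rule("count-admin-paths", 5, COUNT, lambda r: "/admin" in r.path),
        Rule("block-known-bad-ip", block_bad_ip_priority, BLOCK, lambda r: r.source_ip in bad_ips),
        Rule("allow-api", allow_api_priority, ALLOW, lambda r: r.path.startswith("/api/")),
    ]
    return WebACL(rules, default_action=BLOCK)


def misordered_vs_correct():
    """Same request, two orderings: a broad Allow above the IP Block lets the bad IP through."""
    req = Request("203.0.113.7", "/api/orders", 0.0)
    wrong = build_acl(block_bad_ip_priority=20, allow_api_priority=10)
    right = build_acl(block_bad_ip_priority=10, allow_api_priority=20)
    return wrong.evaluate(req), right.evaluate(req)


def count_mode_demo():
    """Count records the would-be match without changing the final decision."""
    acl = build_acl(block_bad_ip_priority=10, allow_api_priority=20)
    action, rule = acl.evaluate(Request("192.0.2.10", "/api/admin", 0.0))
    return action, rule, acl.counted["count-admin-paths"]


def simulate_flood(limit: int = 2000):
    """2,001 requests from one IP in 200 s: the 2,001st trips the limit; 5 min later it is released."""
    acl = WebACL([rate_based_rule("http-flood", 0, limit)], default_action=ALLOW)
    ip = "198.51.100.24"
    decisions = [acl.evaluate(Request(ip, "/", i * 0.1))[0] for i in range(limit + 1)]
    released = acl.evaluate(Request(ip, "/", limit * 0.1 + RATE_WINDOW_SECONDS + 1))[0]
    return decisions[limit - 1], decisions[limit], released


if __name__ == "__main__":
    print(misordered_vs_correct())  # (('ALLOW', 'allow-api'), ('BLOCK', 'block-known-bad-ip'))
    print(count_mode_demo())        # ('ALLOW', 'allow-api', 1)
    print(simulate_flood())         # ('ALLOW', 'BLOCK', 'ALLOW')
```

Note that the rate-based rule only counts requests that reach it in priority order, which is why it sits at the lowest priority number in the constructed ACL; the Count rule shows the deployment pattern the text recommends of observing a new rule's matches before switching it to Block.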

Service Selection Cheat Sheet

Threat / Need                          | Service
SQL injection, XSS, bad inputs         | AWS WAF
Volumetric Layer 3/4 DDoS, free        | Shield Standard
Layer 7 DDoS + cost protection + SRT   | Shield Advanced
Inspect/block VPC egress by domain     | Network Firewall
Org-wide enforcement of the above      | Firewall Manager
Filter DNS queries to bad domains      | Route 53 Resolver DNS Firewall

Common Trap: WAF and Shield are complementary, not interchangeable. A question that asks to stop SQL injection is never solved by Shield, and one asking for DDoS cost protection is never solved by WAF alone.

Test Your Knowledge

A public web application behind an Application Load Balancer must be protected against SQL injection and cross-site scripting. What should you deploy?


Which AWS Shield tier provides cost protection, crediting back charges from DDoS-driven Auto Scaling during an attack?


An application is exposed through a Network Load Balancer, and the team wants AWS WAF to filter requests. What is the correct conclusion?
