CloudGuild · Blog · Cheat sheets · Lessons · Certifications
AWS WAF, Shield & Firewall Manager — Web Application Security Suite
A set of services to protect web applications from common web exploits and DDoS attacks.
What it is
- AWS WAF: A web application firewall that helps protect your web applications from common exploits.
- AWS Shield: A managed DDoS protection service that safeguards applications running on AWS.
- AWS Firewall Manager: A security management service that simplifies the management of firewall rules across accounts.
When I reach for it
- When you need to protect web applications from SQL injection, XSS, and other vulnerabilities.
- When deploying applications that require DDoS protection, especially in high-traffic scenarios.
- When managing multiple AWS accounts and needing centralized security policies.
Key architectural decisions
- Choose AWS WAF for customizable rules and real-time traffic monitoring.
- Opt for AWS Shield Advanced for advanced DDoS protection with additional features like cost protection.
- Use AWS Firewall Manager to enforce consistent security policies across multiple accounts and resources.
Gotchas & exam traps
- Remember that AWS WAF charges are based on the number of rules and requests processed, which can add up.
- AWS Shield Standard is included at no additional cost, while Shield Advanced incurs a monthly fee.
- AWS Firewall Manager requires AWS Organizations setup, which may not be obvious in exam scenarios.
The architect view
- Integrate AWS WAF with Amazon CloudFront for enhanced protection and low latency.
- Utilize AWS Shield alongside AWS WAF for layered security against both application-level and network-layer attacks.
- Regularly review and update WAF rules to adapt to evolving threats and ensure compliance.