AWS WAF and Shield

Web application firewall and DDoS protection — web ACLs, rate limiting, managed rules, Shield Standard vs Advanced.

Overview

AWS WAF is a web application firewall that filters HTTP/HTTPS traffic at Layer 7 — it protects against common exploits like SQL injection, XSS, and bot traffic. AWS Shield provides managed Distributed Denial of Service (DDoS) protection at Layers 3, 4, and 7.

Service	Purpose	Cost
AWS WAF	Layer 7 filtering (web ACLs, rules)	Per web ACL + rules + requests
Shield Standard	Basic L3/L4 DDoS protection	Free (automatic for all)
Shield Advanced	Enhanced DDoS protection + DRT + cost protection	$3,000/month + data fees

Core Concepts

Concept	Description
Web ACL	A set of rules that inspects and controls HTTP/S traffic to a protected resource
Rule	A condition-action pair: match criteria → allow, block, count, or CAPTCHA
Rule Group	A reusable collection of rules (AWS Managed, Marketplace, or custom)
Rate-Based Rule	Blocks IPs exceeding a request threshold within a 5-minute window
IP Set	A named list of IP addresses or CIDR ranges for allow/block lists
Regex Pattern Set	A set of regex patterns for matching request components
Managed Rule Group	Pre-configured rules maintained by AWS or third-party vendors
Shield Standard	Automatic L3/L4 DDoS protection at no cost for all AWS resources
Shield Advanced	Enhanced detection, DDoS Response Team (DRT), cost protection, and advanced metrics

WAF Deployment Points

Resource	Layer	Notes
Amazon CloudFront	Edge	Global protection; recommended for internet-facing apps
Application Load Balancer	Regional	Protects ALB-backed applications
Amazon API Gateway	Regional	Protects REST APIs
AWS AppSync	Regional	Protects GraphQL APIs
Amazon Cognito User Pools	Regional	Protects authentication endpoints
AWS App Runner	Regional	Protects App Runner services
AWS Verified Access	Regional	Protects enterprise application access

WAF Rule Types

Rule Type	Matches On	Example
IP match	Source IP or IP set	Block known bad IPs
Geo match	Country of origin	Block or allow specific countries
String match	URI, query string, header, body content	Block paths containing `/admin`
Regex match	Regex patterns on request components	Detect SQL injection patterns
Size constraint	Request component size exceeds threshold	Block oversized payloads
Rate-based	Request count per IP exceeds threshold per 5 minutes	Rate limit to 2,000 req/5 min per IP
Managed rule	Pre-built detection logic (OWASP Top 10, bots, etc.)	AWS Core Rule Set, Bot Control

AWS Managed Rule Groups (Key Examples)

Rule Group	Protects Against
Core Rule Set (CRS)	OWASP Top 10 — SQLi, XSS, SSRF, etc.
Known Bad Inputs	Common exploit payloads
Bot Control	Automated bot traffic (scraping, credential stuffing)
Account Takeover Prevention	Credential stuffing on login pages
IP Reputation	IPs with known malicious activity

Shield Standard vs Advanced

Feature	Shield Standard	Shield Advanced
Cost	Free	$3,000/month (1-year commitment)
Protection layer	L3/L4	L3/L4/L7
Automatic mitigation	Yes (basic)	Yes (enhanced ML-based)
DDoS Response Team (DRT)	No	Yes (24/7 access)
Cost protection	No	Yes (credits for scaling costs during attacks)
Advanced metrics	No	Yes (real-time attack visibility)
WAF integration	Separate	Free WAF for Shield-protected resources
Health-based detection	No	Yes (Route 53 health checks for faster detection)

SAA/SAP Tip: Shield Advanced includes free WAF (no web ACL or rule charges) for protected resources. It also provides cost protection — AWS credits scaling charges incurred during a DDoS attack (e.g., EC2, CloudFront, ALB scale-out).

Common Use Cases

OWASP Top 10 protection — Deploy AWS Managed Core Rule Set on CloudFront or ALB to block SQL injection, XSS, and other common attacks.
Rate limiting — Rate-based rules to throttle brute-force login attempts or API abuse.
Geo-blocking — Restrict content delivery to specific countries for compliance or licensing.
Bot mitigation — Bot Control managed rule group to detect and block scrapers and automated threats.
DDoS protection — Shield Advanced for mission-critical public-facing applications with DRT support and cost protection.

SAA/SAP Exam Tips

SAA/SAP Tip: AWS WAF on CloudFront protects at the edge (global). WAF on ALB protects at the regional level. For best protection, attach WAF to CloudFront in front of the ALB.

Exam Trap: Shield Standard is already enabled for all AWS accounts at no cost. Questions asking about "additional DDoS protection" or "DDoS Response Team" always point to Shield Advanced ($3,000/month).

SAA/SAP Tip: For "block SQL injection and XSS attacks" with minimal effort, the answer is WAF with AWS Managed Rules (specifically the Core Rule Set). No custom rule writing is required.

Cross-Cloud Equivalents

Provider	Service / Solution	Notes
AWS	AWS WAF + Shield	Baseline
Azure	Azure Web Application Firewall + Azure DDoS Protection	WAF on Application Gateway or Front Door
GCP	Google Cloud Armor	Combined WAF + DDoS; integrated with LB
On-Premises	Cloudflare, Akamai, Imperva, ModSecurity	CDN-based or on-premises WAF appliances

Pricing Model

WAF

Dimension	Unit	Notes
Web ACL	$5/month	Per web ACL
Rule	$1/month per rule	Per rule within a web ACL
Requests	$0.60 per million	Inspected requests
Bot Control	$10/month + $1/M	Additional charge for bot rule group

Shield

Dimension	Unit	Notes
Shield Standard	Free	Automatic for all AWS accounts
Shield Advanced	$3,000/month	1-year commitment; includes free WAF for protected resources
DDoS data transfer	Per GB	Charged during Shield Advanced events

Amazon CloudFront — primary deployment point for edge WAF
Elastic Load Balancing — ALB supports WAF web ACL attachment
Amazon API Gateway — WAF protects REST API endpoints
Amazon GuardDuty — threat detection complements WAF prevention
AWS Firewall Manager — centrally manage WAF rules across accounts

AWS WAF and Shield

On this page