AWS WAF & Shield
Service 35

Security, Edge, Network

AWS WAF is a managed web application firewall that sits in front of CloudFront, ALB, API Gateway, or AppSync, inspects every HTTP request, and blocks matching requests before they reach your origin (at the CloudFront edge for global distributions, in-region for ALB and API Gateway). AWS Shield is DDoS protection: Shield Standard is free and automatically on for every account, absorbing network- and transport-layer volumetric attacks; Shield Advanced is paid and adds application-layer protection, a response team, and cost protection.

The two complement each other — WAF stops bad requests one at a time, Shield absorbs floods of bad packets. Most production web applications use both.

How WAF Works

You create a Web ACL and attach it to a resource. It is a priority-ordered list of rules (lower priority number evaluates first) matching on source IP, country, header, URI, query string, method, body content, or request rate, combined with AND/OR/NOT. A matching rule's action is Allow, Block, Count (record the match and keep evaluating), or CAPTCHA/Challenge; Allow and Block terminate evaluation, so the first terminating match wins. The Web ACL has a default action (usually Allow) for requests no rule terminates.

A typical Web ACL combines AWS-managed rule groups, a rate-based rule on the login endpoint, and a few custom rules.

Managed Rule Groups and Rate-Based Rules

AWS-managed rule groups save you from writing rules: the Core Rule Set covers the common OWASP Top 10 categories (SQL injection, XSS, path traversal, oversized inputs), and pairs well with Known Bad Inputs and the Amazon IP reputation list. Paid add-ons include Bot Control, Account Takeover Prevention, and Fraud Control.

Rate-based rules are the easiest defense against credential stuffing and scraping: count requests per source over a sliding window (5 minutes by default) and block the source while it exceeds a threshold. To limit /login to 100 requests per IP per 5 minutes, scope the rule down to that path so the rest of the site does not count toward the limit. Two caveats: if requests reach WAF through a proxy or CDN you do not control, aggregate on the forwarded IP header rather than the connection IP, or every client shares one bucket; and a per-IP limit does not stop stuffing spread across many source addresses, which is what Bot Control and Account Takeover Prevention are for.
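The Web ACL described above, written out as the request body for the wafv2 `create_web_acl` API: three AWS-managed rule groups that start in Count mode (one flag flips them to Block), a rate-based rule scoped to /login, and a default action of Allow. This is an added example, not code from the page; the ACL name, the Count-first set of rule groups, the priorities and the 100-request threshold are assumptions, and the optional `apply` helper assumes boto3 and AWS credentials are available.

```python
"""Build an AWS WAF (wafv2) Web ACL definition: managed rule groups in Count mode first,
Block later, plus a rate-based rule on /login.  Added example; names, priorities and the
threshold are assumptions, not values taken from the page."""
import json


def visibility(metric_name):
    # Every rule and the ACL itself need a VisibilityConfig; the sampled requests and
    # CloudWatch metrics are what you read while a rule group sits in Count mode.
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}


def managed_rule_group(name, priority, count_only):
    # OverrideAction Count makes every rule in the group count instead of block.
    # Set count_only=False (OverrideAction None) once false positives have been tuned out.
    return {
        "Name": name, "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": name}},
        "OverrideAction": {"Count": {}} if count_only else {"None": {}},
        "VisibilityConfig": visibility(name),
    }


def login_rate_rule(priority, limit=100, path=b"/login"):
    # Rate-based rule: per-source-IP request count over the default 5-minute window,
    # scoped down so only requests whose URI path starts with /login are counted.
    return {
        "Name": "login-rate-limit", "Priority": priority,
        "Statement": {"RateBasedStatement": {
            "Limit": limit, "AggregateKeyType": "IP",
            "ScopeDownStatement": {"ByteMatchStatement": {
                "SearchString": path,          # bytes: boto3 sends blobs as-is
                "FieldToMatch": {"UriPath": {}},
                "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
                "PositionalConstraint": "STARTS_WITH"}}}},
        "Action": {"Block": {}},
        "VisibilityConfig": visibility("login-rate-limit"),
    }


def build_web_acl(name, scope="CLOUDFRONT", count_only=True, login_limit=100):
    # Lower Priority numbers evaluate first; the rate rule sits after the managed groups.
    # Default action Allow: anything no rule blocks reaches the origin.  Scope CLOUDFRONT
    # ACLs must be created in us-east-1; use REGIONAL for ALB, API Gateway and AppSync.
    rules = [
        managed_rule_group("AWSManagedRulesCommonRuleSet", 0, count_only),
        managed_rule_group("AWSManagedRulesKnownBadInputsRuleSet", 1, count_only),
        managed_rule_group("AWSManagedRulesAmazonIpReputationList", 2, count_only),
        login_rate_rule(10, login_limit),
    ]
    return {"Name": name, "Scope": scope, "DefaultAction": {"Allow": {}},
            "Rules": rules, "VisibilityConfig": visibility(name)}


def apply(web_acl, region="us-east-1"):
    # Optional: create the ACL with boto3 (assumes boto3 and credentials; not run by default).
    import boto3
    return boto3.client("wafv2", region_name=region).create_web_acl(**web_acl)


if __name__ == "__main__":
    acl = build_web_acl("prod-edge-acl")
    print(json.dumps(acl, indent=2, default=lambda b: b.decode()))
```

Run it once with `count_only=True`, watch the sampled requests and the `CountedRequests` metric for a week, then rebuild with `count_only=False` and push the update. If you serialize the dict for `aws wafv2 create-web-acl --cli-input-json` instead of boto3, note that AWS CLI v2 expects blob fields such as `SearchString` base64-encoded by default. Logging is configured separately with `put_logging_configuration`, and the destination name must begin with `aws-waf-logs-` (a CloudWatch log group, Firehose stream, or S3 bucket).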

Shield Standard and Advanced

Shield Standard is free, automatic, and not configurable: it absorbs common SYN floods, UDP reflection, and DNS/NTP amplification at Layers 3 and 4, usually invisibly. You never turn it on or off.

Shield Advanced (USD 3,000/month with a one-year commitment, plus data transfer fees) adds application-layer (HTTP-flood) protection, the 24/7 Shield Response Team, cost protection that credits back attack-induced scaling bills on protected resources, and richer attack visibility. Its automatic application-layer mitigation works by placing rules in WAF, so the protected resource needs a Web ACL attached. Most teams do not need it; reach for it when you are a known target, have strict uptime SLAs, or the cost protection alone justifies it.

WAF vs Shield

WAF: filters malicious HTTP requests one at a time (SQL injection, XSS, credential stuffing) with rules evaluated in front of the origin.

Shield Standard: free, automatic absorption of common network- and transport-layer volumetric DDoS.

Shield Advanced: paid application-layer DDoS protection, a response team, and cost protection for known targets.

Common Mistakes
  • Flipping managed rule groups straight to Block without first running them in Count mode, blocking legitimate traffic on false positives.
  • Leaving public login endpoints with no rate-based rule, inviting credential stuffing.
  • Running WAF with no logging to CloudWatch Logs, S3, or Firehose, leaving it a black box when something breaks.
  • Attaching WAF only to regional ALBs for a global app instead of to CloudFront, missing edge blocking and origin-load reduction.
  • Buying Shield Advanced for a low-risk app that gains little beyond free Shield Standard.
  • Assuming Shield Standard needs configuration — it is automatic and cannot be turned on or off.
Best Practices
  • Attach a Web ACL with the Core Rule Set to every public-facing application.
  • Start managed rule groups in Count mode, then switch to Block after checking for false positives.
  • Add a rate-based rule on login endpoints.
  • Log WAF to CloudWatch Logs or S3 and tune rules over time.
  • Put WAF on CloudFront for global apps to block at the edge and cut origin load.
  • Reserve Shield Advanced for known attack targets or strict-SLA workloads where cost protection pays back.
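The Count-then-Block workflow in the practices above needs something to read the Count matches out of the WAF logs. The script below is an added example (not code from the page): it parses WAF log records, aggregates every COUNT-mode match by rule group and rule, flags rules that fire on one URI from many distinct client IPs (the usual signature of a false positive on normal application traffic), and emits the `RuleActionOverrides` entries that keep only those rules in Count while the rest of the group goes to Block. The log lines are constructed to mirror the WAF log layout; the thresholds in `likely_false_positives` are assumptions to tune per site.

```python
"""Review COUNT-mode matches in AWS WAF logs before switching a managed rule group to Block.
Added example; the records below are constructed, not real traffic."""
import json
from collections import Counter, defaultdict


def make_record(ip, uri, count_matches, group="AWS#AWSManagedRulesCommonRuleSet"):
    # Constructed WAF log record carrying only the fields this script reads.
    return json.dumps({
        "timestamp": 1700000000000, "action": "ALLOW", "terminatingRuleId": "Default_Action",
        "httpRequest": {"clientIp": ip, "uri": uri, "country": "US", "httpMethod": "POST"},
        "ruleGroupList": [{
            "ruleGroupId": group, "terminatingRule": None,
            "nonTerminatingMatchingRules": [{"ruleId": r, "action": "COUNT"} for r in count_matches],
            "excludedRules": None}],
    })


# Constructed sample: three different users hitting an upload form that trips
# SizeRestrictions_BODY, one source probing two paths with SQL injection, one clean request.
SAMPLE_LOG = [
    make_record("203.0.113.5", "/api/upload", ["SizeRestrictions_BODY"]),
    make_record("203.0.113.6", "/api/upload", ["SizeRestrictions_BODY"]),
    make_record("203.0.113.7", "/api/upload", ["SizeRestrictions_BODY"]),
    make_record("198.51.100.9", "/login", ["SQLi_QUERYARGUMENTS"]),
    make_record("198.51.100.9", "/search", ["SQLi_QUERYARGUMENTS"]),
    make_record("203.0.113.8", "/", []),
]


def load_records(lines):
    # WAF delivers one JSON object per line to S3, CloudWatch Logs or Firehose.
    return [json.loads(line) for line in lines if line.strip()]


def count_mode_matches(records):
    """Map (rule_group, rule_id) -> hits, distinct client IPs and per-URI counts for every
    rule that matched in COUNT mode (nonTerminatingMatchingRules inside ruleGroupList)."""
    acc = defaultdict(lambda: {"hits": 0, "ips": set(), "uris": Counter()})
    for rec in records:
        req = rec["httpRequest"]
        for group in rec.get("ruleGroupList") or []:
            for rule in group.get("nonTerminatingMatchingRules") or []:
                if rule.get("action") != "COUNT":
                    continue
                entry = acc[(group["ruleGroupId"], rule["ruleId"])]
                entry["hits"] += 1
                entry["ips"].add(req["clientIp"])
                entry["uris"][req["uri"]] += 1
    return {k: {"hits": v["hits"], "ips": len(v["ips"]), "uris": dict(v["uris"])}
            for k, v in acc.items()}


def likely_false_positives(summary, min_hits=3, min_ips=2):
    # Heuristic (thresholds are assumptions): a rule that fires on the same URI from several
    # distinct IPs is usually matching normal application behaviour, not a single attacker.
    flagged = []
    for (group, rule_id), v in summary.items():
        top_uri, top_hits = max(v["uris"].items(), key=lambda kv: kv[1])
        if top_hits >= min_hits and v["ips"] >= min_ips:
            flagged.append((group, rule_id, top_uri))
    return sorted(flagged)


def rule_action_overrides(flagged):
    # RuleActionOverrides for a ManagedRuleGroupStatement: leave only the noisy rules in
    # Count so the rest of the group can move to Block (OverrideAction None).
    return [{"Name": rule_id, "ActionToUse": {"Count": {}}} for _, rule_id, _ in flagged]


if __name__ == "__main__":
    summary = count_mode_matches(load_records(SAMPLE_LOG))
    for key, v in sorted(summary.items()):
        print(key, v)
    flagged = likely_false_positives(summary)
    print("overrides:", json.dumps(rule_action_overrides(flagged)))
```

Against real logs, run this over a full week so low-traffic paths get represented, and review the flagged rules by hand: a rule that fires on one path from many IPs can also be a distributed attack, so check the matched request samples before deciding. Prefer a per-rule override to excluding the whole rule group.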
Comparable services: GCP: Cloud Armor; Azure: Azure WAF, DDoS Protection

Knowledge Check

What is the division of labor between WAF and Shield?

  • WAF filters malicious HTTP requests individually; Shield absorbs volumetric DDoS floods
  • WAF absorbs volumetric DDoS floods while Shield inspects individual HTTP requests
  • They are simply two different brand names for one and the same underlying service
  • WAF covers only internal VPC traffic, while Shield covers all of the external internet traffic

What is the easiest WAF defense against credential stuffing on a login endpoint?

  • A rate-based rule that blocks a source exceeding a request threshold over a time window
  • Setting the Web ACL's default action to Block so the login endpoint simply rejects everything
  • Enabling Shield Advanced to soak up the credential-guessing attempts
  • A geolocation rule that blocks requests from every country at once

Why start AWS-managed rule groups in Count mode?

  • To observe what they would block and catch false positives on legitimate traffic before switching to Block
  • Because Block mode is always billed at a noticeably higher per-request rate than Count mode for the same traffic
  • Because Count mode is a hard prerequisite that must be set before Shield will activate
  • Because AWS-managed rule groups are only ever able to run in Count mode, never Block

What does Shield Standard require to protect an account?

  • Nothing — it is free, automatic, and always on for every account
  • A one-year minimum subscription commitment plus a flat fee of roughly USD 3,000 per month
  • Manually attaching the protection to each individual resource you want covered
  • A WAF Web ACL configured with the AWS Core Rule Set enabled
