AWS Shield & WAF

AWS Shield and AWS WAF together form the edge defence for internet-facing AWS workloads. Shield protects against L3 / L4 (network and transport) DDoS attacks; WAF inspects L7 (HTTP / HTTPS) traffic against managed and custom rules. Both services integrate natively with CloudFront, Application Load Balancer, API Gateway, and AppSync — the four AWS services that terminate internet traffic.

1. Edge Defence Layers

The traffic path: internet → Shield (always-on at the AWS edge) → CloudFront with a WAF Web ACL attached → origin (ALB / API Gateway / AppSync). Each layer drops different classes of attack so the origin only sees clean L7 traffic.

┌──────────────────────────────────────────────────────────────────────────────┐
│                       INTERNET / ATTACKERS                                   │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────────────────┐            │
│  │ Legitimate   │  │  L3/L4 DDoS  │  │  L7 App Attacks (SQLi,   │            │
│  │ Users        │  │ (SYN, UDP)   │  │  XSS, Bots, Scrapers)    │            │
│  └──────────────┘  └──────────────┘  └──────────────────────────┘            │
└──────────────────────────────────────────────────────────────────────────────┘
                                       │
                                       ▼
┌──────────────────────────────────────────────────────────────────────────────┐
│               AWS SHIELD (Edge / Network DDoS)                               │
│  ┌──────────────────────────┐  ┌──────────────────────────────┐              │
│  │   Shield Standard        │  │   Shield Advanced ($3k/mo)   │              │
│  │   (Free, automatic L3/4) │  │   24x7 SRT, cost protection  │              │
│  └──────────────────────────┘  └──────────────────────────────┘              │
└──────────────────────────────────────────────────────────────────────────────┘
                                       │
                                       ▼
┌──────────────────────────────────────────────────────────────────────────────┐
│               CLOUDFRONT + AWS WAF (L7)                                      │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────────────────────┐           │
│ │  Managed     │ │  Rate-Based  │ │  Custom + Bot Control /      │           │
│ │  Rule Groups │ │   Rules      │ │  Captcha / Challenge         │           │
│ └──────────────┘ └──────────────┘ └──────────────────────────────┘           │
│   (Web ACL evaluation order: top-down, first terminating action)             │
└──────────────────────────────────────────────────────────────────────────────┘
                                       │
                                       ▼
┌──────────────────────────────────────────────────────────────────────────────┐
│                ORIGIN (Application Tier)                                     │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────────────────┐            │
│  │     ALB      │  │ API Gateway  │  │  AppSync / Cognito       │            │
│  │  EC2 / ECS   │  │   Lambda     │  │  GraphQL                 │            │
│  └──────────────┘  └──────────────┘  └──────────────────────────┘            │
└──────────────────────────────────────────────────────────────────────────────┘

2. AWS Shield: Standard vs Advanced

Shield Standard is automatic and free for every AWS customer. It mitigates the most common volumetric L3/L4 attacks (SYN floods, reflection / amplification, UDP floods) at the AWS network edge with no configuration.

Shield Advanced ($3,000 / month per organization plus per-resource fees) adds:

• Enhanced detection & mitigation: tighter thresholds, faster reaction time on application-layer attacks.
• 24/7 Shield Response Team (SRT): AWS engineers who can be engaged during an active attack to write custom WAF rules and tune mitigations.
• Cost protection: Shield refunds the AWS scaling charges (data transfer, request count, EC2 / Auto Scaling) caused by a DDoS event — arguably the most valuable feature.
• Global threat dashboard: visibility into attacks against your resources and across the AWS network.
• Bundled WAF: WAF charges are included for protected resources, which softens the bill at high request volumes.
• Bundled Firewall Manager: for org-wide rule deployment.

Use Shield Advanced when downtime cost exceeds the subscription, when compliance demands documented DDoS mitigation, or when the cost-protection alone justifies the spend at high traffic.

3. AWS WAF Rule Groups

• AWS Managed Rules: AWS-curated rule groups for common threats — CommonRuleSet (OWASP top 10), KnownBadInputs, SQLDatabase, LinuxOperatingSystem, PHPApplication, WordPressApplication, AdminProtection, AnonymousIpList, AmazonIpReputationList. Free with WAF.
• Marketplace Rule Groups: third-party rule groups from Fortinet, F5, Imperva, Cyber Security Cloud, etc., billed per million requests.
• Custom Rules: hand-written predicates on request URI, headers, query string, body, country, IP set, regex patterns. Combine with AND / OR / NOT.
• Rate-Based Rules: count requests per 5-minute window per source IP (or per a custom aggregate key like header value); Block / Count / Captcha when threshold exceeded. Threshold range 100–20,000,000.
• Bot Control: managed rule group that fingerprints bot signatures, distinguishes verified good bots (Googlebot) from scrapers, and applies Captcha or Challenge actions.
• Account Takeover Prevention (ATP) & Account Creation Fraud Prevention (ACFP): dedicated managed rule groups against credential stuffing and fake-signup floods.

4. Integration with CloudFront / ALB / API Gateway / AppSync

A WAF Web ACL attaches to one or more of these AWS services. Each request hits the Web ACL before reaching the origin.

• CloudFront: the preferred attachment point — rules execute at 600+ edge locations, blocking attackers far from the origin. Use Web ACLs scoped to CLOUDFRONT (us-east-1 only).
• Application Load Balancer: attach a regional Web ACL when CloudFront isn't appropriate (internal / IPv4-only traffic).
• API Gateway: regional Web ACL on REST APIs; for HTTP APIs, front them with CloudFront for WAF.
• AppSync: regional Web ACL on GraphQL endpoints — especially useful for query-depth and complexity limits.
• Cognito User Pools: regional Web ACL protects sign-in / sign-up endpoints from credential stuffing.
• App Runner: regional Web ACL attaches directly.

5. Web ACL Evaluation Order

Rules in a Web ACL are evaluated top-to-bottom by priority (lower number first). Each rule's action is one of Allow, Block, Count, Captcha, Challenge, or no terminating action (for label-only rules). The first terminating action wins:

1. Block / Allow / Captcha / Challenge are terminating — once one fires, evaluation stops.
2. Count is non-terminating — useful for shadow-testing a new rule before flipping it to Block.
3. Default Action applies if no rule terminated — typically Allow for public sites, Block for allowlist-only APIs.

Common ordering pattern:

WebACL:
  DefaultAction: Allow
  Rules:
    - Priority: 10
      Name: AllowOurOffice
      Action: Allow
      Statement: { IPSetReferenceStatement: { ARN: ofc-ipset } }
    - Priority: 20
      Name: BlockKnownBad
      OverrideAction: None
      Statement: { ManagedRuleGroupStatement: { Name: AWSManagedRulesAmazonIpReputationList } }
    - Priority: 30
      Name: RateLimitPerIP
      Action: Block
      Statement:
        RateBasedStatement: { Limit: 2000, AggregateKeyType: IP }
    - Priority: 40
      Name: CommonRuleSet
      OverrideAction: None
      Statement: { ManagedRuleGroupStatement: { Name: AWSManagedRulesCommonRuleSet } }
    - Priority: 50
      Name: BotControl
      OverrideAction: None
      Statement: { ManagedRuleGroupStatement: { Name: AWSManagedRulesBotControlRuleSet } }

6. AWS Firewall Manager

Firewall Manager (a paid AWS Organizations service) is the right tool when you need a single team to enforce baseline WAF / Shield / Network Firewall / Security Group rules across many accounts.

• Policy types: WAF Web ACL, Shield Advanced protection, VPC Security Group baseline, Network Firewall, Route 53 Resolver DNS Firewall, third-party (Palo Alto, Fortinet, Check Point).
• Auto-remediation: creates and re-attaches Web ACLs / Shield protections to new resources matched by tag — engineers can't accidentally launch unprotected ALBs.
• Centralized logging: aggregates WAF logs to a single S3 bucket / Kinesis Firehose for the security team.
• Drift correction: if a member account modifies a managed Web ACL out of band, Firewall Manager reverts the change.

Pricing: ~$100 per protected resource per month for Firewall Manager policies (plus the underlying WAF / Shield / Network Firewall costs). Worth it for security teams managing dozens of accounts; overkill for a single account.