L8. AWS WAF, Shield & DDoS Protection
Video generating
Check back soon for the video lesson on AWS WAF, Shield & DDoS Protection
Layer 7 protection with WAF, always-on layer 3/4 protection with Shield Standard, white-glove DDoS response with Shield Advanced, and org-wide enforcement with Firewall Manager.
Layer 7 Protection: AWS WAF
AWS WAF is a web application firewall that sits in front of CloudFront, Application Load Balancer, API Gateway, AppSync, and Cognito user pools, inspecting the content of HTTP requests rather than just the packet headers. That makes it the right tool for layer 7 (application-layer) attacks such as SQL injection and cross-site scripting, where the malicious payload is embedded in the request body, query string, or headers.
WAF protection is built from rule groups: AWS Managed Rules (curated by AWS for common threats like the OWASP Top 10), AWS Marketplace rule groups (from third-party vendors), and custom rules you write yourself for application-specific logic. A web ACL combines one or more rule groups and is attached to the resource you want to protect.
One especially exam-relevant rule type is the rate-based rule, which counts requests from each source IP over a rolling time window and automatically blocks any IP that crosses a configured threshold. This is a fast, low-effort way to blunt application-layer brute-force attempts or unsophisticated DDoS traffic without writing custom detection logic.
Layer 3/4 Protection: AWS Shield
Shield Standard is automatic and free for every AWS customer, no opt-in required. It defends against common network- and transport-layer (layer 3/4) DDoS techniques such as SYN floods and UDP reflection attacks, the kind of volumetric attacks that try to exhaust bandwidth or connection state rather than exploit application logic. Shield Advanced is a paid tier layered on top. It adds enhanced detection tuned for larger and more sophisticated attacks, 24/7 access to the AWS DDoS Response Team (DRT) for hands-on incident support during an active attack, and cost protection that credits back the scaling charges (extra EC2, ELB, or CloudFront usage) incurred while absorbing a DDoS event.Enforcing Protection Across an Organization
Individual account owners might forget to attach a web ACL, or worse, might deliberately remove one to "fix" a false positive. AWS Firewall Manager solves this at the organization level: a designated administrator defines WAF rule sets and Shield Advanced protections once and centrally deploys and enforces them across every account and every in-scope resource in the AWS Organization. Member accounts cannot opt out of a required baseline policy, which is exactly the guarantee compliance-driven environments need.
| Service | Layer | Cost | Key use case |
|---|---|---|---|
| AWS WAF | 7 (application) | Pay per rule/request | SQL injection, XSS, rate limiting |
| Shield Standard | 3/4 (network/transport) | Free, automatic | SYN floods, UDP reflection |
| Shield Advanced | 3/4, enhanced | Paid subscription | Large attacks, DRT support, cost protection |
| Firewall Manager | Org-wide enforcement | Included | Mandatory WAF/Shield policy across accounts |
- ✓AWS WAF protects CloudFront, ALB, API Gateway, AppSync, and Cognito against layer 7 attacks like SQL injection and XSS using managed or custom rule groups
- ✓WAF rate-based rules block source IPs that exceed a configured request threshold over a rolling time window
- ✓Shield Standard is free and automatic for every AWS customer, covering common layer 3/4 DDoS attacks
- ✓Shield Advanced adds enhanced detection, 24/7 DDoS Response Team access, and cost protection that credits back scaling charges incurred during an attack
- ✓AWS Firewall Manager centrally deploys and enforces WAF rules and Shield Advanced protections across every account and resource in an Organization, preventing individual accounts from opting out
1. An application is being hit with a surge of SQL injection attempts through its public API. Which service should be configured to stop this?
2. What does AWS Shield Advanced provide that Shield Standard does not?
3. A company with 40 AWS accounts wants to guarantee that a baseline set of WAF rules is applied to every internet-facing ALB across the whole organization, without relying on each account team to configure it themselves. What should they use?
Recommended: Pluralsight
This free course covers the theory. Pluralsight adds structured SCS-C02 learning paths, hands-on AWS security labs, and timed practice exams to make it stick before exam day.