AWS WAF and Shield
AWS WAF (Web Application Firewall) and AWS Shield are critical security services designed to protect applications from web-based threats and DDoS (Distributed Denial of Service) attacks, both essential topics under Domain 1: Threat Detection and Incident Response of the SCS-C02 exam.
**AWS WAF** is a web application firewall that allows you to monitor and control HTTP/HTTPS requests forwarded to protected resources such as Amazon CloudFront, Application Load Balancer (ALB), Amazon API Gateway, and AWS AppSync. It works by defining Web ACLs (Access Control Lists) containing rules that inspect incoming traffic based on conditions such as IP addresses, HTTP headers, URI strings, SQL injection patterns, and cross-site scripting (XSS). Rules can be custom-built or sourced from AWS Managed Rule Groups and AWS Marketplace. WAF supports rate-based rules to detect and mitigate request flooding, and it integrates with AWS Firewall Manager for centralized management across multiple accounts.
**AWS Shield** provides DDoS protection at two tiers:
1. **Shield Standard** – Automatically included at no extra cost for all AWS customers. It protects against common Layer 3 and Layer 4 DDoS attacks such as SYN floods, UDP reflection attacks, and DNS query floods.
2. **Shield Advanced** – A paid service offering enhanced protection for Amazon EC2, Elastic Load Balancing, CloudFront, Global Accelerator, and Route 53. It provides real-time attack visibility, advanced attack mitigation, 24/7 access to the AWS Shield Response Team (SRT, formerly called the DDoS Response Team or DRT), cost protection against DDoS-related scaling charges, and detailed attack diagnostics in the AWS WAF and Shield console.
For incident response, both services integrate with Amazon CloudWatch for monitoring, AWS CloudTrail for audit logging, and Amazon SNS for alerting. WAF logs can be sent to Amazon S3, CloudWatch Logs, or Amazon Kinesis Data Firehose for analysis. Together, AWS WAF and Shield form a layered defense strategy, enabling proactive threat detection, automated mitigation, and rapid incident response against web-layer and volumetric attacks.
AWS WAF and Shield: Comprehensive Guide for AWS Security Specialty Exam
Why AWS WAF and Shield Are Important
In today's cloud landscape, web applications face constant threats from malicious actors, including DDoS attacks, SQL injection, cross-site scripting (XSS), and bot-driven abuse. AWS WAF (Web Application Firewall) and AWS Shield are critical AWS services that provide layered protection against these threats. For the AWS Security Specialty exam, understanding these services is essential because they are the main AWS-native controls for threat detection and incident response at the network and application layers. Questions about these services test your ability to design secure architectures, mitigate attacks in real time, and choose the right protection mechanism for a given scenario.
What Is AWS WAF?
AWS WAF is a web application firewall that lets you monitor and control HTTP/HTTPS requests forwarded to your protected web application resources. It helps protect web applications from common web exploits and bots that may affect availability, compromise security, or consume excessive resources.
Key Features of AWS WAF:
• Web ACLs (Access Control Lists): The primary resource in AWS WAF. A Web ACL contains rules that define the inspection criteria and the action to take (Allow, Block, or Count) when a web request matches the criteria.
• Rules and Rule Groups: Rules define the conditions for inspecting web requests. Rule Groups are reusable collections of rules that can be added to multiple Web ACLs. AWS provides AWS Managed Rule Groups (pre-built by AWS and AWS Marketplace sellers) and you can create Custom Rules.
• Conditions (Match Statements): These include IP set match, string match, regex match, size constraint, geographic match, SQLi (SQL injection) match, XSS match, label match, and rate-based rules.
• Rate-Based Rules: Track the rate of requests per aggregation key, by default the source IP address (the forwarded IP from a header such as X-Forwarded-For, or custom keys such as a header or URI path, can be used instead). The rate is measured over a trailing evaluation window, 5 minutes by default (1, 2, 5, or 10 minutes are selectable); once a key exceeds the configured limit, the rule action is applied to its further requests until the rate drops back below the limit. A scope-down statement narrows the rule to sensitive paths such as login endpoints. This is crucial for mitigating HTTP flood attacks and brute force attempts.
• Supported Resources: AWS WAF can be associated with Amazon CloudFront distributions, Application Load Balancers (ALB), Amazon API Gateway REST APIs, AWS AppSync GraphQL APIs, Amazon Cognito user pools, AWS App Runner services, and AWS Verified Access instances.
• AWS WAF Bot Control: A managed rule group that provides visibility and control over bot traffic, including common bots, verified bots, and targeted bots.
• AWS WAF Fraud Control - Account Takeover Prevention (ATP): Inspects login attempts and detects credential stuffing and brute force attacks.
• AWS WAF Fraud Control - Account Creation Fraud Prevention (ACFP): Monitors account registration pages for fraudulent account creation attempts.
• Logging and Monitoring: AWS WAF logs can be sent to Amazon CloudWatch Logs, Amazon S3, or Amazon Kinesis Data Firehose. Full logging captures every request evaluated by a Web ACL; logging filters can restrict which requests are written (for example, only Block and Count matches) and sensitive fields such as cookies or authorization headers can be redacted from the records.
• AWS Firewall Manager Integration: Allows centralized management of AWS WAF rules across multiple accounts in an AWS Organization.
What Is AWS Shield?
AWS Shield is a managed DDoS (Distributed Denial of Service) protection service. It comes in two tiers:
1. AWS Shield Standard:
• Automatically included for all AWS customers at no additional cost
• Provides protection against most common, frequently occurring network and transport layer (Layer 3/4) DDoS attacks
• Protects resources like Amazon CloudFront, Route 53, and Elastic Load Balancing
• Uses a combination of traffic analysis, flow-based monitoring, and inline mitigation techniques
• Always-on detection and automatic inline mitigation that minimizes application downtime and latency
2. AWS Shield Advanced:
• A paid service ($3,000/month per organization with a 1-year commitment)
• Provides enhanced DDoS protection for Amazon EC2, Elastic Load Balancing, Amazon CloudFront, AWS Global Accelerator, and Route 53 resources
• 24/7 access to the AWS Shield Response Team (SRT) who can help you respond to and mitigate DDoS attacks
• DDoS cost protection: Provides credits for scaling charges resulting from DDoS attacks on protected resources (e.g., EC2 scaling, CloudFront data transfer, ALB scaling)
• Advanced attack visibility: Near real-time notifications via Amazon CloudWatch, detailed diagnostics, and attack forensics through AWS WAF and Shield console
• Health-based detection: Integrates with Route 53 health checks to improve detection accuracy and reduce false positives by detecting attacks based on application health
• Automatic application layer DDoS mitigation: When enabled, Shield Advanced can automatically create, evaluate, and deploy AWS WAF rules to mitigate Layer 7 DDoS attacks
• Protection Groups: Allow you to group your protected resources to get aggregated detection and mitigation
• Waives AWS WAF and AWS Firewall Manager usage fees for resources protected by Shield Advanced (intelligent threat mitigation features such as Bot Control and ATP are still billed separately)
How AWS WAF Works
1. You create a Web ACL and define rules or add managed rule groups.
2. You associate the Web ACL with one or more supported AWS resources (CloudFront, ALB, API Gateway, etc.).
3. When a request arrives at the protected resource, AWS WAF evaluates the request against the rules in the Web ACL in priority order (lowest number evaluated first).
4. Each rule has a defined action: Allow, Block, Count, or CAPTCHA/Challenge.
5. If a request matches a rule, the corresponding action is taken. If no rule matches, the default action of the Web ACL is applied (either Allow or Block).
6. Count mode is used for testing rules before enforcing them — it counts matching requests without blocking them, making it ideal for validating new rules.
7. Rules can also add labels to requests, which subsequent rules in the same Web ACL can reference for more complex logic.
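To make the evaluation order concrete, here is an added Python example, not code from this page or from AWS, that simulates the Web ACL logic described in steps 1 to 7 together with the rate-based rule from the Key Features section: rules are evaluated lowest priority number first, Allow and Block terminate, Count records the hit and continues, a label added by a Count rule is matched by a later rule, and the default action applies when nothing terminates. It assumes a trimmed-down form of the wafv2 rule JSON (IP sets inlined as CIDRs instead of an ARN, label keys compared without the awswaf account/webacl prefix, flat request dicts instead of the httpRequest structure) and the rule names are hypothetical. Nothing in it talks to AWS.

```python
"""Local simulation of how an AWS WAF web ACL evaluates a request.

Added example, not AWS code: rules use a trimmed-down form of the wafv2
rule JSON (Name, Priority, Statement, Action, RuleLabels). Only Allow,
Block and Count actions and a few statement types are modelled;
IPSetReferenceStatement inlines its CIDRs instead of referencing an IP
set ARN, label keys are compared without the awswaf:<account>:webacl:
prefix, and requests are flat dicts (clientIp, uri, time in seconds).
"""
import ipaddress
from collections import defaultdict, deque

WINDOW_SECONDS = 300  # rate-based rules default to a trailing 5-minute window


def _starts(field, value):
    return {"ByteMatchStatement": {"FieldToMatch": field, "SearchString": value,
                                   "PositionalConstraint": "STARTS_WITH"}}


WEB_ACL = {  # constructed web ACL; hypothetical rule names and CIDRs
    "DefaultAction": {"Allow": {}},
    "Rules": [
        {"Name": "block-bad-ips", "Priority": 0, "Action": {"Block": {}},
         "Statement": {"IPSetReferenceStatement": {"Addresses": ["203.0.113.0/24"]}}},
        {"Name": "rate-limit-login", "Priority": 10, "Action": {"Block": {}},
         "Statement": {"RateBasedStatement": {"Limit": 5, "AggregateKeyType": "IP",
                                              "ScopeDownStatement": _starts("uri", "/login")}}},
        {"Name": "count-admin", "Priority": 20, "Action": {"Count": {}},
         "RuleLabels": [{"Name": "app:admin-path"}],
         "Statement": _starts("uri", "/admin")},
        {"Name": "block-admin-outside-office", "Priority": 30, "Action": {"Block": {}},
         "Statement": {"AndStatement": {"Statements": [
             {"LabelMatchStatement": {"Scope": "LABEL", "Key": "app:admin-path"}},
             {"NotStatement": {"Statement": {"IPSetReferenceStatement":
                                             {"Addresses": ["198.51.100.0/24"]}}}}]}}},
    ],
}


class WebAclSimulator:
    def __init__(self, web_acl):
        self.default_action = next(iter(web_acl["DefaultAction"]))
        self.rules = sorted(web_acl["Rules"], key=lambda r: r["Priority"])  # lowest first
        self.rate_hits = defaultdict(deque)  # (rule, ip) -> timestamps seen by that rule

    def evaluate(self, req):
        labels, counted = [], []
        for rule in self.rules:
            if not self._matches(rule["Statement"], req, labels, rule["Name"]):
                continue
            labels.extend(lbl["Name"] for lbl in rule.get("RuleLabels", []))
            action = next(iter(rule["Action"]))
            if action == "Count":  # non-terminating: record the hit and keep evaluating
                counted.append(rule["Name"])
                continue
            return self._result(action, rule["Name"], labels, counted)  # Allow/Block terminate
        return self._result(self.default_action, "Default_Action", labels, counted)

    @staticmethod
    def _result(action, rule, labels, counted):
        return {"action": action, "terminatingRule": rule,
                "labels": labels, "nonTerminatingRules": counted}

    def _matches(self, stmt, req, labels, rule_name):
        kind, body = next(iter(stmt.items()))
        if kind == "IPSetReferenceStatement":
            ip = ipaddress.ip_address(req["clientIp"])
            return any(ip in ipaddress.ip_network(c) for c in body["Addresses"])
        if kind == "ByteMatchStatement":
            value, needle = req[body["FieldToMatch"]], body["SearchString"]
            return {"EXACTLY": value == needle, "STARTS_WITH": value.startswith(needle),
                    "ENDS_WITH": value.endswith(needle),
                    "CONTAINS": needle in value}[body["PositionalConstraint"]]
        if kind == "LabelMatchStatement":  # labels added by earlier (lower number) rules
            return body["Key"] in labels
        if kind == "NotStatement":
            return not self._matches(body["Statement"], req, labels, rule_name)
        if kind in ("AndStatement", "OrStatement"):
            op = all if kind == "AndStatement" else any
            return op(self._matches(s, req, labels, rule_name) for s in body["Statements"])
        if kind == "RateBasedStatement":
            scope = body.get("ScopeDownStatement")
            if scope and not self._matches(scope, req, labels, rule_name):
                return False  # outside the scope-down: neither counted nor limited
            hits = self.rate_hits[(rule_name, req["clientIp"])]
            hits.append(req["time"])
            while req["time"] - hits[0] > WINDOW_SECONDS:  # drop hits outside the window
                hits.popleft()
            return len(hits) > body["Limit"]
        raise ValueError(f"statement type not modelled: {kind}")


def run_demo():
    """Constructed request sequence; returns one evaluation result per request."""
    sim = WebAclSimulator(WEB_ACL)
    requests = [
        {"clientIp": "203.0.113.7", "uri": "/", "time": 0},              # in the blocked IP set
        {"clientIp": "198.51.100.5", "uri": "/admin/users", "time": 1},  # admin path from office
        {"clientIp": "192.0.2.9", "uri": "/admin/users", "time": 2},     # admin path from elsewhere
    ]
    requests += [{"clientIp": "192.0.2.9", "uri": "/login", "time": 10 + i} for i in range(6)]
    requests.append({"clientIp": "192.0.2.9", "uri": "/login", "time": 400})  # window rolled
    return [sim.evaluate(r) for r in requests]


if __name__ == "__main__":
    for r in run_demo():
        print(r["action"], r["terminatingRule"], r["nonTerminatingRules"], r["labels"])
```

Running it shows the first request blocked by the IP set before any later rule is consulted, the office admin request allowed by the default action with count-admin recorded as a non-terminating match, the non-office admin request blocked by the label-matching rule, the sixth /login request in the window blocked by the rate-based rule while the first five pass, and the same IP allowed again once its earlier hits have aged out of the window. That last case is why a Count-mode pass over real traffic matters before enforcing a rate limit: the threshold and window together decide how much legitimate burst is tolerated.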
How AWS Shield Works
1. Shield Standard operates automatically and transparently. AWS monitors network traffic patterns and applies mitigation techniques when anomalous traffic is detected at Layers 3 and 4.
2. Shield Advanced provides additional detection mechanisms using traffic baselines specific to your application. It analyzes traffic patterns over time to establish what is normal for your application.
3. When an attack is detected, Shield Advanced provides CloudWatch metrics and notifications. You can view attack details in the Shield console.
4. For Layer 7 (application layer) attacks, Shield Advanced works with AWS WAF. You can enable automatic application layer DDoS mitigation, which allows Shield Advanced to automatically create WAF rules to block attack traffic.
5. The Shield Response Team (SRT) can be engaged proactively or reactively. They can directly manage your WAF rules during an active attack (you must grant them the necessary IAM permissions via an IAM role).
6. Health-based detection uses Route 53 health checks to determine when your application is unhealthy, enabling faster and more accurate DDoS detection with lower thresholds for triggering mitigation.
Architecture Best Practices
• Place CloudFront in front of your application to absorb DDoS attacks at the edge and benefit from AWS Shield Standard protection globally.
• Use AWS WAF with CloudFront or ALB to filter malicious application-layer traffic before it reaches your origin.
• Enable Shield Advanced on internet-facing resources (EC2 Elastic IPs, ALBs, CloudFront distributions, Route 53 hosted zones, Global Accelerator accelerators) for enhanced DDoS protection.
• Use AWS Firewall Manager to centrally manage WAF rules and Shield Advanced protections across all accounts in your organization.
• Configure Rate-based rules in AWS WAF to automatically block IPs that exceed request thresholds.
• Enable AWS WAF logging and analyze logs with Amazon Athena, Amazon OpenSearch Service, or third-party SIEM tools for threat intelligence.
• Use AWS Managed Rules as a baseline and supplement with custom rules specific to your application.
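As an added example of the log analysis recommended above (not code from this page or from AWS), the following Python script parses newline-delimited AWS WAF full log records and produces the triage view a responder wants first: blocks by terminating rule and client IP, which IPs a rate-based rule has limited, and what rules still in Count mode would have blocked. The log lines are constructed for the example; they follow the field layout of real WAF records (action, terminatingRuleId, terminatingRuleType, httpRequest, nonTerminatingMatchingRules, rateBasedRuleList, labels) but the IPs, rule names and URIs are made up, and one line is deliberately truncated to show that a partial delivery chunk is skipped rather than aborting the run. The same grouping is what you would express as an Athena query over the S3 log bucket.

```python
"""Summarise AWS WAF full logs for incident triage.

Added example, not AWS code. SAMPLE_LOG is constructed: it mirrors the
shape of real WAF log records (one JSON object per line) but every IP,
rule name and URI is invented, and the last line is deliberately cut off.
"""
import json
from collections import Counter

SAMPLE_LOG = """
{"timestamp":1700000000000,"formatVersion":1,"terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","httpSourceName":"CF","httpRequest":{"clientIp":"198.51.100.5","country":"DE","uri":"/admin/users","args":"","httpMethod":"GET"},"nonTerminatingMatchingRules":[{"ruleId":"count-admin","action":"COUNT"}],"rateBasedRuleList":[],"labels":[{"name":"awswaf:123456789012:webacl:demo:app:admin-path"}]}
{"timestamp":1700000001000,"formatVersion":1,"terminatingRuleId":"AWS-AWSManagedRulesSQLiRuleSet","terminatingRuleType":"MANAGED_RULE_GROUP","action":"BLOCK","httpSourceName":"CF","httpRequest":{"clientIp":"192.0.2.9","country":"US","uri":"/search","args":"q=1%27%20OR%201%3D1--","httpMethod":"GET"},"nonTerminatingMatchingRules":[],"rateBasedRuleList":[],"labels":[{"name":"awswaf:managed:aws:sql-database:SQLi_QueryArguments"}]}
{"timestamp":1700000002000,"formatVersion":1,"terminatingRuleId":"rate-limit-login","terminatingRuleType":"RATE_BASED","action":"BLOCK","httpSourceName":"CF","httpRequest":{"clientIp":"192.0.2.9","country":"US","uri":"/login","args":"","httpMethod":"POST"},"nonTerminatingMatchingRules":[],"rateBasedRuleList":[{"rateBasedRuleId":"rate-limit-login","limitKey":"IP","maxRateAllowed":100}],"labels":[]}
{"timestamp":1700000003000,"formatVersion":1,"terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","httpSourceName":"CF","httpRequest":{"clientIp":"203.0.113.4","country":"FR","uri":"/","args":"","httpMethod":"GET"},"nonTerminatingMatchingRules":[{"ruleId":"AWS-AWSManagedRulesCommonRuleSet","action":"COUNT"}],"rateBasedRuleList":[],"labels":[]}
{"timestamp":1700000004000,"formatVersion":1,"terminatingRuleId":"block-bad-ips","terminatingRuleType":"REGULAR","action":"BLOCK","httpSourceName":"CF","httpRequest":{"clientIp":"203.0.113.7","country":"RU","uri":"/","args":"","httpMethod":"GET"},"nonTerminatingMatchingRules":[],"rateBasedRuleList":[],"labels":[]}
{"timestamp":1700000005000,"action":"BLOCK","httpRequest":{"clientIp":"203.0.113.7"
"""


def parse_waf_log(text):
    """Parse newline-delimited JSON records; returns (records, skipped_line_count)."""
    records, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:  # truncated delivery chunk: skip, do not abort
            skipped += 1
    return records, skipped


def summarize(records):
    """Group records the way a first-pass triage needs them."""
    blocked = [r for r in records if r.get("action") == "BLOCK"]
    by_action = Counter(r.get("action") for r in records)
    blocked_ips = Counter(r["httpRequest"]["clientIp"] for r in blocked)
    blocking_rules = Counter((r.get("terminatingRuleType"), r.get("terminatingRuleId"))
                             for r in blocked)
    # Rules still in Count mode: this is what they would have blocked if enforced.
    count_hits = Counter(m["ruleId"] for r in records
                         for m in r.get("nonTerminatingMatchingRules", [])
                         if m.get("action") == "COUNT")
    # Any non-empty rateBasedRuleList means a rate-based rule acted on this client.
    rate_limited = {r["httpRequest"]["clientIp"] for r in records if r.get("rateBasedRuleList")}
    return {
        "total": len(records),
        "byAction": dict(by_action),
        "topBlockedIps": blocked_ips.most_common(5),
        "blockingRules": dict(blocking_rules),
        "countModeHits": dict(count_hits),
        "rateLimitedIps": rate_limited,
    }


def run_demo():
    records, skipped = parse_waf_log(SAMPLE_LOG)
    summary = summarize(records)
    summary["skipped"] = skipped
    return summary


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On the constructed input the summary reports three blocks and two allows, 192.0.2.9 as the top blocked client (one SQLi block from the managed rule group and one rate-based block), the two Count-mode matches that would become blocks if those rules were switched to Block, and one skipped line. In production the same code would run over records pulled from the aws-waf-logs- bucket or log group; the countModeHits view is the evidence to review before promoting a rule out of Count.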
Key Differences Between WAF and Shield
• AWS WAF operates at Layer 7 (Application Layer) — it inspects HTTP/HTTPS request content, headers, query strings, body, etc.
• AWS Shield operates primarily at Layers 3 and 4 (Network and Transport Layers) — it protects against volumetric, state-exhaustion, and protocol attacks. Shield Advanced also provides Layer 7 protections through integration with AWS WAF.
• WAF is about filtering and inspecting web traffic; Shield is about absorbing and mitigating DDoS attacks.
• They are complementary services and are often used together.
Integration with Other AWS Services
• Amazon CloudWatch: Both WAF and Shield Advanced emit CloudWatch metrics for monitoring. Shield Advanced provides DDoS attack metrics.
• AWS CloudTrail: API calls to WAF and Shield are logged in CloudTrail for auditing.
• AWS Firewall Manager: Centralized management of WAF rules and Shield Advanced across an AWS Organization. Firewall Manager requires AWS Organizations with all features enabled and AWS Config enabled in all accounts.
• Amazon S3 / Kinesis Data Firehose / CloudWatch Logs: Destinations for WAF logging.
• AWS Config: Rules can check whether WAF is associated with required resources.
• Amazon Route 53: Health checks integrate with Shield Advanced for health-based detection.
• AWS Security Hub: The AWS Foundational Security Best Practices standard includes controls that check WAF configuration (for example, that Web ACLs have logging enabled and contain at least one rule), so WAF misconfigurations surface as Security Hub findings alongside other security data.
Common Attack Scenarios and Mitigations
• SQL Injection / XSS: Use AWS WAF SQLi and XSS match conditions, or use the AWS Managed Rules - Core Rule Set (CRS) and SQL Database rule group.
• HTTP Flood (Layer 7 DDoS): Use rate-based rules in AWS WAF. Enable Shield Advanced automatic application layer mitigation.
• Volumetric DDoS (Layer 3/4): Shield Standard provides automatic protection. Shield Advanced provides enhanced detection and SRT support.
• Bot Abuse: Use AWS WAF Bot Control managed rule group.
• Geographic Restriction: Use AWS WAF geographic match to block or allow traffic from specific countries.
• IP Reputation: Use the Amazon IP Reputation List managed rule group to block known malicious IPs.
• Credential Stuffing: Use AWS WAF Account Takeover Prevention (ATP).
Exam Tips: Answering Questions on AWS WAF and Shield
1. Know Which Tier Does What: If a question asks about DDoS protection that is automatically provided at no cost, the answer is Shield Standard. If the question mentions DDoS cost protection, SRT access, advanced metrics, or protection for EC2 instances, the answer is Shield Advanced.
2. Understand Resource Associations: AWS WAF can be attached to CloudFront, ALB, API Gateway, AppSync, Cognito, App Runner, and Verified Access. It cannot be directly attached to EC2 instances or Network Load Balancers (NLBs). If a question mentions protecting an NLB or EC2 directly with WAF, that is incorrect.
3. Shield Advanced Protects Specific Resource Types: EC2 (via Elastic IP), ELB, CloudFront, Global Accelerator, and Route 53. Remember that Shield Advanced on EC2 requires an Elastic IP address.
4. Rate-Based Rules for HTTP Floods: When a question describes high volumes of requests from specific IPs or HTTP floods, the answer typically involves rate-based rules in AWS WAF, not Shield alone.
5. SRT Requires IAM Permissions: If asked how the Shield Response Team can assist during an attack, remember they need an IAM role with proper permissions granted via the Shield Advanced console. They can create and manage WAF rules on your behalf.
6. DDoS Cost Protection: Shield Advanced provides cost protection (service credits) for scaling charges caused by DDoS attacks. This only applies to resources protected by Shield Advanced. If a question asks about avoiding unexpected charges during a DDoS attack, Shield Advanced cost protection is the answer.
7. Firewall Manager for Multi-Account: Any question about managing WAF rules across multiple accounts or an AWS Organization should lead you to AWS Firewall Manager. Remember it requires AWS Organizations with all features enabled and AWS Config enabled.
8. Count Mode for Testing: When deploying new WAF rules, use Count action first to test and verify the rules won't inadvertently block legitimate traffic. This is a common best practice tested in exams.
9. Logging Destinations: AWS WAF logs go to S3, CloudWatch Logs, or Kinesis Data Firehose. The destination name (bucket, log group, or delivery stream) must begin with aws-waf-logs-. Destinations must be in the same Region as the Web ACL; a CloudFront Web ACL is global and managed from us-east-1, so its CloudWatch Logs or Firehose destination is created there.
10. Health-Based Detection: Shield Advanced with Route 53 health checks enables health-based detection, which provides faster and more accurate DDoS detection. If a question mentions reducing false positives or improving detection sensitivity, this is the answer.
11. Automatic Application Layer Mitigation: Shield Advanced can automatically create WAF rules to mitigate Layer 7 DDoS attacks. This feature requires a Web ACL to be associated with the protected resource and a rate-based rule in the Web ACL.
12. CloudFront + WAF for Global Protection: For scenarios requiring global edge protection against web application attacks, the answer is typically CloudFront with AWS WAF. CloudFront provides geographic distribution and Shield Standard protection at the edge.
13. Managed Rules vs. Custom Rules: AWS Managed Rules provide quick baseline protection (e.g., OWASP Top 10). Custom rules are needed for application-specific logic. The exam may test when to use each.
14. CAPTCHA and Challenge Actions: AWS WAF supports CAPTCHA and Challenge actions to verify human users. These are useful for bot mitigation scenarios.
15. Rule Priority Matters: Rules in a Web ACL are evaluated in order of priority (lowest numeric value first). Once a request matches a rule with a terminating action (Allow or Block), evaluation stops. Count is non-terminating, so evaluation continues, and any labels the matching rule adds remain available to later rules. CAPTCHA and Challenge terminate only when the request lacks a valid token; a request carrying a valid token passes through the rule and evaluation continues.
16. Distinguish Between WAF, Shield, Network Firewall, and Security Groups: The exam may present options mixing these services. Remember: WAF = Layer 7 HTTP filtering, Shield = DDoS protection, Network Firewall = VPC-level stateful/stateless packet inspection, Security Groups = instance-level stateful firewall, NACLs = subnet-level stateless filtering.
17. Shield Advanced Subscription Scope: The $3,000/month fee is charged once for all accounts under the same AWS Organizations consolidated billing family, not per account. Each account still has to subscribe to Shield Advanced; AWS Firewall Manager can apply a Shield Advanced policy across the organization so that member accounts are subscribed and their resources protected consistently.
18. Proactive Engagement: Shield Advanced offers proactive engagement where the SRT contacts you during detected events. This requires configuring contact information and Route 53 health checks in the Shield Advanced console.
By understanding these core concepts and exam tips, you will be well-prepared to answer questions about AWS WAF and Shield on the AWS Security Specialty exam. Focus on understanding the why behind each service choice, the architectural patterns they support, and the specific scenarios where one solution is preferred over another.