SAA-C03 · Chapter 10 of 189 · Objective 1.3

AWS WAF and Shield

This chapter covers AWS WAF and AWS Shield — the two primary services for securing web applications against common exploits and distributed denial-of-service (DDoS) attacks. For the SAA-C03 exam, these services appear in roughly 5-8% of questions, often in the context of designing secure architectures and implementing defense-in-depth. You must understand their distinct roles, how they integrate with Amazon CloudFront, Application Load Balancer (ALB), API Gateway, and AWS AppSync, and how to choose between them for specific threats.

25 min read
Intermediate
Updated May 31, 2026

Moat, Guards, and Bouncers

Imagine a medieval castle is your web application. The castle has a moat (AWS Shield) that absorbs massive attacks like catapults and battering rams (DDoS). The moat handles large-scale threats automatically. Inside the castle, at the gate, there are bouncers (AWS WAF) who check each visitor against a list: they block known criminals (IP blacklists), allow VIPs (IP whitelists), and inspect what each visitor is carrying—no weapons allowed (SQL injection), no forged invitations (XSS). The bouncers can also rate-limit guests from the same region if they crowd the gate. Both the moat and bouncers work together: the moat stops the army, the bouncers handle individual troublemakers. Without the moat, the bouncers would be overwhelmed; without the bouncers, the moat can't block a single assassin with a poisoned dagger. AWS Shield is the moat, AWS WAF is the bouncer.

How It Actually Works

What is AWS WAF?

AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. It gives you control over which traffic to allow or block to your web applications by defining customizable web security rules.

What is AWS Shield?

AWS Shield is a managed DDoS protection service that safeguards applications running on AWS. It provides always-on detection and automatic inline mitigations that minimize application downtime and latency. There are two tiers: AWS Shield Standard (free, included with all AWS services) and AWS Shield Advanced (paid, $3,000/month plus data transfer fees).

How AWS WAF Works

AWS WAF operates at the application layer (Layer 7) of the OSI model. It inspects HTTP/HTTPS requests and matches them against rules you define. Each rule contains a statement that defines the inspection criteria and an action to take (Allow, Block, or Count). Rules are grouped into rule groups, which are then associated with a Web ACL (Access Control List). The Web ACL is attached to a resource — CloudFront distribution, ALB, API Gateway, or AppSync GraphQL API.

Key components:

- Web ACL: The main configuration object. You define rules (or rule groups) and a default action (Allow or Block) for requests that don't match any rule.
- Rules: Each rule has a name, a statement (the condition to match), and an action. Statements can be simple (e.g., match an IP address) or complex (e.g., inspect a SQL query string for injection patterns).
- Rule groups: A reusable set of rules. AWS provides managed rule groups (e.g., AWS Managed Rules for SQL injection, XSS, etc.) that are updated automatically. You can also create your own rule groups.
- Conditions (deprecated but still referenced): Older terminology for match criteria, now replaced by rule statements.

Default limits:

- Maximum number of Web ACLs per account per Region: 100 (soft limit, can be increased)
- Maximum number of rules per Web ACL: 100 (soft limit)
- Maximum number of IP addresses per IP set: 10,000 (for IPv4) and 10,000 (for IPv6)
- Maximum size of a request body that can be inspected: 8 KB (for AWS WAF Classic) or 64 KB (for AWS WAF v2)

Rule types:

- IP set: Match requests based on source IP address or CIDR range.
- String match: Match a specific string in a request component (e.g., header, query string).
- Regex pattern set: Match against a regular expression.
- Size constraint: Check the length of a request component.
- SQL injection match: Detect SQL injection patterns.
- Cross-site scripting (XSS) match: Detect XSS patterns.
- Rate-based rule: Count requests from a single IP address; if the rate exceeds a threshold (up to 20,000 requests per 5-minute window), block additional requests.
- Geographic match: Allow or block requests based on country of origin.

How a request is processed:

1. The request arrives at the protected resource (e.g., CloudFront).
2. The Web ACL evaluates the request against its rules in priority order (lowest priority number first).
3. The first matching rule whose action is Allow or Block determines the outcome. A matching Count rule records the match and evaluation continues. If no rule terminates evaluation, the default action is applied.
4. If the outcome is Allow, the request is forwarded to the origin. If it is Block, a 403 Forbidden response is returned. Count only increments a metric and never blocks (useful for testing).

How AWS Shield Works

AWS Shield Standard is automatically enabled for all AWS customers at no additional cost. It protects against common, infrastructure-layer DDoS attacks (Layer 3/4) like UDP floods, SYN floods, and reflection attacks. It uses deterministic packet filtering and rate limiting at the AWS edge.

AWS Shield Advanced provides enhanced protection for your applications running on EC2, ELB, CloudFront, Global Accelerator, and Route 53. It includes:

- Enhanced DDoS detection: Uses dedicated monitoring and machine learning to detect attacks with higher accuracy.
- Attack mitigation: Provides automatic mitigations for sophisticated attacks, including application-layer attacks.
- DDoS cost protection: If your AWS bill increases due to a DDoS attack (e.g., increased data transfer for a CloudFront distribution), you can request a credit.
- 24/7 access to the DDoS Response Team (DRT): You can engage the DRT during an attack.
- Real-time visibility: CloudWatch metrics and the AWS Shield Advanced dashboard show attack traffic.

Shield Advanced protections:

- Layer 3/4 attacks: Same as Standard but with higher capacity and additional mitigations.
- Layer 7 attacks: Works with AWS WAF to block application-layer DDoS attacks. Shield Advanced provides a Web ACL that automatically includes rules to block common DDoS patterns (e.g., HTTP floods).
- Proactive engagement: You can configure Shield Advanced to automatically engage the DRT when certain conditions are met.

Integration with Other Services

CloudFront: Both WAF and Shield can be associated with a CloudFront distribution. WAF Web ACL is attached at the distribution level, so rules are applied at AWS edge locations before traffic reaches the origin. Shield Advanced protects the distribution from DDoS.

ALB: WAF Web ACL can be associated with an ALB. Shield Advanced can protect the ALB from DDoS.

API Gateway: WAF can be associated with an API Gateway REST API or HTTP API. Shield Advanced can protect the API Gateway endpoint.

AppSync: WAF can be associated with an AppSync GraphQL API.

Route 53: Shield Advanced provides DDoS protection for DNS queries (cost included in the $3,000/month fee).

Pricing

AWS WAF: Pay per Web ACL ($5/month), per rule ($1/month), and per million requests ($0.60/million for HTTP, $0.90/million for HTTPS). Managed rule groups incur additional costs.

AWS Shield Standard: Free.

AWS Shield Advanced: $3,000/month per organization (not per resource). Plus data transfer costs for protected resources (e.g., $0.025/GB for CloudFront).

Key Differences

WAF vs Shield: WAF is for application-layer (Layer 7) attacks like SQL injection and XSS. Shield is for DDoS attacks at Layers 3-7. Shield Advanced includes WAF capabilities but is much more expensive.

Shield Standard vs Advanced: Standard is free and protects against Layer 3/4 attacks. Advanced adds Layer 7 protection, cost protection, and access to the DRT.

Using AWS WAF and Shield Together

For comprehensive protection, you should use both services. Shield Standard/Advanced handles volumetric DDoS attacks, while WAF handles application-level exploits. The typical deployment is:

1. Place CloudFront in front of your application (or ALB).
2. Attach a WAF Web ACL to the CloudFront distribution with rules for SQL injection, XSS, and rate limiting.
3. Subscribe to Shield Advanced for additional DDoS protection and cost protection.

Commands and Configuration

Creating a WAF Web ACL using AWS CLI:

aws wafv2 create-web-acl \
    --name MyWebACL \
    --scope CLOUDFRONT \
    --default-action Allow={} \
    --rules file://rules.json \
    --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=MyWebACL

Associating a Web ACL with a resource. The associate-web-acl call is for regional resources (ALB, API Gateway, AppSync), which is why the Web ACL ARN carries regional/webacl; a CloudFront distribution is associated instead by setting WebACLId to the Web ACL ARN in the distribution configuration (aws cloudfront update-distribution). Example for an ALB (account ID and ARNs are placeholders):

aws wafv2 associate-web-acl \
    --web-acl-arn arn:aws:wafv2:us-east-1:123456789012:regional/webacl/MyWebACL/abc123 \
    --resource-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/50dc6c495c0c9188

Enabling Shield Advanced protection for a resource (requires an active Shield Advanced subscription, created with aws shield create-subscription):

aws shield create-protection \
    --name MyProtection \
    --resource-arn arn:aws:cloudfront::123456789012:distribution/E1A2B3C4D5E6F7

Verification

CloudWatch metrics for WAF: AllowedRequests, BlockedRequests, CountedRequests.

Shield Advanced dashboard: shows attack events, top contributors, and mitigation status.

Test with a tool like curl to verify blocking rules.

Common Pitfalls

Not setting a default action: If you create a Web ACL with no rules, the default action applies. Ensure it's either Allow or Block as intended.

Overly permissive rules: A common mistake is allowing all traffic from a trusted IP set but forgetting to block other traffic.

Rate-based rule threshold too high: If set too high, it may not mitigate a slow-rate DDoS.

Not using managed rule groups: AWS Managed Rules are updated automatically and cover common threats. Not using them leaves you vulnerable to known exploits.

Associating WAF with an ALB but not CloudFront: For global applications, WAF should be at the edge (CloudFront) to block traffic before it reaches the origin.

Walk-Through

1. Create Web ACL

Use the AWS WAF console, CLI, or SDK to create a Web ACL. Specify the scope: CLOUDFRONT for CloudFront distributions, REGIONAL for ALB, API Gateway, or AppSync. Define a default action (Allow or Block) for requests that don't match any rule. The Web ACL is the container for all rules.

2. Add Rules

Add rules to the Web ACL. You can add individual rules (e.g., IP set, string match) or rule groups (e.g., AWS Managed Rules). Each rule has a priority (order of evaluation). Rules are evaluated starting from the lowest priority number. The first rule that matches determines the action. If no rule matches, the default action is taken.

3. Associate with Resource

Associate the Web ACL with a resource: CloudFront distribution, ALB, API Gateway, or AppSync API. The association is done via the resource's ARN. Once associated, all incoming requests to that resource are inspected by the Web ACL. For CloudFront, the association is at the distribution level, so rules apply at edge locations.

4. Enable Shield Advanced

If using Shield Advanced, enable protection for the resource. This is done via the Shield console or CLI. Shield Advanced provides enhanced DDoS mitigation and cost protection. You can also configure proactive engagement with the DRT. For CloudFront, Shield Advanced protects the distribution and can automatically apply WAF rules for DDoS.

5. Monitor and Tune

Monitor metrics like AllowedRequests, BlockedRequests, and CountedRequests in CloudWatch. Use the Shield Advanced dashboard to view attack events. Adjust rules as needed. For example, if you see false positives, update rules to be more permissive. Use the Count action for testing before switching to Block.

What This Looks Like on the Job

Scenario 1: E-commerce website under SQL injection attack

A retail company running a web application on EC2 behind an ALB noticed a spike in database errors. Security logs showed SQL injection attempts in the query string. The solution: deploy AWS WAF with the AWS Managed Rules for SQL injection. The Web ACL was associated with the ALB. Within minutes, malicious requests were blocked, and the application stabilized. The team also added rate-based rules to limit requests per IP to 1000 per 5 minutes to prevent brute force attacks. They used the Count action initially to verify no legitimate traffic was blocked. After a week, they switched to Block. The total cost was ~$5/month for the Web ACL plus request fees.

Scenario 2: Global media site hit by DDoS

A streaming service experienced a massive UDP flood targeting its CloudFront distribution. AWS Shield Standard mitigated the layer 3/4 attack automatically, but the application still suffered from a layer 7 HTTP flood. The company subscribed to Shield Advanced ($3,000/month) and enabled the DDoS protection Web ACL, which includes rate limiting and IP reputation lists. Shield Advanced's cost protection meant they could request a credit for the increased data transfer costs during the attack. They also engaged the DRT for assistance. The attack was mitigated within minutes.

Scenario 3: Financial API with strict IP whitelist

A bank exposes an API via API Gateway for partner integrations. They must only allow traffic from known partner IP ranges. They created an IP set with the partner CIDRs and a Web ACL with a single rule that allows traffic from that IP set and blocks all others (default action Block). They also added AWS Managed Rules for XSS and SQL injection as an extra layer. The Web ACL is associated with the API Gateway. Misconfiguration: initially, they forgot to set the default action to Block, so traffic from non-partner IPs was allowed. After correcting this, they verified using CloudWatch metrics that only allowed traffic was reaching the API.

How SAA-C03 Actually Tests This

What SAA-C03 tests (Objective 1.3 Secure Architectures):

- Knowledge of when to use AWS WAF vs AWS Shield.
- Understanding of how WAF integrates with CloudFront, ALB, API Gateway, and AppSync.
- Ability to choose between Shield Standard and Shield Advanced.
- Understanding of WAF rule types and actions (Allow, Block, Count).
- How rate-based rules work and their default window (5 minutes).
- That Shield Standard is free and automatically enabled.
- That Shield Advanced costs $3,000/month and includes DDoS cost protection.

Common wrong answers and why:

1. "Use AWS WAF to block DDoS attacks" — This is wrong because WAF is for application-layer exploits, not volumetric DDoS. DDoS is handled by Shield.
2. "Shield Standard protects against Layer 7 attacks" — Wrong. Shield Standard only protects Layers 3 and 4. Layer 7 requires Shield Advanced or WAF.
3. "WAF can be associated with any AWS resource" — Wrong. WAF only supports CloudFront, ALB, API Gateway, and AppSync. Not EC2 directly.
4. "Rate-based rules count requests per second" — Wrong. The default window is 5 minutes (300 seconds). The threshold is requests per 5 minutes.

Specific numbers and terms on the exam:

- Shield Advanced cost: $3,000/month.
- WAF request body inspection limit: 8 KB (Classic) or 64 KB (v2).
- Maximum IPs per IP set: 10,000.
- Rate-based rule threshold: up to 20,000 requests per 5-minute window.
- Default action for Web ACL: Allow or Block.

Edge cases:

- If you need to block IPs from a specific country, use geographic match rules in WAF.
- If you need to protect a non-HTTP service (e.g., custom TCP), WAF cannot help; use Shield or Network Firewall.
- WAF rules are evaluated in order of priority; if two rules match, the first one wins.
- The Count action is useful for testing; it increments a metric but does not block.

Eliminating wrong answers:

- If the question mentions SQL injection or XSS, the answer involves WAF.
- If the question mentions DDoS, the answer involves Shield.
- If the question mentions cost protection or DRT, the answer is Shield Advanced.
- If the question mentions rate limiting, the answer is a WAF rate-based rule.

Key Takeaways

AWS WAF protects against application-layer attacks (SQL injection, XSS) at Layer 7.

AWS Shield Standard provides free Layer 3/4 DDoS protection automatically.

AWS Shield Advanced costs $3,000/month and adds Layer 7 protection, cost protection, and DRT access.

WAF can be associated with CloudFront, ALB, API Gateway, and AppSync only.

Rate-based rules use a 5-minute window; max threshold is 20,000 requests.

WAF rules are evaluated in priority order; first match determines action.

Use the Count action for testing before switching to Block.

Shield Advanced provides DDoS cost protection against bill spikes.

WAF Web ACL default action is either Allow or Block.

Managed rule groups in WAF are updated automatically by AWS.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

AWS WAF

Layer 7 (application) protection

Blocks SQL injection, XSS, etc.

Customizable rules and rule groups

Cost per Web ACL and per request

Integrates with CloudFront, ALB, API Gateway, AppSync

AWS Shield

Layers 3-7 DDoS protection (Standard: 3-4 only)

Mitigates volumetric DDoS attacks

Standard is automatic; Advanced adds features

Standard free; Advanced $3,000/month

Protects resources globally (CloudFront, Route 53, etc.)

Watch Out for These

Mistake

AWS WAF can protect any AWS resource.

Correct

AWS WAF only supports CloudFront distributions, Application Load Balancers, Amazon API Gateway APIs, and AWS AppSync GraphQL APIs. It cannot be directly associated with EC2 instances, Network Load Balancers, or other services.

Mistake

AWS Shield Standard protects against application-layer DDoS attacks.

Correct

AWS Shield Standard only protects against infrastructure-layer attacks (Layers 3 and 4) such as UDP floods and SYN floods. For application-layer (Layer 7) DDoS, you need Shield Advanced or AWS WAF.

Mistake

Rate-based rules in WAF count requests per second.

Correct

Rate-based rules count requests from a single IP over a 5-minute rolling window. The threshold is the maximum number of requests allowed in that window. The default window cannot be changed.

Mistake

AWS Shield Advanced is free for all AWS customers.

Correct

Shield Standard is free. Shield Advanced costs $3,000 per month per organization, plus additional data transfer fees for protected resources.

Mistake

You must use AWS WAF and Shield together for any protection.

Correct

Shield Standard is automatically enabled and provides basic DDoS protection without WAF. WAF can be used independently for application-layer threats. They are complementary but not mandatory together.


Frequently Asked Questions

Can AWS WAF block DDoS attacks?

AWS WAF is primarily for application-layer attacks, not volumetric DDoS. While rate-based rules can mitigate slow-rate DDoS, for large-scale DDoS you should use AWS Shield. Shield Advanced includes WAF capabilities for Layer 7 DDoS. So, WAF alone is not sufficient for most DDoS scenarios.

What is the difference between AWS Shield Standard and Advanced?

Shield Standard is free and automatically protects all AWS customers from common Layer 3/4 DDoS attacks. Shield Advanced costs $3,000/month and provides enhanced protection for Layers 3-7, including application-layer mitigation via WAF, cost protection against bill spikes, and 24/7 access to the DDoS Response Team.

How do I associate AWS WAF with an Application Load Balancer?

You create a Web ACL in the WAF console (scope REGIONAL) and then associate it with the ALB's ARN. This can be done via the AWS CLI: `aws wafv2 associate-web-acl --web-acl-arn <arn> --resource-arn <alb-arn>`. Once associated, all traffic to the ALB is filtered through the Web ACL.

What are AWS Managed Rules in WAF?

AWS Managed Rules are pre-configured rule groups that provide protection against common threats like SQL injection, XSS, and known bad IPs. They are updated automatically by AWS and can be added to your Web ACL with a single click. They reduce the burden of maintaining custom rules.

Can I use AWS WAF with an EC2 instance directly?

No, AWS WAF cannot be directly associated with an EC2 instance. You must place a supported resource in front of the EC2 instance, such as an Application Load Balancer or CloudFront distribution, and then associate the WAF Web ACL with that resource.

What is the default action of a Web ACL?

The default action is set when you create the Web ACL. It can be either Allow or Block. If no rule matches a request, the default action is applied. It is important to set this correctly; for example, if you only want to allow specific traffic, set the default action to Block.

How does a rate-based rule work in AWS WAF?

A rate-based rule counts requests from a single IP address over a 5-minute rolling window. If the count exceeds the threshold you set (up to 20,000), subsequent requests from that IP are blocked until the window resets. This is useful for mitigating DDoS attacks and brute force attempts.
