This chapter covers AWS WAF (Web Application Firewall) and AWS Shield, two critical services for protecting web applications from common exploits and DDoS attacks. For the SOA-C02 exam, these topics appear in Domain 4 (Security) under Objective 4.2, typically accounting for 5–10% of questions. You must understand how to configure web ACLs, rule groups, rate-based rules, and the integration with services like ALB, CloudFront, and API Gateway, as well as the differences between Shield Standard and Shield Advanced.
Jump to a section
Imagine a nightclub (your web application) with a single entrance (the Application Load Balancer or CloudFront distribution). The bouncer (AWS WAF) stands at the door with a detailed guest list (web ACL rules). Each guest (HTTP request) must present an ID (source IP, headers, body). The bouncer checks the guest against the list: if the guest is on the VIP list (allow rule), they enter immediately. If the guest matches a banned list (block rule), they are turned away. Some guests trigger a 'pat-down' (rate-based rule) if they try to enter too many times in a short period. The bouncer also has a 'lookout' (AWS Shield) who watches for known troublemakers (DDoS attacks) and can call for backup (automatic mitigation). The bouncer logs every interaction (AWS WAF logs) and can share notes with other clubs (AWS Firewall Manager). Critically, the bouncer does not inspect the contents of bags (request body) unless specifically told to (custom request inspection). This analogy mirrors the mechanism: each request is evaluated against rules in order, with default 'allow' or 'block' action at the end. AWS Shield Advanced provides enhanced 'backup' by always monitoring traffic and applying mitigations before the bouncer even acts.
What AWS WAF and Shield Are
AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. Both are tightly integrated and often work together.
How AWS WAF Works Internally
AWS WAF operates at the edge (CloudFront) or on a regional Application Load Balancer (ALB), API Gateway, or AWS AppSync. When a client sends an HTTP(S) request, the request passes through the WAF before reaching the origin. The WAF evaluates the request against a set of rules defined in a Web Access Control List (web ACL). Each rule consists of a condition (what to inspect) and an action (allow, block, count, or CAPTCHA). Rules are evaluated in order; the first matching rule determines the action. If no rule matches, the default action (allow or block) is applied.
Key Components
- Web ACL: A container for rules. You can associate a web ACL with one or more resources (ALB, CloudFront, API Gateway, AppSync). Each web ACL has a capacity unit (WCU) limit (default 1,500, adjustable). Rules consume WCUs based on complexity. - Rules: Define inspection criteria. Types include: - String match: Inspect headers, query strings, URI path, body, or cookies for a specific string or regex. - IP set: Match against a list of IP addresses or CIDR ranges. - Geo match: Match based on geographic origin (country). - Size constraint: Enforce minimum/maximum length of a request component. - SQL injection match: Detect SQL injection patterns. - Cross-site scripting (XSS) match: Detect XSS patterns. - Rate-based rule: Count requests from a source IP; if the count exceeds a threshold within a 5-minute window, the rule triggers (block or count). The rate is calculated every 30 seconds. - Rule groups: Preconfigured sets of rules. AWS provides managed rule groups (e.g., Core rule set, SQL database, Linux/Windows OS) and you can create your own. - Actions: - Allow: Request proceeds to the resource. - Block: Request is terminated with a 403 Forbidden response. - Count: Request is counted but allowed; used for testing. - CAPTCHA: Challenge the client to solve a puzzle. - Logging: Web ACL traffic can be logged to CloudWatch Logs, S3, or Kinesis Firehose. Logs include details like rule ID, action, and request metadata.
Default Values and Timers
Rate-based rule window: 5-minute sliding window, but the rate is calculated every 30 seconds. The threshold is the maximum number of requests allowed from a single IP in 5 minutes.
WCU: Each web ACL has a default limit of 1,500 WCUs. You can request a higher limit via AWS Support.
Rule evaluation order: Rules are evaluated in the order you specify; you can reorder them.
Default action: Either 'Allow' or 'Block' for the entire web ACL.
Configuration and Verification
To create a web ACL via AWS CLI:
aws wafv2 create-web-acl \
--name MyWebACL \
--scope REGIONAL \
--default-action Allow={} \
--rules file://rules.json \
--visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=MyWebACLMetricAssociate with an ALB:
aws wafv2 associate-web-acl \
--web-acl-arn arn:aws:wafv2:us-east-1:123456789012:regional/webacl/MyWebACL/abc123 \
--resource-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/abc123Verification: Check the web ACL's sampled requests via console or CLI:
aws wafv2 get-sampled-requests \
--web-acl-arn arn:aws:wafv2:us-east-1:123456789012:regional/webacl/MyWebACL/abc123 \
--rule-metric-name MyRuleMetric \
--scope REGIONAL \
--time-window Start=2023-01-01T00:00:00Z,End=2023-01-01T01:00:00Z \
--max-items 100AWS Shield
AWS Shield Standard is automatically enabled for all AWS customers at no extra cost. It protects against common Layer 3/4 DDoS attacks (e.g., UDP floods, SYN floods) and provides always-on detection. AWS Shield Advanced is a paid service that provides enhanced protection against larger and more sophisticated DDoS attacks, including application layer (Layer 7) attacks. Shield Advanced integrates with AWS WAF to provide automated mitigations via rate-based rules and offers cost protection against scaling charges due to DDoS attacks.
How Shield Works with WAF
Shield Advanced can automatically create and manage WAF rate-based rules for your CloudFront distributions or ALBs. When a DDoS attack is detected, Shield Advanced can apply a rate-based rule to block traffic from attacking IPs. You can also configure Shield Advanced to send notifications via CloudWatch alarms and AWS Lambda for custom responses.
Interaction with Related Technologies
CloudFront: WAF integrated at edge provides global protection with lower latency.
ALB: Regional WAF protects ALB targets.
API Gateway: WAF can be associated with REST APIs, HTTP APIs, and WebSocket APIs.
AWS Firewall Manager: Centrally manage WAF rules across accounts and resources.
AWS Managed Rules: Pre-built rule groups for common threats (e.g., OWASP Top 10).
AWS Shield Advanced: Provides DDoS cost protection and automatic WAF rule creation.
Exam-Specific Details
The exam expects you to know the difference between Shield Standard (free, always-on, Layer 3/4) and Shield Advanced (paid, Layer 7, automatic WAF integration, cost protection).
WAF supports rate-based rules only for IP addresses, not for other keys like user-agent or headers (though you can combine with conditions).
WAF logs are not enabled by default; you must explicitly configure logging.
CAPTCHA action is available for web ACLs associated with CloudFront, ALB, and API Gateway.
The default action for a web ACL is 'Allow' if not specified, but you can set it to 'Block'.
Rule groups have a maximum capacity of 1,500 WCUs, but you can request more.
WAF supports regex patterns using the regex field in conditions.
When using rate-based rules, the threshold is per IP address; if the rate exceeds the threshold, the action is applied for the remainder of the 5-minute window.
Shield Advanced provides 24/7 access to the DDoS Response Team (DRT) and financial protection against scaling costs.
Step-by-Step Mechanism of a WAF Rule Evaluation
Request Arrives: Client sends HTTP request to CloudFront or ALB.
WAF Intercepts: The WAF engine intercepts the request before it reaches the origin.
Rule Order: Rules are evaluated in the order defined in the web ACL. Each rule has a priority (numerical order).
Condition Check: For each rule, the engine checks if the request matches the conditions (e.g., IP set, string match).
Action Execution: If a match occurs, the rule's action is executed (allow, block, count, CAPTCHA). For 'allow', the request proceeds; for 'block', a 403 is returned; for 'count', the request proceeds but a counter is incremented; for 'CAPTCHA', a challenge is issued.
Default Action: If no rule matches, the default action is applied.
Logging: If logging is enabled, the request details are sent to the configured destination.
Rate-Based Rule Mechanism
Rate-based rules count requests from a source IP over a 5-minute sliding window. The count is updated every 30 seconds. If the count exceeds the threshold, the rule's action is applied to subsequent requests from that IP for the remainder of the window. After the window expires, the count resets.
Common Pitfalls
Rate-based rule threshold too low: Legitimate users may be blocked. Start with count mode to test.
Default action set to 'Allow': You must explicitly block unwanted traffic; otherwise, all traffic is allowed.
Not enabling logging: Hard to debug why requests are blocked.
Overly complex rules: Exceeding WCU limit can cause rule deployment failures.
Define Protection Requirements
Assess your application's threat model: common exploits (SQLi, XSS), bot traffic, DDoS risks. Determine which resources need protection (ALB, CloudFront, API Gateway). For the exam, know that WAF can protect ALB (regional), CloudFront (global), API Gateway, and AppSync. Shield Advanced is typically used for high-value applications needing Layer 7 DDoS protection.
Create Web ACL and Rules
In the WAF console, create a web ACL with a name, cloudwatch metric name, and default action (allow or block). Add rules: either from AWS Managed Rules (e.g., Core rule set) or custom rules. Each rule has a priority number (lower = higher priority). For rate-based rules, set the threshold (e.g., 2000 requests per 5 minutes). The exam tests that rate-based rules use a 5-minute sliding window with 30-second updates.
Associate Web ACL with Resource
Associate the web ACL with the target resource (ALB, CloudFront distribution, API Gateway stage). For CloudFront, you must associate the web ACL with the distribution (not the origin). For ALB, the web ACL is regional and must be in the same region as the ALB. You cannot associate a web ACL with an ALB in a different region. The exam may test that a web ACL can be associated with multiple resources, but each resource can have only one web ACL.
Configure Logging and Monitoring
Enable logging for the web ACL to CloudWatch Logs, S3, or Kinesis Firehose. Logs contain fields like timestamp, action, rule ID, source IP, and request headers. Also enable CloudWatch metrics for the web ACL to monitor blocked requests and rate-based rule triggers. For Shield Advanced, set up CloudWatch alarms for DDoS detection events. The exam expects you to know that logging is not automatic and must be explicitly configured.
Test and Iterate
Use the Count action to test rules before blocking. Monitor sampled requests in the console. Simulate attacks using tools like OWASP ZAP or custom scripts. Adjust thresholds and rule order based on false positives. For the exam, remember that count mode is essential for testing without impacting users. Also, WAF supports CAPTCHA as an alternative to blocking, which can be used to challenge suspicious requests.
Enterprise Scenario 1: E-commerce Platform Protection
A large e-commerce platform uses CloudFront with AWS WAF to protect against SQL injection and XSS attacks. They enable the AWS Managed Core Rule Set (CRS) and add a rate-based rule set to 5,000 requests per 5 minutes to mitigate bot scraping of product prices. They also use Shield Advanced for cost protection during flash sales when traffic spikes. In production, they observed false positives from the CRS blocking legitimate requests with unusual URL parameters (e.g., search queries containing 'select' or 'union'). They created custom rules to allow those patterns while still blocking malicious ones. Common misconfiguration: setting the rate-based rule threshold too low (e.g., 100 requests) caused legitimate bulk API calls to be blocked. Solution: use count mode initially to establish baseline traffic patterns.
Scenario 2: Financial Services API Gateway
A bank exposes REST APIs via API Gateway and uses WAF to enforce IP whitelisting for backend services. They use IP set rules to allow only known partner IPs and block all others. They also enable geo-match to restrict access to specific countries. To handle DDoS attacks, they subscribe to Shield Advanced, which automatically creates WAF rate-based rules when attack traffic exceeds thresholds. In production, they faced challenges with API Gateway's 30-second timeout for WAF evaluation; complex rules with many conditions caused latency. They optimized by minimizing rule count and using string match instead of regex where possible. Misconfiguration: forgetting to update IP sets when partners change IPs, leading to blocked legitimate traffic.
Scenario 3: SaaS Application with Multi-Tenant Isolation
A SaaS provider uses ALB with WAF to protect tenant-specific microservices. They use WAF to block requests that contain malicious payloads in the body (e.g., JSON injection). They also use rate-based rules per tenant by leveraging the X-Tenant-Id header as a custom key (though WAF rate-based rules only support IP keys, they use a workaround with Lambda@Edge). They monitor WAF logs in CloudWatch Logs and trigger Lambda functions to auto-update IP sets when abuse is detected. Performance considerations: WAF adds ~10ms latency per request. Misconfiguration: not enabling CloudWatch metrics for each rule, making it hard to identify which rule is causing false positives.
SOA-C02 Objective 4.2: Implement and manage security and compliance controls
This objective includes configuring AWS WAF and Shield to protect web applications. The exam tests your ability to:
Choose between Shield Standard and Shield Advanced based on requirements.
Configure web ACLs with appropriate rules (managed vs. custom).
Associate web ACLs with correct resources (ALB, CloudFront, API Gateway).
Enable logging and monitoring for WAF.
Troubleshoot common issues like false positives and WCU limits.
Common Wrong Answers and Why Candidates Choose Them
Shield Standard provides Layer 7 protection. Wrong: Shield Standard only protects Layer 3/4. Shield Advanced adds Layer 7 with WAF integration. Candidates confuse the two.
Rate-based rules can use any request attribute as the key. Wrong: Rate-based rules only use source IP as the key. You cannot use headers or cookies. Candidates assume flexibility.
WAF can be associated with an EC2 instance directly. Wrong: WAF only works with ALB, CloudFront, API Gateway, and AppSync. Candidates think WAF can sit directly in front of an instance.
Default action must be 'Block' for security. Wrong: Default action can be 'Allow' or 'Block'. Many candidates think 'Block' is always required, but 'Allow' is common when using whitelist rules.
Web ACLs can be shared across regions without replication. Wrong: Web ACLs are regional. For global protection, use CloudFront with a web ACL in the CloudFront region (us-east-1). Candidates assume global by default.
Specific Numbers and Terms
Rate-based rule window: 5 minutes (300 seconds), updated every 30 seconds.
WCU default limit: 1,500 per web ACL.
Shield Advanced cost: $3,000 per month per organization (plus data transfer fees).
WAF logging destinations: CloudWatch Logs, S3, Kinesis Firehose.
CAPTCHA action: Available for CloudFront, ALB, API Gateway.
Edge Cases
If you associate a web ACL with an ALB that has multiple target groups, the WAF inspects all traffic before it reaches any target group.
For CloudFront, you must associate the web ACL with the distribution, not the origin. The web ACL must be in us-east-1 for CloudFront.
WAF does not inspect traffic between ALB and targets; it only inspects traffic at the entry point.
Shield Advanced provides cost protection for EC2, ALB, CLB, CloudFront, and Route 53. It does not cover other services.
How to Eliminate Wrong Answers
If the question mentions Layer 7 DDoS protection, the answer must include Shield Advanced (not Standard).
If the question asks about rate limiting, look for 'rate-based rule' and '5-minute window'.
If the question involves 'automatic WAF rule creation', think Shield Advanced.
If the question mentions 'global' protection, think CloudFront + WAF.
If the question mentions 'central management', think AWS Firewall Manager.
AWS WAF operates at Layer 7 and can be associated with ALB, CloudFront, API Gateway, and AppSync.
Rate-based rules use a 5-minute sliding window updated every 30 seconds, with source IP as the only aggregation key.
Shield Standard is free and protects Layer 3/4; Shield Advanced ($3,000/month) adds Layer 7 protection and DDoS cost protection.
Web ACLs are regional; for global protection, use CloudFront with a web ACL in us-east-1.
WAF logging must be explicitly enabled to CloudWatch Logs, S3, or Kinesis Firehose.
Use Count action to test rules before blocking to avoid false positives.
WCU default limit is 1,500 per web ACL; request increase via support if needed.
Managed rule groups (e.g., Core Rule Set) provide pre-built protection against OWASP top 10 threats.
CAPTCHA action can challenge suspicious requests instead of blocking them.
AWS Firewall Manager allows central management of WAF rules across accounts and resources.
These come up on the exam all the time. Here's how to tell them apart.
AWS Shield Standard
Free for all AWS customers
Protects against common Layer 3/4 DDoS attacks (SYN floods, UDP floods, etc.)
Always-on detection and automatic mitigation
No integration with AWS WAF for Layer 7 attacks
No cost protection for scaling charges
AWS Shield Advanced
Paid: $3,000/month per organization (plus data transfer fees)
Protects against Layer 3/4 and Layer 7 DDoS attacks (including application layer)
Provides 24/7 access to the DDoS Response Team (DRT)
Integrates with AWS WAF for automatic mitigation via rate-based rules
Includes cost protection against scaling charges (e.g., EC2 auto-scaling, ALB capacity)
Mistake
AWS WAF can block traffic at the network layer (Layer 3/4).
Correct
AWS WAF operates at Layer 7 (application layer) only. It inspects HTTP/HTTPS requests. For Layer 3/4 DDoS protection, use AWS Shield or network ACLs.
Mistake
AWS Shield Standard protects against large DDoS attacks.
Correct
Shield Standard provides always-on detection and mitigation for common Layer 3/4 attacks, but for larger or more sophisticated attacks (including Layer 7), you need Shield Advanced.
Mistake
Rate-based rules can be configured with any custom key (e.g., user-agent).
Correct
Rate-based rules only use the source IP address as the aggregation key. You cannot use headers, cookies, or other attributes. However, you can combine with other conditions to narrow the scope.
Mistake
You can associate a single web ACL with resources in multiple regions.
Correct
Web ACLs are regional resources. For global protection, you must use CloudFront (which operates globally) and associate a web ACL in the us-east-1 region. You cannot associate the same web ACL with ALBs in different regions.
Mistake
WAF logging is enabled by default.
Correct
WAF logging is not enabled by default. You must explicitly configure logging to CloudWatch Logs, S3, or Kinesis Firehose. Without logging, you cannot see sampled requests or blocked traffic details.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Yes, AWS WAF supports geo-match rules that allow or block requests based on the country of origin. You can create a rule that uses a geo-match condition to match requests from specific countries. This is useful for restricting access to certain regions. Note that geo-match uses the source IP address to determine location, so it may not be accurate for VPN or proxy traffic.
Shield Standard is free and provides protection against common Layer 3/4 DDoS attacks (e.g., SYN floods, UDP floods) for all AWS customers. Shield Advanced is a paid service ($3,000/month) that adds enhanced protection against larger and more sophisticated attacks, including Layer 7 attacks. Shield Advanced integrates with AWS WAF to automatically create rate-based rules, provides 24/7 access to the DDoS Response Team, and offers cost protection against scaling charges due to DDoS attacks.
Rate-based rules count requests from a single source IP over a 5-minute sliding window. The count is updated every 30 seconds. If the number of requests exceeds the threshold you set, the rule's action (block or count) is applied to subsequent requests from that IP for the remainder of the 5-minute window. After the window expires, the count resets. Rate-based rules only use source IP as the aggregation key; you cannot use other request attributes.
Yes, you can have both. You can associate a web ACL with the CloudFront distribution to protect at the edge, and another web ACL with the ALB for additional regional protection. However, this is redundant if the CloudFront WAF is sufficient. Note that if you use Shield Advanced, it can protect both the CloudFront distribution and the ALB, but you must enable it separately.
If you try to add rules that exceed the web ACL's WCU limit (default 1,500), the operation will fail. You must either remove some rules or request a higher WCU limit via AWS Support. The WCU limit is per web ACL and cannot be exceeded. Each rule consumes WCUs based on its complexity (e.g., string match rules consume 1 WCU, regex rules consume more).
Use the Count action for rules during testing. The Count action allows the request to proceed but increments a counter. You can monitor the count in CloudWatch metrics to see how many requests would have been blocked. Once you are confident the rule is correct, switch the action to Block. This is a best practice to avoid false positives.
Yes, AWS WAF can inspect the request body, query string, URI path, headers, cookies, and HTTP method. You can create custom rules that match specific patterns in these components using string match, regex, or size constraints. For body inspection, you can specify a limit (default 8 KB) for the portion of the body to inspect.
You've just covered AWS WAF and Shield for SysOps — now see how well it sticks with free SOA-C02 practice questions. Full explanations included, no account needed.
Done with this chapter?