63. AWS WAF, AWS Firewall Manager, and AWS Shield

Overview

• AWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, or an AWS AppSync GraphQL API.
• AWS WAF also lets you control access to your content.
  • Based on conditions that you specify, such as the IP addresses that requests originate from or the values of query strings, Amazon CloudFront, Amazon API Gateway, Application Load Balancer, or AWS AppSync responds to requests either with the requested content or with an HTTP 403 status code (Forbidden).
• At the simplest level, AWS WAF lets you choose one of the following behaviors:
  • Allow all requests except the ones that you specify 
  • Block all requests except the ones that you specify
  • Count requests that match your criteria 
  • Run CAPTCHA checks against requests that match your criteria – You can implement CAPTCHA controls against requests to help reduce bot traffic to your protected resources.
• You can use AWS WAF web access control lists (web ACLs) to help minimize the effects of a distributed denial of service (DDoS) attack.
• For additional protection against DDoS attacks, AWS also provides AWS Shield Standard and AWS Shield Advanced.
  • AWS Shield Standard is automatically included at no extra cost beyond what you already pay for AWS WAF and your other AWS services.
  • AWS Shield Advanced provides expanded DDoS attack protection for your Amazon EC2 instances, Elastic Load Balancing load balancers, CloudFront distributions, Route 53 hosted zones, and AWS Global Accelerator accelerators.
  • AWS Shield Advanced incurs additional charges.
• AWS Firewall Manager simplifies your administration and maintenance tasks across multiple accounts and resources for a variety of protections, including AWS WAF, AWS Shield Advanced, Amazon VPC security groups, AWS Network Firewall, and Amazon Route 53 Resolver DNS Firewall.
  • With Firewall Manager, you set up your protections just once and the service automatically applies them across your accounts and resources, even as you add new accounts and resources.

Which should I choose

• It all starts with AWS WAF.
• You can automate and then simplify AWS WAF management using AWS Firewall Manager.
• Shield Advanced adds additional features on top of AWS WAF, such as dedicated support from the Shield Response Team (SRT) and advanced reporting.
• If you want granular control over the protection that is added to your resources, AWS WAF alone is the right choice.
• If you want to use AWS WAF across accounts, accelerate your AWS WAF configuration, or automate protection of new resources, use Firewall Manager with AWS WAF.
• Finally, if you own high visibility websites or are otherwise prone to frequent DDoS attacks, you should consider purchasing the additional features that Shield Advanced provides.

AWS WAF

Benefits

• Additional protection against web attacks using conditions that you specify.