AWS Application Security (AWS WAF, AWS Shield)

Last Updated : 4 Feb, 2026

Web applications exposed to the internet face two distinct classes of attack: exploitation of the application itself (injection, cross-site scripting, malformed requests) and denial of service that aims to exhaust its resources. AWS addresses these with two complementary services, AWS WAF (Web Application Firewall) and AWS Shield. In this article, we walk through the key features of both, how managed and custom WAF rules are added, and how Shield Standard and Shield Advanced divide the work of DDoS (Distributed Denial of Service) mitigation across the OSI layers.


AWS WAF (Web Application Firewall):

AWS WAF is a managed web application firewall that inspects HTTP and HTTPS requests before they reach your application. You attach a web ACL (web access control list) to a supported resource such as an Amazon CloudFront distribution, an Application Load Balancer, an Amazon API Gateway REST API or an AWS AppSync GraphQL API, and the web ACL's rules decide whether each request is allowed, blocked, counted, or challenged (CAPTCHA/Challenge). Web ACLs for CloudFront use the CLOUDFRONT scope and are managed from the us-east-1 Region; web ACLs for regional resources use the REGIONAL scope in the resource's own Region.

Adding Managed Rule Groups

AWS WAF offers managed rule groups, maintained by AWS and by AWS Marketplace sellers, that cover common threat categories: for example AWSManagedRulesCommonRuleSet (the Core rule set), AWSManagedRulesKnownBadInputsRuleSet, AWSManagedRulesSQLiRuleSet and AWSManagedRulesAmazonIpReputationList. AWS updates them as new attack patterns appear. Each rule group consumes web ACL capacity units (WCUs), and a web ACL has a WCU limit (1,500 by default, raisable through a quota increase), so check a group's capacity before adding it. Here's a step-by-step guide on how to add a managed rule group:

1. Navigate to AWS WAF Console: Log in to your AWS Management Console and navigate to the AWS WAF service.

2. Select the web ACL: In the AWS WAF dashboard choose Web ACLs, select the Region (or the CloudFront scope) the web ACL belongs to, and open the web ACL (Web Access Control List) you want to add the managed rule group to.

[Figure: AWS WAF console screenshot]

3. Add Managed Rule Group:

On the web ACL's Rules tab, choose Add rules and then Add managed rule groups. Expand the vendor list (AWS managed rule groups, or a Marketplace vendor you have subscribed to) and select the rule group that aligns with your security requirements.

[Figs. 2-4: AWS WAF console screenshots of the managed rule group selection]


4. Configure Rule Group Settings: Follow the prompts to configure the selected rule group. For a managed rule group this means choosing whether to override the group's actions (setting the whole group to Count is the safe first step: matches are logged and reported in CloudWatch but nothing is blocked, so you can find false positives before enforcing), optionally overriding the action of individual rules inside the group, adding a scope-down statement to limit which requests the group inspects, and setting the rule's priority. Rules are evaluated in ascending priority order, so a managed group placed before your own allow rules can block traffic you intended to pass.

5. Review and Confirm: Review your configurations and click "Add rule group" to apply the managed rule group to your WebACL.

[Fig. 5: AWS WAF console screenshot]
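As an added example (not from the original article and not AWS's own code), here is the same managed-rule-group step expressed against the WAFv2 API with Python and boto3, which is how you would version-control it. It builds the rule object the console generates, puts the whole group or individual sub-rules into Count mode, and applies it with the web ACL's LockToken so a concurrent change is not silently overwritten. The web ACL name and ID in the usage line are hypothetical, and the SizeRestrictions_BODY override is an assumption for the demo (that rule exists in the Core rule set and is a common false positive on upload endpoints); boto3 is imported lazily so everything except apply_to_web_acl runs offline.

```python
"""Add a managed rule group to a WAFv2 web ACL via the API (added example, not AWS code)."""
import json
from typing import Dict, List, Optional


def visibility(metric_name: str) -> Dict:
    # Every rule needs a VisibilityConfig; MetricName is what you graph in CloudWatch.
    return {"SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}


def managed_rule_group(name: str, priority: int, *, vendor: str = "AWS",
                       count_entire_group: bool = False,
                       count_rules: Optional[List[str]] = None) -> Dict:
    """Build the Rule object for a managed rule group reference."""
    statement = {"VendorName": vendor, "Name": name}
    if count_rules:
        # Override only the listed sub-rules to Count (tuning a false positive
        # without disabling the whole group); the rest keep the vendor's action.
        statement["RuleActionOverrides"] = [
            {"Name": r, "ActionToUse": {"Count": {}}} for r in count_rules]
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": statement},
        # Rules that reference a rule group carry OverrideAction, not Action:
        # Count = observe only (tuning phase), None = use the group's own actions.
        "OverrideAction": {"Count": {}} if count_entire_group else {"None": {}},
        "VisibilityConfig": visibility(name),
    }


def merge_rules(existing: List[Dict], new_rule: Dict) -> List[Dict]:
    """Return the rule list with new_rule added, sorted by priority.
    UpdateWebACL rejects duplicate priorities or names, so fail early here."""
    if any(r["Priority"] == new_rule["Priority"] for r in existing):
        raise ValueError(f"priority {new_rule['Priority']} already in use")
    if any(r["Name"] == new_rule["Name"] for r in existing):
        raise ValueError(f"rule name {new_rule['Name']} already in use")
    return sorted(existing + [new_rule], key=lambda r: r["Priority"])


def apply_to_web_acl(name: str, web_acl_id: str, scope: str, new_rule: Dict) -> None:
    """Read-modify-write the web ACL. LockToken is WAFv2's optimistic lock: if
    someone else changed the ACL since get_web_acl, update_web_acl fails instead
    of clobbering their change. Needs boto3 and AWS credentials (assumption)."""
    import boto3
    # CloudFront-scoped web ACLs are always managed from us-east-1.
    region = "us-east-1" if scope == "CLOUDFRONT" else None
    client = boto3.client("wafv2", region_name=region)
    current = client.get_web_acl(Name=name, Scope=scope, Id=web_acl_id)
    acl = current["WebACL"]
    client.update_web_acl(
        Name=name, Scope=scope, Id=web_acl_id,
        DefaultAction=acl["DefaultAction"],
        Rules=merge_rules(acl["Rules"], new_rule),
        VisibilityConfig=acl["VisibilityConfig"],
        LockToken=current["LockToken"],
    )


if __name__ == "__main__":
    # Core rule set in enforcing mode, with one noisy sub-rule set to Count.
    rule = managed_rule_group("AWSManagedRulesCommonRuleSet", 10,
                              count_rules=["SizeRestrictions_BODY"])
    print(json.dumps(rule, indent=2))
    # Hypothetical names; uncomment with your own web ACL to apply it:
    # apply_to_web_acl("my-web-acl", "<web-acl-id>", "REGIONAL", rule)
```

The printed JSON is exactly what the console's JSON editor shows for the rule, so you can diff it against what is deployed. Keep count_entire_group=True for the first days after adding a group and move to enforcing only after the sampled requests show no legitimate traffic matching.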

Adding Custom Rules and Rule Groups

While managed rule groups provide a strong foundation, there may be specific security requirements unique to your web application. AWS WAF allows you to create custom rules and rule groups tailored to your needs. Here's how you can add your own rules and rule groups:

1. Navigate to AWS WAF Console: Access the AWS WAF service in the AWS Management Console.

2. Choose WebACL: Select the WebACL where you want to add custom rules or rule groups.

3. Add Custom Rule or Rule Group: On the web ACL's Rules tab, choose Add rules and then Add my own rules and rule groups. From here you can create a single rule (a regular rule with match conditions, a rate-based rule, or a rule that references an IP set), or reference a rule group you created earlier under Rule groups so the same set of rules can be reused across several web ACLs.

[Fig. 6: AWS WAF console screenshot]


4. Configure Rule Settings: Define the conditions and the action for your custom rule. In the visual rule builder you pick the request component to inspect (URI path, query string, a header, the body, the source IP), the match type (exact match, starts with, contains, regex, size constraint, SQL injection or XSS detection), any text transformations to apply before matching (lowercase, URL decode, and so on), and the action to take on a match: Allow, Block, Count, CAPTCHA or Challenge. The JSON editor shows the same rule as the WAFv2 API sees it, which is the form to keep in version control. Rate-based rules take a request limit per source IP over an evaluation window and can be scoped down to specific paths, such as a login endpoint.

[Figs. 7-9: AWS WAF console screenshots of the custom rule builder]


5. Review and Confirm: Review your custom rule or rule group settings, ensuring they align with your security objectives. Click "Add rule" or "Add rule group" to implement your custom configurations.

[Fig. 10: AWS WAF console screenshot]
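Added example, not from the original article and not AWS code: the two custom rules most web ACLs end up with (a path block and a rate-based rule scoped to the login endpoint) written as the JSON the rule builder produces, followed by a small local model of how a web ACL evaluates a rule list. The model exists to make the priority and Count semantics concrete: rules run in ascending priority, the first matching Allow/Block terminates, Count matches are recorded and evaluation continues, and the default action applies when nothing terminates. The rule names, limits, paths and client addresses are constructed for the demo, and rate counting is simplified (real AWS WAF counts out of band with a lag of tens of seconds).

```python
"""Custom WAFv2 rules plus a local model of web ACL evaluation order
(added example for this article, not AWS code)."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple


def visibility(metric_name: str) -> Dict:
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}


def path_prefix_match(prefix: str) -> Dict:
    # Rule builder equivalent: inspect URI path, match type "Starts with",
    # lowercase first so /Admin and /admin are treated alike.
    return {"ByteMatchStatement": {
        "FieldToMatch": {"UriPath": {}},
        "PositionalConstraint": "STARTS_WITH",
        "SearchString": prefix,
        "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}]}}


def path_rule(name: str, priority: int, prefix: str, action: str = "Block") -> Dict:
    """Regular custom rule: act on requests whose path starts with prefix."""
    return {"Name": name, "Priority": priority,
            "Statement": path_prefix_match(prefix),
            "Action": {action: {}}, "VisibilityConfig": visibility(name)}


def rate_rule(name: str, priority: int, limit: int,
              scope_prefix: Optional[str] = None) -> Dict:
    """Rate-based rule: block a source IP once it exceeds `limit` requests in the
    evaluation window (300 s here). The scope-down statement restricts counting
    to one path, e.g. a login endpoint."""
    stmt: Dict = {"Limit": limit, "AggregateKeyType": "IP", "EvaluationWindowSec": 300}
    if scope_prefix:
        stmt["ScopeDownStatement"] = path_prefix_match(scope_prefix)
    return {"Name": name, "Priority": priority,
            "Statement": {"RateBasedStatement": stmt},
            "Action": {"Block": {}}, "VisibilityConfig": visibility(name)}


def _byte_match(stmt: Dict, req: Dict) -> bool:
    # The model covers UriPath + STARTS_WITH + LOWERCASE only, which is all the demo uses.
    path = req["path"]
    if any(t["Type"] == "LOWERCASE" for t in stmt["TextTransformations"]):
        path = path.lower()
    return path.startswith(stmt["SearchString"])


def evaluate(rules: List[Dict], requests: List[Dict],
             default_action: str = "Allow") -> List[Tuple[str, str, List[str]]]:
    """Return (action, terminating rule, counted rules) per request.

    Simplified AWS WAF semantics: rules run in ascending Priority; the first
    matching Allow/Block terminates; Count is recorded and evaluation continues;
    the default action applies if nothing terminates. Here a rate-based rule only
    counts requests that earlier rules did not terminate, and counts synchronously."""
    hits = defaultdict(int)
    results = []
    for req in requests:
        counted, outcome = [], (default_action, "Default_Action")
        for rule in sorted(rules, key=lambda r: r["Priority"]):
            stmt = rule["Statement"]
            if "ByteMatchStatement" in stmt:
                matched = _byte_match(stmt["ByteMatchStatement"], req)
            else:
                rb = stmt["RateBasedStatement"]
                scope = rb.get("ScopeDownStatement")
                in_scope = scope is None or _byte_match(scope["ByteMatchStatement"], req)
                if in_scope:
                    hits[(rule["Name"], req["ip"])] += 1
                matched = in_scope and hits[(rule["Name"], req["ip"])] > rb["Limit"]
            if not matched:
                continue
            action = next(iter(rule["Action"]))
            if action == "Count":
                counted.append(rule["Name"])   # non-terminating: keep evaluating
                continue
            outcome = (action, rule["Name"])    # terminating: stop here
            break
        results.append((outcome[0], outcome[1], counted))
    return results


RULES = [
    path_rule("BlockAdminPath", 20, "/admin"),
    path_rule("CountApiTraffic", 10, "/api/", action="Count"),  # observe only
    rate_rule("LoginRateLimit", 30, limit=10, scope_prefix="/login"),
]


def sample_requests() -> List[Dict]:
    # Constructed traffic using RFC 5737 documentation addresses, not real clients.
    reqs = [{"ip": "203.0.113.5", "path": "/Admin/users"},
            {"ip": "203.0.113.5", "path": "/api/v1/items"}]
    reqs += [{"ip": "198.51.100.7", "path": "/login"} for _ in range(12)]
    return reqs


def run_demo() -> List[Tuple[str, str, List[str]]]:
    return evaluate(RULES, sample_requests())


if __name__ == "__main__":
    for req, res in zip(sample_requests(), run_demo()):
        print(f"{req['ip']:14} {req['path']:14} -> {res}")
```

Two things the run makes visible that the console does not: the Count rule at priority 10 never stops evaluation, so the /api/ request still falls through to the default action with the count recorded, and the login client is allowed for exactly the first ten requests and blocked from the eleventh, because a rate-based rule triggers on exceeding the limit, not reaching it.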


Managed rule groups give a broad baseline and custom rules cover what is specific to your application. The practical workflow is: add new rules in Count mode, watch the sampled requests and CloudWatch metrics (and the web ACL logs, if logging is enabled) for false positives, then switch the rule to Block. Revisit the configuration when the application changes, when AWS updates a managed group, and after any incident; a rule set tuned for last year's traffic will both miss new attacks and block new legitimate features.

DDoS attack:

  • A DDoS (Distributed Denial of Service) attack aims to disrupt a server, service, or network by overwhelming it with excessive internet traffic.
  • Unlike a single-source DoS attack, a DDoS attack uses many compromised systems simultaneously.
  • These compromised devices, called bots or zombies, are controlled by an attacker.
  • The collection of bots used in the attack is known as a botnet, often distributed across multiple locations worldwide.
  • The attack’s objective is to exhaust system resources (bandwidth, CPU, memory), causing service outages, financial loss, and reputational damage.
[Figure: DDoS attack diagram, attacker controlling a botnet]


AWS Shield:

AWS Shield is a managed DDoS protection service. It comes in two tiers: Shield Standard, which is always on for every AWS customer and mitigates network- and transport-layer (Layer 3 and 4) attacks, and Shield Advanced, a paid subscription that adds application-layer (Layer 7) DDoS mitigation, attack visibility, cost protection and expert support for the resources you choose to protect.

[Fig. 12: AWS Shield]

AWS Shield Standard: Guarding the Front Lines

Overview:

AWS Shield Standard is the foundational level of DDoS protection, enabled automatically for all AWS customers at no additional cost. It is designed to protect against the most common and most frequently observed infrastructure-layer DDoS attacks, such as SYN and UDP floods and reflection/amplification attacks, and it is most effective when the application sits behind Amazon CloudFront or Amazon Route 53, which absorb attack traffic at the edge.

Key Features:

Network Layer Protection (Layer 3 and 4):

  • AWS Shield Standard offers protection at the network layer, identifying and mitigating volumetric attacks that aim to overwhelm the network infrastructure by flooding it with a high volume of traffic.
  • This layer focuses on maintaining the availability of resources by filtering and mitigating malicious traffic before it reaches the target.

Application Layer Protection (Layer 7):

  • Shield Standard itself does not inspect application traffic. Layer 7 protection comes from AWS WAF, which analyzes HTTP and HTTPS requests against the rules in a web ACL to block common web exploits such as SQL injection and cross-site scripting (XSS) and, with rate-based rules, to throttle clients that send too many requests.
  • AWS Shield Advanced adds automatic application-layer DDoS mitigation: it baselines the protected resource's traffic and, when an HTTP flood is detected, places mitigating rules in the associated web ACL on your behalf. This requires a web ACL to be associated with the resource.
  • Protection at this layer is "application-aware": it looks at the request URI, query string, headers and body to filter malicious patterns that infrastructure-level protection cannot see. It also costs more per request, so it should sit behind the Layer 3/4 defenses rather than replace them.
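Added example (not part of the original article and not AWS code): the kind of detection a practitioner runs over AWS WAF logs to see an HTTP flood that Layer 3/4 protection cannot see. Per-client counts catch a single-source flood and are what a rate-based rule keyed on IP enforces; per-URI counts with the number of distinct clients catch a distributed flood spread thin enough that no single IP trips the limit, which is the case for Shield Advanced's baselining or a rate-based rule aggregated on the URI path rather than the source IP. The log lines, thresholds and web ACL ARN are constructed for the demo; only documented WAF log field names (timestamp in epoch milliseconds, action, terminatingRuleId, httpRequest.clientIp, httpRequest.uri) are read.

```python
"""Find HTTP flood sources in AWS WAF logs (added example for this article, not AWS code).
Reads the documented log fields only: timestamp (epoch ms), action, terminatingRuleId,
httpRequest.clientIp and httpRequest.uri. All log lines below are constructed."""
import json
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

WINDOW_S = 60           # aggregation window, seconds
IP_THRESHOLD = 100      # requests per window from one client before it counts as noisy
URI_THRESHOLD = 100     # requests per window to one path before it counts as hot
BASE_S = 1_699_999_980  # constructed start time, aligned to a 60 s window


def _record(ts_ms: int, ip: str, uri: str, action: str = "ALLOW",
            rule: str = "Default_Action") -> str:
    # Minimal WAF log record; a real one carries more fields (headers, country, ...).
    return json.dumps({
        "timestamp": ts_ms, "formatVersion": 1,
        "webaclId": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/example/0123",
        "terminatingRuleId": rule, "action": action,
        "httpRequest": {"clientIp": ip, "uri": uri, "httpMethod": "GET", "headers": []}})


def build_sample_log() -> List[str]:
    """Constructed log: background traffic, one single-source flood, one distributed flood."""
    lines = []
    # 5 ordinary clients (RFC 5737 addresses), 3 requests each over a minute
    for i in range(1, 6):
        for j, uri in enumerate(["/", "/products", "/cart"]):
            lines.append(_record((BASE_S + i * 5 + j) * 1000, f"192.0.2.{i}", uri))
    # single-source flood: one IP hits /search 150 times in 45 s
    for k in range(150):
        lines.append(_record(BASE_S * 1000 + k * 300, "198.51.100.7", "/search"))
    # distributed flood: 40 IPs, 4 requests each to /login, below any per-IP limit
    for i in range(1, 41):
        for k in range(4):
            lines.append(_record((BASE_S + 10 + k) * 1000 + i, f"203.0.113.{i}", "/login"))
    lines.insert(7, "not a json record")   # truncated/garbled line, must be skipped
    return lines


def parse_logs(lines: Iterable[str]) -> List[Dict]:
    records = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole run
        if "httpRequest" in rec and "timestamp" in rec:
            records.append(rec)
    return records


def _window(rec: Dict) -> int:
    return (rec["timestamp"] // 1000) // WINDOW_S * WINDOW_S


def noisy_clients(records: List[Dict], threshold: int = IP_THRESHOLD) -> List[Tuple[str, int, int]]:
    """(clientIp, window_start, count) for clients over the per-window threshold."""
    counts = Counter((r["httpRequest"]["clientIp"], _window(r)) for r in records)
    return sorted([(ip, w, n) for (ip, w), n in counts.items() if n >= threshold],
                  key=lambda t: -t[2])


def hot_uris(records: List[Dict], threshold: int = URI_THRESHOLD) -> List[Tuple[str, int, int, int]]:
    """(uri, window_start, count, distinct_clients): a high count spread over many
    distinct clients is the signature of a distributed flood that per-IP limits miss."""
    counts: Counter = Counter()
    clients = defaultdict(set)
    for r in records:
        key = (r["httpRequest"]["uri"], _window(r))
        counts[key] += 1
        clients[key].add(r["httpRequest"]["clientIp"])
    return sorted([(u, w, n, len(clients[(u, w)])) for (u, w), n in counts.items()
                   if n >= threshold], key=lambda t: -t[2])


def analyze(lines: Iterable[str]) -> Dict:
    records = parse_logs(lines)
    blocked = sum(1 for r in records if r["action"] == "BLOCK")
    return {"records": len(records), "blocked": blocked,
            "noisy_ips": noisy_clients(records), "hot_uris": hot_uris(records)}


if __name__ == "__main__":
    print(json.dumps(analyze(build_sample_log()), indent=2))
```

In the constructed log every action is ALLOW, which is what you see before any rate-based rule exists; once one is in place the same fields show BLOCK with the rule's name in terminatingRuleId, so the same script doubles as a check that the mitigation is actually firing. The /login result (160 requests, 40 distinct clients, 4 each) is the case a per-IP limit of 100 never catches.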

Automatic Mitigation:

  • AWS Shield Standard's detection and mitigation run automatically and continuously, with nothing for the customer to enable and no intervention required. It helps keep applications available during common infrastructure-layer attacks, but it gives no per-resource attack visibility, no cost protection and no application-layer mitigation; those require Shield Advanced.

AWS Shield Advanced: Elevating Security to the Next Level

Overview:

AWS Shield Advanced builds upon the capabilities of Shield Standard, offering enhanced DDoS protection and additional features for organizations facing more complex and targeted threats.

Key Features:

Enhanced DDoS Mitigation:

  • AWS Shield Advanced protects specific resources you enroll (Elastic IP addresses, CloudFront distributions, Route 53 hosted zones, Global Accelerator accelerators, and Application and Classic Load Balancers), with mitigation tuned to each resource's traffic baseline rather than generic thresholds.
  • It adds countermeasures for sophisticated and evolving attack vectors: automatic application-layer mitigation, health-based detection using Route 53 health checks so that mitigation is driven by the actual health of the application, per-resource CloudWatch metrics and attack diagnostics, and DDoS cost protection that credits the scaling charges (CloudFront, Route 53, ELB and similar) incurred during a mitigated attack. It is a paid subscription with a one-year commitment.

Global Threat Environment Dashboard:

  • This feature provides real-time visibility into the global DDoS threat landscape, helping organizations stay informed about emerging threats and trends.

Dedicated DDoS Response Team (DRT), now the Shield Response Team (SRT):

  • AWS Shield Advanced subscribers gain access to the AWS Shield Response Team (SRT; older documentation calls it the DDoS Response Team), a group of security engineers available 24/7 to assist with attack mitigation and provide guidance during incidents. Engaging the SRT requires a Business or Enterprise Support plan, and proactive engagement (the SRT contacting you when the health checks of a protected resource fail) has to be configured in advance with your contact details.

Web Application Firewall (WAF) Integration:

  • AWS Shield Advanced integrates with AWS WAF, combining DDoS protection with application-layer rules, and covers the AWS WAF (and AWS Firewall Manager) charges for resources protected by Shield Advanced, so attaching a web ACL to a protected resource adds no WAF cost.

OSI Layers and AWS Shield

The OSI model consists of seven layers, each serving a specific function in network communication. AWS Shield operates across multiple layers to provide comprehensive protection:

Physical Layer (Layer 1) and Data Link Layer (Layer 2):

  • These layers (physical media, cabling, link-layer framing) are not involved in DDoS mitigation as customers see it. AWS secures them through physical data-center controls and network design; there is nothing here for a customer to configure.

Network Layer (Layer 3):

  • AWS Shield Standard primarily operates at this layer and the transport layer, detecting and mitigating network-layer DDoS attacks that target network infrastructure and bandwidth.

Transport Layer (Layer 4):

  • Shield Standard also addresses attacks at the transport layer, preventing disruptions caused by DDoS attacks targeting protocols and network connections.

Session Layer (Layer 5) and Presentation Layer (Layer 6):

  • DDoS attacks are rarely classified at these layers and neither Shield tier has a mitigation specific to them; anything that lands here in practice (TLS handshake floods, for example) is handled by the transport-layer (Layer 4) and application-layer (Layer 7) protections.

Application Layer (Layer 7):

  • AWS Shield Standard: Provides automatic, always-on protection against the most common network (Layer 3) and transport (Layer 4) DDoS attacks. It ensures the availability of AWS services themselves, but it does not inspect application traffic (Layer 7).
  • Application Layer Protection: To safeguard against sophisticated Layer 7 attacks (like HTTP floods), you need AWS WAF (rate-based rules and managed rule groups), and AWS Shield Advanced on top of it for automatic mitigation, attack visibility and SRT support.