A Complete Guide in 2024

At its simplest, the primary difference between AWS Shield vs WAF is that Shield protects against distributed denial-of-service (DDoS) attacks, whereas WAF protects web apps from harmful web requests. AWS Shield works at the network, transport and application layers, but AWS WAF (Web Application Firewall) works at the application layer only.

AWS Shield and AWS WAF fall under the “network and application protection” category of AWS security tools. However, their primary functions are distinct, and understanding these differences is crucial to their proper usage.

What Is AWS Shield?

AWS Shield is a network security service that provides protection against DDoS attacks. 

What is a DDoS attack? A DDoS attack is a situation where a resource is overwhelmed with illegitimate traffic, leaving it unavailable to legitimate users.

AWS Shield is a managed service available in two tiers: Standard and Advanced. The Standard version comes at no extra cost, but AWS Shield Advanced offers more security features.

How Does AWS Shield Work?

AWS Shield works to protect against network, application and transport layer DDoS attacks: layers 3, 7 and 4 of the OSI model, respectively. An attack vector is the method that an attacker uses to exploit a system, and AWS Shield detects and mitigates various DDoS and zero-day attack vectors.

How does AWS Shield detect attacks? In the network and transport layers, AWS Shield detects attacks by inspecting packets coming into the AWS Cloud, checking for traffic elevations, performing health checks and scanning for time to live (TTL) elevations. 

In the application layer, Shield creates a baseline for an application based on the app’s request volume. After that, it monitors incoming traffic and app requests, and compares them against the known baseline.

AWS Shield primarily mitigates attacks using packet validation, suspicion scoring, rate distribution, a TCP SYN proxy, access control lists (ACLs) and traffic shaping.

What Does AWS Shield Protect From?

AWS Shield protects against three main categories of attacks: network volumetric attacks, network protocol attacks and application layer attacks. These attacks affect the network, transport and application layers, respectively.

• Network volumetric attacks: AWS Shield protects against network volumetric attacks like a DNS query flood, using mechanisms like rate limiting and query filtering.
• Network protocol attacks: To defend against network protocol attacks, such as TCP SYN flood attacks, AWS Shield uses a TCP SYN proxy.
• Application layer attacks: Shield mitigates application layer attacks, including HTTP flood and cache-busting attacks, using mechanisms like WAF ACLs, rate limiting and traffic shaping.

What Levels of Protection Does AWS Shield Provide Against DDoS Attacks?

AWS Shield provides automatic attack mitigation and static thresholds for DDoS attacks in the AWS Shield Standard tier. However, the Advanced tier offers advanced attack mitigation, health-based detection, custom DDoS thresholds and many more levels of protection.

AWS Shield Standard

AWS Shield Standard is enabled by default on all AWS accounts, and it’s completely free. It offers protection based on static DDoS thresholds against common attacks, particularly those that target the network and transport layers. It also offers inline attack mitigation.

AWS Shield Advanced

AWS Shield Advanced provides an even higher level of protection than Shield Standard, with additional detection and mitigation features at the application layer. It also comes with round-the-clock access to the AWS Shield Response Team for customers on the Enterprise or Business Support plans.

How Much Does AWS Shield Cost?

AWS Shield Standard is free of charge and available to all users. However, a Shield Advanced subscription costs $3,000 per month and requires a one-year commitment. It also comes with “data transfer out” usage fees, which are charged per gigabyte. The unit price for these usage fees varies by region and depends on the service that’s utilizing AWS Shield Advanced.

What Are the Use Cases of AWS Shield?

AWS Shield’s use cases include any scenario where DDoS protection is essential. Of course, Shield Advanced is better than Shield Standard thanks to its higher levels of protection and customization, and its ability to provide application layer protection.

Here are some ways you can use AWS Shield:

• Protecting TCP-based apps against TCP SYN floods: You can protect a TCP-based app, such as a file transfer protocol service, from a TCP SYN flood using AWS Shield’s TCP SYN proxy.
• Providing HTTP flood protection to web apps: Shield can protect your web app against HTTP flood attacks using AWS WAF rate limiting rules, traffic isolation and ACLs.
• Protecting UDP-based games from UDP reflection attacks: Through a combination of features, like packet validation, rate limiting and UDP-exposure limiting, AWS Shield can attenuate UDP reflection attacks.

What Are the Pros of AWS Shield?

The pros of AWS Shield include automated protection, free usage, ease of use, cost protection, attack visibility, expert support and customizability on the Advanced plan. AWS Shield offers thorough protection against DDoS attacks, ensuring the uptime, safety and accessibility of infrastructure and applications in the AWS Cloud. 

Here’s a deeper dive into the benefits of AWS Shield:

• Automated protection: Shield automatically mitigates common DDoS attacks.
• Available for free: AWS Shield Standard comes at no extra cost.
• Ease of use: Since it’s a managed service, you don’t have to do much to get AWS Shield to work.
• Cost protection: When you opt for Shield Advanced, you’re covered if your costs increase as your resources scale up due to DDoS attacks.
• Attack visibility: Shield Advanced provides near real-time insights on DDoS attacks.
• Expert support: With Shield Advanced, customers on the Business or Enterprise support plans get 24/7 access to the AWS DDoS response team.
• Customizability: There’s more room for custom configurations when you get Shield Advanced.

What Are the Cons of AWS Shield?

The cons of AWS Shield include a lack of expert support and limited customizability on the standard plan, lengthy commitments, and a costly advanced plan. AWS Shield Advanced requires a one-year commitment, and AWS Shield Standard doesn’t offer expert support. 

The following are some cons of AWS Shield:

• Lack of expert support: Shield Standard doesn’t provide access to the AWS Shield Response Team.
• Lengthy commitments: An AWS Shield Advanced subscription requires you to make a one-year commitment.
• Costly payments: Besides the one-year commitment, some organizations may find the $3,000 monthly payments to be pricey.
• Limited customizability: Unlike Shield Advanced, Shield Standard offers limited custom configurations.

What Are the Advantages of AWS Shield Over AWS WAF?

AWS Shield doesn’t necessarily have an advantage over AWS WAF — in fact, using both services together makes for better protection. That said, Shield is the better option for DDoS attacks, while WAF is best for web application attacks like SQL injection.

What Is AWS WAF (Web Application Firewall)?

AWS WAF is short for AWS Web Application Firewall. Being a firewall, it stands between a web application and the network traffic that traverses the app. AWS WAF protects against common web app exploits due to unauthorized ingress. Such exploits include SQL injection, cross-site scripting and even DDoS attacks.

Besides protecting against web exploits, AWS WAF offers bot control and fraud prevention related to account creation and account takeovers. It’s also integrated with AWS CloudWatch, so you can monitor its activities in real time.

How Does AWS WAF Work?

AWS WAF works by describing and controlling how an application responds to web queries. It primarily achieves this through web access control lists (web ACLs). Web ACLs are made up of rules, and those rules have their own conditions. 

Here are some more insights regarding web ACLs, rules and conditions:

• Web ACLs: At their simplest, web ACLs control the traffic going into your application based on custom rules. They can allow or block certain requests depending on the conditions and actions stated in their rules.
• Rules: Rules can either be managed or user-defined. They set conditions for how a web ACL should inspect a request, and define what action to take based on those conditions. You can create a rule group to collect WAF rules that you want to reuse. You may also get rule groups from AWS Managed Rules and sellers on AWS Marketplace.
• Conditions: A condition is an identifier for the request you want WAF to allow or block. This could be an IP address, string match and so on.

What Does AWS WAF Protect From?

AWS WAF protects from common web threats like DDoS attacks in layer 7, SQL injection, cross-site scripting, bot traffic control and many others.

• DDoS attacks: With WAF, you can write rules to block requests with unexpected patterns. This reduces HTTP flood attacks, which are a type of DDoS attack. You can also add rate-limiting rules to shut out voluminous traffic within a certain duration.
• SQL injection: WAF lets you add rules that inspect for malicious SQL codes, such as those that try to steal data from your database.
• Cross-site scripting: To prevent cross-site scripting, configure WAF rules to monitor for harmful scripts. These rules may contain conditions for query or URI string matching.

What Layer Is WAF in AWS?

AWS WAF is in the application layer (layer 7), where it filters web traffic (HTTP and HTTPS) to prevent common web exploits.

What Are the Features of AWS WAF?

AWS Web Application (WAF) features include web traffic filtering, bot control, fraud control, real-time visibility, AWS Firewall Manager integration and full feature API. 

• Web traffic filtering: WAF features custom and managed rules that determine which HTTP/HTTPS queries are allowed or blocked.
• Bot control: Bot control is a WAF managed rule group that protects against persistent bot traffic.
• Fraud control: This managed rule group offers two types of fraud prevention: account takeover and account creation. Account takeover fraud prevention monitors the app’s login page to prevent unauthorized access. Account creation fraud prevention monitors the signup page to prevent the creation of suspicious accounts.
• Real-time visibility: AWS WAF captures web requests and provides details, such as IP addresses, referrers, metrics, URIs and so on. It can also send notifications based on defined thresholds through its integration with CloudWatch.
• AWS Firewall Manager integration: Like AWS Shield Advanced, you can centrally manage AWS WAF from AWS Firewall Manager.
• Full feature API: All WAF features are available via the AWS WAF API.

How Much Does AWS WAF Cost?

AWS WAF offers monthly pricing based on the number of access control lists (ACLs), rules and requests (prorated per hour). CAPTCHA attempts and challenge responses cost extra based on the volume.

AWS WAF bot control has a monthly subscription fee of $10 per web ACL. You’re also charged per million requests, with targeted bot control being more expensive than common bot control. Like regular WAF rules, extra charges are incurred for CAPTCHA attempts and challenge responses.

The “fraud control” feature also has a $10 monthly subscription per web ACL. You get charged per million requests analyzed, with larger request volumes having lower unit costs compared to smaller ones. However, you don’t pay separately for CAPTCHA attempts and challenge responses.

What Are the Use Cases of AWS WAF?

AWS WAF has many use cases, including preventing common web app attacks such as SQL injection and cross-site scripting. 

Here are some examples of WAF’s roles and use cases:

• Protecting web apps against HTTP flood attacks: WAF can protect against flood attacks using rate limiting and traffic isolation, and by blocking out requests with unusual patterns.
• Stopping SQL codes from extracting data from databases: WAF looks out for and blocks SQL codes that may try to gain unauthorized access to your app’s database.
• Controlling bot traffic into web apps: You can create rules to block traffic from specific bots. However, if reducing traffic is your main goal, then you can limit bot traffic using rate-based rules. You may also use WAF’s “bot control” feature.

What Are the Pros of AWS WAF?

The primary pros of AWS WAF is increased protection against common web application threats, high customizability, reasonable costs, third-party integrations and managed rule groups. 

Here’s a breakdown of these benefits:

• Protection from common web threats: AWS WAF effectively protects web apps from common web vulnerabilities like XSS (cross-site scripting) and SQL injection.
• High customizability: You get to create custom rules and conditions based on the types of threats you want to prevent.
• Reasonable costs: The pricing is generally based on usage volume.
• Integrations with other security services: WAF integrates seamlessly with services like CloudFront, Application Load Balancing and API Gateway.
• Managed rule groups: Managed rule groups provide quick and easy access to ACL rules.

What Are the Cons of AWS WAF?

The main cons of AWS WAF is that configuration can be complex, and the service gets more expensive with increased requests. 

• Complexity: Configuring WAF can be difficult if the rules are complex.
• Limited DDoS protection: WAF provides some degree of DDoS protection, but it’s limited to layer 7.
• Body inspection size limits: AWS WAF can inspect only request bodies up to 64KB.

What Are the Advantages of AWS WAF Over AWS Shield?

AWS WAF and AWS Shield are suited for different purposes, so WAF doesn’t necessarily have an advantage over Shield. In spite of that, AWS WAF is the better option to protect against web attacks such as SQL injection and cross-site scripting.

Can AWS WAF and AWS Shield Be Used Together?

Yes, AWS WAF and AWS Shield can be used together. In fact, AWS Shield Advanced employs some AWS WAF features for DDoS protection in the application layer.

What Are the Other AWS Security Services?

Other AWS services related to network and application security include AWS Firewall Manager, AWS Network Firewall, AWS Verified Access, and Route 53 Resolver DNS Firewall. 

• AWS Firewall Manager: Firewall Manager allows for the central configuration and management of firewalls across AWS accounts.
• AWS Network Firewall: Network Firewall controls traffic between layer 3 and layer 7, providing extra protection to a VPC.
• AWS Verified Access: AWS Verified Access facilitates secure access to corporate resources without requiring a VPN.
• Route 53 Resolver DNS Firewall: Amazon’s Route 53 Resolver DNS Firewall controls and filters outgoing VPC DNS traffic.

Final Thoughts

AWS WAF is a security service that protects web apps in an AWS environment from regular web threats by filtering app requests. On the other hand, AWS Shield is a different security service that defends AWS resources against DDoS attacks.

Between AWS Shield and WAF, which do you think is more vital to network security? Have you used any of the other AWS security services mentioned in this guide? What was your experience with it? Let us know your thoughts in the comments. Thank you for reading.

FAQ

• What Is the Difference Between WAF and Shield in AWS?

  AWS WAF and AWS Shield differ in that WAF protects against web exploits by controlling web traffic, while Shield detects and mitigates DDoS attacks.

• What Is the Difference Between WAF and Site Shield?

  WAF is an AWS service, while Site Shield is an Akamai service. WAF filters malicious web traffic, whereas Site Shield removes apps from the public IP address space, therefore reducing the attack surface.

• What Is AWS Shield Used For?

  AWS Shield is used for spotting and attenuating DDoS attacks in the network, transport and application layers.

• Does Shield Advanced Include WAF?

  Shield Advanced includes WAF features, such as web ACLs, rules and rule groups.