AWS Shield
11m 20s
Start course
1h 17m

Explore the 3 AWS services, designed to help protect your web applications from external malicious activity, with this course. Once getting started, this course will delve into depth on all three services, comprised of AWS Web Application Firewall Service (WAF), AWS Firewall Manager and AWS Shield. By learning how all three services can be used together for enhanced protection of web applications you enterprise will wholly benefit from all the advantages that these services have to offer.

Study the core principles, understand the importance and discuss how protecting web apps with AWS can elevate your business to the next level with this cohesive course made up of 14 lectures, including demos.

Learning Objectives

  • Gain a core foundation of what AWS WAF is and what it does
  • Knowledge of how to configure and implement a WAF solution
  • Analyze how AWS WAF works closely with AWS CloudFront
  • An understanding of how AWS Firewall Manager can be used to help you control AWS WAF across multiple accounts
  • How AWS Shield is protecting Distributed Denial of Service attacks
  • An awareness of different types of DDoS attacks
  • An awareness of the step involved in configuring AWS Shield Advanced

Intended Audience

  • Security architects
  • Technical engineers
  • Website administrators
  • Anyone requiring a deeper understanding of WAF, Shield, and Firewall Manager


Cloud Academy would recommend having a basic understanding of the following, before starting this course:

  • Amazon CloudFront Distributions
  • AWS Application Load Balancer
  • AWS Organizations
  • The 7 layers of the OSI model

Related Training Content

If you are interested in further training content related to this topic, discover the following learning paths:



Hello and welcome to this final lecture where I shall be summarizing the key points from all of the previous theory lectures. I started off by explaining what the AWS WAF service was, and in this lecture I explained that AWS WAF is a service that helps to prevent websites and web applications from being maliciously attacked by common web attack patterns. It's also used to identify how Amazon CloudFront distributions and application load balancers respond to web requests based upon specific conditions. It filters both HTTP and HTTPS request distinguishing between legitimate and harmful inbound requests. AWS WAF is comprised of conditions, WAF Rules, and web access control lists, which are also known as Web ACLs. Conditions allow you to specify what element of the incoming HTTP or HTTPS request you want WAF to be monitoring for. The condition used can be cross-site scripting, Geo Match, IP addresses, size constraints, SQL injection attacks, String and Regex Matching. These conditions are then added to AWS WAF Rules. And AWS Rules allow you to group one or more conditions into a list acting as the rule, where each condition is ANDed to form the complete rule. And there are two different rule types, Regular and Rate-Based. Every condition in the rule has to be met for the action of the rule to be carried out. And these actions within the rule are defined within the Web ACL Web ACLs form the final component in the decision process as to whether the request traffic is blocked or allowed on through to the associated CloudFront distribution or application load balancer. And the actions that are allowed are Allow, Block and Count. Incoming requests to WAF will be matched against a rule base in the order that they appear Following this lecture I answered the question, when and why should you use AWS WAF. The key points taken from this lecture were AWS WAF should be used if you are delivering web content via a CloudFront distribution or through an application load balancer. Without using a WAF you could be exposing your websites and web apps to potentially harmful and malicious traffic. Security vulnerabilities exist across web applications and its important that these risks of exposure are mitigated as early as possible. OWASP provide a top 10 list of the most critical security risks facing organizations around application architecture which you should aim to protect against. An AWS WAF might be able to achieve a higher level of security compliance. AWS WAF sits logically between the end user requesting access to your website or web app and your CloudFront distributions. 

Before a request has traversed your CloudFront environment and network you have the ability to detect, analyze and either allow or block the incoming request. The Web Application Firewall is very easy to manage either via the AWS Management Console or via API calls supplied. It also integrates very well with Amazon CloudWatch for monitoring specific WAF metrics and AWS Lambda for automation Next I focused on Monitoring the AWS WAF service, and here we learnt that you can view certain statistical information for your Web ACLs that you have created within the WAF dashboard. And the service dashboard provides a graphical view of the requests that match each of your rules within each of your Web ACLs along with the total number of requests. Integration exists with Amazon CloudWatch allowing you to monitor set metrics for the service in one minute intervals by default. And these CloudWatch Metrics include AllowedRequests, BlockedRequests, CountedRequests, and PassedRequests. And Amazon CloudWatch automatically generates a CloudWatch metric with the same name of your Web ACLs and WAF Rules. I then gave a short lecture on some of the service limits for AWS WAF which were as follows. You can have 100 conditions of each type, such as Geo Match or size constraints, however, Regex is the exception to this rule where only 10 Regex conditions are allowed and this limit is possible to increase this limit. You are able to have 100 rules and 50 Web ACLs per AWS account. And you are also limited to five rate-based-rules per account. Finally you can have 10,000 requests per second when using WAF with your application load balancer. The lecture following this looked at how AWS WAF integrated and worked with Amazon CloudFront, and within this lecture I explained that AWS WAF relies heavily on AWS CloudFront distributions. And it also supports custom origins allowing you to apply the same level of security to web infrastructure managed outside of AWS. And this association between the Web ACL and a CloudFront distribution can take approximately 15 minutes for the Web ACL and associated rules to be propagated to all relevant edge locations linked with your CloudFront distribution When a request is blocked by WAF, CloudFront is notified that the request was forbidden, returning a 403 error. 

But it's also possible to create your own custom 403 errors to give greater information to the end user. You can use a combination of restrictions using CloudFront and your Web ACL to control inbound traffic requests. The last lectures to do with AWS WAF provided a rundown on pricing of the service. So the pricing summary looks as follows. There are three chargeable elements of AWS WAF. The number of incoming requests. The number of Web ACLs that you have. And the number of WAD Rules within each of the Web ACLs. You will not be charged extra for assigning the same Web ACL to multiple CloudFront distributions. And incoming requests are charged at 60 cents per million web requests. And the number of Web ACLs are charged at $5 per Web ACL per month. And the number of Rules per Web ACL are charged at $1 per rule, per Web ACL per month. Do bear in mind that these prices may change over time, so always refer back to the AWS documentation. And there are no upfront costs to use WAF. This then ended the section on WAF. And following this I then focused on the AWS Firewall Manager. 

The first of these lectures introduced the service where I explained that AWS Firewall Manager was designed to help you manage and control AWS WAF across multiple AWS Accounts when using AWS Organizations. It can group and protect specific resources together, for example, all resources with a particular tag, or all of your CloudFront distributions. A key benefit of Firewall Manager is that it automatically protects certain resources that are added to your account To begin using AWS Firewall manager you have to meet three prerequisites, these being, ensuring that your AWS Account is a part of an organization with all features activated. You must define which AWS account will act as the Firewall Manager Admin account. And you need to have AWS Config enabled. I then looked at the components of the service and during this lecture I covered the following elements. WAF Rules which are the same rules used within AWS WAF. Rule Groups which allow you to group together one or more WAF rules that will all have the same action applied when the conditions a rule are met. And hese Rule Groups can either contain a Block or Count action. You can only have 10 rules per group, which is a fixed limitation. Firewall Manager Policies. This policy contains the rule groups that you want to assign to your AWS resources. You can only have two rule groups per policy, One customer created rule group, and one AWS Marketplace rule group. Again, this is a fixed limitation. So logically, AWS WAF rules are defined, which are then added to a Rule Group with either a Block or Count action associated, and this rule group is then added to an AWS Firewall Manager Policy, which is then associated to AWS resources. The cost of each policy is $100 per policy, per region, per month. I then performed a demonstration showing you how to configure an AWS Firewall Policy Manager. 

The final service I looked at was the AWS Shield service. Within the first lecture covering this service I explained that AWS Shield is closely related to both AWS WAF and also the AWS Firewall Manager AWS Shield has been designed to help protect your infrastructure against DDoS attacks. And there are a number of different types of DDoS takes, for example, a SYN Flood, a DNS Query Flood, a HTTP flood or cache-busting attacks. AWS Shield comes in two variations, which is AWS Shield Standard and AWS Shield Advanced. AWS Shield Advanced has more power and protection than the Standard version. AWS Shield Standard is free to everyone and offers DDoS protection against some of the more common layer three and layer four DDoS attacks. AWS Shield Advanced offers the following on top of Standard. A greater level of protection for DDoS attacks across a wider scope for an additional cost. Protection against EC2, CloudFront, Elastic Load Balancing and also Route 53. It provides access to a 24-by-seven specialized DDoS response team at AWS, known as DRT. Provides an enhanced monitoring capability. Protection against layer three, four and seven DDoS attacks. It has added cost protection. And it costs $3,000 per month. The final lecture on AWS Shield provided a process on how to configure and set up AWS Shield Advanced. 

This lecture covered the following points. AWS Shield Advanced is activated via the Management Console using the WAF and Shield Service. It's AWS account specific, so you will need to activate the service on each account required. And you must manually define the resources you want to protect once the service is activated. To protect EC2 instances, you must first associate an Elastic IP first. You must then add Rate-based rules providing you with a primary indicator that a DDoS attack is in progress. You have the opportunity to pre-authorize the AWS DDoS Response team team to update and modify your Web ACLs and Shield configurations during an attack. But if you do not want AWS to have this access, then you can select the Do not grant the DRT access to my account. Access is provided via an IAM role. And it's recommended you configure CloudWatch alarms with alerting via SNS service. By viewing the Global Threat Environment Dashboard it can provide an overview of the top attacks, and the number of attacks across the AWS landscape. That has now brought me to the end of this lecture and to the end of this course. You should now have a greater understanding of how AWS WAF, Firewall Manager and Shield can be used to help mitigate you against vulnerabilities and threats towards your web application infrastructure and resources. For further information on this topic you might want to take a look at the following AWS whitepaper. If you have any feedback on this course, positive or negative, please contact us by sending an email to Your feedback is greatly appreciated. Thank you for your time and good luck with your continued learning of cloud computing. Thank you.

About the Author
Learning Paths

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.