By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
(For AWS Solutions Architect – Associate)
You’re a cloud engineer at a fintech startup. Your web app handles sensitive transactions, and last week, a competitor (or a script kiddie) launched a DDoS attack that took your site down for 30 minutes. Customers couldn’t log in, transactions failed, and your CTO is now demanding a bulletproof defense—yesterday.
This guide covers AWS Shield (DDoS protection), AWS WAF (Web Application Firewall), and DDoS mitigation strategies—the tools you’ll use to: - Block volumetric attacks (e.g., UDP floods, SYN floods) that overwhelm your network.- Stop application-layer attacks (e.g., SQL injection, cross-site scripting) that exploit your app’s logic.- Avoid downtime and cost spikes (DDoS attacks can rack up $100K+ in bandwidth charges if unchecked).
Why this matters in production:- Downtime = lost revenue. A 1-hour outage for an e-commerce site can cost $100K–$1M.- DDoS attacks are cheap to launch. A $10/hour botnet can take down an unprotected site.- AWS Shield Advanced (paid tier) includes DDoS cost protection—AWS credits you for attack-related spikes in CloudFront, ELB, or EC2 costs.
Real-world scenario:You inherit a legacy web app running on EC2 behind an ALB. The app has no WAF rules, and last month, a SQL injection attack stole customer data. Your task: 1. Deploy AWS WAF to block SQLi and XSS.2. Enable AWS Shield Standard (free) for basic DDoS protection.3. Set up CloudFront + Shield Advanced (paid) for high-risk endpoints.
AWS-AWSManagedRulesCommonRuleSet
/login
/api
✅ AWS account with admin IAM permissions.✅ A running web app (e.g., EC2 + ALB, or CloudFront + S3 static site).✅ AWS CLI installed (aws --version should work).
aws --version
Shield Standard is automatically enabled for all AWS customers. No action needed—but verify it’s active:
aws shield describe-subscription
Expected output:
{ "Subscription": { "StartTime": "2023-01-01T00:00:00Z", "TimeCommitmentInSeconds": 0, "AutoRenew": "ENABLED" } }
Why this matters: If you don’t see this, contact AWS Support—your account might be misconfigured.
MyApp-WAF-Prod
CloudFront distributions
Allow
Block
# Create a rate-based rule (blocks IPs exceeding 100 req/5 min) aws wafv2 create-web-acl \ --name MyApp-RateLimit \ --scope REGIONAL \ --default-action Allow={} \ --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=MyAppRateLimit \ --rules file://rate-based-rule.json
rate-based-rule.json:
rate-based-rule.json
[ { "Name": "RateLimitRule", "Priority": 0, "Action": { "Block": {} }, "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "RateLimitRule" }, "Statement": { "RateBasedStatement": { "Limit": 100, "AggregateKeyType": "IP", "EvaluationWindowSec": 300 } } } ]
Verify it works:
aws wafv2 list-web-acls --scope REGIONAL
{ "WebACLs": [ { "Name": "MyApp-RateLimit", "Id": "12345678-1234-1234-1234-123456789012", "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/MyApp-RateLimit/12345678-1234-1234-1234-123456789012" } ] }
Verify Shield Advanced is active:
aws shield describe-protection --protection-id <PROTECTION_ID>
{ "Protection": { "Id": "12345678-1234-1234-1234-123456789012", "Name": "MyApp-Protection", "ResourceArn": "arn:aws:cloudfront::123456789012:distribution/E1234567890ABC", "HealthCheckIds": [] } }
Use curl to test SQL injection: bash curl -X POST "https://your-cloudfront-url.com/login" -d "username=admin' OR '1'='1&password=test" Expected: 403 Forbidden (WAF blocked it).
curl
bash curl -X POST "https://your-cloudfront-url.com/login" -d "username=admin' OR '1'='1&password=test"
403 Forbidden
Use ab (Apache Bench) to test rate limiting: bash ab -n 200 -c 10 https://your-cloudfront-url.com/ Expected: After ~100 requests, WAF blocks the IP.
ab
bash ab -n 200 -c 10 https://your-cloudfront-url.com/
bash aws wafv2 put-logging-configuration \ --log-destination-configs arn:aws:logs:us-east-1:123456789012:log-group:WAFLogs \ --resource-arn arn:aws:wafv2:us-east-1:123456789012:regional/webacl/MyApp-WAF/12345678-1234-1234-1234-123456789012
bash aws wafv2 tag-resource \ --resource-arn arn:aws:wafv2:us-east-1:123456789012:regional/webacl/MyApp-WAF/12345678-1234-1234-1234-123456789012 \ --tags Key=Environment,Value=Prod Key=Owner,Value=SecurityTeam
AllowedRequests
BlockedRequests
CountedRequests
bash aws cloudwatch put-metric-alarm \ --alarm-name WAF-BlockedRequests-High \ --metric-name BlockedRequests \ --namespace AWS/WAFV2 \ --statistic Sum \ --period 60 \ --threshold 100 \ --comparison-operator GreaterThanThreshold \ --evaluation-periods 1 \ --alarm-actions arn:aws:sns:us-east-1:123456789012:SecurityAlerts
❌ Shield only protects against Layer 3/4 DDoS attacks.
"How do you block a DDoS attack on an ALB?"
✅ For large attacks, use Shield Advanced ($3K/month).
"What’s the difference between Shield Standard and Advanced?"
Advanced: Paid, Layer 3/4/7 protection, DDoS cost protection, 24/7 DRT.
"How do you hide your origin server’s IP?"
Challenge:You have a CloudFront distribution serving a static S3 website. A hacker is brute-forcing the /admin endpoint (100 requests/min). Block the attack using WAF.
/admin
Solution:1. Create a rate-based rule (10 req/min for /admin).2. Attach it to CloudFront.
CLI Command:
aws wafv2 create-web-acl \ --name BlockAdminBruteForce \ --scope CLOUDFRONT \ --default-action Allow={} \ --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=BlockAdminBruteForce \ --rules file://admin-rate-limit.json
admin-rate-limit.json:
admin-rate-limit.json
[ { "Name": "BlockAdminBruteForce", "Priority": 0, "Action": { "Block": {} }, "VisibilityConfig": { "SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "BlockAdminBruteForce" }, "Statement": { "RateBasedStatement": { "Limit": 10, "AggregateKeyType": "IP", "EvaluationWindowSec": 60, "ScopeDownStatement": { "ByteMatchStatement": { "FieldToMatch": { "UriPath": {} }, "PositionalConstraint": "STARTS_WITH", "SearchString": "/admin", "TextTransformations": [{ "Priority": 0, "Type": "NONE" }] } } } } } ]
Why it works:- Rate-based rule blocks IPs exceeding 10 req/min.- Scope-down statement only applies to /admin (not the whole site).
$3,000/month
aws wafv2 create-web-acl --scope CLOUDFRONT
Limit: 100, EvaluationWindowSec: 300
aws wafv2 put-logging-configuration --log-destination-configs
curl -X POST "https://url.com" -d "username=admin' OR '1'='1"
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.