Fatskills
Practice. Master. Repeat.
Study Guide: TECH **AWS Shield, WAF, and DDoS Mitigation: Zero-Fluff Study Guide**
Source: https://www.fatskills.com/aws-certified-solutions-architect-associate/chapter/tech-aws-shield-waf-and-ddos-mitigation-zero-fluff-study-guide

TECH **AWS Shield, WAF, and DDoS Mitigation: Zero-Fluff Study Guide**

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

⏱️ ~9 min read

AWS Shield, WAF, and DDoS Mitigation: Zero-Fluff Study Guide

(For AWS Solutions Architect – Associate)


1. What This Is & Why It Matters

You’re a cloud engineer at a fintech startup. Your web app handles sensitive transactions, and last week, a competitor (or a script kiddie) launched a DDoS attack that took your site down for 30 minutes. Customers couldn’t log in, transactions failed, and your CTO is now demanding a bulletproof defense—yesterday.

This guide covers AWS Shield (DDoS protection), AWS WAF (Web Application Firewall), and DDoS mitigation strategies—the tools you’ll use to: - Block volumetric attacks (e.g., UDP floods, SYN floods) that overwhelm your network.
- Stop application-layer attacks (e.g., SQL injection, cross-site scripting) that exploit your app’s logic.
- Avoid downtime and cost spikes (DDoS attacks can rack up $100K+ in bandwidth charges if unchecked).

Why this matters in production:
- Downtime = lost revenue. A 1-hour outage for an e-commerce site can cost $100K–$1M.
- DDoS attacks are cheap to launch. A $10/hour botnet can take down an unprotected site.
- AWS Shield Advanced (paid tier) includes DDoS cost protection—AWS credits you for attack-related spikes in CloudFront, ELB, or EC2 costs.

Real-world scenario:
You inherit a legacy web app running on EC2 behind an ALB. The app has no WAF rules, and last month, a SQL injection attack stole customer data. Your task: 1. Deploy AWS WAF to block SQLi and XSS.
2. Enable AWS Shield Standard (free) for basic DDoS protection.
3. Set up CloudFront + Shield Advanced (paid) for high-risk endpoints.


2. Core Concepts & Components


? AWS Shield Standard

  • What it is: Free, always-on DDoS protection for all AWS customers (covers Layer 3/4 attacks like SYN floods, UDP floods).
  • Production insight: If you’re not using Shield Advanced, you’re still protected—but only against basic network-layer attacks. Application-layer attacks (e.g., HTTP floods) require WAF or Shield Advanced.

? AWS Shield Advanced

  • What it is: Paid ($3,000/month) DDoS protection for EC2, ELB, CloudFront, Global Accelerator, and Route 53. Includes:
  • DDoS cost protection (AWS credits you for attack-related spikes).
  • 24/7 DDoS Response Team (DRT) access.
  • Automatic mitigation for large attacks.
  • Production insight: If your app is mission-critical (e.g., banking, healthcare), Shield Advanced is non-negotiable. The $3K/month cost is peanuts compared to a single outage.

? AWS WAF (Web Application Firewall)

  • What it is: A Layer 7 firewall that filters HTTP/HTTPS traffic based on rules (e.g., block SQLi, XSS, bad bots).
  • Production insight: WAF is not enabled by default—you must explicitly attach it to CloudFront, ALB, or API Gateway. If you forget, your app is vulnerable to OWASP Top 10 attacks.

? WAF Rule Groups

  • What it is: Predefined or custom rules to block common threats (e.g., AWS Managed Rules, OWASP Top 10).
  • Production insight: Always start with AWS Managed Rules (e.g., AWS-AWSManagedRulesCommonRuleSet). They’re updated automatically and cover 80% of common attacks.

? WAF Rate-Based Rules

  • What it is: Blocks IPs that exceed a request threshold (e.g., 100 requests/5 minutes).
  • Production insight: Critical for stopping brute-force attacks (e.g., credential stuffing). Set thresholds per endpoint (e.g., /login = 10 req/min, /api = 100 req/min).

? CloudFront + WAF + Shield

  • What it is: A defense-in-depth setup where:
  • CloudFront caches content and absorbs Layer 3/4 attacks.
  • WAF filters Layer 7 attacks (e.g., SQLi, XSS).
  • Shield Advanced blocks large-scale DDoS attacks.
  • Production insight: Always deploy WAF on CloudFront, not just ALB. CloudFront has global edge locations, reducing latency and attack surface.

? AWS Firewall Manager

  • What it is: A centralized WAF/Shield management tool for multiple AWS accounts.
  • Production insight: If you manage multiple AWS accounts (e.g., dev/stage/prod), Firewall Manager saves time by enforcing consistent WAF rules across all accounts.

? DDoS Mitigation Best Practices

  • What it is: Strategies to minimize attack surface (e.g., rate limiting, origin shielding, Anycast routing).
  • Production insight: Never expose your origin server’s IP. Use CloudFront + ALB to hide it. If attackers bypass CloudFront, they’ll hit your ALB, not your EC2 instances.


3. Step-by-Step Hands-On: Deploy WAF + Shield for a Web App


Prerequisites

✅ AWS account with admin IAM permissions.
✅ A running web app (e.g., EC2 + ALB, or CloudFront + S3 static site).
AWS CLI installed (aws --version should work).


Step 1: Enable AWS Shield Standard (Free)

Shield Standard is automatically enabled for all AWS customers. No action needed—but verify it’s active:


aws shield describe-subscription

Expected output:


{
"Subscription": {
"StartTime": "2023-01-01T00:00:00Z",
"TimeCommitmentInSeconds": 0,
"AutoRenew": "ENABLED"
} }

Why this matters: If you don’t see this, contact AWS Support—your account might be misconfigured.


Step 2: Deploy AWS WAF on CloudFront (Recommended)

Option A: Quick Start (AWS Managed Rules)

  1. Go to AWS WAF & Shield ConsoleWeb ACLsCreate web ACL.
  2. Name: MyApp-WAF-Prod
  3. Resource type: CloudFront distributions (select your distribution).
  4. Add rules:
  5. AWS-AWSManagedRulesCommonRuleSet (blocks SQLi, XSS, bad bots).
  6. AWS-AWSManagedRulesKnownBadInputsRuleSet (blocks known malicious IPs).
  7. Set default action: Allow (or Block if you want to whitelist-only).
  8. Create the Web ACL.

Option B: Custom Rate-Based Rule (CLI)

# Create a rate-based rule (blocks IPs exceeding 100 req/5 min)
aws wafv2 create-web-acl \
--name MyApp-RateLimit \
--scope REGIONAL \
--default-action Allow={} \
--visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=MyAppRateLimit \
--rules file://rate-based-rule.json

rate-based-rule.json:


[
{
"Name": "RateLimitRule",
"Priority": 0,
"Action": { "Block": {} },
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "RateLimitRule"
},
"Statement": {
"RateBasedStatement": {
"Limit": 100,
"AggregateKeyType": "IP",
"EvaluationWindowSec": 300
}
}
} ]

Verify it works:


aws wafv2 list-web-acls --scope REGIONAL

Expected output:


{
"WebACLs": [
{
"Name": "MyApp-RateLimit",
"Id": "12345678-1234-1234-1234-123456789012",
"ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/MyApp-RateLimit/12345678-1234-1234-1234-123456789012"
}
] }


Step 3: Enable AWS Shield Advanced (Paid)

  1. Go to AWS Shield ConsoleSubscribe to Shield Advanced.
  2. Select resources to protect:
  3. CloudFront distributions.
  4. ALBs.
  5. EC2 instances (if not behind ALB).
  6. Set up SNS alerts (e.g., email/SMS when an attack is detected).
  7. Enable DDoS cost protection (AWS will credit you for attack-related spikes).

Verify Shield Advanced is active:


aws shield describe-protection --protection-id <PROTECTION_ID>

Expected output:


{
"Protection": {
"Id": "12345678-1234-1234-1234-123456789012",
"Name": "MyApp-Protection",
"ResourceArn": "arn:aws:cloudfront::123456789012:distribution/E1234567890ABC",
"HealthCheckIds": []
} }


Step 4: Test Your WAF Rules (Simulate an Attack)

  1. Use curl to test SQL injection:
    bash
    curl -X POST "https://your-cloudfront-url.com/login" -d "username=admin' OR '1'='1&password=test"

    Expected: 403 Forbidden (WAF blocked it).

  2. Use ab (Apache Bench) to test rate limiting:
    bash
    ab -n 200 -c 10 https://your-cloudfront-url.com/

    Expected: After ~100 requests, WAF blocks the IP.


4. ? Production-Ready Best Practices


Security

  • ✅ Always deploy WAF on CloudFront, not just ALB. CloudFront has global edge locations, reducing latency and attack surface.
  • ✅ Use AWS Managed Rules first. They’re updated automatically and cover 80% of common attacks.
  • ✅ Enable AWS WAF logging to CloudWatch. Helps debug false positives.
    bash aws wafv2 put-logging-configuration \
    --log-destination-configs arn:aws:logs:us-east-1:123456789012:log-group:WAFLogs \
    --resource-arn arn:aws:wafv2:us-east-1:123456789012:regional/webacl/MyApp-WAF/12345678-1234-1234-1234-123456789012
  • ✅ Rotate WAF IP sets regularly. Attackers can bypass static IP blocks.

Cost Optimization

  • ✅ Shield Standard is free. Use it for all resources.
  • ✅ Shield Advanced is expensive ($3K/month). Only enable it for mission-critical apps (e.g., banking, healthcare).
  • ✅ Use CloudFront + WAF instead of ALB + WAF. CloudFront is cheaper for high traffic (pay per request, not per hour).

Reliability & Maintainability

  • ✅ Tag all WAF rules. Example: bash aws wafv2 tag-resource \
    --resource-arn arn:aws:wafv2:us-east-1:123456789012:regional/webacl/MyApp-WAF/12345678-1234-1234-1234-123456789012 \
    --tags Key=Environment,Value=Prod Key=Owner,Value=SecurityTeam
  • ✅ Use AWS Firewall Manager for multi-account setups. Enforces consistent WAF rules across all accounts.

Observability

  • ✅ Monitor WAF metrics in CloudWatch:
  • AllowedRequests
  • BlockedRequests
  • CountedRequests
  • ✅ Set up CloudWatch Alarms for spikes:
    bash aws cloudwatch put-metric-alarm \
    --alarm-name WAF-BlockedRequests-High \
    --metric-name BlockedRequests \
    --namespace AWS/WAFV2 \
    --statistic Sum \
    --period 60 \
    --threshold 100 \
    --comparison-operator GreaterThanThreshold \
    --evaluation-periods 1 \
    --alarm-actions arn:aws:sns:us-east-1:123456789012:SecurityAlerts
  • ✅ Enable AWS Shield Advanced SNS alerts. Get notified when an attack is detected.


5. ⚠️ Common Mistakes & Traps

Mistake Symptom Fix/Prevention
Not deploying WAF on CloudFront Attackers bypass CloudFront and hit your ALB/EC2 directly. Always attach WAF to CloudFront first.
Using only Shield Standard Application-layer attacks (e.g., HTTP floods) bypass Shield Standard. Use WAF + Shield Advanced for full protection.
Not setting rate-based rules Brute-force attacks (e.g., credential stuffing) succeed. Set rate limits per endpoint (e.g., /login = 10 req/min).
Exposing origin server IP Attackers bypass CloudFront and DDoS your origin. Use CloudFront + ALB to hide origin IP.
Not testing WAF rules False positives block legitimate users. Test with curl and ab before deploying to prod.


6. ? Exam/Certification Focus (AWS SAA)


Typical Question Patterns

  1. "Which service protects against SQL injection?"
  2. AWS WAF (not Shield).
  3. ❌ Shield only protects against Layer 3/4 DDoS attacks.

  4. "How do you block a DDoS attack on an ALB?"

  5. Enable Shield Standard (free) + WAF (for Layer 7).
  6. For large attacks, use Shield Advanced ($3K/month).

  7. "What’s the difference between Shield Standard and Advanced?"

  8. Standard: Free, Layer 3/4 protection.
  9. Advanced: Paid, Layer 3/4/7 protection, DDoS cost protection, 24/7 DRT.

  10. "How do you hide your origin server’s IP?"

  11. Use CloudFront + ALB (never expose EC2 directly).

⚠️ Trap Distinctions

Concept Shield Standard Shield Advanced WAF
Layer 3/4 (Network) 3/4/7 (Network + App) 7 (Application)
Cost Free $3,000/month Pay per rule + request
DDoS Cost Protection ❌ No ✅ Yes ❌ No
24/7 DRT ❌ No ✅ Yes ❌ No


7. ? Hands-On Challenge (With Solution)

Challenge:
You have a CloudFront distribution serving a static S3 website. A hacker is brute-forcing the /admin endpoint (100 requests/min). Block the attack using WAF.

Solution:
1. Create a rate-based rule (10 req/min for /admin).
2. Attach it to CloudFront.

CLI Command:


aws wafv2 create-web-acl \
--name BlockAdminBruteForce \
--scope CLOUDFRONT \
--default-action Allow={} \
--visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=BlockAdminBruteForce \
--rules file://admin-rate-limit.json

admin-rate-limit.json:


[
{
"Name": "BlockAdminBruteForce",
"Priority": 0,
"Action": { "Block": {} },
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "BlockAdminBruteForce"
},
"Statement": {
"RateBasedStatement": {
"Limit": 10,
"AggregateKeyType": "IP",
"EvaluationWindowSec": 60,
"ScopeDownStatement": {
"ByteMatchStatement": {
"FieldToMatch": { "UriPath": {} },
"PositionalConstraint": "STARTS_WITH",
"SearchString": "/admin",
"TextTransformations": [{ "Priority": 0, "Type": "NONE" }]
}
}
}
}
} ]

Why it works:
- Rate-based rule blocks IPs exceeding 10 req/min.
- Scope-down statement only applies to /admin (not the whole site).


8. ? Rapid-Reference Crib Sheet

Command/Concept Key Details
Enable Shield Standard Free, always-on. No setup needed.
Enable Shield Advanced $3,000/month, includes DDoS cost protection.
Attach WAF to CloudFront aws wafv2 create-web-acl --scope CLOUDFRONT
AWS Managed Rules AWS-AWSManagedRulesCommonRuleSet (blocks SQLi, XSS).
Rate-Based Rule Limit: 100, EvaluationWindowSec: 300 (100 req/5 min).
WAF Logging aws wafv2 put-logging-configuration --log-destination-configs
Hide Origin IP Use CloudFront + ALB (never expose EC2).
Test WAF curl -X POST "https://url.com" -d "username=admin' OR '1'='1"
⚠️ Default WAF Action Allow (change to Block for whitelist-only).
⚠️ Shield Advanced SNS Alerts Must be configured manually.


9. ? Where to Go Next

  1. [AWS WAF & Shield Developer Guide](https://docs.aws.amazon.com/waf/latest/developerguide


ADVERTISEMENT