Network Firewall

AWS Shield

AWS Shield Standard:

  • Free service that is activated for every AWS customer

  • Protects from attacks such as SYN/UDP Floods, Reflection attacks, and other layer 3/layer 4 attacks

AWS Shield Advanced:

  • Optional DDoS mitigation service ($3,000 per month per organization)

  • Protects against more sophisticated attacks on Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Route 53

  • 24/7 access to the AWS DDoS Response Team (DRT)

  • Protects against higher fees caused by usage spikes during a DDoS attack

AWS WAF – Web Application Firewall

• Protects your web applications from common web exploits (Layer 7)

• Layer 7 is HTTP (vs Layer 4 is TCP)

• Deploy on Application Load Balancer, API Gateway, CloudFront

• Define Web ACL (Web Access Control List):

  • Rules can include IP addresses, HTTP headers, HTTP body, or URI strings

  • Protects from common attacks such as SQL injection and Cross-Site Scripting (XSS)

  • Size constraints, geo-match (block countries)

  • Rate-based rules (count requests per source over a time window) – for DDoS protection
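The Web ACL pieces listed above, as an added example (not from these notes): a CloudFormation fragment that defines a rate-based rule, a geo-match rule and an SQL-injection rule, then attaches the Web ACL to an existing Application Load Balancer. The ALB ARN parameter and the country codes are placeholders you would replace.

```yaml
# Added example (not from the notes above): a CloudFormation fragment that builds
# a Web ACL with a rate-based rule, a geo-match rule and an SQLi rule, then
# attaches it to an existing Application Load Balancer. Placeholder values:
# the ALB ARN parameter and the country code list.
Parameters:
  AlbArn:
    Type: String                      # placeholder: ARN of the ALB to protect
Resources:
  WebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: example-web-acl
      Scope: REGIONAL                 # ALB / API Gateway; CloudFront uses CLOUDFRONT
      DefaultAction:
        Allow: {}                     # requests pass unless a rule below blocks them
      VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: ExampleWebAcl }
      Rules:
        - Name: RateLimitPerSourceIp  # rate-based rule: counts requests per client IP
          Priority: 0
          Statement:
            RateBasedStatement:
              Limit: 2000             # block an IP that exceeds 2000 requests in 5 minutes
              AggregateKeyType: IP
          Action: { Block: {} }
          VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: RateLimitPerSourceIp }
        - Name: GeoBlock              # geo-match rule: block the listed countries
          Priority: 1
          Statement:
            GeoMatchStatement:
              CountryCodes: [XX, YY]  # placeholders: ISO 3166-1 alpha-2 codes to block
          Action: { Block: {} }
          VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: GeoBlock }
        - Name: SqliInBody            # SQL injection match on the URL-decoded request body
          Priority: 2
          Statement:
            SqliMatchStatement:
              FieldToMatch: { Body: {} }
              TextTransformations:
                - { Priority: 0, Type: URL_DECODE }
          Action: { Block: {} }
          VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: SqliInBody }
  WebAclAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref AlbArn
      WebACLArn: !GetAtt WebAcl.Arn
```

Rules are evaluated in priority order, and the CloudWatch metrics enabled on each rule are what lets you watch block counts before switching a rule from Count to Block in production.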

AWS Network Firewall

• Protect your entire Amazon VPC

• From Layer 3 to Layer 7 protection

• Inspects traffic in any direction:

  • VPC to VPC traffic

  • Outbound to internet

  • Inbound from internet

  • To/from Direct Connect & Site-to-Site VPN
