AWS WAF vs AWS Shield: Difference Between AWS WAF and AWS Shield
With ever increasing cyber attacks in recent times, Security has become the topmost priority for any organization. When it comes to AWS cloud, it provides a wide range of services to help you strengthen the overall security of your environment.
Today, we are going to discuss about two important security services offered by AWS which are-
- AWS WAF(web application firewall)
- AWS Shield
The main purpose of this article is to help you understand these two managed security services from AWS. We will go through their standard features, offering, pricing and when to use which one 🙂
In other words, we will understand the difference between AWS WAF and AWS Shield.
Let’s get started..
What is AWS WAF?
AWS WAF or Web Application Firewall is a web application firewall, that protects your web applications or API against most common cyber-attacks or threats. For example-
- SQL Injection
- Cross-site scripting
- Distributed Denial-of-services etc.
Suggested Read: Most Common Cyber Attacks You Should Know About
It allows you to control traffic to your web application. You can create custom policies to write your own rules to Allow or Block or Monitor the incoming traffic depending on the criteria or condition you define. If you have multiple website/web applications hosted, you get flexibility to create centralized set of rules and apply to all of them.
There are several standard features that are being provided by AWS WAF such as-
- Real-time traffic visibility
- Can be used with firewall manager to manage WAF across multiple accounts
- Web traffic filtering
- Can be managed via API
- AWS WAF Bot Control etc.
Another thing, from pricing prospects, you must be very much familiar with Pay as you go model, Here you have to pay based on combination of below points.
- number of web access control lists (web ACLs) that you create
- the number of rules that you add per web ACL
- and the number of web requests that you receive.
At the time of writing this post, pricing is as mentioned in below screenshot. For updated pricing please visit the official page here.
Integration With Other AWS Services
You can deploy AWS WAF with different AWS services such as AWS CloudFront, Application Load Balancer (ALB), API Gateway and AppSync.
What is AWS Shield?
AWS Shield is the managed security service that protects your web applications in AWS environment against DDoS or Distributed Denial-of-services attack.
Let’s quickly understand what exactly is Distributed Denial-of-Services (DDoS)?
As the name says, it simply means service is denied to the intended user.
In this type of attack, an attacker sends huge amount of fake traffic to your application which might even result in making your underlying system crash. As a result, your application becomes unavailable for it’s actual users.
AWS Shield will protect you against DDoS attack and safeguard your web application. Shield comes in two tiers and let’s see what are those.
AWS Shield Tiers
AWS Shield Standard
- Shield standard provides round the clock detection of most common attacks
- Works mainly in Network and Transport layer of OSI
- Provides automatic mitigation of detected attacks(DDoS)
- It is turned on by default and applies to all services of AWS
- Provided to you at no additional cost
AWS Shield Advanced
- Shield Advanced provides you additional protection against bigger and sophisticated attacks
- Works with EC2 (Elastic Cloud Computing), ELB(Elastic load Balancer), CloudFront, Route53 etc.
- You need to subscribe to Shield Advanced explicitly at extra cost
- It also provides 24X7 access to shield response team.
Pricing is as mentioned in below screenshot. For updated pricing please visit the official page here.
Integration With AWS Services
As we know by now, Shield standard is already turned on by default and works with all AWS services. However, Shield Advanced works with below mentioned AWS services.
AWS WAF vs Shield – Difference Between AWS WAF and AWS Shield
|Comparison Criteria||AWS WAF||AWS Shield|
|Operating OSI Layer||It operates in Application Layer(layer 7)||It operates in Network layer (Layer 3), Transport Layer (layer 4), also Application Layer(Layer 7) if you go for Shield Advanced|
|Pricing||There is cost associated when you use WAF, its not getting turned up automatically||AWS Shield provides two option |
1) Shield Standard – this is turned on automatically at no additional cost
2) Shield Advanced – there is fee associated with it, when you use Shield Advance
|Use-case||It protects against common web attacks like SQL Injection, Cross-Site scripting, DDoS etc.||Mainly protects against DDoS (Distributed Denial-Of-Services)|
Which one should we use?
Although you can always use the combination of WAF and Shield for better security posture, it’s not always necessary to use all the available security services. It always depends on your requirement.
If you just want to protect your application against common web attacks by allowing or blocking relevant traffic, WAF itself is a great choice.
As far as shield is concerned, basic is always enabled in all AWS account and all AWS services at no additional charges.
However, if you have a website which is prone to larger or more sophisticated kind of DDoS attack, you should consider using Shield Advanced.
Finally, it’s time to summarize the outcome from our discussion today. We learnt that, we can use AWS WAF to protect our applications from most common attacks whereas AWS Shield is specifically designed for protecting against DDoS attacks.
Both of these security services i.e. AWS WAF and AWS Shield are very important and plays key role to defend or protect web applications build on AWS infrastructure. Keeping Defense-in-depth concept in mind, we would recommend to use the combination of both of these services to enhance overall security posture of your environment.
Enjoyed the content?
Subscribe to our newsletter below to get awesome AWS learning materials delivered straight to your inbox.
If you liked reading my post, you can motivate me by-
- Adding a comment below on what you liked and what can be improved.
- Follow us on
- Share this post with your friends and colleagues.