Application owners must ensure a secure exchange of information. To protect applications against unwanted and malicious internet traffic, AWS offers three services: Shield, Web Application Firewall (WAF) and Firewall Manager. These AWS services offer protection on Layer 3 (network), Layer 4 (transport) and Layer 7 (application) of the OSI model.
AWS Shield protects AWS components against DDoS attacks. These attacks produce huge numbers of artificially generated requests to disrupt public applications. Shield is available in two presentations: Standard and Advanced.
AWS Shield Standard is enabled by default in CloudFront and Route 53 at no extra cost. AWS Shield Advanced is available for those two services plus several others: Elastic Load Balancing, EC2, Elastic IPs and Global Accelerator.
AWS Shield Standard offers protection against certain attacks but lacks flexibility for custom configurations. Shield Advanced integrates with the AWS WAF service to configure specific protection rules. Additionally, Shield Advanced provides access to the AWS Shield response team, a 24/7 support group available for emergencies. It also protects against extra AWS charges that could incur as a result of increased usage due to a DDoS attack; affected customers can request credits.
AWS Shield Advanced costs $3,000 per month. There is an additional data transfer fee, which varies depending on the protected resource type and the amount of data transferred (e.g., <100 TB, 400 TB, 500 TB). The Shield Advanced data transfer fee could be between $25 to $50 for 1 TB of data transferred within the initial 100 TB bracket, depending on the protected resource type. This is in addition to the data transfer fees applicable to each protected resource. The monthly fee is applicable per AWS Organization. Therefore, deployments across multiple AWS accounts within one Organization would pay only a single fee.
While Shield Standard protects against attacks on Layer 3 (network) and Layer 4 (transport), Shield Advanced expands the number of supported AWS services and integrates with WAF to support coverage against attacks on Layer 7 (application).
Web Application Firewall
The WAF service focuses on Layer 7 protection. WAF's configurable feature set detects and blocks specific traffic patterns trying to reach your application in real time. It interacts with CloudFront distributions, application load balancers, AppSync GraphQL, APIs and API Gateway REST APIs. A WAF can be configured to detect traffic from the following:
- specific IPs;
- IP ranges or country of origin;
- content patterns in request bodies, headers and cookies;
- SQL injection attacks;
- cross-site scripting; and
- IPs exceeding rate-based rules.
When incoming traffic matches any of the configured rules, WAF can reject requests, return custom responses or simply create metrics to monitor applicable requests.
WAF charges $1 a month per configured rule and $5 a month per web Access Control List (ACL). A web ACL can be associated to multiple resources. AWS restricts how web ACLs can be associated with multiple resources, so check the documentation for details.
AWS WAF charges $0.60 per 1 million requests. For example, an application that handles 10 requests per second will cost approximately $15 per month. Plus, factor in any charges related to the number of rules and web ACLs.
AWS Firewall Manager
AWS Firewall Manager is intended for centralized management across multiple AWS accounts and resources. It supports the following services:
- Shield Advanced
- VPC security groups
- Network Firewall
- Route 53 Resolver DNS Firewall
With Firewall Manager, application owners can configure rules that apply to all accounts. Owners also can configure rules to all resources of a certain type within an account or organization, such as applying rules to all CloudFront distributions. When you add new resources to an account, you can automatically assign certain protection rules to them.
Large organizations sometimes struggle to protect their growing number of configurations and resources. Firewall Manager can assist with that. It charges $100 a month per configured rule per region. Plus, factor in any charges related to created resources, such as WAF webACLs, WAF rules, AWS Config rules and so on.
Combining AWS Shield Standard and WAF is a great option for small or medium deployments. AWS Shield Advanced and Firewall Manager together with WAF is a suitable option for large deployments.