AWS WAF vs AWS Shield for beginners

【Table of contents】

  1. Introduction
  2. What is AWS WAF?
  3. What is AWS Shield?
  4. Towards a robust cloud security
  5. Conclusion
  • 1. Introduction

    We will describe the features and roles of AWS WAF and AWS Shield. Both are security-related managed services provided by AWS and have the role of protecting web services built on AWS from external attacks.

  • 2. What is AWS WAF?

    AWS WAF is a web application firewall provided by AWS, which has the largest share of the global cloud service market. It is mainly used to protect websites from attacks on web applications, and it operates at layer 7 (the application layer) of the OSI reference model. AWS WAF has the following features:

    ・Cost effective
    While other WAF products may cost thousands of dollars in initial fees alone, AWS WAF has no initial cost and its running cost is only around $20 per month, making it very cheap.

    ・Ease of deployment
    If you have basic security knowledge, you can set it up in a few clicks. If you don't have any security knowledge, you can start with "Managed Rules" for AWS WAF: defensive rule sets sold by security vendors on the AWS Marketplace. These managed rules are also available at a very low cost.

    • a) Things AWS WAF can protect

      With AWS WAF, you can protect your web services against security attacks such as the following:

       ・SQL injection attacks
       ・Cross-site scripting attacks
       ・OS command injection attacks
       ・DDoS attacks

      Any of these attacks can cause significant damage, such as the leakage of customer information or the suspension of your service.
      Note that AWS WAF can only protect resources that are fronted by API Gateway, Elastic Load Balancer, or CloudFront, because the WAF is attached to one of those services.
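      As an added example (not code from the original post), here is a minimal CloudFormation template for an AWS WAF web ACL that puts the pieces above together: two AWS-provided managed rule groups covering SQL injection and cross-site scripting, plus a rate-based rule for the layer-7 DDoS mitigation the WAF side is responsible for. The resource name, metric names and the 2000-request threshold are assumptions; the managed rule group names are AWS's own.

```yaml
Resources:
  ExampleWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: ExampleWebAcl                # assumed name
      Scope: CLOUDFRONT                  # create in us-east-1; REGIONAL for ALB / API Gateway
      DefaultAction:
        Allow: {}                        # requests no rule matches pass through
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: ExampleWebAcl
      Rules:
        - Name: AWSCommonRules
          Priority: 0
          OverrideAction:
            None: {}                     # keep the group's own block actions
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesCommonRuleSet   # XSS and other common web attacks
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: AWSCommonRules
        - Name: AWSSQLiRules
          Priority: 1
          OverrideAction:
            None: {}
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesSQLiRuleSet     # SQL injection patterns
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: AWSSQLiRules
        # Layer-7 DDoS mitigation: block an IP exceeding 2000 requests per 5-minute window (assumed threshold)
        - Name: RateLimitPerIp
          Priority: 2
          Action:
            Block: {}
          Statement:
            RateBasedStatement:
              Limit: 2000
              AggregateKeyType: IP
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: RateLimitPerIp
```

      To protect a CloudFront distribution, set the distribution's WebACLId to this ACL's ARN; with Scope REGIONAL, attach it to an Application Load Balancer or API Gateway stage with an AWS::WAFv2::WebACLAssociation resource instead.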

  • 3. What is AWS Shield?

    AWS Shield is an AWS service that protects mainly against DDoS attacks. A DDoS (Distributed Denial of Service) attack uses a large number of servers to overload a web service, bringing down servers and applications and making them unavailable.
    AWS Shield has the following features:

    ・Cheap
    AWS Shield can be used for free as long as you don't choose the "AWS Shield Advanced" option. It has no initial or running costs.

    ・Easy to set up
    Unlike AWS WAF, you don't need to enable it yourself: it is enabled automatically, so there is nothing to do to start using it. You do need to configure it if you want the Advanced option, but that can also be done in a few clicks. Thus, it is very easy to implement.

    ・Excellent options
    For an additional monthly fee, you can choose AWS Shield Advanced as an option. It lets you detect communication suspected to be DDoS traffic and get support from AWS's dedicated security team. In addition, if a DDoS attack increases your AWS usage fees because of the extra load, the increase caused by the attack is not charged.

    • a) Things AWS Shield can protect

      We wrote that both AWS WAF and AWS Shield can "defend against DDoS attacks". This is true, but they defend against different types of DDoS attacks.
      AWS WAF mitigates DDoS attacks at layer 7 of the OSI reference model, while AWS Shield protects web services from DDoS attacks at layers 3 and 4.

      Not sure what the OSI model is? Please refer to the following blog post.
      OSI model for beginners: https://www.wafcharm.com/en/blog/osi-model-for-beginners/

  • 4. Towards a robust cloud security

    Let's compare AWS WAF and AWS Shield with robust cloud security in mind. Public cloud services such as AWS are used over the Internet and are constantly at risk of being exposed to security attacks. Let's take a look at which services you can use to strengthen your security.

    • a) Which one should be used?

      As it turns out, you should use both AWS WAF and AWS Shield rather than choosing one over the other. Each covers areas that the other does not protect. Enabling only one of them does not make you safe; the best cloud security is achieved by using both together.

    • b) Services to combine with AWS WAF and AWS Shield

      As an effective way to defend against DDoS attacks, we recommend combining them with CloudFront, which serves as a CDN and caches the web content located on the web server. This means that DDoS traffic targeting the web servers can be prevented from reaching them directly, so attacks can be weathered without increasing the load on the web server. DDoS attacks, which require the attacker to prepare or purchase a large number of servers, can be contained in 45 minutes to an hour. Therefore, using AWS Shield and CloudFront together should help you minimize the damage from DDoS attacks.

      There are also types of security attacks that neither AWS WAF nor AWS Shield can prevent, such as malware and targeted attacks. These can be effectively prevented by installing third-party antivirus software on your web servers. Also, in the event of an attack, enabling services such as GuardDuty or Amazon Detective can greatly reduce detection and investigation effort. Strengthen your security by combining the multiple security services provided by AWS.

  • 5. Conclusion

    Despite the title "AWS WAF vs. AWS Shield", each service has a different role and defends against different attacks. By using both, you can combine their functions and implement stronger security measures. Both are very easy and inexpensive to implement, so we definitely recommend using both. AWS also offers many other security services, and they are very cheap. By combining multiple services, you can protect your services from security attacks and be prepared in the event of one. Let's combine these services to provide safe and inexpensive web services.
