What are Amazon WAF, Amazon Shield, and Amazon Firewall Manager?

You can use Amazon WAF, Amazon Shield, and Amazon Firewall Manager together to create a comprehensive security solution. Amazon WAF is a web application firewall that you can use to monitor web requests that your end users send to your applications and to control access to your content. Amazon Shield provides protection against distributed denial of service (DDoS) attacks for Amazon resources, at the network and transport layers (layers 3 and 4) and the application layer (layer 7). Amazon Firewall Manager provides management of protections like Amazon WAF and Shield Advanced across accounts and resources, even as new resources are added.

Amazon WAF

Amazon WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to your protected web application resources. You can protect the following resource types:

  • Amazon CloudFront distribution

  • Amazon API Gateway REST API

  • Application Load Balancer

  • Amazon AppSync GraphQL API

  • Amazon Cognito user pool

  • Amazon App Runner service

  • Amazon Verified Access instance

Amazon WAF lets you control access to your content. Based on conditions that you specify, such as the IP addresses that requests originate from or the values of query strings, your protected resource responds to requests either with the requested content, with an HTTP 403 status code (Forbidden), or with a custom response.

At the simplest level, Amazon WAF lets you choose one of the following behaviors:

  • Allow all requests except the ones that you specify – This is useful when you want Amazon CloudFront, Amazon API Gateway, Application Load Balancer, Amazon AppSync, Amazon Cognito, Amazon App Runner, or Amazon Verified Access to serve content for a public website, but you also want to block requests from attackers.

  • Block all requests except the ones that you specify – This is useful when you want to serve content for a restricted website whose users are readily identifiable by properties in web requests, such as the IP addresses that they use to browse to the website.

  • Count requests that match your criteria – You can use the Count action to track your web traffic without modifying how you handle it. You can use this for general monitoring and also to test your new web request handling rules. When you want to allow or block requests based on new properties in the web requests, you can first configure Amazon WAF to count the requests that match those properties. This lets you confirm your new configuration settings before you switch your rules to allow or block matching requests.

  • Run CAPTCHA or challenge checks against requests that match your criteria – You can implement CAPTCHA and silent challenge controls against requests to help reduce bot traffic to your protected resources.
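
The following added example (not part of the Amazon WAF documentation or service code) models the Allow, Block, and Count behaviors above in a simplified evaluator, showing that a rule staged in Count mode records matches without changing the outcome until it is switched to Block. The rule shape borrows field names from the web ACL JSON format; the evaluator, the rule names, the `ZZ` country code, and the sample requests are assumptions made for illustration.

```python
# Simplified model of web ACL evaluation (added illustration, not AWS code).
# Only two statement types are modelled; text transformations are ignored.

def matches(statement, request):
    """Return True if the request satisfies the (simplified) statement."""
    if "GeoMatchStatement" in statement:
        return request["country"] in statement["GeoMatchStatement"]["CountryCodes"]
    if "ByteMatchStatement" in statement:
        bm = statement["ByteMatchStatement"]  # modelled as: query string CONTAINS
        return bm["SearchString"] in request["query"]
    raise ValueError("statement type not modelled")

def evaluate(web_acl, request):
    """Return (final_action, names_of_rules_that_counted_the_request)."""
    counted = []
    for rule in sorted(web_acl["Rules"], key=lambda r: r["Priority"]):
        if not matches(rule["Statement"], request):
            continue
        action = next(iter(rule["Action"]))  # "Allow", "Block" or "Count"
        if action == "Count":
            counted.append(rule["Name"])     # Count records the match and moves on
            continue
        return action, counted               # Allow and Block end evaluation
    return next(iter(web_acl["DefaultAction"])), counted

def with_action(web_acl, rule_name, action):
    """Return a copy of the web ACL with one rule's action replaced."""
    rules = [dict(r, Action={action: {}}) if r["Name"] == rule_name else r
             for r in web_acl["Rules"]]
    return dict(web_acl, Rules=rules)

# Constructed web ACL: public site (default Allow) with a new rule staged as Count.
WEB_ACL = {
    "DefaultAction": {"Allow": {}},
    "Rules": [
        {"Name": "block-geo", "Priority": 0, "Action": {"Block": {}},
         "Statement": {"GeoMatchStatement": {"CountryCodes": ["ZZ"]}}},  # placeholder code
        {"Name": "new-debug-param", "Priority": 1, "Action": {"Count": {}},
         "Statement": {"ByteMatchStatement": {"SearchString": "debug=1"}}},
    ],
}

# Constructed sample requests.
REQUESTS = [
    {"country": "US", "query": "page=2"},
    {"country": "US", "query": "page=2&debug=1"},
    {"country": "ZZ", "query": "debug=1"},
]
```

Comparing `evaluate(WEB_ACL, r)` with `evaluate(with_action(WEB_ACL, "new-debug-param", "Block"), r)` for each sample request shows which requests would change outcome once the counted rule is enforced.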

Using Amazon WAF has several benefits:

  • Additional protection against web attacks using criteria that you specify. You can define criteria using characteristics of web requests such as the following:

    • IP addresses that requests originate from.

    • Country that requests originate from.

    • Values in request headers.

    • Strings that appear in requests, either specific strings or strings that match regular expression (regex) patterns.

    • Length of requests.

    • Presence of SQL code that is likely to be malicious (known as SQL injection).

    • Presence of a script that is likely to be malicious (known as cross-site scripting).

  • Rules that can allow, block, or count web requests that meet the specified criteria. Alternatively, rules can block or count web requests that not only meet the specified criteria, but also exceed a specified number of requests in a minute or in five minutes.

  • Rules that you can reuse for multiple web applications.

  • Managed rule groups from Amazon and Amazon Web Services Marketplace sellers.

  • Real-time metrics and sampled web requests.

  • Automated administration using the Amazon WAF API.

If you want granular control over the protections that you add to your resources, Amazon WAF alone might be the right choice. For more information about Amazon WAF, see Amazon WAF.

Amazon Shield

You can use Amazon WAF web access control lists (web ACLs) to help minimize the effects of a distributed denial of service (DDoS) attack. For additional protection against DDoS attacks, Amazon also provides Amazon Shield Standard and Amazon Shield Advanced. Amazon Shield Standard is automatically included at no extra cost beyond what you already pay for Amazon WAF and your other Amazon services.

Amazon Shield Advanced provides expanded DDoS attack protection for your Amazon EC2 instances, Elastic Load Balancing load balancers, CloudFront distributions, Route 53 hosted zones, and Amazon Global Accelerator standard accelerators. Amazon Shield Advanced incurs additional charges. Shield Advanced options and features include automatic application layer DDoS mitigation, advanced event visibility, and dedicated support from the Shield Response Team (SRT). If you own high-visibility websites or are otherwise prone to frequent DDoS attacks, consider purchasing the additional protections that Shield Advanced provides. For additional information, see Amazon Shield Advanced capabilities and options and Deciding whether to subscribe to Amazon Shield Advanced and apply additional protections.

Amazon Firewall Manager

Amazon Firewall Manager simplifies your administration and maintenance tasks across multiple accounts and resources for a variety of protections, including Amazon WAF, Amazon Shield Advanced, Amazon VPC security groups and network ACLs, Amazon Network Firewall, and Amazon Route 53 Resolver DNS Firewall. With Firewall Manager, you set up your protections just once and the service automatically applies them across your accounts and resources, even as you add new accounts and resources.

For more information about Firewall Manager, see Amazon Firewall Manager.