AWS Shield & WAF

AWS Shield Standard	AWS Shield Advance
Free with Route53 and CloudFront	$3000/month/organization which also supports - EC2, ELB, Global Accelerator in addition to Cloudfront & R53
Protect against Layer 3 and Layer 4 DDoS attacks	Protect against Layer 3 and Layer 4 DDoS attacks
	Provides 24/7 (365 days) advance response team to deal with DDoS atack
	Financial Insurance for any increased AWS cost incurred by the attack

Web Application Firewall

Layer 7 (HTTP/s) Firewall
Protect against complex Layer 7 attacks/exploits
SQL Injections, Cross-Site Scripting, Geo Blocks, Rate Awareness
Web Access Control List (WEBACL) integrated with ALB, API Gateway and CloudFront
- WAF provides WEBACL
- Rules are added to WEBACL and evaluated when traffic arrives
WAF Rules
- WEBACL => RULE GROUPS* => RULES
- WEBACL Capacity Units (WCU)
  - Simpler rule uses fewer WCU
  - More complex rule uses more WCU
  - Limit on how many WCU on WEBACL
- Charged for following..
  - WEBACL - monthly fee for each ACL
  - Rules - monthly fee for each rule
  - Based on no. of Requests
- WEBACL has default action
  - ALLOW or BLOCK
  - COUNT - how many times a rule is matched
- Come with 2 different types of rules
  - Regular Rule
  - Rate-Based Rule - frequency at which an IP could go through ACL
- Conditions (Layer 7 attributes) for rule can be based on
  - IP Addresses
  - Country or GEO
  - Length of the request
  - SQL code in the request
  - Strings in the request
  - Scripts and headers in the request

aws-shield-waf

AWS Shield	AWS WAF
DDoS	Layer 7 (HTTP/HTTPS)
	Rate Limiter and Layer 7 aspects