Introduction to AWS WAF and Shield
Controlling Traffic to Applications and APIs
AWS WAF and AWS Shield are part of AWS’ infrastructure protection services. They can be used separately or, using web ACLs, together.
AWS WAF specifically provides protection for web applications and APIs by controlling HTTP and HTTPS requests. The key features of AWS WAF include:
- Web traffic filtering
- AWS WAF Bot Control
- Full feature API
- Real-time visibility
- Integration with AWS Firewall Manager
AWS Shield protects applications from DDoS attacks and has two tiers of protection. The AWS Shield Standard tier is available to AWS customers at no additional charge. It provides protection from the most common network and transport layer DDoS attacks. This tier is used with Amazon CloudFront and Route 53 to cover infrastructure attacks. The AWS Shield Advanced tier expands protections to attacks that target applications running on EC2, ELB, and Global Accelerator, as well as CloudFront and Route 53.
Learn more about infrastructure protection services in the AWS documentation on AWS WAF and AWS Shield.
AWS WAF is a web application firewall that can observe traffic to and from CloudFront or an Application Load Balancer. It can also block traffic that may be suspicious, such as requests containing SQL code or scripts, or traffic from certain places, such as certain countries or IP addresses. AWS Shield is specifically for DDoS attacks and protects against them. The Standard tier is free of charge, so you should have it enabled.
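The blocking criteria described above map onto web ACL rule statements. The CloudFormation template below is an added example, not part of the original page: the resource names, the metric names, the 203.0.113.0/24 range and the `AQ` country code are constructed placeholders, and it assumes a regional web ACL intended for an Application Load Balancer.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  BlockedIPs:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: example-blocked-ips       # hypothetical name
      Scope: REGIONAL                 # REGIONAL for an ALB; CLOUDFRONT for a distribution
      IPAddressVersion: IPV4
      Addresses: [203.0.113.0/24]     # documentation range, constructed sample
  ExampleWebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: example-web-acl           # hypothetical name
      Scope: REGIONAL
      DefaultAction: { Allow: {} }    # requests that match no rule are allowed
      VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: exampleWebAcl }
      Rules:
        - Name: block-listed-ips      # traffic from certain IP addresses
          Priority: 0                 # rules are evaluated from the lowest number up
          Action: { Block: {} }
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt BlockedIPs.Arn
          VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: blockListedIps }
        - Name: block-countries       # traffic from certain countries
          Priority: 1
          Action: { Block: {} }
          Statement:
            GeoMatchStatement: { CountryCodes: [AQ] }   # placeholder country code
          VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: blockCountries }
        - Name: block-sqli-query      # SQL code in the query string
          Priority: 2
          Action: { Block: {} }
          Statement:
            SqliMatchStatement:
              FieldToMatch: { QueryString: {} }
              TextTransformations:
                - { Priority: 0, Type: URL_DECODE }     # decode before inspecting
          VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: blockSqliQuery }
        - Name: block-xss-body        # scripts in the request body
          Priority: 3
          Action: { Block: {} }
          Statement:
            XssMatchStatement:
              FieldToMatch: { Body: {} }
              TextTransformations:
                - { Priority: 0, Type: HTML_ENTITY_DECODE }
          VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: blockXssBody }
```

Changing a rule's `Action` to `Count: {}` records matches in the rule's metric without blocking, which lets you review what a rule would catch before it is enforced.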