Introduction

Nowadays applications face many different types of Distributed Denial of Service (DDoS) attacks and web exploits.

In this article, I will compare AWS Shield with AWS WAF and explain how these two AWS services help make a serverless application's security stronger.

What is AWS WAF?

AWS WAF is a web application firewall that helps protect your web applications and APIs against common web exploits and bots. Attacks may affect availability, compromise security, or consume excessive resources. AWS WAF gives you control over how traffic reaches your applications by enabling you to create security rules that control bot traffic and block common attack patterns.

What is AWS Shield?

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. There are two tiers of AWS Shield - Standard and Advanced.

[Image: AWS WAF and AWS Shield protect and enhance security]

The image above shows AWS WAF and AWS Shield protecting and enhancing the security of the application.

Difference Between AWS Shield and AWS WAF

What is the recommended Setup for a Serverless Architecture?

For a serverless architecture I would recommend using AWS WAF in front of CloudFront, API Gateway, AppSync or an Application Load Balancer to protect your APIs and other relevant resources from common web exploits. At the very least, start with a few rate-based rules sized to your application's traffic. AWS Shield Standard is enabled by default at no additional charge; keeping it paired with AWS WAF gives you DDoS mitigation alongside protection against common web exploits. One reference serverless architecture has already been shared above in this article.
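Sizing those rate-based rules "according to your application traffic" is the step most teams skip. The following Python is an added example, not code from the article or from AWS: it replays a constructed access log, finds the busiest source IP in any trailing 5-minute window (the period AWS WAF rate-based rules count over), proposes a Limit with headroom above legitimate peaks, and emits the rule in the WAFv2 Rules[] shape that boto3's create_web_acl accepts. The log format, IP addresses, headroom factor and floor value are all assumptions made for the example.

```python
"""Sizing an AWS WAF rate-based rule from access logs and expressing it as a WAFv2 rule.

Added example (not from the article): the log format, IPs and thresholds below are
constructed; the rule dict follows the boto3 `wafv2` Rules[] shape.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines: "<ISO timestamp> <client IP> <path>".
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 203.0.113.9 /api/orders
2024-01-01T10:00:01Z 198.51.100.7 /api/orders
2024-01-01T10:00:01Z 203.0.113.9 /api/orders
2024-01-01T10:00:02Z 203.0.113.9 /api/orders
2024-01-01T10:00:03Z 203.0.113.9 /api/login
2024-01-01T10:00:04Z 203.0.113.9 /api/login
2024-01-01T10:00:05Z 203.0.113.9 /api/login
2024-01-01T10:00:30Z 198.51.100.7 /api/orders/42
2024-01-01T10:02:00Z 198.51.100.7 /api/orders
2024-01-01T10:10:00Z 198.51.100.7 /api/orders
"""

# AWS WAF rate-based rules count requests per source over a trailing 5-minute window.
WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Turn the constructed log format into (timestamp, ip, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, ip, path = line.split()
        events.append((datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"), ip, path))
    return events


def peak_rate_per_ip(events, window=WINDOW):
    """Highest request count any single IP reached inside one sliding window.

    This is a local approximation of how a rate-based rule sees traffic; the
    service's own counting cadence differs, so treat the numbers as a sizing aid.
    """
    by_ip = defaultdict(list)
    for stamp, ip, _ in events:
        by_ip[ip].append(stamp)
    peaks = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, best = 0, 0
        for end, stamp in enumerate(stamps):
            while stamp - stamps[start] >= window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks


def suggest_limit(peaks, headroom=2.0, floor=100):
    """Threshold comfortably above the busiest legitimate client.

    `headroom` and `floor` are assumed tuning values; check the current AWS WAF
    quotas for the service's own minimum Limit before applying a low floor.
    """
    return max(floor, int(max(peaks.values()) * headroom))


def over_limit(peaks, limit):
    """IPs a rule with this Limit would have blocked on the sample traffic."""
    return sorted(ip for ip, n in peaks.items() if n > limit)


def rate_based_rule(name, limit, priority=0):
    """WAFv2 rule entry (the Rules[] shape boto3 `create_web_acl` accepts) that
    blocks any source IP exceeding `limit` requests in the 5-minute window."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


if __name__ == "__main__":
    peaks = peak_rate_per_ip(parse_log(SAMPLE_LOG))
    limit = suggest_limit(peaks)
    print("peak requests per IP in any 5-minute window:", peaks)
    print("suggested Limit:", limit)
    print("would be blocked at Limit=5:", over_limit(peaks, 5))
    print(rate_based_rule("api-rate-limit", limit))
```

The returned dict goes into the Rules list of a wafv2 create_web_acl call with Scope REGIONAL for API Gateway, AppSync or ALB targets (CLOUDFRONT for a CloudFront distribution), and the resulting web ACL is attached with associate_web_acl. Keep the VisibilityConfig metrics on: the CloudWatch counts are what tell you whether the Limit is blocking attackers or your own busiest customers.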

If you run a high-visibility application or are otherwise exposed to frequent DDoS attacks, you should consider purchasing Shield Advanced. It adds further capabilities on top of AWS WAF, as described in the comparison above.

Conclusion

AWS Shield (DDoS protection) and AWS WAF (web application firewall) are both good security control services that lower the risk of external attacks on your serverless application on AWS.

AWS Shield and AWS WAF provide protection at different OSI layers and help prevent major web exploits, bot traffic and DDoS attacks.

AWS Shield Advanced gives robust protection against DDoS attacks, near real-time visibility into attacks, integration with AWS WAF and 24x7 access to the AWS Shield Response Team, at additional cost compared to the free AWS Shield Standard tier.

Sources

  1. https://aws.amazon.com/waf/
  2. https://aws.amazon.com/shield/