Here’s twtech’s deep-dive comparison of AWS WAF, AWS Firewall Manager, and AWS Shield, focusing on their purpose, scope, architecture, and use cases.
Focus:
- High-Level Overview
- Core Functions and Responsibilities
- Layered Security Model Integration
- Together: AWS WAF + Shield + Firewall Manager
- Protection Layers in OSI Model Context
- Feature Comparison Matrix
- Sample Scenarios
- Best Practice: Combined Use
- Summary
High-Level Overview

| Service | Primary Function | Layer of Protection | Typical Use Case |
|---|---|---|---|
| AWS WAF | Application-layer firewall (L7) | Protects HTTP/S traffic | Filter or block malicious web requests |
| AWS Shield | DDoS protection (L3/L4; L7 when Shield Advanced works with WAF) | Protects network and transport layers | Defend against volumetric or protocol DDoS attacks |
| AWS Firewall Manager | Centralized policy management | Multi-account governance layer | Manage WAF, Shield Advanced, Network Firewall, and DNS Firewall policies org-wide |
Core Functions and Responsibilities

| Capability | AWS WAF | AWS Shield | AWS Firewall Manager |
|---|---|---|---|
| Main Role | Web traffic filtering (L7) | DDoS protection (L3/L4; L7 with Shield Advanced) | Centralized management of security policies across multiple accounts |
| Where It Applies | CloudFront, ALB, API Gateway (REST), AppSync, Cognito user pools, App Runner, Verified Access | Standard: all AWS resources automatically. Advanced: CloudFront, Route 53, Global Accelerator, ALB/CLB, EC2 Elastic IPs | Across AWS accounts in an AWS Organization |
| Protection Type | OWASP Top 10 patterns, bots, SQLi/XSS, per-client rate limiting | SYN floods, UDP floods, reflection/amplification attacks | Applies and enforces WAF, Shield Advanced, Security Group, Network Firewall, and DNS Firewall policies |
| Configuration | Web ACLs built from rules and rule groups (managed or custom) | Automatic (Shield Standard) or a subscription with per-resource protections (Shield Advanced) | Policy definitions (WAF / Shield Advanced / Security Groups / DNS Firewall / Network Firewall) scoped by OU, account, and resource tag |
| Automation Scope | Individual resource level (one web ACL per resource) | Account-level (protections per resource) | Organization-level (multi-account, OU-based) |
| Compliance Reporting | Per web ACL metrics and sampled requests (CloudWatch), WAF logs | Attack diagnostics and DDoS event reports (Advanced) | Compliance dashboard and automatic remediation |
| Pricing | Per web ACL, per rule, and per million requests | Standard (free) / Advanced (monthly subscription with a 1-year commitment) | Per policy per Region per month, plus the underlying WAF/Shield/Network Firewall charges |
Layered Security Model Integration
# Together AWS WAF + Shield + Firewall Manager:
- WAF defends against application-layer attacks (SQLi, XSS, bots, and HTTP floods via rate-based rules).
- Shield defends against network- and transport-layer DDoS (SYN floods, UDP floods, reflection attacks); Shield Advanced adds L7 DDoS mitigation by placing rules into the WAF web ACL that protects the resource.
- Firewall Manager ensures consistent protection across all accounts and new resources, re-applying the policy when resources are created or their configuration drifts.
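To make the WAF side of that stack concrete, here is an added example (not code from the original post or from AWS) that builds the web ACL definition AWS WAF expects in the boto3 `wafv2` shape: the managed rule groups for the L7 threats named above, followed by a rate-based rule that is WAF's only DDoS lever, plus the sanity checks the API would otherwise fail on (duplicate priorities or names, rule-group rules missing `OverrideAction`). The ACL name, priorities and the 2000-requests-per-IP limit are assumptions chosen for illustration; the `deploy` helper needs boto3 and credentials and is not exercised here.

```python
import json

# Assumed for the example: the web ACL name and the per-IP rate limit.
WEB_ACL_NAME = "twtech-edge-acl"
RATE_FLOOR = 100              # sanity floor chosen here (the API accepts lower values)
RATE_CEILING = 2_000_000_000  # WAFv2 API maximum for RateBasedStatement.Limit


def _visibility(metric):
    """Emit CloudWatch metrics and sampled requests under `metric`."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric}


def managed_rule(priority, name, vendor="AWS"):
    """One managed rule group (Common, SQLi, Bot Control, ...) in the web ACL.
    OverrideAction None keeps the group's own block/count decisions."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": {"VendorName": vendor, "Name": name}},
        "OverrideAction": {"None": {}},
        "VisibilityConfig": _visibility(name),
    }


def rate_based_rule(priority, name, limit):
    """Block any client IP exceeding `limit` requests per 5-minute window:
    WAF's own, L7-only answer to HTTP floods (Shield handles L3/L4)."""
    if not RATE_FLOOR <= limit <= RATE_CEILING:
        raise ValueError(f"rate limit {limit} outside {RATE_FLOOR}..{RATE_CEILING}")
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
        "Action": {"Block": {}},
        "VisibilityConfig": _visibility(name),
    }


def validate_web_acl(acl):
    """Reject what the WAFv2 API rejects: duplicate priorities or names, a
    rule-group rule without OverrideAction, a standalone rule without Action."""
    priorities = [r["Priority"] for r in acl["Rules"]]
    if len(set(priorities)) != len(priorities):
        raise ValueError("rule priorities must be unique")
    names = [r["Name"] for r in acl["Rules"]]
    if len(set(names)) != len(names):
        raise ValueError("rule names must be unique")
    for r in acl["Rules"]:
        is_group = ("ManagedRuleGroupStatement" in r["Statement"]
                    or "RuleGroupReferenceStatement" in r["Statement"])
        if is_group and "OverrideAction" not in r:
            raise ValueError(f"{r['Name']}: rule group rules need OverrideAction")
        if not is_group and "Action" not in r:
            raise ValueError(f"{r['Name']}: standalone rules need Action")
    if acl["Scope"] not in ("REGIONAL", "CLOUDFRONT"):
        raise ValueError("Scope must be REGIONAL or CLOUDFRONT")
    return True


def build_web_acl(scope="REGIONAL", rate_limit=2000):
    """Web ACL with default ALLOW: managed groups first, rate rule last.
    REGIONAL covers ALB/API Gateway/AppSync; CLOUDFRONT must be created in us-east-1."""
    acl = {
        "Name": WEB_ACL_NAME,
        "Scope": scope,
        "DefaultAction": {"Allow": {}},
        "Rules": [
            managed_rule(10, "AWSManagedRulesCommonRuleSet"),          # OWASP-style baseline
            managed_rule(20, "AWSManagedRulesSQLiRuleSet"),            # SQL injection
            managed_rule(30, "AWSManagedRulesKnownBadInputsRuleSet"),  # known exploit payloads
            managed_rule(40, "AWSManagedRulesBotControlRuleSet"),      # Bot Control (paid add-on)
            rate_based_rule(100, "PerIpRateLimit", rate_limit),
        ],
        "VisibilityConfig": _visibility(WEB_ACL_NAME),
    }
    validate_web_acl(acl)
    return acl


def evaluation_order(acl):
    """Rule names in the order WAF evaluates them (ascending priority)."""
    return [r["Name"] for r in sorted(acl["Rules"], key=lambda r: r["Priority"])]


def deploy(acl, region="us-east-1"):
    """Create the web ACL with boto3 (needs credentials; not run in the example)."""
    import boto3  # imported lazily so the module works without boto3 installed
    return boto3.client("wafv2", region_name=region).create_web_acl(**acl)


if __name__ == "__main__":
    print(json.dumps(build_web_acl(), indent=2))
```

The rate-based rule sits at the highest priority number on purpose: the managed groups get to block known-bad requests first, and the rate limit then catches the floods that are individually well-formed. Every rule and the ACL itself have CloudWatch metrics on, which is what the compliance-reporting row above refers to.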
Protection Layers in OSI Model Context

| OSI Layer | Example Threats | AWS Service Defense |
|---|---|---|
| Layer 3 (Network) | UDP reflection/amplification, ICMP floods | AWS Shield Standard (automatic) / Shield Advanced |
| Layer 4 (Transport) | SYN floods, TCP connection exhaustion | AWS Shield Standard (automatic) / Shield Advanced |
| Layer 7 (Application) | SQLi, XSS, bad bots, HTTP request floods | AWS WAF (plus Shield Advanced automatic L7 mitigation) |
| Management / Governance Layer | Configuration drift, inconsistent policy | AWS Firewall Manager |
Feature Comparison Matrix

| Feature | WAF | Shield | Firewall Manager |
|---|---|---|---|
| Custom Rules | ✅ (web ACLs, custom and managed rule groups) | ❌ | ✅ (enforced org-wide through WAF policies) |
| DDoS Protection | ⚠️ L7 only (rate-based rules) | ✅ L3/L4 (Standard), plus L7 detection and mitigation (Advanced) | ✅ Auto-enroll resources in Shield Advanced via policy |
| Multi-Account Policy Enforcement | ❌ | ❌ | ✅ |
| Bot Management | ✅ (Bot Control managed rule group, paid add-on) | ❌ | ✅ (via WAF policy) |
| API Gateway Integration | ✅ (REST APIs) | ⚠️ Not a Shield Advanced resource type; front it with CloudFront | ✅ (via WAF policy) |
| CloudFront Protection | ✅ | ✅ | ✅ |
| VPC-Level Protection | ❌ | ⚠️ (Elastic IPs only) | ✅ (via Network Firewall, Security Group, and DNS Firewall policies) |
| Compliance Dashboard | ⚠️ Limited (metrics, sampled requests, logs) | ✅ (attack reports, Advanced) | ✅ (org-wide compliance view) |
| Auto-Remediation | ❌ | ❌ (Advanced auto-mitigates L7 attacks but does not fix configuration) | ✅ (enforce and re-apply policies automatically) |
| Security Hub Integration | ⚠️ Indirect (WAF logs/metrics, or Firewall Manager findings) | ⚠️ DDoS events via CloudWatch/EventBridge; compliance findings via Firewall Manager | ✅ (native findings) |
| Cost Control | Per web ACL, rule, and request | Free (Standard) / flat monthly subscription plus data-transfer charges (Advanced) | Per policy per Region |
Sample Scenarios

| Scenario | Recommended Service(s) |
|---|---|
| Protect CloudFront and ALB from SQL injection and XSS | AWS WAF (managed rule groups) |
| Prevent DDoS attacks on a public-facing ALB or Elastic IP | AWS Shield Advanced |
| Apply a standard WAF + Shield Advanced policy across 50 AWS accounts | AWS Firewall Manager |
| Ensure every new VPC includes a Network Firewall policy | AWS Firewall Manager (Network Firewall policy) |
| Detect and block bots scraping APIs | AWS WAF Bot Control |
| Audit and restrict overly permissive Security Groups | AWS Firewall Manager (Security Group audit/usage policy) |
Best Practice: Combined Use

| Goal | Recommended Combination |
|---|---|
| Full-stack DDoS + web protection | Shield Advanced + WAF |
| Multi-account security compliance | Firewall Manager + (WAF / Shield Advanced) policies |
| Auto-protection for new workloads | Firewall Manager policies with tag-based resource scope and remediation enabled |
| Visibility + response | Integrate all three with AWS Security Hub and CloudWatch (WAF logs, Shield Advanced DDoSDetected metric, Firewall Manager compliance findings) |
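The "50 accounts" scenario and the tag-based auto-protection row above both come down to Firewall Manager policy documents. The following is an added example (not code from the original post or from AWS) that builds the two policies in the shape `fms.put_policy` takes: a WAFV2 policy whose `ManagedServiceData` JSON puts AWS managed rule groups in the pre-process position so account owners cannot bypass them, and a Shield Advanced policy that enrols tagged ALBs, Elastic IPs and CloudFront distributions in an OU. The OU ID, tag, policy names and baseline rule-group list are assumptions; the `ManagedServiceData` key names follow the documented Firewall Manager format. `validate_policy` separates hard errors (the `type` inside the JSON not matching the policy type) from settings that quietly turn enforcement into reporting.

```python
import json

# Assumed values for the example: replace with your own OU ID and tag scheme.
ORG_UNIT_ID = "ou-abcd-12345678"
SCOPE_TAG = {"Key": "Environment", "Value": "prod"}
BASELINE_GROUPS = ("AWSManagedRulesCommonRuleSet", "AWSManagedRulesSQLiRuleSet")


def waf_managed_service_data(groups=BASELINE_GROUPS, default_action="ALLOW"):
    """ManagedServiceData for a WAFV2 policy. Firewall Manager creates this web
    ACL in every in-scope account; pre-process groups run before any rules the
    account owner adds, so they cannot be overridden locally."""
    pre = [
        {
            "ruleGroupType": "ManagedRuleGroup",
            "ruleGroupArn": None,
            "overrideAction": {"type": "NONE"},
            "managedRuleGroupIdentifier": {
                "vendorName": "AWS", "managedRuleGroupName": name, "version": None},
            "excludeRules": [],
        }
        for name in groups
    ]
    return json.dumps({
        "type": "WAFV2",
        "preProcessRuleGroups": pre,
        "postProcessRuleGroups": [],
        "defaultAction": {"type": default_action},
        "overrideCustomerWebACLAssociation": False,  # leave existing ACLs in place
        "loggingConfiguration": None,
    })


def waf_policy(name, resource_type="AWS::ElasticLoadBalancingV2::LoadBalancer"):
    """WAF policy for every prod-tagged ALB in the OU, with auto-remediation."""
    return {
        "PolicyName": name,
        "SecurityServicePolicyData": {
            "Type": "WAFV2", "ManagedServiceData": waf_managed_service_data()},
        "ResourceType": resource_type,
        "ResourceTags": [SCOPE_TAG],
        "ExcludeResourceTags": False,   # False: the tagged resources are IN scope
        "RemediationEnabled": True,     # FMS creates and associates the web ACL
        "IncludeMap": {"ORG_UNIT": [ORG_UNIT_ID]},
    }


def shield_policy(name):
    """Shield Advanced policy: enrol in-scope ALBs, Elastic IPs and CloudFront
    distributions. A policy that covers CloudFront must be created in us-east-1."""
    return {
        "PolicyName": name,
        "SecurityServicePolicyData": {
            "Type": "SHIELD_ADVANCED",
            "ManagedServiceData": json.dumps({"type": "SHIELD_ADVANCED"})},
        "ResourceType": "ResourceTypeList",
        "ResourceTypeList": [
            "AWS::ElasticLoadBalancingV2::LoadBalancer",
            "AWS::EC2::EIP",
            "AWS::CloudFront::Distribution",
        ],
        "ResourceTags": [SCOPE_TAG],
        "ExcludeResourceTags": False,
        "RemediationEnabled": True,
        "IncludeMap": {"ORG_UNIT": [ORG_UNIT_ID]},
    }


def managed_rule_names(policy):
    """Managed rule groups a WAFV2 policy enforces, in evaluation order."""
    data = json.loads(policy["SecurityServicePolicyData"]["ManagedServiceData"])
    groups = data.get("preProcessRuleGroups", []) + data.get("postProcessRuleGroups", [])
    return [g["managedRuleGroupIdentifier"]["managedRuleGroupName"] for g in groups]


def validate_policy(policy):
    """Raise on mistakes put_policy rejects; return warnings for settings that
    make the policy report-only or wider in scope than intended."""
    spd = policy["SecurityServicePolicyData"]
    data = json.loads(spd["ManagedServiceData"])  # must be a JSON *string*
    if data.get("type") != spd["Type"]:
        raise ValueError("ManagedServiceData.type must equal SecurityServicePolicyData.Type")
    if policy["ResourceType"] == "ResourceTypeList" and not policy.get("ResourceTypeList"):
        raise ValueError("ResourceTypeList is empty")
    warnings = []
    if not policy.get("RemediationEnabled"):
        warnings.append("RemediationEnabled is false: non-compliant resources are only reported")
    if not policy.get("IncludeMap") and not policy.get("ExcludeMap"):
        warnings.append("no IncludeMap/ExcludeMap: policy applies to every account in the org")
    return warnings


def deploy(policy, region="us-east-1"):
    """Push the policy from the Firewall Manager administrator account
    (needs boto3 and credentials; not exercised by the example)."""
    import boto3  # imported lazily so the module works without boto3 installed
    return boto3.client("fms", region_name=region).put_policy(Policy=policy)


if __name__ == "__main__":
    for p in (waf_policy("org-baseline-waf"), shield_policy("org-shield-advanced")):
        print(p["PolicyName"], "warnings:", validate_policy(p))
```

`RemediationEnabled` is the switch that turns a Firewall Manager policy from a compliance view into auto-protection for new workloads; with it off you still get the dashboard finding, but the new ALB in account 37 stays unprotected until someone acts on it.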
Summary

| Aspect | AWS WAF | AWS Shield | AWS Firewall Manager |
|---|---|---|---|
| Primary Focus | Web app security (L7) | DDoS resilience (L3/L4; L7 with Advanced) | Org-wide policy enforcement |
| Managed By | Security/DevOps team | Security/Infra team | Central SecOps |
| Scope | Resource-level | Account-level | Organization-level |
| Best For | Custom traffic rules, bots | DDoS protection; cost protection and Shield Response Team support (Advanced) | Governance and automation |