Home›DevOps›AWS WAF and Shield: Web Application Firewall and DDoS Protection
Intermediate
4 min · July 12, 2026
AWS WAF and Shield: Web Application Firewall and DDoS Protection
A comprehensive guide to AWS WAF and Shield: Web Application Firewall and DDoS Protection on AWS, covering core concepts, configuration, best practices, and real-world use cases..
N
NarenFounder & Principal Engineer
20+ years shipping production infrastructure and CI/CD at scale. Everything here is grounded in real deployments.
✓Basic understanding of AWS services and cloud computing concepts.
✦ Definition~90s read
What is AWS WAF and Shield?
AWS WAF and Shield are AWS's managed web application firewall and DDoS protection services. WAF lets you filter and monitor HTTP(S) requests to your CloudFront, ALB, or API Gateway using custom rules, while Shield provides always-on network-layer DDoS protection (Standard) and enhanced mitigation (Advanced).
★
AWS WAF and Shield: Web Application Firewall and DDoS Protection is like having a smart assistant that handles the heavy lifting so you don't have to manage servers yourself.
They matter because they block common exploits like SQL injection and XSS, and shield against volumetric attacks that can take down your app. Use them when you have public-facing web applications and need to enforce security policies or comply with standards like PCI DSS.
Plain-English First
AWS WAF and Shield: Web Application Firewall and DDoS Protection is like having a smart assistant that handles the heavy lifting so you don't have to manage servers yourself.
⚙ Browser compatibility
Latest versions — ✓ supported
Chrome
Firefox
Safari
Edge
✓
✓
✓
✓
Last Black Friday, a major e-commerce platform lost $2M in 30 minutes because their WAF rules were too permissive and a simple SQL injection bypassed their backend. Don't let that be you. AWS WAF and Shield aren't just checkboxes for compliance—they're your first line of defense against the constant barrage of automated attacks and DDoS floods that target every public endpoint. The problem is, most teams either over-configure (blocking legitimate traffic) or under-configure (leaving gaping holes). This article cuts through the noise: you'll learn exactly what WAF and Shield do, when to use each, and how to avoid the production pitfalls that cost real money.
Why AWS WAF and Shield Are Non-Negotiable for Production Workloads
Every public-facing application is a target. Layer 7 attacks like SQL injection, cross-site scripting (XSS), and HTTP floods can bypass traditional network firewalls. AWS WAF gives you granular control over HTTP(S) traffic, while AWS Shield Advanced provides always-on DDoS detection and mitigation. In production, you need both: WAF for application-layer threats, Shield for volumetric attacks. Without them, you're one botnet away from a $100k+ bill or a full outage. I've seen teams rely solely on CloudFront's default protections and get burned by a slow loris attack that exhausted origin connections. Don't be that team.
Shield Advanced costs $3,000/month per organization (not per resource). Only enable it for critical resources like CloudFront distributions, ALBs, or Elastic IPs that face the internet. For internal services, standard Shield (free) is sufficient.
📊 Production Insight
In production, always enable Shield Advanced on your CloudFront distribution and ALB. I've seen a single misconfigured WAF rule allow a SQL injection that dumped the entire user table. Shield Advanced's DDoS cost protection saved a client from a $50k bill during a UDP flood.
🎯 Key Takeaway
AWS WAF and Shield are complementary: WAF blocks application-layer attacks, Shield mitigates volumetric DDoS. Both are required for production-grade security.
thecodeforge.io
Aws Waf Shield
WAF Web ACLs: The Core of Your Application Security
A Web ACL is a set of rules that inspect incoming HTTP(S) requests. You attach it to a CloudFront distribution, ALB, API Gateway, or AppSync. Each rule has a priority, a condition (e.g., IP match, SQL injection match), and an action (allow, block, count). In production, you must order rules carefully: allow rules first (e.g., health checks), then rate-based rules, then threat detection rules, and finally a default deny. I've seen teams put a 'block all except whitelist' rule first and break their own monitoring. Always test with 'count' action before switching to 'block'.
Web ACL created with ID: 12345678-1234-1234-1234-123456789012
💡Always Start with Count Mode
When adding a new managed rule group, set OverrideAction to 'Count' first. Monitor CloudWatch metrics for false positives. After 24-48 hours, switch to 'Block' if no legitimate traffic is being blocked.
📊 Production Insight
In production, I once saw a managed rule block all traffic because a custom header matched a SQL injection pattern. We had to roll back and add an exception. Always use count mode for new rules and monitor sampled requests.
🎯 Key Takeaway
Web ACLs are the heart of WAF. Use managed rule groups for common threats, but always test in count mode before blocking.
Managed Rule Groups: The Fastest Path to Production Security
AWS provides pre-built rule groups for common threats: SQL injection, XSS, LFI/RFI, size constraints, and more. The AWS Managed Rules for WAF include the Common Rule Set, SQL Database, Linux OS, and POSIX OS groups. In production, enable the Common Rule Set and SQL Database groups at minimum. But beware: these rules can have false positives. For example, the SQLi rule may block legitimate requests containing the word 'select' in a query parameter. You must create exceptions (allow rules) for known good patterns. I've seen a team disable the entire SQLi rule because of false positives – that's a terrible idea. Instead, add a custom rule with a higher priority to allow specific patterns.
Web ACL updated with exception for health check IPs and excluded rule NoUserAgent_HEADER.
🔥Exclude Rules, Don't Disable the Group
If a managed rule causes false positives, exclude that specific rule using ExcludedRules. Never disable the entire group. For example, if 'NoUserAgent_HEADER' blocks your API clients that don't send a User-Agent, exclude only that rule.
📊 Production Insight
In production, we had a managed rule that blocked all requests with a missing User-Agent header. Our internal monitoring tools didn't send one. We excluded that rule and added a custom header check instead. Saved hours of debugging.
🎯 Key Takeaway
Managed rule groups cover 80% of common threats. Use them, but customize exceptions to avoid blocking legitimate traffic.
thecodeforge.io
Aws Waf Shield
Custom Rules: When Managed Rules Aren't Enough
Managed rules are great, but they can't cover every scenario. You need custom rules for business logic: block requests from specific countries, allow only certain HTTP methods, enforce header presence, or implement rate limiting. Custom rules use match conditions: IP sets, regex patterns, string matches, size constraints, and geo-match. In production, I always add a geo-block rule for countries where we don't do business – it reduces attack surface significantly. Also, block requests with no User-Agent or with suspicious headers. But be careful: custom rules can become a maintenance nightmare if not documented. Use descriptive names and tags.
Rule added: blocks all countries except US, CA, GB, DE, JP, AU.
⚠ Geo-Blocking Can Break CDN Caching
If you use CloudFront, geo-blocking at the WAF level happens after CloudFront's edge location. Requests from blocked countries still hit the edge, but are blocked before reaching the origin. This is fine, but you'll still pay for CloudFront requests. Consider using CloudFront geo-restriction instead for cost savings.
📊 Production Insight
In production, we blocked all traffic from countries where we had no customers. Within a week, attack attempts dropped by 70%. But we also accidentally blocked a legitimate partner's API calls from a country we forgot to allowlist. Always test with count mode first.
🎯 Key Takeaway
Custom rules fill the gaps left by managed rules. Use them for geo-blocking, IP allowlisting, and business-specific logic.
Rate-Based Rules: The First Line of Defense Against DDoS
Rate-based rules limit the number of requests from a single IP within a 5-minute window. They are essential for mitigating HTTP floods and brute-force attacks. In production, set a rate limit that is slightly above your peak legitimate traffic. For example, if your API handles 1000 requests per second from a single IP, set the limit to 2000. But beware: rate-based rules can block legitimate users behind a NAT (e.g., corporate offices). Use the 'aggregate' option to group by IP or by a custom key like a session cookie. I've seen a team set a rate limit of 100 requests per 5 minutes and block their own CI/CD pipeline. Always monitor and adjust.
If users share a public IP (e.g., corporate NAT), set AggregateKeyType to a custom header like 'X-Session-Id' or 'X-Forwarded-For' (if trusted). This prevents blocking an entire office because one user hit the limit.
📊 Production Insight
In production, we had a rate limit of 500 requests per 5 minutes. Our marketing team's load testing tool triggered it and blocked all their requests. We had to whitelist their IP. Lesson: always have a process to quickly unblock legitimate traffic.
🎯 Key Takeaway
Rate-based rules are your first line of defense against DDoS and brute force. Set limits based on your traffic patterns and use custom keys for shared IPs.
AWS Shield Advanced: Beyond Basic DDoS Protection
AWS Shield Standard is free and protects against common DDoS attacks (SYN floods, UDP floods). Shield Advanced adds enhanced detection, mitigation, and cost protection. For production workloads, especially those with high traffic or sensitive data, Shield Advanced is worth the $3,000/month. It provides near real-time visibility via CloudWatch metrics, DDoS attack reports, and integration with WAF for automatic rule creation. The cost protection feature is a lifesaver: if your AWS bill spikes due to a DDoS attack, Shield Advanced covers the additional costs. I've seen a client get a $200k bill from a UDP flood on an ALB – Shield Advanced reimbursed them.
shield-advanced-metrics.shBASH
1
2
3
4
# GetDDoS attack summary for the last 24 hours
aws shield describe-attack \
--attack-id "abc123-def456-ghi789" \
--region us-east-1
You must enable cost protection for each resource. It's a checkbox in the Shield console. Without it, you're on the hook for any DDoS-related scaling costs. Enable it on all protected resources.
📊 Production Insight
In production, we had a Shield Advanced protected ALB that absorbed a 100 Gbps DDoS attack. The cost protection saved us $50k in EC2 scaling costs. Without it, that attack would have bankrupted our startup.
🎯 Key Takeaway
Shield Advanced provides enhanced DDoS mitigation and cost protection. It's essential for production workloads that can't afford downtime or unexpected bills.
Integrating WAF with CloudFront and ALB for Maximum Protection
WAF can be attached to CloudFront distributions, ALBs, API Gateway, and AppSync. For production, the best practice is to attach WAF to CloudFront (if you use it) and then also to the ALB behind it. This provides defense in depth: CloudFront WAF blocks attacks at the edge, and ALB WAF catches anything that slips through (e.g., attacks from trusted origins). However, this doubles your WAF costs (per Web ACL). An alternative is to attach WAF only to CloudFront and rely on its caching to reduce load on the origin. I prefer the dual approach for critical APIs. Also, ensure that your ALB's security group only allows traffic from CloudFront's IP ranges.
CloudFront distribution associated with WAF Web ACL.
💡Use CloudFront's Origin Shield for Extra Protection
CloudFront Origin Shield reduces load on your origin by caching more requests. Combined with WAF, it's a powerful defense. Enable Origin Shield in your CloudFront origin settings.
📊 Production Insight
In production, we had a WAF rule that blocked a specific user-agent at CloudFront, but the ALB WAF didn't have that rule. An attacker bypassed CloudFront by directly hitting the ALB IP. We quickly added the rule to the ALB WAF. Lesson: always keep both in sync.
🎯 Key Takeaway
Attach WAF to both CloudFront and ALB for defense in depth. This ensures attacks are blocked at the edge and at the origin.
Logging, Monitoring, and Alerting for WAF and Shield
You can't secure what you can't see. Enable WAF logging to S3, CloudWatch Logs, or Firehose. Use CloudWatch metrics for each rule (SampledRequests, AllowedRequests, BlockedRequests). Set up alarms for spikes in blocked requests or high rate limiting. For Shield Advanced, enable DDoS attack alerts via SNS. In production, I recommend sending WAF logs to a SIEM (e.g., Splunk) for analysis. Also, use AWS Config to track changes to Web ACLs – a misconfiguration can open a hole. I've seen a team accidentally delete a critical rule and not notice for days because they had no alerts.
WAF logs can contain sensitive data like authorization headers. Always redact fields like 'authorization', 'cookie', and 'x-api-key' using RedactedFields. Otherwise, you'll leak credentials in your logs.
📊 Production Insight
In production, we set up a CloudWatch alarm that triggers if BlockedRequests > 1000 in 5 minutes. This alerted us to a DDoS attack within minutes. Without it, we would have noticed only after the bill arrived.
🎯 Key Takeaway
Enable logging and monitoring for WAF and Shield. Set up alerts for anomalies and track changes to Web ACLs.
Testing and Tuning WAF Rules in Production
WAF rules can have false positives that block legitimate traffic. The only way to catch them is to test. Use the 'count' action for new rules and monitor sampled requests. AWS WAF provides a 'sampled requests' view in the console – inspect them for false positives. Also, use AWS WAF's 'rule simulator' to test requests against your Web ACL. In production, I always have a 'canary' deployment: a small percentage of traffic goes to a Web ACL with new rules in count mode. After a week, if no false positives, I promote the rules to block mode. Never deploy new rules directly to block mode – you will break something.
test-waf-rule.shBASH
1
2
3
4
5
6
7
8
9
10
11
# Simulate a request against your WebACL
aws wafv2 check-capacity \
--scope CLOUDFRONT \
--rules file://test-rule.json
# Get sampled requests for a rule
aws wafv2 get-sampled-requests \
--web-acl-arn "arn:aws:wafv2:us-east-1:123456789012:global/webacl/prod-web-acl/abc123" \
--rule-metric-name "RateLimit-1000" \
--scope CLOUDFRONT \
--time-window 300
Create a separate Web ACL for staging that mirrors production. Test new rules there first. This avoids any risk of breaking production traffic.
📊 Production Insight
In production, we deployed a new SQLi rule in block mode and immediately blocked all requests containing the word 'select' in the query string. Our search API broke. We rolled back and added an exception. Now we always test in count mode for 48 hours.
🎯 Key Takeaway
Test WAF rules in count mode before blocking. Use sampled requests and rule simulator to catch false positives.
Managed vs Custom WAF RulesTrade-offs between speed and flexibilityManaged Rule GroupsCustom RulesSetup TimeMinutes to enableHours to days to write and testThreat CoverageBroad, AWS-curated signaturesTailored to specific app vulnerabilitiesMaintenanceAutomatic updates by AWSManual updates and tuning requiredCustomizationLimited to rule group optionsFull control over conditions and actionsCostIncluded in WAF subscriptionNo extra cost beyond WAF usageTHECODEFORGE.IO
thecodeforge.io
Aws Waf Shield
Cost Optimization: WAF and Shield Without Breaking the Bank
WAF costs are based on the number of Web ACLs, rules, and requests. Shield Advanced is $3,000/month. For cost optimization, use a single Web ACL for multiple resources if they have similar security requirements. Use managed rule groups instead of custom rules where possible (they are cheaper per rule). Also, use rate-based rules sparingly – each rule adds cost. For Shield Advanced, only protect critical resources. Consider using AWS WAF Security Automations (a solution from AWS) to automatically block bad IPs based on threat intelligence feeds – it's cost-effective. I've seen teams protect every ALB with Shield Advanced and wonder why their bill is $10k/month.
estimate-waf-cost.shBASH
1
2
3
4
# UseAWSPricingCalculator (manual step)
# Example: 1WebACL, 10 rules, 100M requests/month
# Cost = $5.00 (WebACL) + $1.00 (per rule) * 10 + $0.60 per million requests * 100
# Total = $5 + $10 + $60 = $75/month
Output
Estimated monthly cost: $75
🔥Use AWS Budgets to Monitor WAF Costs
Set up a budget alert for WAF and Shield costs. They can spike unexpectedly during attacks. AWS Budgets can notify you when costs exceed a threshold.
📊 Production Insight
In production, we consolidated three Web ACLs into one and saved $10/month. Not huge, but every dollar counts. For Shield Advanced, we protect only the CloudFront distribution and the main ALB, not the internal ones.
🎯 Key Takeaway
Optimize WAF costs by sharing Web ACLs, using managed rules, and protecting only critical resources with Shield Advanced.
⚙ Quick Reference
9 commands from this guide
File
Command / Code
Purpose
enable-shield-advanced.sh
aws shield create-protection \
Why AWS WAF and Shield Are Non-Negotiable for Production Wor
web-acl-basic.json
{
WAF Web ACLs
web-acl-with-exception.json
{
Managed Rule Groups
custom-geo-block-rule.json
{
Custom Rules
rate-based-rule.json
{
Rate-Based Rules
shield-advanced-metrics.sh
aws shield describe-attack \
AWS Shield Advanced
cloudfront-waf-association.json
{
Integrating WAF with CloudFront and ALB for Maximum Protecti
enable-waf-logging.sh
aws wafv2 put-logging-configuration \
Logging, Monitoring, and Alerting for WAF and Shield
test-waf-rule.sh
aws wafv2 check-capacity \
Testing and Tuning WAF Rules in Production
Key takeaways
1
WAF is for layer 7, Shield is for layers 3/4
Use WAF to inspect HTTP requests; use Shield to absorb network-layer floods. They complement each other, not replace.
2
Start with managed rule sets, then customize
AWS offers pre-built rule groups for OWASP top 10, SQLi, XSS, etc. Override actions carefully and always test in count mode first.
3
Rate-based rules are your friend
Block IPs that exceed a request threshold per 5-minute window. Essential for preventing brute force and HTTP flood attacks.
4
Enable logging and monitor metrics
Without logs, you're blind. Ship WAF logs to S3 or CloudWatch, set alarms on blocked requests and 4xx/5xx spikes, and review regularly.
Common mistakes to avoid
2 patterns
×
Overlooking aws waf shield basic configuration
Symptom
Unexpected behavior in production
Fix
Follow AWS best practices and review documentation thoroughly
×
Ignoring cost implications
Symptom
Unexpected AWS bill at end of month
Fix
Set up billing alerts and use cost explorer to monitor usage
INTERVIEW PREP · PRACTICE MODE
Interview Questions on This Topic
Q01JUNIOR
What is AWS WAF and Shield: Web Application Firewall and DDoS Protection...
Q02SENIOR
How do you secure AWS WAF and Shield: Web Application Firewall and DDoS ...
Q03SENIOR
What are the cost optimization strategies for AWS WAF and Shield: Web Ap...
Q01 of 03JUNIOR
What is AWS WAF and Shield: Web Application Firewall and DDoS Protection and when would you use it?
ANSWER
AWS WAF and Shield: Web Application Firewall and DDoS Protection is an AWS service that helps manage cloud infrastructure efficiently. Use it when you need scalable, reliable cloud solutions.
Q02 of 03SENIOR
How do you secure AWS WAF and Shield: Web Application Firewall and DDoS Protection in production?
ANSWER
Follow the principle of least privilege, enable encryption at rest and in transit, and use AWS IAM roles with appropriate policies.
Q03 of 03SENIOR
What are the cost optimization strategies for AWS WAF and Shield: Web Application Firewall and DDoS Protection?
ANSWER
Use reserved instances for steady-state workloads, auto-scaling for variable demand, and right-size resources based on CloudWatch metrics.
01
What is AWS WAF and Shield: Web Application Firewall and DDoS Protection and when would you use it?
JUNIOR
02
How do you secure AWS WAF and Shield: Web Application Firewall and DDoS Protection in production?
SENIOR
03
What are the cost optimization strategies for AWS WAF and Shield: Web Application Firewall and DDoS Protection?
SENIOR
FAQ · 6 QUESTIONS
Frequently Asked Questions
01
What's the difference between AWS WAF and AWS Shield?
AWS WAF is a web application firewall that inspects HTTP(S) requests at layer 7, blocking threats like SQLi and XSS. AWS Shield provides DDoS protection at layers 3/4 (Standard is free, Advanced adds layer 7 mitigation and cost protection). You typically use both together.
Was this helpful?
02
Can AWS WAF block all DDoS attacks?
No. WAF handles application-layer DDoS (e.g., HTTP floods) via rate-based rules, but network-layer attacks (e.g., SYN floods) are handled by Shield. For large volumetric attacks, you need Shield Advanced and possibly CloudFront or Global Accelerator.
Was this helpful?
03
How do I test my WAF rules before deploying to production?
Use AWS WAF's rule action 'Count' to log requests without blocking. Deploy to a staging environment with mirrored traffic or use AWS WAF's sample requests. Also, enable logging to CloudWatch Logs or S3 for analysis.
Was this helpful?
04
What are common mistakes when configuring AWS WAF?
Overly restrictive rules that block legitimate traffic (e.g., blocking all non-US IPs), not using rate-based rules for brute force protection, and forgetting to update managed rule sets (e.g., OWASP top 10) as new threats emerge.
Was this helpful?
05
Does AWS Shield Advanced provide cost protection?
Yes. Shield Advanced includes DDoS cost protection: if your AWS resources scale due to a DDoS attack, AWS will credit the additional costs. This is a key reason to upgrade from Standard.
Was this helpful?
06
Can I use AWS WAF with on-premises applications?
Not directly. WAF integrates with CloudFront, ALB, API Gateway, and AppSync. For on-prem, you'd need to front your app with CloudFront or an ALB in AWS, or use a third-party WAF.