Threat Protection Services
| Service | What it does |
|---|---|
| Shield Standard | Free, automatic DDoS protection (Layer 3/4) |
| Shield Advanced | $3,000/month/org. Sophisticated DDoS, 24/7 DRT support, auto WAF rules |
| WAF | Layer 7 firewall. Attach to ALB, API Gateway, CloudFront. Rules: IP sets, SQL injection, XSS, geo-match, rate-based |
| Firewall Manager | Centrally manage WAF, Shield, SGs, Network Firewall across AWS Organization |
| GuardDuty | ML-based threat detection. Analyzes CloudTrail, VPC Flow Logs, DNS logs. One click, 30-day trial |
| Inspector | Automated vulnerability scanning for EC2 (via SSM agent), container images (ECR), Lambda |
| Macie | Discovers/protects sensitive data (PII) in S3 using ML |
| Detective | Investigates GuardDuty findings |
| Security Hub | Aggregates findings from GuardDuty, Inspector, Macie |
WAF Web ACL rules — IP sets (up to 10,000 IPs), HTTP headers/body/URI strings, size constraints, geo-match (block countries), rate-based rules. WAF does not support NLB. Workaround: Global Accelerator (fixed IP) + ALB + WAF.
DDoS best practices: CloudFront + Shield at edge → ELB + ASG for infrastructure layer → WAF for application layer. Keep origin IPs private (behind CloudFront, ALB, API Gateway).
