VISI

Threat Protection Services

ServiceWhat it does
Shield StandardFree, automatic DDoS protection (Layer 3/4)
Shield Advanced$3,000/month/org. Sophisticated DDoS, 24/7 DRT support, auto WAF rules
WAFLayer 7 firewall. Attach to ALB, API Gateway, CloudFront. Rules: IP sets, SQL injection, XSS, geo-match, rate-based
Firewall ManagerCentrally manage WAF, Shield, SGs, Network Firewall across AWS Organization
GuardDutyML-based threat detection. Analyzes CloudTrail, VPC Flow Logs, DNS logs. One click, 30-day trial
InspectorAutomated vulnerability scanning for EC2 (via SSM agent), container images (ECR), Lambda
MacieDiscovers/protects sensitive data (PII) in S3 using ML
DetectiveInvestigates GuardDuty findings
Security HubAggregates findings from GuardDuty, Inspector, Macie

WAF Web ACL rules — IP sets (up to 10,000 IPs), HTTP headers/body/URI strings, size constraints, geo-match (block countries), rate-based rules. WAF does not support NLB. Workaround: Global Accelerator (fixed IP) + ALB + WAF.

DDoS best practices: CloudFront + Shield at edge → ELB + ASG for infrastructure layer → WAF for application layer. Keep origin IPs private (behind CloudFront, ALB, API Gateway).

References

Quiz

A few quick questions based on this unit. Mark it complete when you are done.

Question 1 / 2

What is WAF Web ACL rules?