Over the past couple of years, security has become a high priority for most companies. No matter what you do to keep your own infrastructure and data safe, you can still be affected by the numerous flaws in the environments your business is running on, and it’s becoming more commonplace to hear about security breaches resulting from misconfigurations.
Fortunately, there are many services available to help you improve the overall security of your AWS environment. Because most AWS services are very simple to use and don’t require management by a team of specialized employees, companies of all sizes can easily benefit from their use. This article will look at three of these services—AWS Web Application Firewall (WAF), AWS Shield, and AWS Firewall Manager—and explain why you should consider implementing them.
AWS WAF and AWS Shield
While these two services are both designed to keep your cloud environment safe, they were designed for different use cases. Let’s examine those use cases, starting with AWS WAF.
AWS Web Application Firewall
AWS Web Application Firewall (AWS WAF) is a cloud firewall that uses various security rules to protect web applications running on AWS. You can either use the security rules provided by AWS or configure your own. These rules can be implemented on a per application basis to give you flexibility.
AWS WAF was designed to be used with EC2, CloudFront, Application Load Balancer, and API Gateway. Because AWS is a fully managed service that eliminates all of your responsibilities, it is very easy to implement. There are no necessary deployments of any kind, you don’t need to install any software, and you don’t have to worry about keeping the firewall up-to-date. All you have to do is put your desired rules in place. The pricing plan for AWS WAF is also quite simple. Charges are based on the number of access control lists (Web ACLs) that you create ($5.00 per month per web ACL, prorated hourly), the number of rules you have for each web ACL ($1.00 per month per rule), and the number of web requests you receive ($0.60 per 1 million requests).
AWS WAF can be used to prevent a variety of attacks on your AWS environment. The simplest type is an attack from a known IP address, which can be stopped by configuring an IP match condition. Others are SQL injection attacks, prevented by using SQL injection match conditions, and cross-site scripting attacks (XSS attacks), prevented by cross-site scripting match conditions. AWS WAF also allows you to create a rate-based rule to stop brute force HTTP flood attacks.
While AWS WAF is a firewall that can protect you from multiple types of attacks and provide various options for whitelisting, AWS Shield is a single-purpose service. AWS Shield is a managed Distributed Denial of Service (DDoS) protection tool for your AWS-based applications. DDoS attacks are malicious attacks on servers or network infrastructures that attempt to disrupt normal traffic. They’re often effective because they utilize multiple computers (usually compromised ones) as the sources of the attacks, overwhelming the target’s capacity. Since DDoS attacks are one of the most common types of attacks, having a dedicated security service for them is wise.
AWS Shield comes in two different service tiers: AWS Shield Standard and AWS Shield Advanced. The standard tier is completely free. If you’re an AWS customer, it’s already set and up and working for you. AWS Shield Standard typically protects against common network and transport layer (layers 3 and 4) DDoS attacks that target your business applications and websites. AWS Shield monitors all incoming traffic and mitigates attacks if malicious activity is detected. The service’s only downside is that, while you are protected, you can’t see an attack history, and you don’t receive any notification or report describing the attack.
AWS Shield Advanced provides much more sophisticated protection using advanced routing technology. It protects all resources running on EC2 backup, CloudFront, ELB, Route53, etc. and detects any attacks against application layers (layer 7). AWS Shield Advanced provides integration with AWS WAF and real-time visibility into attacks. This tier of service also provides 24×7 access to the AWS DDoS Response Team (DRT). If a DDoS attack does occur, and your billing increases significantly, you can be refunded for the amount you lost in the attack.
AWS Shield Advanced comes with a cost: $3,000 per month with a one-year subscription commitment. You’ll also be charged AWS Shield Advanced data transfer usage fees. For details on these, visit the AWS Shield official pricing page.
AWS Firewall Manager
AWS Firewall Manager is a service that provides a centralized place for configuring and managing firewall rules and security policies as well as for enforcing them across all applications and accounts within your AWS Organization. AWS Firewall Manager is used to simplify the use of both AWS WAF and AWS Shield.
For users running larger environments, especially those with multiple accounts, the ability to group rules and policies and apply them across an entire environment can be very helpful. AWS Firewall Manager makes it easier to bring new applications into compliance very quickly, increasing your agility. It also handles Security Groups, providing you with easy management of them through the use of a preconfigured set of rules.
AWS Firewall Manager costs $100.00 per policy per region, although it’s free with an AWS Shield Advanced subscription. Of course, you will also be charged for all the resources being managed, like firewall rules or web ACLs.
AWS WAF and AWS Shield – the optimal combination for your security
As security concerns grow, so does the need for higher-level protection of business environments running in the public cloud. Thankfully, AWS offers a whole set of managed services that greatly simplify configuration and management of these security processes. AWS WAF uses various security rules to strengthen the cloud firewall in front of your applications and ensure their uptime in the event of a malicious attack. AWS Shield provides dedicated DDoS protection meant to stop attacks on your network and servers. AWS Firewall Manager allows you to efficiently design and implement those protections across your entire cloud organization.
Whether you’re running a small startup or a large enterprise, these services can be very helpful. It’s worth your time to investigate them and make sure you properly implement them in your cloud environment.