AWS WAF vs Shield vs Firewall Manager
- AWS provides three complementary security services for protecting web applications and AWS resources from attacks.
- WAF filters web traffic at Layer 7, Shield protects against DDoS attacks at Layer 3/4, and Firewall Manager centrally manages security policies across accounts.
- These services work together — Shield protects the infrastructure, WAF filters application-layer attacks, and Firewall Manager enforces policies at scale.
WAF vs Shield vs Firewall Manager Comparison
| Feature | AWS WAF | AWS Shield | AWS Firewall Manager |
|---|---|---|---|
| Purpose | Web application firewall (Layer 7) | DDoS protection (Layer 3/4/7) | Central security policy management |
| Protection Layer | Layer 7 (HTTP/HTTPS) | Standard: L3/4; Advanced: L3/4/7 | Manages WAF, Shield, SG, Network Firewall, Route 53 DNS Firewall |
| Attacks Blocked | SQL injection, XSS, bot traffic, rate limiting, geo blocking | SYN flood, UDP reflection, volumetric attacks | Policy violations across accounts |
| Scope | Per resource (CloudFront, ALB, API Gateway, AppSync, Cognito, App Runner, Verified Access) | Per resource (Standard) or account-wide (Advanced) | AWS Organization-wide |
| Pricing | Per web ACL + per rule + per million requests | Standard: Free; Advanced: $3,000/month + data transfer | Per policy per region + per resource |
| Automatic | Rules must be configured | Standard: automatic; Advanced: automatic + DRT team | Auto-applies policies to new resources |
| Managed Rules | AWS + Marketplace (Fortinet, F5, Imperva) | N/A (automatic detection) | Enforces WAF rule groups across accounts |
| Cost Protection | No | Advanced: credits for scaling costs during DDoS | No |
| Response Team | No | Advanced: 24/7 Shield Response Team (SRT) | No |
| Prerequisite | None | Standard: automatic; Advanced: subscription | AWS Organizations + WAF/Shield Advanced |
AWS WAF (Web Application Firewall)
- Layer 7 firewall that filters HTTP/HTTPS requests based on configurable rules.
- Web ACLs contain rules that inspect requests (headers, body, URI, query strings, IP).
- Rule types:
- Rate-based rules – block IPs exceeding request threshold (per 5-min window)
- IP set rules – allow/block specific IP ranges
- Geo match – allow/block by country
- String/regex match – inspect request components
- SQL injection / XSS detection – built-in detection statements
- Size constraints – block oversized requests
- Managed Rule Groups:
- AWS Managed Rules – Core Rule Set, Known Bad Inputs, SQL/Linux/Windows/PHP, Bot Control, Account Takeover Prevention, Account Creation Fraud Prevention
- Marketplace rules – Fortinet, F5, Imperva, Trend Micro
- Bot Control – identify and manage bot traffic (common bots, targeted bots, AI scrapers).
- Account Takeover Prevention (ATP) – detect credential stuffing on login pages.
- Account Creation Fraud Prevention (ACFP) – prevent fake account creation.
- CAPTCHA and Challenge – silent browser challenges or visible CAPTCHA.
- Applies to: CloudFront, ALB, API Gateway, AppSync, Cognito User Pools, App Runner, Verified Access.
- Best for: Protecting web applications from SQL injection, XSS, bot abuse, brute force, and application-layer attacks.
AWS Shield
- DDoS protection service – defends against volumetric, protocol, and application-layer attacks.
- Shield Standard (free, automatic):
- Automatically protects ALL AWS customers at no extra cost
- Protects against common Layer 3/4 DDoS attacks (SYN/UDP floods, reflection attacks)
- Applied to CloudFront, Route 53, and Global Accelerator automatically
- Shield Advanced ($3,000/month):
- Enhanced detection for EC2, ELB, CloudFront, Global Accelerator, Route 53
- DDoS cost protection – credits for Auto Scaling, CloudFront, ELB scaling costs during attacks
- Shield Response Team (SRT) – 24/7 expert team to assist during attacks
- Advanced metrics and reporting – real-time visibility into attacks
- Automatic application-layer mitigation – creates WAF rules automatically during L7 attacks
- Health-based detection – uses Route 53 health checks for faster detection
- Proactive engagement – SRT contacts you when health checks trigger
- Protection applies to all resources in the account (and org with Firewall Manager)
- Best for: High-profile applications needing DDoS protection guarantees, SLA credits, and 24/7 expert support.
AWS Firewall Manager
- Central security policy management across AWS Organizations accounts and resources.
- Manages policies for:
- AWS WAF – deploy WAF rules across all accounts/resources
- AWS Shield Advanced – enable protection organization-wide
- Security Groups – audit and enforce SG rules
- AWS Network Firewall – deploy firewall rules across VPCs
- Route 53 Resolver DNS Firewall – enforce DNS filtering
- Third-party firewalls – Palo Alto, Fortigate via Marketplace
- Auto-remediation – automatically applies policies to new resources/accounts as they’re created.
- Compliance dashboard – view which resources are non-compliant across the organization.
- Prerequisites: AWS Organizations, AWS Config enabled in all accounts.
- Best for: Multi-account organizations needing consistent security policies, compliance auditing, and automatic enforcement.
How They Work Together
- Shield Standard (always on) protects infrastructure from volumetric L3/4 DDoS.
- Shield Advanced adds L7 protection and automatically creates WAF rules during application-layer attacks.
- WAF handles ongoing application-layer threats (bots, injections, rate limiting).
- Firewall Manager ensures WAF + Shield Advanced policies are consistently deployed across all accounts and resources.
- Typical stack: Firewall Manager → Shield Advanced → WAF → Application.
When to Choose Which
- Every application gets Shield Standard – it’s free and automatic.
- Add WAF when – you need to filter application-layer traffic (SQL injection, bot management, rate limiting, geo-blocking).
- Add Shield Advanced when – you need DDoS cost protection, 24/7 SRT support, enhanced detection, and SLA guarantees for business-critical applications.
- Add Firewall Manager when – you manage multiple AWS accounts and need consistent security policies automatically applied across the organization.
AWS Certification Exam Practice Questions
- A company experiences a sudden spike in traffic that appears to be a DDoS attack targeting their ALB. They want AWS experts to help mitigate the attack in real-time. Which service provides this?
- AWS WAF with rate-based rules
- AWS Shield Advanced (Shield Response Team)
- AWS Firewall Manager
- AWS Network Firewall
- An e-commerce site needs to block SQL injection attacks and limit login attempts to 100 per IP per 5 minutes. Which service provides these capabilities?
- AWS Shield Advanced
- Security Groups
- AWS WAF (SQL injection rule + rate-based rule)
- Network ACLs
- A large enterprise with 50 AWS accounts needs to ensure every ALB in every account has the same WAF rules applied, including new ALBs created in the future. Which service automates this?
- AWS WAF with central web ACL
- AWS Shield Advanced
- AWS Config Rules
- AWS Firewall Manager
- After a DDoS attack, a company’s CloudFront and Auto Scaling costs spiked significantly due to the attack traffic. Which service provides credits for these scaling costs?
- AWS WAF
- AWS Shield Advanced (DDoS cost protection)
- AWS Firewall Manager
- AWS Trusted Advisor
- A company wants to detect and block AI web scrapers from crawling their content while allowing legitimate search engine bots. Which WAF feature addresses this?
- Rate-based rules
- Geo match rules
- AWS WAF Bot Control (AI Content Scraper category)
- IP reputation lists
Related Posts
- AWS Network Firewall vs WAF vs Security Groups vs NACLs
- AWS KMS vs CloudHSM vs Secrets Manager vs Parameter Store
- AWS Security Services Cheat Sheet
- AWS Certified Security – Specialty Exam Learning Path