Stop guessing which service to use — master the exact decision framework examiners test
Three complementary layers: application filtering, DDoS protection, and centralized governance
| Feature | Exam note | WAF (filter malicious HTTP/HTTPS web traffic) | Shield (protect against DDoS attacks) | Firewall Manager (centrally govern firewalls across accounts) |
|---|---|---|---|---|
| Primary Threat Addressed | WAF = Layer 7 content inspection. Shield = volumetric/DDoS. Firewall Manager = governance. These are NOT interchangeable. | Layer 7 application attacks (SQLi, XSS, bad bots, HTTP floods, OWASP Top 10) | Layer 3/4 volumetric & protocol DDoS attacks (SYN floods, UDP reflection); Advanced also covers Layer 7 with WAF integration | Policy drift, inconsistent security posture across multi-account / multi-region environments |
| OSI Layer Focus | Shield Advanced does NOT inspect HTTP content on its own — it delegates L7 inspection to WAF. | Layer 7 (Application) — inspects HTTP headers, body, URI, query strings, cookies | Standard: Layer 3/4. Advanced: Layer 3/4/7 (when combined with WAF) | All layers — orchestrates WAF (L7), Shield Advanced, Security Groups (L3/4), Network Firewall, Route 53 Resolver DNS Firewall |
| Pricing Model | Shield Standard is always free — no action needed to enable it. Shield Advanced requires explicit subscription. | Pay-per-use: charged per Web ACL, per rule, and per million web requests inspected. No upfront commitment. | Standard: FREE (automatic for all AWS customers). Advanced: $3,000/month per organization (12-month commitment) + data transfer fees. | Per policy per region per month + underlying service costs (WAF, Shield Advanced, etc.) still billed separately. |
| Deployment Scope | Firewall Manager REQUIRES AWS Organizations. If the question mentions 'hundreds of accounts' or 'enforce at scale,' the answer is Firewall Manager. | Single account, single resource at a time (CloudFront, ALB, API Gateway, AppSync, Cognito User Pool, App Runner, Verified Access) | Standard: automatic on all supported resources. Advanced: per-resource protection plans within subscribed account(s). | Multi-account (requires AWS Organizations), multi-region — applies policies automatically to new/existing accounts |
| Supported Protected Resources | WAF does NOT protect EC2 directly — traffic must pass through a supported edge/load-balancing service first. | CloudFront distributions, ALB, API Gateway (REST & HTTP), AWS AppSync, Amazon Cognito User Pools, AWS App Runner, AWS Verified Access | Standard: EC2 EIPs, ELB, CloudFront, Route 53, Global Accelerator. Advanced: same + adds DRT support & cost protection. | WAF-protected resources, Shield Advanced resources, Security Groups (EC2/ENI), Network Firewall, Route 53 Resolver DNS Firewall, third-party firewalls |
| Rule / Policy Customization | WAF Managed Rule Groups (e.g., AWSManagedRulesCommonRuleSet) are pre-built by AWS and updated automatically — no rule maintenance needed. | Highly granular: custom rules (IP sets, geo-match, rate-based, regex, size constraints, SQL injection, XSS), Managed Rule Groups (AWS & Marketplace), Labels, rule priority ordering | Standard: no customization. Advanced: works with WAF for L7 rules; DRT can create custom mitigations on your behalf. | Defines baseline policies (mandatory + customer-managed rules); accounts can add their own rules within guardrails |
| Automated Incident Response | Shield Advanced DRT access requires you to grant IAM role permissions — it does NOT have automatic access to your account. | Can trigger Lambda via CloudWatch alarms on WAF metrics; no built-in auto-mitigation | Advanced: DDoS Response Team (DRT) proactively engages during attacks; automatic mitigation for known DDoS vectors; SLA-backed response times | Auto-remediates non-compliant resources (e.g., attaches missing WAF Web ACL); sends SNS notifications for compliance violations |
| Cost Protection / Financial Guarantee | Shield Advanced cost protection is a key differentiator from Standard. If the question mentions 'unexpected bill from DDoS,' Shield Advanced is the answer. | None — you pay for all requests regardless of attack traffic | Advanced only: DDoS cost protection — AWS credits scaling costs (EC2, ELB, CloudFront, Route 53) incurred due to DDoS attacks | None — it is a management plane service, not a protection service itself |
| Logging & Visibility | WAF logging to Kinesis Firehose enables near-real-time analysis in SIEM tools. This is a common architecture pattern in SCS-C02. | Full request logs to S3, CloudWatch Logs, or Kinesis Data Firehose; sampled requests in console; metrics per rule in CloudWatch | Advanced: attack event history, real-time metrics in Shield console, CloudWatch metrics, SNS notifications; Standard: no visibility | Compliance reports per policy; integrates with Security Hub for centralized findings; does not generate its own traffic logs |
| Prerequisites / Dependencies | Firewall Manager has the most prerequisites. Missing any one of these three requirements means Firewall Manager CANNOT be used — a frequent exam scenario. | None — standalone service. Web ACL must be associated with a supported resource. | Standard: none. Advanced: subscription required; for L7 protection, WAF must be configured on the resource. | REQUIRES: (1) AWS Organizations with all features enabled, (2) Firewall Manager administrator account designated, (3) Shield Advanced subscription if managing Shield policies |
| Global vs Regional | This us-east-1 requirement for WAF+CloudFront is one of the most frequently tested WAF facts across all cert levels. | Global when protecting CloudFront (Web ACL created in us-east-1). Regional for ALB, API Gateway, etc. (Web ACL in resource's region). | Global endpoint (shield.us-east-1.amazonaws.com) regardless of which region you call from — single control plane. | Global service for management but policies are applied per-region; must create separate policies for each region you want to protect. |
| IP Reputation & Bot Control | WAF Bot Control has two modes: Common (cheap, signature-based) and Targeted (expensive, uses ML + CAPTCHA challenges). Know the cost difference. | Yes — AWS Managed Rules include IP reputation lists, Bot Control managed rule group (distinguishes good bots/bad bots/humans), Account Takeover Prevention (ATP) | No L7 content inspection — cannot distinguish bot traffic from legitimate traffic at HTTP level | Enforces WAF Bot Control policies across accounts but does not perform inspection itself |
| Rate-Based Rules | WAF rate-based rules are the correct answer for 'block IPs sending too many requests' scenarios, NOT Shield. | Yes — rate-based rules block IPs exceeding a request threshold (minimum 100 req/5min window); can scope by IP, forwarded IP, or custom aggregation key | Advanced detects volumetric anomalies but operates at network level, not per-IP HTTP rate limiting | Can enforce WAF rate-based rule policies across all accounts |
| Third-Party Firewall Integration | If a question asks how to centrally deploy third-party firewalls across AWS accounts, Firewall Manager is the only correct answer. | No native third-party integration | No native third-party integration | Yes — supports Palo Alto Networks Cloud NGFW and FortiGate CNF as managed policy types |
| Health-Based Detection | Shield Advanced proactive engagement uses Route 53 health checks. If a health check fails during an attack, the DRT is automatically notified. | No health-based detection — rules are static or rate-based | Advanced: health-based detection using Route 53 health checks to improve attack detection accuracy and reduce false positives | Not applicable |
Summary
Use WAF when you need to inspect and filter HTTP/HTTPS request content at Layer 7 — it is the only service that can block SQL injection, XSS, or bad bots. Use Shield when your concern is volumetric DDoS attacks at Layer 3/4, and upgrade to Shield Advanced when you need DRT support, cost protection, and SLA-backed response. Use Firewall Manager when you operate across multiple AWS accounts or regions and need to enforce consistent security policies at scale — it orchestrates WAF, Shield Advanced, Security Groups, and Network Firewall from a single control plane.
🎯 Decision Tree
- Is the threat DDoS/volumetric? → Shield (Standard = free, Advanced = paid + DRT).
- Is the threat application-layer (SQLi, XSS, bots, rate limiting)? → WAF.
- Are you managing security across 10+ accounts or need auto-enforcement of policies? → Firewall Manager (requires Organizations).
- Do you need ALL three? → Use Firewall Manager to orchestrate WAF + Shield Advanced at scale.
- Single account + single resource + L7 filtering? → WAF alone is sufficient.
WAF for CloudFront MUST be in us-east-1 — this is the single most tested WAF fact. If an exam question shows WAF created in a non-us-east-1 region and asks why CloudFront protection fails, this is why. No exceptions, no workarounds.
Shield Standard is FREE and AUTOMATIC — you never 'enable' it. Shield Advanced costs $3,000/month PER ORGANIZATION (not per account) and requires a 12-month commitment. The DDoS cost protection (credits for scaling costs during attacks) is ONLY available with Shield Advanced, never Standard.
Firewall Manager requires AWS Organizations with ALL features enabled — not just consolidated billing. It is the ONLY correct answer when a question describes centrally enforcing WAF rules, Security Groups, or Shield Advanced across dozens/hundreds of accounts. It auto-remediates non-compliant resources.
WAF does NOT protect EC2 instances directly. Traffic must flow through CloudFront, ALB, API Gateway, AppSync, Cognito, App Runner, or Verified Access. If an exam scenario has EC2 as the direct target, you need ALB in front of it before WAF applies.
Shield Advanced and WAF work TOGETHER for Layer 7 DDoS protection — Shield Advanced alone cannot inspect HTTP content. The combination is: Shield Advanced detects volumetric anomalies + WAF blocks malicious HTTP requests. The DRT (DDoS Response Team) can write WAF rules on your behalf during an attack.
WAF Bot Control has two tiers: Common (uses signatures, cheaper) and Targeted (uses ML + browser interrogation + CAPTCHA, more expensive). Account Takeover Prevention (ATP) is a separate WAF managed rule group for credential stuffing attacks on login pages.
WAF logging destination names matter: logs can go to S3 (cheap, delayed), CloudWatch Logs (real-time, expensive at scale), or Kinesis Data Firehose (near-real-time, integrates with SIEM/analytics). The Kinesis Firehose path is the architecture answer for 'real-time WAF log analysis.'
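As an added example (not from the original page or AWS's own code), the Python below replays the rate-based rule logic described in the Rate-Based Rules row over WAF log records in the JSON shape WAF delivers to S3, CloudWatch Logs or Kinesis Data Firehose: it counts requests per aggregation key (client IP, or the first X-Forwarded-For address as a forwarded-IP rule does) in a sliding 5-minute window and flags keys exceeding the 100-request limit. The log lines, IP addresses and the fall-back to clientIp when the header is absent are constructed assumptions for the demonstration.

```python
import json
from collections import defaultdict

WINDOW_MS = 5 * 60 * 1000  # rate-based rules count requests over a 5-minute window
THRESHOLD = 100            # the page's stated minimum limit: 100 requests per window

def aggregation_key(record, scope):
    """Key the rule counts on: clientIp, or for scope 'FORWARDED_IP' the first
    X-Forwarded-For address. Falling back to clientIp when the header is absent is
    a simplification assumed here, not WAF's documented fallback behaviour."""
    http = record["httpRequest"]
    if scope == "FORWARDED_IP":
        for header in http.get("headers", []):
            if header["name"].lower() == "x-forwarded-for":
                return header["value"].split(",")[0].strip()
    return http["clientIp"]

def window_peak(ts):
    """Highest count of sorted timestamps inside any 5-minute window (two pointers)."""
    lo = best = 0
    for hi, t in enumerate(ts):
        while t - ts[lo] >= WINDOW_MS:
            lo += 1
        best = max(best, hi - lo + 1)
    return best

def peak_rate(records, scope="IP"):
    """Peak 5-minute request count per aggregation key."""
    times = defaultdict(list)
    for rec in records:
        times[aggregation_key(rec, scope)].append(rec["timestamp"])
    return {key: window_peak(sorted(ts)) for key, ts in times.items()}

def keys_over_limit(records, scope="IP", threshold=THRESHOLD):
    # a rate-based rule acts on keys whose window count exceeds the configured limit
    return {k for k, n in peak_rate(records, scope).items() if n > threshold}

def make_record(ts_ms, client_ip, forwarded_for=None):
    """Constructed WAF log line; field names follow the WAF log format."""
    headers = [{"name": "X-Forwarded-For", "value": forwarded_for}] if forwarded_for else []
    return json.dumps({"timestamp": ts_ms, "action": "ALLOW", "httpSourceName": "ALB",
                       "httpRequest": {"clientIp": client_ip, "uri": "/login", "headers": headers}})

T0 = 1_700_000_000_000  # constructed epoch-millisecond base
SAMPLE_LOG_LINES = (
    [make_record(T0 + i * 2000, "203.0.113.7") for i in range(120)]     # 120 in 4 min: over
    + [make_record(T0 + i * 7500, "198.51.100.5") for i in range(80)]   # 40 per 5 min: under
    + [make_record(T0 + i * 1000, "192.0.2.10", "203.0.113.21, 192.0.2.10") for i in range(110)]
    + [make_record(T0 + i * 3000, "192.0.2.10", "203.0.113.22, 192.0.2.10") for i in range(40)])
RECORDS = [json.loads(line) for line in SAMPLE_LOG_LINES]  # as read back from S3/Firehose
```

With scope "IP" the whole proxy at 192.0.2.10 is flagged, while with "FORWARDED_IP" only the one real client behind it that exceeds the limit is, which is why the aggregation key matters when another proxy sits in front of WAF.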
The #1 exam trap: Selecting WAF to protect against DDoS attacks OR selecting Shield to block SQL injection / XSS. These services target completely different threat types. WAF = Layer 7 content filtering (application attacks). Shield = Layer 3/4 volumetric protection (DDoS). They are complementary, not interchangeable. A close second trap: forgetting that WAF Web ACLs for CloudFront MUST be created in us-east-1, regardless of where your CloudFront distribution serves content.
CertAI Tutor · SAA-C03, SAP-C02, SCS-C02, DEA-C01, DOP-C02, AIF-C01, CLF-C02, DVA-C02 · 2026-02-22