Certified Security - Specialty


DDoS protection with WAF?

Do you have to have a WAF attached to an ALB or CF or APIGW to also have AWS Shield standard capabilities? In other words, do you have to have a WAF attached to those resources if you want DDoS protection (layer3 and 4)?

Or in other words, if you don't attach a WAF to those resources, you don't get the DDoS protection… Actually it seems you would only have it on R53.

If you needed layer 7 DDoS protection, you would then need ALB or CF or APIGW with a WAF attached plus AWS Shield Advanced. Am I right?

4 Answers

Hi, thanks for the great questions!

AWS Shield Standard is available to all AWS customers at no extra cost and is applied automatically and transparently to your Elastic Load Balancers, CloudFront distributions, and Route 53 resources. So you would automatically get Layer 7 protection included if your application is behind an ALB. I think with Route53 it would be Layer 7 protection also. And Layer 3/4 with Network Load Balancer or CloudFront. see: https://aws.amazon.com/cloudfront/

Shield Advanced is available for the following services, and you can choose the resources that you want to protect:

Amazon Route 53

Amazon CloudFront

Elastic Load Balancing

AWS Global Accelerator

Elastic IP (Amazon Elastic Compute Cloud and Network Load Balancer)

And the difference with the Advanced option is that:

  • It provides additional protections against more sophisticated and larger attacks

  • You get a 24/7 DDoS response team

  • Access to metrics and detailed reports

  • It costs a LOT! – $3,000/month

Check out the following documentation for some Shield Advanced use cases:

https://docs.aws.amazon.com/waf/latest/developerguide/aws-shield-use-case.html

And also the FAQs are a great source of info as well: 

https://aws.amazon.com/shield/faqs/

Thanks Faye, but I disagree with this.

The AWS docs about WAF and Shield are quite ambiguous in my opinion.

After reading more on the subjects, these are my conclusions:

  • With AWS Shield Standard you get layer 3-4 protection against attacks for your LBs, CF and R53. The only layer 7 protection you get by default is that the HTTP/S requests have to be valid for the LBs and CF to accept them.

  • If you want layer7 protection you have two options:

Note: You cannot have proper layer 7 protection, with AWS Shield Standard or Advanced, for ELBs or NLBs (although it works only on layer 3 so it doesn't apply here) or EC2s, since you cannot attach a WAF to these resources.

Note: layer 7 protection for R53 doesn't make sense.

Option 1: Configure your WAF and attach it to ALB, CF or APIGW.

Option 2: Enable AWS Shield Advanced.

2a) Configure your own WAF as in option 1.

2b) WAF managed by the AWS Shield team.

In any case for option 2, the WAF pricing is included with AWS Shield Advanced. Additionally, you get:

  • DDoS cost protection for LBs, CF, EC2s and R53

  • 24×7 access to the AWS Shield team

Let me know your thoughts.
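As an added example (not part of this thread or of any poster's configuration), here is what option 1 and option 2a above look like in Terraform: an AWS WAFv2 web ACL carrying a rate-based rule and an AWS managed rule group, associated with an existing ALB, plus a Shield Advanced protection on that same ALB. The `alb_arn` variable, the resource names and the 2000-requests-per-5-minutes threshold are assumptions; the account is assumed to already hold a Shield Advanced subscription.

```hcl
# Added example, not from the thread: WAFv2 web ACL attached to an ALB (option 1)
# and a Shield Advanced protection on the same ALB (option 2a).
# Assumed input: var.alb_arn is the ARN of an existing Application Load Balancer.
# Names and the rate limit are illustrative.

variable "alb_arn" {
  type        = string
  description = "ARN of an existing Application Load Balancer (assumed input)"
}

resource "aws_wafv2_web_acl" "alb_acl" {
  name        = "alb-layer7-protection" # illustrative name
  description = "Rate limiting plus AWS managed rules in front of an ALB"
  # ALB and API Gateway take a REGIONAL web ACL; a CloudFront distribution
  # needs scope = "CLOUDFRONT" created in us-east-1 instead.
  scope = "REGIONAL"

  default_action {
    allow {}
  }

  # Layer 7 flood mitigation: block any source IP that exceeds 2000 requests
  # in a rolling 5-minute window (threshold is an assumption; tune to real traffic).
  rule {
    name     = "rate-limit-per-ip"
    priority = 1

    action {
      block {}
    }

    statement {
      rate_based_statement {
        limit              = 2000
        aggregate_key_type = "IP"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rate-limit-per-ip"
      sampled_requests_enabled   = true
    }
  }

  # AWS managed baseline rule group for common web exploits; override_action
  # "none" keeps the actions defined inside the managed group.
  rule {
    name     = "aws-managed-common"
    priority = 2

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-managed-common"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "alb-layer7-protection"
    sampled_requests_enabled   = true
  }
}

# Option 1: associate the web ACL with the ALB. (For CloudFront the ACL is set
# on the distribution itself rather than through an association resource.)
resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = var.alb_arn
  web_acl_arn  = aws_wafv2_web_acl.alb_acl.arn
}

# Option 2a: Shield Advanced protection on the same ALB. This requires the
# account to already be subscribed to Shield Advanced (assumed done out of band).
resource "aws_shield_protection" "alb" {
  name         = "alb-shield-advanced" # illustrative name
  resource_arn = var.alb_arn
}
```

Applying this with `terraform apply -var alb_arn=...` creates the rate-based rule and managed rules that provide the layer 7 filtering discussed above; the Shield Advanced protection only takes effect once the account-level subscription exists, which is the part of option 2 that carries the monthly fee.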

WAF is Layer 7 (web) protection, and AWS Shield is Layer 3-4. In the real world you typically need to protect both 7 and 3-4, so you would use both.

But there may be situations where there is no web and you only need 3-4 protection; then you would only use AWS Shield.

Hey everyone, I think the official AWS DDoS White Paper [1] is actually very clear about this question.

In the following I’m primarily referring to "Table 2: Summary of Best Practices".

Do you have to have a WAF attached to an ALB or CF or APIGW to also have AWS Shield standard capabilities?

"AWS Shield Standard defends against most common, frequently occurring network and transport layer DDoS attacks that target your web site or applications." (that is AWS Shield Standard includes protection up to OSI layer 4)

a) CloudFront: Section "Web Application Delivery at the Edge (BP1)" indicates that there is no need for a WAF to protect against attacks up to level 4, e.g. "Amazon CloudFront only accepts well-formed connections, which helps prevent many common DDoS attacks, like SYN floods and UDP reflection attacks, from reaching your origin."

b) ELB: Section "Load Balancing (BP6)" indicates that there is no need for a WAF to protect against attacks up to level 4, e.g. "For web applications, you can use ALB to route traffic based on its content and accept only well-formed web requests. This means that many common DDoS attacks, like SYN floods or UDP reflection attacks, will be blocked by ALB, protecting your application from the attack."

However, it seems that, according to the whitepaper, it does not hold for TCP-based applications behind a NLB. They seem to be covered by AWS Shield Advanced only [2].

c) API GW: The Security White Paper does not give any indication on how API Gateway protects layer 3 and 4, but "Table 2: Summary of Best Practices" says that it does – even without WAF.

Conclusion: AWS Shield Standard capabilities are usually covered by these services without using a WAF.

If you needed layer 7 DDoS protection, you would then need ALB or CF or APIGW with a WAF attached plus AWS Shield Advanced. Am I right?

I would say that it depends…

Route53:
Amazon Route53 is resistant against level 7 attacks by default. More information is available in the whitepaper under section "Domain Name Resolution at the Edge (BP3)".

Regarding the "Route53 – layer 7" debate: DNS is a Layer 7 protocol [3]. However, there is an ongoing debate towards which level an attack on the DNS protocol is counted [4]. AWS apparently counts them towards layer 7.

CloudFront:
Section "Detect and Filter Malicious Web Requests (BP1, BP2)" in the whitepaper says that CloudFront generally needs a WAF in order to protect against level 7 attacks.
However, they also list some level 7 attacks which CloudFront protects against without using a WAF, such as the following: "CloudFront can automatically close connections from slow reading or slow writing attackers (for example, Slowloris)".

ALB:
"Table 2: Summary of Best Practices" in the whitepaper indicates that ELB provides Layer 7 attack mitigation if used with AWS WAF.

API GW:
There is no indication in the whitepaper that API GW provides layer 7 mitigation at all. I think that they did not update the whitepaper since the release of the WAF feature for this service. Since there is a blog post [5] which discusses the WAF attachment for an API GW, I think that layer 7 protection is possible for an API GW by adding a WAF.

Regarding AWS Shield Advanced:

I do not think you need AWS Shield Advanced for protection against application layer attacks. They give you the following things, none of which are direct protection measures, but rather:

  • assistance (e.g. DRT, Global Threat Environment dashboard, automatic baselining of web traffic attributes in WAF)

  • discounts (WAF at no additional costs, refund of scaling-related costs)

  • convenience (central firewall management for multiple accounts: access to AWS Firewall Manager)

  • reliability (enhanced service level agreement)

One big functional (!!) difference however is the following one:
"Sensitive detection thresholds which routes traffic into DDoS mitigation system earlier and can improve time-to-mitigate attacks against Amazon EC2 or NLB, when used with EIP."

I think this is the point which is also announced in the blog post [2].
I do not know what is covered by that, but it sounds interesting, since we know that EC2 and NLB are neither fully protected by WAF nor AWS Shield Standard.

So it seems that AWS Shield Advanced gives some additional attack mitigation… but it is unclear if this targets level 7 (I personally don’t think so)…

What do you think… Is there any protection measure that AWS Shield Advanced offers which cannot be implemented by an AWS Shield Standard customer with WAF access?

Hope you find those sources useful =)

[1] DDoS Whitepaper

[2] https://aws.amazon.com/about-aws/whats-new/2017/11/aws-shield-adds-advanced-ddos-protection-for-ec2-and-network-load-balancer/?nc1=f_ls

[3] https://stackoverflow.com/questions/21654632/at-what-layer-in-the-protocol-stack-does-dns-happen

[4] https://security.stackexchange.com/a/194158

[5] https://aws.amazon.com/blogs/compute/amazon-api-gateway-adds-support-for-aws-waf/

Martin Löper

@fayecloudguru the lecture "WAF Integration" does not reflect the addition of WAF to API Gateway in the "WAF Integration – Exam Tip" slide.
