AWS WAF and Shield
Learn how AWS WAF filters web traffic and how Shield Standard and Shield Advanced help protect applications from DDoS events.
AWS WAF and Shield provide layered protection for internet-facing applications by filtering malicious requests and absorbing distributed denial of service attacks. For DevOps teams, it matters because they help security and DevOps teams add guardrails in front of CloudFront, ALB, and API Gateway without rewriting the app itself. Instead of relying on one fragile manual configuration, you can design a repeatable service boundary that stays stable while the workload behind it changes.
Core ideas
The main ideas to understand are AWS WAF uses rules collected into a WebACL and can match patterns such as SQL injection, cross-site scripting, or abusive request rates; WAF can be attached to CloudFront, Application Load Balancers, and API Gateway endpoints; Shield Standard is included with AWS and covers common DDoS protection, while Shield Advanced adds stronger response and cost-protection features; and rate-based rules are especially useful when you need to slow abusive clients without blocking every request from a whole network immediately. These details shape architecture decisions, but they also shape day-to-day operations. When a team chooses defaults without understanding how the service behaves under failure, scale, or security review, the platform often becomes harder to debug than the application itself.
| Control | Where it helps | Example |
|---|---|---|
| WAF rule | Request filtering | Block SQL injection patterns |
| Rate limit | Abuse control | Throttle repeated bot traffic |
| Shield Advanced | Enhanced DDoS support | Large public application protection |
From an operations perspective, the goal is to treat web protection as part of platform design so hostile traffic is handled before it reaches application code or expensive backends. The comparison below highlights the choices that usually matter first. It is often better to start with a simpler design and add sophistication only after metrics, incidents, or delivery requirements prove the change is necessary.
Practical commands
aws wafv2 list-web-acls --scope CLOUDFRONT
aws shield describe-subscription
aws wafv2 get-web-acl --name app-acl --scope REGIONAL --id 12345678-1234-1234-1234-123456789012
Practical CLI checks make the service easier to support in real environments. Use the commands below to inspect the current state and confirm that automation matches intent. Before you promote a change, verify rule match behaviour and false positive risk before enabling a block action on business-critical paths. A safe default is count mode first for new custom rules so you can measure impact before enforcing blocks. That discipline makes later troubleshooting, scaling, and security reviews far less painful.
WAF scope
Which AWS service is used to filter HTTP requests with WebACL rules?
Shield tiers
What is the difference between Shield Standard and Shield Advanced?