
Cheat Sheet: WAF, Shield & Firewall Manager

1. AWS WAF (Web Application Firewall)

1.1 Core Concepts

Component | Description
AWS WAF | Layer 7 firewall that inspects HTTP(S) requests to supported AWS resources and allows, blocks, counts or challenges them
Web ACL | Web Access Control List: the set of rules attached to a resource, plus a default action for requests no rule terminates
Rules | Statements that define inspection criteria for web requests and the action taken on a match
Rule Groups | Reusable collections of rules (AWS managed, Marketplace, or your own) that are referenced from a Web ACL and managed independently
Rule Priority | Numeric value determining evaluation order (lower numbers evaluated first; must be unique within a Web ACL)

1.2 Supported Resources

  • Amazon CloudFront distributions
  • Application Load Balancer (ALB)
  • Amazon API Gateway REST APIs
  • AWS AppSync GraphQL APIs
  • Amazon Cognito user pools
  • AWS App Runner services
  • AWS Verified Access instances

1.3 Rule Actions

Action | Behavior
Allow | Permits the request to reach the protected resource (terminating)
Block | Returns HTTP 403 Forbidden by default; a custom response code and body can be configured (terminating)
Count | Counts matching requests and keeps evaluating; used for testing rules before enforcing them (non-terminating)
CAPTCHA | Serves a CAPTCHA puzzle; a solved puzzle yields a token that lets later requests through until the immunity time expires
Challenge | Sends a silent browser (JavaScript) challenge to verify the client; requests without a valid token are interrupted

1.4 Match Conditions

  • IP addresses (single IP, CIDR ranges, IP sets)
  • Country or geographic location (geo match)
  • HTTP headers, method, query strings
  • URI path
  • Request body: WAF inspects only the first part of the body (8 KB for ALB and AppSync; 16 KB by default for CloudFront, API Gateway, Cognito, App Runner and Verified Access, raisable to 64 KB in the Web ACL settings). Configure oversize handling so a body past the limit is not silently passed
  • SQL injection attack patterns
  • Cross-site scripting (XSS) patterns
  • Request size constraints
  • Regex pattern sets
  • Label match statements

1.5 Rate-Based Rules

Feature | Details
Threshold | Minimum 10 requests per evaluation window (the minimum was 100 before late 2023); maximum 2,000,000,000
Evaluation window | 1, 2, 5 (default) or 10 minutes; counting is approximate and enforcement lags the true rate by a short interval (tens of seconds)
Aggregation key | Source IP, forwarded IP (first address in X-Forwarded-For or a header you name, with a fallback behaviour when the header is missing or malformed), or custom keys (header, cookie, query argument, URI path, label namespace, HTTP method) and combinations of them
Scope-down statement | Restricts counting to requests matching a nested statement (for example POST /login) instead of all traffic
Behaviour | The rule action applies only while a key's rate exceeds the limit; once it falls below, that key's requests pass again
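The following is an added example, not code from the page or from AWS: a sliding-window model of a rate-based rule that shows why the aggregation key matters. Behind CloudFront or another proxy every request arrives from the proxy's connection IP, so keying on the source IP would throttle everyone at once; keying on the forwarded IP (first address in X-Forwarded-For, with a fallback for requests that lack the header) separates clients. Real WAF counts approximately and enforces with a short delay; this model is exact. The requests are constructed.

```python
"""Sliding-window model of a WAF rate-based rule, keyed the way WAF aggregates:
by source IP, or by forwarded IP (first address in X-Forwarded-For, with a
fallback behaviour when the header is absent or malformed). Added example, not
AWS code: real WAF counts approximately and enforces with a short delay; this
model is exact. Requests below are constructed."""
from collections import defaultdict, deque
from ipaddress import ip_address

MIN_LIMIT, MAX_LIMIT = 10, 2_000_000_000      # current WAF bounds on the threshold
WINDOWS = (60, 120, 300, 600)                 # allowed evaluation windows (seconds)


def aggregation_key(req, key_type="IP", header="x-forwarded-for", fallback="MATCH"):
    """Return the key WAF would count under, or None if the request is not counted."""
    if key_type == "IP":
        return req["client_ip"]
    # FORWARDED_IP: WAF takes the first address in the header, not the last
    first = req.get("headers", {}).get(header.lower(), "").split(",")[0].strip()
    try:
        return str(ip_address(first))
    except ValueError:
        # Header missing/invalid: MATCH lumps all such requests under one key (so a
        # flood that omits the header is still limited); NO_MATCH leaves them uncounted.
        return "<no-forwarded-ip>" if fallback == "MATCH" else None


class RateBasedRule:
    def __init__(self, limit, window=300, **key_opts):
        if not MIN_LIMIT <= limit <= MAX_LIMIT or window not in WINDOWS:
            raise ValueError("limit must be 10..2,000,000,000 and window one of 1/2/5/10 min")
        self.limit, self.window, self.key_opts = limit, window, key_opts
        self.hits = defaultdict(deque)          # key -> request timestamps in window

    def evaluate(self, req):
        """'BLOCK' while the key's count in the trailing window exceeds the limit."""
        key = aggregation_key(req, **self.key_opts)
        if key is None:
            return "ALLOW"
        q = self.hits[key]
        q.append(req["ts"])
        while q and q[0] <= req["ts"] - self.window:
            q.popleft()                         # drop hits older than the window
        return "BLOCK" if len(q) > self.limit else "ALLOW"


def burst(ip, start, n, xff=None):
    """Constructed burst of n requests one second apart from one client."""
    hdrs = {"x-forwarded-for": xff} if xff else {}
    return [{"ts": start + i, "client_ip": ip, "headers": hdrs} for i in range(n)]


def demo():
    by_ip = RateBasedRule(10)                                  # 10 per 5 min per source IP
    direct = [by_ip.evaluate(r) for r in burst("203.0.113.7", 0, 12)]
    # Behind a CDN every request shares the CDN's connection IP; key on the forwarded IP instead
    by_fwd = RateBasedRule(10, key_type="FORWARDED_IP", fallback="MATCH")
    proxied = [by_fwd.evaluate(r) for r in burst("10.0.0.1", 0, 12, xff="198.51.100.9, 10.0.0.1")]
    other = by_fwd.evaluate(burst("10.0.0.1", 20, 1, xff="198.51.100.10")[0])
    return {"direct": direct, "proxied": proxied, "other_client": other}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The choice of fallback is a security decision, not a detail: NO_MATCH means a flood that strips X-Forwarded-For is never counted, while MATCH throttles all header-less traffic together. In real WAF the same trade-off is the FallbackBehavior field of ForwardedIPConfig.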

1.6 Managed Rule Groups

1.6.1 AWS Managed Rules

  • Core Rule Set (CRS) - OWASP Top 10 protections
  • Admin Protection - blocks access to admin pages
  • Known Bad Inputs - blocks patterns associated with exploit attempts
  • SQL Database - protects against SQL injection
  • Linux Operating System - protects against Linux-specific attacks
  • Windows Operating System - protects against Windows-specific attacks
  • PHP Application - protects against PHP-specific vulnerabilities
  • WordPress Application - protects WordPress sites
  • Anonymous IP List - blocks requests from anonymizing services, VPNs, Tor
  • IP Reputation List - blocks known malicious IP addresses
  • Bot Control - detects and manages bot traffic
  • Account Takeover Prevention (ATP) - protects login pages
  • Fraud Control Account Creation Fraud Prevention (ACFP) - protects signup pages

1.6.2 AWS Marketplace Managed Rules

  • Third-party security vendors provide specialized rule groups
  • Subscription-based pricing model
  • Includes vendor-specific threat intelligence

1.7 Custom Rules and Rule Groups

  • AWS WAF (the current WAFv2 API) has no fixed count of rules per Web ACL; the 10-rule limit belonged to WAF Classic
  • Capacity is measured in Web ACL capacity units (WCUs): 1,500 per Web ACL by default, raisable to 5,000 on request
  • Simple rules consume few WCUs; regex, text transformations and nested statements consume more; a managed rule group consumes its published capacity (the Core Rule Set is 700 WCUs)
  • For pricing, each rule or rule group referenced from a Web ACL counts as one rule
  • Custom rule groups are reusable across Web ACLs in the same account and scope (regional, or CloudFront in us-east-1)
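An added example (not code from the page or from AWS) that ties sections 1.4 and 1.7 together: the rules for a Web ACL written in the JSON shape the wafv2 API and the AWS CLI accept, covering an IP set allow-list, a geo block, a body SQLi check scoped to a URI prefix, a rate-based rule keyed on the forwarded IP with a scope-down statement, and a managed rule group with one of its rules overridden to Count. The IP set ARN, metric names and country list are placeholders. A local validator catches the two mistakes the service rejects most often: duplicate priorities, and giving a rule group an Action instead of an OverrideAction.

```python
"""Rule definitions for a WAFv2 web ACL, in the JSON shape that the wafv2 API
and `aws wafv2 create-web-acl --rules file://rules.json` accept. Added example,
not AWS code; the IP set ARN, metric names and country list are placeholders."""
import json

IP_ALLOW_SET_ARN = "arn:aws:wafv2:us-east-1:123456789012:global/ipset/office-egress/0000"  # placeholder


def vis(metric):
    """VisibilityConfig is mandatory; without metrics there are no sampled requests to tune from."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": metric}


def uri_starts_with(prefix):
    return {"ByteMatchStatement": {"FieldToMatch": {"UriPath": {}}, "PositionalConstraint": "STARTS_WITH",
                                   "SearchString": prefix,
                                   "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}]}}


def build_rules():
    return [
        {"Name": "allow-office-egress", "Priority": 0,                      # allow-list evaluated first
         "Statement": {"IPSetReferenceStatement": {"ARN": IP_ALLOW_SET_ARN}},
         "Action": {"Allow": {}}, "VisibilityConfig": vis("AllowOffice")},
        {"Name": "block-embargoed-countries", "Priority": 10,
         "Statement": {"GeoMatchStatement": {"CountryCodes": ["KP", "IR"]}},
         "Action": {"Block": {}}, "VisibilityConfig": vis("GeoBlock")},
        {"Name": "sqli-api-body", "Priority": 20,                           # body is inspected only up to
         "Statement": {"AndStatement": {"Statements": [                     # the size limit; MATCH makes an
             uri_starts_with("/api/"),                                      # oversize body fail closed
             {"SqliMatchStatement": {"FieldToMatch": {"Body": {"OversizeHandling": "MATCH"}},
                                     "TextTransformations": [{"Priority": 0, "Type": "URL_DECODE"}]}}]}},
         "Action": {"Block": {}}, "VisibilityConfig": vis("SqliApiBody")},
        {"Name": "rate-limit-login", "Priority": 30,
         "Statement": {"RateBasedStatement": {
             "Limit": 100, "EvaluationWindowSec": 300, "AggregateKeyType": "FORWARDED_IP",
             "ForwardedIPConfig": {"HeaderName": "X-Forwarded-For", "FallbackBehavior": "MATCH"},
             "ScopeDownStatement": uri_starts_with("/login")}},
         "Action": {"Block": {"CustomResponse": {"ResponseCode": 429}}},    # 429 instead of the default 403
         "VisibilityConfig": vis("RateLimitLogin")},
        {"Name": "aws-common-rule-set", "Priority": 40,
         "Statement": {"ManagedRuleGroupStatement": {
             "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet",
             "RuleActionOverrides": [{"Name": "SizeRestrictions_BODY", "ActionToUse": {"Count": {}}}]}},
         "OverrideAction": {"None": {}},                                    # groups take OverrideAction, not Action
         "VisibilityConfig": vis("CommonRuleSet")},
    ]


GROUP_STATEMENTS = ("ManagedRuleGroupStatement", "RuleGroupReferenceStatement")


def validate(rules):
    """Checks the service would reject at create time, done locally first."""
    problems = []
    prios = [r["Priority"] for r in rules]
    if len(set(prios)) != len(prios):
        problems.append("duplicate priorities")
    for r in rules:
        is_group = any(k in r["Statement"] for k in GROUP_STATEMENTS)
        if (is_group and "Action" in r) or (not is_group and "OverrideAction" in r):
            problems.append(f"{r['Name']}: rule groups take OverrideAction, plain rules take Action")
        if "VisibilityConfig" not in r:
            problems.append(f"{r['Name']}: missing VisibilityConfig")
    return problems


def write_rules(path="rules.json"):
    rules = build_rules()
    if validate(rules):
        raise SystemExit("\n".join(validate(rules)))
    with open(path, "w") as f:
        json.dump(rules, f, indent=2)
    return path


if __name__ == "__main__":
    print("wrote", write_rules())
```

Before creating anything, run `aws wafv2 check-capacity --scope CLOUDFRONT --region us-east-1 --rules file://rules.json` to see the WCUs these rules consume; then `aws wafv2 create-web-acl ... --rules file://rules.json`. With AWS CLI v2 add `--cli-binary-format raw-in-base64-out`, because SearchString is a blob parameter and the CLI otherwise expects it base64-encoded.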

1.8 Logging and Monitoring

Feature | Details
CloudWatch Metrics | AllowedRequests, BlockedRequests, CountedRequests, PassedRequests (plus CaptchaRequests and ChallengeRequests where those actions are used)
Logging Destinations | S3 bucket, CloudWatch Logs log group, or Kinesis/Amazon Data Firehose delivery stream
Sampled Requests | Console shows a sample of requests that matched each rule over the last 3 hours (GetSampledRequests returns at most 500)
Log Fields | timestamp, action, terminatingRuleId and type, nonTerminatingMatchingRules, ruleGroupList, httpRequest (clientIp, country, uri, headers), labels
Redaction | Sensitive fields (a named header, the query string, the URI path, the body) can be redacted from logs before delivery
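Logs are only useful if someone reads them, so here is an added example (not code from the page or from AWS) of the two questions a practitioner asks of WAF logs: what did the ACL actually block, and what would a rule group that is still in Count mode have blocked if it were enforced. The records are constructed but use the real WAF log field names (action, terminatingRuleId, nonTerminatingMatchingRules, labels, httpRequest).

```python
"""Summarise AWS WAF logs (one JSON record per line, as delivered to S3,
CloudWatch Logs or Firehose). Added example, not AWS code; the records below
are constructed but use the real WAF log field names."""
import json
from collections import Counter, defaultdict

SAMPLE_LOG = r'''
{"timestamp":1700000000000,"terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","nonTerminatingMatchingRules":[{"ruleId":"AWS-AWSManagedRulesCommonRuleSet","action":"COUNT"}],"labels":[{"name":"awswaf:managed:aws:core-rule-set:SizeRestrictions_Body"}],"httpRequest":{"clientIp":"203.0.113.10","country":"US","uri":"/upload","httpMethod":"POST"}}
{"timestamp":1700000001000,"terminatingRuleId":"rate-limit-login","terminatingRuleType":"RATE_BASED","action":"BLOCK","nonTerminatingMatchingRules":[],"labels":[],"httpRequest":{"clientIp":"198.51.100.7","country":"NL","uri":"/login","httpMethod":"POST"}}
{"timestamp":1700000002000,"terminatingRuleId":"rate-limit-login","terminatingRuleType":"RATE_BASED","action":"BLOCK","nonTerminatingMatchingRules":[],"labels":[],"httpRequest":{"clientIp":"198.51.100.7","country":"NL","uri":"/login","httpMethod":"POST"}}
{"timestamp":1700000003000,"terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","nonTerminatingMatchingRules":[{"ruleId":"AWS-AWSManagedRulesCommonRuleSet","action":"COUNT"}],"labels":[{"name":"awswaf:managed:aws:core-rule-set:NoUserAgent_Header"}],"httpRequest":{"clientIp":"192.0.2.44","country":"DE","uri":"/api/orders","httpMethod":"GET"}}
{"timestamp":1700000004000,"terminatingRuleId":"block-embargoed-countries","terminatingRuleType":"REGULAR","action":"BLOCK","nonTerminatingMatchingRules":[],"labels":[],"httpRequest":{"clientIp":"198.51.100.7","country":"KP","uri":"/","httpMethod":"GET"}}
'''


def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize(records):
    """What the ACL actually did: blocks per terminating rule and the noisiest blocked clients."""
    blocked = [r for r in records if r["action"] == "BLOCK"]
    return {
        "blocked_by_rule": dict(Counter(r["terminatingRuleId"] for r in blocked)),
        "top_blocked_ips": Counter(r["httpRequest"]["clientIp"] for r in blocked).most_common(3),
    }


def count_mode_hits(records):
    """What a Count-mode group WOULD have blocked: label -> [(clientIp, uri)].
    Review these (are they your own clients or integrations?) before flipping
    the group to Block; a label with only legitimate hits needs an exception."""
    hits = defaultdict(list)
    for r in records:
        if any(m["action"] == "COUNT" for m in r.get("nonTerminatingMatchingRules", [])):
            for lab in r.get("labels", []):
                hits[lab["name"]].append((r["httpRequest"]["clientIp"], r["httpRequest"]["uri"]))
    return dict(hits)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(json.dumps(summarize(recs), indent=2))
    for label, where in count_mode_hits(recs).items():
        print(f"would block {len(where)} request(s) under {label}: {where}")
```

The same two functions work on real exports (`aws s3 cp` of the log objects, gunzipped and concatenated); only the sample text is constructed.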

1.9 Pricing Model

  • Per Web ACL: $5.00/month
  • Per Rule on Web ACL: $1.00/month per rule
  • Per million requests: $0.60
  • Bot Control pricing: additional $10/month + $1 per million requests analyzed
  • CAPTCHA pricing: $0.40 per 1,000 CAPTCHA attempts
  • Marketplace managed rules have additional subscription fees

2. AWS Shield

2.1 Shield Standard

Feature | Details
Cost | Free, automatically enabled for all AWS customers
Protection Level | Layer 3 (Network) and Layer 4 (Transport) DDoS protection
Protected Services | CloudFront, Route 53, Elastic Load Balancing, AWS Global Accelerator
Attack Types | SYN/ACK floods, reflection attacks, UDP floods
Detection | Automatic detection and inline mitigation at the AWS edge

2.2 Shield Advanced

Feature | Details
Cost | $3,000/month per organization (consolidated billing) with a 1-year commitment, plus data transfer out charges for protected resources
Protection Level | Enhanced Layer 3, Layer 4 and Layer 7 DDoS protection (Layer 7 via a WAF Web ACL associated with the resource)
Protected Resources | EC2 Elastic IPs (including those on an NLB), CloudFront, Route 53 hosted zones, ALB, CLB, Global Accelerator
Resource Limits | Up to 1,000 protected resources per account
DDoS Cost Protection | Service credits for scaling charges on protected resources during a DDoS attack (shields against bill shock)

2.3 Shield Advanced Exclusive Features

  • 24/7 access to the Shield Response Team (SRT; formerly the DDoS Response Team, DRT, and still "DRT" in API and IAM policy names); requires a Business or Enterprise Support plan
  • Advanced real-time metrics and attack notifications via CloudWatch
  • Historical attack analytics and reports
  • DDoS-specific Web ACL rules and rate-based rules
  • Layer 7 attack mitigation with automatic WAF rule creation
  • Health-based detection for Route 53 health checks
  • Proactive engagement - DRT initiates contact during events
  • Application layer DDoS protection visibility
  • Global threat environment dashboard

2.4 SRT (DRT) Permissions

  • The SRT has no access until you create an IAM role that trusts the service principal drt.shield.amazonaws.com, attach the AWS managed policy AWSShieldDRTAccessPolicy, and register the role with AssociateDRTRole
  • That policy lets the SRT create and update WAF rules and Shield protections on your behalf; AssociateDRTLogBucket optionally grants read access to S3 buckets holding flow logs or WAF logs
  • During an active attack the SRT can add or change rules in the Web ACLs associated with protected resources
  • You stay in control: the authorization is revocable at any time with DisassociateDRTRole, and the SRT acts only when engaged through a support case or proactive engagement
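An added example (not code from the page or from AWS) of creating that role with boto3 and, more importantly, checking it before authorising access: the trust policy must name only the Shield service principal, and the only attached policy should be the documented managed policy rather than something broader. The role name and log bucket are placeholders; the service principal and managed policy ARN are the documented values. The checks run offline; only apply() needs credentials.

```python
"""IAM role for the Shield Response Team (SRT, still 'DRT' in API and policy
names) plus least-privilege checks to run on it before authorising access.
Added example, not AWS code. The service principal drt.shield.amazonaws.com and
the managed policy AWSShieldDRTAccessPolicy are the documented values; the role
name and log bucket are placeholders."""
import json

SRT_PRINCIPAL = "drt.shield.amazonaws.com"
SRT_POLICY_ARN = "arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy"
ROLE_NAME = "ShieldResponseTeamAccess"     # placeholder


def trust_policy():
    """Only the Shield service may assume the role; no account or wildcard principals."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": SRT_PRINCIPAL},
                           "Action": "sts:AssumeRole"}]}


def check_role(trust, attached_policy_arns):
    """Return findings; an empty list means the role is scoped the way Shield documents."""
    findings = []
    stmts = trust.get("Statement", [])
    if len(stmts) != 1:
        findings.append("trust policy should contain exactly one statement")
    for s in stmts:
        principal = s.get("Principal", {})
        if principal.get("Service") != SRT_PRINCIPAL or len(principal) != 1:
            findings.append(f"principal must be exactly Service={SRT_PRINCIPAL}")
        actions = s.get("Action")
        if (actions if isinstance(actions, list) else [actions]) != ["sts:AssumeRole"]:
            findings.append("action must be only sts:AssumeRole")
    if attached_policy_arns != [SRT_POLICY_ARN]:
        findings.append(f"attach only {SRT_POLICY_ARN}, not broader policies")
    return findings


def apply(log_bucket=None):
    """Create the role, attach the policy, then hand the role ARN to Shield. Needs credentials."""
    import boto3                                     # imported lazily so the checks run offline
    iam, shield = boto3.client("iam"), boto3.client("shield")
    role = iam.create_role(RoleName=ROLE_NAME, AssumeRolePolicyDocument=json.dumps(trust_policy()),
                           Description="Assumed by the AWS Shield Response Team during DDoS events")
    iam.attach_role_policy(RoleName=ROLE_NAME, PolicyArn=SRT_POLICY_ARN)
    shield.associate_drt_role(RoleArn=role["Role"]["Arn"])     # revocable with disassociate_drt_role
    if log_bucket:
        shield.associate_drt_log_bucket(LogBucket=log_bucket)  # lets the SRT read flow/WAF logs there
    return role["Role"]["Arn"]


if __name__ == "__main__":
    print(check_role(trust_policy(), [SRT_POLICY_ARN]) or "role definition OK")
```

Run check_role against the existing role (get-role and list-attached-role-policies) in each account that grants SRT access; a trust policy widened to an AWS account principal or an extra AdministratorAccess attachment is exactly the drift this catches.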

2.5 Shield Advanced Integration

Service | Integration Capability
AWS WAF | WAF (and Firewall Manager) charges for Shield Advanced-protected resources are included; automatic application-layer mitigation and SRT rule suggestions during attacks
CloudWatch | DDoSDetected, DDoSAttackBitsPerSecond, DDoSAttackPacketsPerSecond and DDoSAttackRequestsPerSecond metrics
Route 53 | Health-based detection: a Route 53 health check associated with the resource tunes detection to application health
AWS Firewall Manager | Centralized management of Shield Advanced protections across accounts

2.6 Attack Visibility and Notifications

  • Real-time notification via CloudWatch Events/EventBridge
  • SNS integration for alerting
  • Attack vectors identified: SYN flood, UDP flood, DNS query flood, HTTP flood
  • Attack duration, volume, and mitigation actions logged
  • Historical attack data retained for trend analysis

3. AWS Firewall Manager

3.1 Core Concepts

Component | Description
Firewall Manager | Central security management service for firewall rules across an AWS Organization
Security Policies | Sets of rules applied to accounts and resources in scope
Administrator Account | Account designated (from the Organizations management account) to manage policies for the organization
Policy Scope | Defines which accounts, OUs, resource types, regions and tags a policy applies to

3.2 Prerequisites

  • AWS Organizations must be enabled
  • Must designate Firewall Manager administrator account
  • AWS Config must be enabled in all accounts and regions where policies apply
  • Resources must be tagged if using tag-based policy scope

3.3 Supported Policy Types

Policy Type | Function
AWS WAF | Manages WAF Web ACLs across ALB, API Gateway, CloudFront, AppSync and other supported resources
Shield Advanced | Automates Shield Advanced protection for in-scope resources
VPC Security Groups | Manages security group rules across VPCs and accounts
Network Firewall | Deploys and manages Network Firewall across VPCs
Route 53 Resolver DNS Firewall | Manages DNS filtering rules across VPCs
Third-party Firewalls | Palo Alto Networks Cloud NGFW, Fortinet FortiGate Cloud-Native Firewall (CNF)

3.4 WAF Policy Configuration

3.4.1 Rule Group Options

  • First rule groups: evaluated before resource-specific rules
  • Last rule groups: evaluated after resource-specific rules
  • Can use AWS Managed Rules, Marketplace rules, or custom rule groups
  • Override actions: convert rule group actions to Count for testing

3.4.2 Policy Deployment Models

Model | Behavior
Auto remediation on | Firewall Manager creates the policy's Web ACL in each in-scope account and associates it with every in-scope resource; resources that drift are re-associated
Auto remediation off (monitor mode) | Resources are reported as non-compliant but nothing is changed
Replace existing Web ACLs | With remediation on, an option to replace Web ACLs the account had already attached; without it, such resources stay non-compliant
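An added example (not code from the page or from AWS) of what 3.4.1 and 3.4.2 look like as a Firewall Manager WAF policy in the shape fms:PutPolicy takes: the managed groups go in preProcessRuleGroups ("first" groups), a group still under test has its action overridden to Count, RemediationEnabled switches between monitor mode and enforcement, and overrideCustomerWebACLAssociation is the "replace existing" option. The OU ids, tag, policy name and resource type are placeholders; the ManagedServiceData field names follow the documented WAFV2 format.

```python
"""A Firewall Manager WAF policy in the shape fms:PutPolicy takes, built twice:
monitor mode first (RemediationEnabled off, the new managed group overridden to
Count), then the enforcing version. Added example, not AWS code; the OU ids,
tag, policy name and resource type are placeholders."""
import json


def managed_group(name, override_to_count=False):
    return {"ruleGroupArn": None,
            "overrideAction": {"type": "COUNT" if override_to_count else "NONE"},
            "managedRuleGroupIdentifier": {"version": None, "vendorName": "AWS",
                                           "managedRuleGroupName": name},
            "ruleGroupType": "ManagedRuleGroup", "excludeRules": []}


def waf_policy(ou_ids, enforce=False, replace_existing_web_acls=False):
    service_data = {
        "type": "WAFV2",
        # 'first' rule groups: evaluated before any rules the account adds to the web ACL
        "preProcessRuleGroups": [
            managed_group("AWSManagedRulesAmazonIpReputationList"),
            managed_group("AWSManagedRulesCommonRuleSet", override_to_count=not enforce)],
        # 'last' rule groups: evaluated after the account's own rules
        "postProcessRuleGroups": [],
        "defaultAction": {"type": "ALLOW"},
        # True = replace web ACLs accounts already attached; False = report them as non-compliant
        "overrideCustomerWebACLAssociation": replace_existing_web_acls,
        "loggingConfiguration": None,
    }
    return {
        "PolicyName": "org-baseline-waf",
        "SecurityServicePolicyData": {"Type": "WAFV2", "ManagedServiceData": json.dumps(service_data)},
        "ResourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer",
        "ResourceTags": [{"Key": "internet-facing", "Value": "true"}],   # tag-based scope
        "ExcludeResourceTags": False,
        "RemediationEnabled": enforce,            # False = monitor mode: report, do not change
        "IncludeMap": {"ORGUNIT": list(ou_ids)},
    }


def rollout(ou_ids):
    """Monitor, validate with sampled requests and compliance reports, then enforce."""
    return [waf_policy(ou_ids, enforce=False), waf_policy(ou_ids, enforce=True)]


def service_data(policy):
    return json.loads(policy["SecurityServicePolicyData"]["ManagedServiceData"])


def groups_in_count_mode(policy):
    """Names of managed groups this policy deploys without enforcing."""
    data = service_data(policy)
    return [g["managedRuleGroupIdentifier"]["managedRuleGroupName"]
            for g in data["preProcessRuleGroups"] + data["postProcessRuleGroups"]
            if g["overrideAction"]["type"] == "COUNT"]


def put_policy(policy):
    """Apply from the Firewall Manager administrator account (needs credentials)."""
    import boto3
    return boto3.client("fms").put_policy(Policy=policy)["Policy"]["PolicyId"]


if __name__ == "__main__":
    for p in rollout(["ou-abcd-11111111"]):
        print(p["PolicyName"], "remediate:", p["RemediationEnabled"],
              "count-mode groups:", groups_in_count_mode(p))
```

Deploy the first policy, wait for AWS Config to report compliance, review the Count-mode hits in the member accounts' WAF logs, and only then put the second version; flipping RemediationEnabled on a policy that still has groups in Count mode enforces nothing new.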

3.5 Security Group Policies

3.5.1 Common Security Group Policy

  • Applies a primary security group defined in the administrator account across in-scope accounts; Firewall Manager creates a replica in each account and VPC
  • Options include associating the replica with in-scope resources, reverting local edits to the replica's rules, and removing other security groups from those resources

3.5.2 Content Audit Security Group Policy

  • Audits the rules of in-scope security groups against an audit security group: either "allow only the rules in the audit group" (allow-list) or "deny the rules in the audit group" (deny-list, for example no 0.0.0.0/0 on port 22)
  • Managed audit options flag overly permissive rules, such as inbound access from any address on chosen ports
  • Auto-remediation removes the non-compliant rules from the audited security groups

3.5.3 Usage Audit Security Group Policy

  • Finds security groups that are unused or redundant (duplicate rule sets)
  • Auto-remediation can delete unused groups and consolidate redundant ones

3.6 Policy Scope Configuration

Scope Element | Options
Accounts | All accounts in the organization, specific OUs, or include/exclude lists
Resource Types | CloudFront, ALB, API Gateway, EC2, etc. (as supported by the policy type)
Resources | All resources, or filtered by resource tags
Regions | All regions or a specific region list (CloudFront is global)

3.7 Compliance and Monitoring

  • Compliance status dashboard shows compliant vs non-compliant resources
  • Non-compliance reasons logged (missing protection, incorrect configuration)
  • SNS notifications for compliance status changes
  • CloudWatch metrics for policy compliance
  • Automatic remediation brings resources into compliance
  • Manual remediation requires administrator action

3.8 Firewall Manager Pricing

  • Per policy: $100/month per region per policy
  • Per resource: varies by resource type and policy type
  • WAF policy: $0.0002 per resource per month
  • Shield Advanced policy: no additional charge beyond Shield Advanced fees
  • Security Group policies: $0.0002 per VPC per month
  • Underlying service costs still apply (WAF, Shield Advanced, etc.)

4. Integration and Architecture Patterns

4.1 Multi-Layer Protection Architecture

Layer | Service
Edge Protection | CloudFront with Shield Standard, Route 53 with Shield Standard
DDoS Mitigation | Shield Advanced on CloudFront, ALB, Route 53
Application Layer | WAF on CloudFront/ALB with managed and custom rules
Network Layer | Security groups, Network ACLs, Network Firewall

4.2 Regional vs Global Services

Service | Scope
WAF for CloudFront | Web ACL with CLOUDFRONT scope; must be created in us-east-1
WAF for ALB/API Gateway | Regional Web ACL in the same region as the protected resource
Shield Standard | Global protection applied automatically
Shield Advanced | Applied per resource; global visibility dashboard
Firewall Manager | Policies can span all regions or specific regions

4.3 Cross-Account Management

  • Firewall Manager manages policies across AWS Organization accounts
  • Shield Advanced supports consolidated billing at organization level
  • WAF Web ACLs and rule groups are account-scoped and are not shareable through AWS Resource Access Manager; cross-account standardization is done with Firewall Manager policies, which create the Web ACL in each member account
  • DRT requires IAM role in each account for Shield Advanced access
  • Central logging account collects WAF logs from all accounts

4.4 Common Use Cases

Use Case | Recommended Solution
Block SQL injection | WAF with SQL Database Managed Rule Group
Prevent credential stuffing | WAF Account Takeover Prevention (ATP) on login endpoints
Rate limiting API | WAF rate-based rule on API Gateway
Block specific countries | WAF geo match condition
DDoS protection for public website | CloudFront + Shield Standard + WAF (Shield Advanced for SLA and cost protection)
Centralized security across organization | Firewall Manager with WAF and Shield Advanced policies
Bot detection and management | WAF Bot Control Managed Rule Group

4.5 WAF Rule Evaluation Order

  1. Rules evaluated in priority order (lowest number first)
  2. First matching terminating rule action is taken
  3. If no terminating rule matches, default Web ACL action applies (Allow or Block)
  4. Count actions are non-terminating; evaluation continues
  5. Rule group rules evaluated in group's internal priority order
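The following is an added example, not code from the page or from AWS: a small model of the evaluation order in 4.5 together with the action semantics of 1.3 and the rule-group "override to Count" option of 3.4.1. It shows the pattern practitioners use to roll out a managed rule group safely: reference the group in Count mode so its matches only emit labels, then enforce a single finding with a label-match rule placed at a higher priority number. The rules and requests are constructed, and the model omits CAPTCHA token issuance, custom responses and sampled-request bookkeeping.

```python
"""Model of how a web ACL evaluates one request: rules and rule groups in
priority order, terminating actions (Allow/Block/CAPTCHA/Challenge) versus
non-terminating Count, labels that later rules can match, rule groups with
their actions overridden to Count, and the default action at the end.
Added example, not AWS code; rules and requests are constructed."""

TERMINATING = {"ALLOW", "BLOCK", "CAPTCHA", "CHALLENGE"}


class Rule:
    def __init__(self, name, priority, match, action, label=None):
        self.name, self.priority, self.match = name, priority, match
        self.action, self.label = action, label


class RuleGroup:
    """Managed or custom group referenced from the ACL; override_to_count
    mirrors the 'override rule group action to Count' testing setting."""

    def __init__(self, name, priority, rules, override_to_count=False):
        self.name, self.priority = name, priority
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.override_to_count = override_to_count


def evaluate_web_acl(entries, request, default_action="ALLOW"):
    """Return (final_action, terminating_rule_id, labels) for one request."""
    labels = set()
    req = dict(request, labels=labels)   # label-match rules read labels added earlier
    for entry in sorted(entries, key=lambda e: e.priority):
        group = isinstance(entry, RuleGroup)
        for rule in (entry.rules if group else [entry]):
            if not rule.match(req):
                continue
            if rule.label:
                labels.add(rule.label)   # labels are added on match regardless of action
            action = rule.action
            if group and entry.override_to_count:
                action = "COUNT"         # test a group without enforcing it
            if action in ("CAPTCHA", "CHALLENGE") and req.get("valid_token"):
                action = "COUNT"         # a valid token makes these non-terminating
            if action in TERMINATING:
                rule_id = f"{entry.name}#{rule.name}" if group else rule.name
                return action, rule_id, labels
            # COUNT: record the match and keep evaluating
    return default_action, "Default_Action", labels


CRS = "awswaf:managed:aws:core-rule-set:"   # label namespace used by the AWS Core Rule Set


def build_demo_acl():
    """Constructed ACL: allow-list first, managed group in Count, then a
    label-match rule that enforces only one of the group's findings."""
    return [
        Rule("allow-healthcheck", 0, lambda r: r["uri"] == "/healthz", "ALLOW"),
        RuleGroup("AWS-CommonRuleSet", 10, [
            Rule("NoUserAgent_HEADER", 1, lambda r: "user-agent" not in r["headers"],
                 "BLOCK", label=CRS + "NoUserAgent_HEADER"),
            Rule("SizeRestrictions_BODY", 2, lambda r: len(r.get("body", "")) > 8192,
                 "BLOCK", label=CRS + "SizeRestrictions_BODY"),
        ], override_to_count=True),
        Rule("enforce-no-user-agent", 20,
             lambda r: CRS + "NoUserAgent_HEADER" in r["labels"], "BLOCK"),
        Rule("captcha-login", 30, lambda r: r["uri"] == "/login", "CAPTCHA"),
        Rule("count-admin", 40, lambda r: r["uri"].startswith("/admin"),
             "COUNT", label="custom:admin-path"),
    ]


SAMPLE_REQUESTS = {   # constructed
    "healthcheck_no_ua": {"uri": "/healthz", "headers": {}},
    "api_no_ua": {"uri": "/api/orders", "headers": {}},
    "big_body": {"uri": "/upload", "headers": {"user-agent": "curl/8"}, "body": "x" * 9000},
    "login_first_visit": {"uri": "/login", "headers": {"user-agent": "Mozilla"}},
    "login_with_token": {"uri": "/login", "headers": {"user-agent": "Mozilla"}, "valid_token": True},
    "admin": {"uri": "/admin/users", "headers": {"user-agent": "Mozilla"}},
}


def run_demo():
    acl = build_demo_acl()
    return {name: evaluate_web_acl(acl, req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (action, rule_id, labels) in run_demo().items():
        print(f"{name:20} {action:9} by {rule_id:32} labels={sorted(labels)}")
```

Two things the model makes visible: the health-check allow at priority 0 wins even though the same request would trip the NoUserAgent rule, so allow-lists must sit at the lowest priority numbers deliberately; and the oversized body is only counted and labelled, because the group is in Count mode and no later rule enforces that label.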

4.6 Performance and Limits

Resource | Limit
Web ACLs per account per region | 100 (soft limit, can be increased)
Rules per Web ACL | No fixed count in AWS WAF (v2); bounded by WCU capacity (the 10-rule limit applied only to WAF Classic)
Web ACL capacity units | 1,500 per Web ACL by default; up to 5,000 on request
Rate-based rule threshold | 10 requests minimum per evaluation window (1, 2, 5 or 10 minutes)
IP sets per account per region | 100
IP addresses per IP set | 10,000
Regex pattern sets per account per region | 10
Shield Advanced protected resources | 1,000 per account

5. Best Practices and Exam Tips

5.1 WAF Best Practices

  • Start with AWS Managed Rules Core Rule Set for baseline protection
  • Use Count mode to test rules before switching to Block
  • Enable logging to S3 or CloudWatch Logs for analysis
  • Implement rate-based rules to prevent abuse and DDoS
  • Use IP sets for allow-lists and deny-lists; easier to manage than individual rules
  • Apply WAF at CloudFront for global protection; at ALB for regional applications
  • Review sampled requests regularly to tune rules
  • Use labels to create complex rule logic and improve rule organization

5.2 Shield Best Practices

  • Shield Standard is automatic and free; always enabled
  • Use Shield Advanced for business-critical applications requiring SLA
  • Enable Shield Advanced on CloudFront and Route 53 for edge protection
  • Configure health-based detection for faster DDoS response
  • Grant DRT proactive permissions before attacks occur
  • Review DDoS cost protection to understand coverage scope
  • Combine Shield Advanced with WAF for comprehensive protection

5.3 Firewall Manager Best Practices

  • Enable AWS Config in all accounts and regions before deploying policies
  • Use organizational units (OUs) to group accounts with similar security requirements
  • Start with monitor mode, then enable auto-remediation after validation
  • Use tag-based scoping for flexible resource targeting
  • Implement both common and audit security group policies for defense in depth
  • Set up SNS notifications to track compliance drift
  • Designate a dedicated security account as Firewall Manager administrator

5.4 Cost Optimization

  • Use WAF only where needed; not all resources require WAF
  • Shield Standard provides adequate protection for most workloads
  • The Shield Advanced fee is charged once per organization under consolidated billing, so additional accounts subscribe without paying it again
  • One Web ACL can protect many resources of the same scope (regional or CloudFront); reuse a Web ACL instead of creating one per resource to avoid paying the per-ACL and per-rule charges repeatedly
  • Monitor WCU consumption to avoid unnecessary rule complexity
  • Use Firewall Manager to prevent policy sprawl and duplicate rules

5.5 Security Considerations

  • Never expose EC2 instances directly; put CloudFront or an ALB with WAF in front and restrict the origin security group to the CloudFront origin-facing managed prefix list or to the ALB
  • WAF inspects requests after TLS is terminated at CloudFront, the ALB or the other supported resource, so it does see decrypted headers and body (within the body size limit); what it cannot see is traffic that bypasses those resources, so lock down origins and, with CloudFront, require a secret custom origin header at the origin
  • Combine WAF with other services: GuardDuty, Security Hub, Inspector
  • Use AWS Managed Rules for known vulnerabilities; custom rules for business logic
  • Regularly update IP reputation lists and bot detection rules
  • Implement least privilege for WAF and Shield administrative access
  • Enable MFA delete on S3 buckets storing WAF logs

5.6 Troubleshooting Common Issues

Issue | Solution
Legitimate traffic blocked | Review sampled requests and logs; adjust rule priority, add an allow-list rule or a label-based exception
High false positive rate | Use Count mode; tune match conditions; override individual managed rules to Count; adjust sensitivity settings
WAF not blocking attacks | Verify the Web ACL is associated with the resource; check rule priority, actions and the default action
Firewall Manager non-compliance | Ensure AWS Config is enabled; verify resource tags; check policy scope and existing Web ACL associations
SRT (DRT) cannot access account | Verify the IAM role exists; check its trust policy names drt.shield.amazonaws.com; confirm AssociateDRTRole was called

5.7 Key Exam Scenarios

  • Scenario: Block traffic from specific countries → Use WAF geo match condition
  • Scenario: Protect against DDoS with cost guarantee → Use Shield Advanced
  • Scenario: Centralized firewall rules across 100 accounts → Use Firewall Manager
  • Scenario: Prevent SQL injection on web app → Use WAF SQL Database Managed Rule Group
  • Scenario: Rate limit API to 1000 req/5min per IP → Use WAF rate-based rule
  • Scenario: Monitor potential threats without blocking → Use WAF Count action
  • Scenario: Protect login page from credential stuffing → Use WAF ATP
  • Scenario: Automatically respond to Layer 7 DDoS → Use Shield Advanced with DRT authorization