Overview
AWS offers three complementary services for protecting web applications and the network edge. They operate at different layers and at different administrative scopes:

| Service | Purpose | Scope |
| --- | --- | --- |
| AWS WAF | Layer 7 (HTTP/S) web application firewall: rules that allow, block, count or rate-limit requests before they reach the application | Per resource: a web ACL is associated with a CloudFront distribution (CLOUDFRONT scope) or with a regional resource such as an ALB, API Gateway or AppSync API (REGIONAL scope) |
| AWS Shield | DDoS protection. Standard covers Layer 3/4 volumetric and state-exhaustion attacks; Advanced adds Layer 7 protection (delivered through WAF), attack visibility and response support | Standard is on for every AWS customer automatically. Advanced is an account-level subscription under which specific resources are enrolled (ELB, CloudFront, Route 53, Global Accelerator, Elastic IPs) |
| AWS Firewall Manager | Central definition and enforcement of WAF, Shield Advanced, security group and Network Firewall policies | Multi-account, through AWS Organizations, from a designated Firewall Manager administrator account |
When to Use Each
- AWS WAF – For protecting specific applications (ALB, API Gateway, CloudFront, AppSync) with Layer 7 rules: AWS and vendor managed rule groups for common attack classes, plus custom rules such as per-IP rate limits, geo or IP-set matching and header/body inspection.
- AWS Firewall Manager – For organization-wide policy enforcement: WAF, Shield Advanced or security group rules are applied automatically to new and existing resources across member accounts, and non-compliant resources are reported or remediated. It requires AWS Organizations, a designated Firewall Manager administrator account and AWS Config enabled in the member accounts.
- AWS Shield Advanced – For enhanced DDoS protection on high-value resources: 24/7 access to the AWS Shield Response Team (SRT), detailed attack diagnostics, and cost protection that credits scaling charges incurred during an attack.
Combined Approach
- WAF handles granular web traffic filtering (and is also where Shield Advanced's Layer 7 mitigations land, so the two are normally deployed together).
- Shield Advanced protects against large-scale Layer 3–7 DDoS attacks on enrolled resources and adds operational support during an event.
- Firewall Manager deploys and manages these protections consistently across accounts and regions; its policies are regional, so a baseline has to be created in each region where protected resources exist.
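As an added illustration of the combined approach (not part of the original page, and not AWS-provided code), the following two CloudFormation templates put the pieces together. Template A, deployed in a workload account, builds a WAF web ACL with one managed rule group and a per-IP rate limit and attaches it to an ALB. Template B, deployed in the Firewall Manager administrator account, pushes an organization-wide WAF baseline and Shield Advanced enrollment to every ALB in one organizational unit. Split the block at the `---` marker into two files; the parameter values (`AlbArn`, `TargetOuId`), the rate limit of 2000 and the choice of managed rule groups are assumptions for the example.

```yaml
# Template A: per-application WAF web ACL, deployed in the workload account.
# Example code; AlbArn is a placeholder for your load balancer's ARN.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  AlbArn:
    Type: String
    Description: ARN of the Application Load Balancer to protect (placeholder)
Resources:
  AppWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: app-web-acl
      Scope: REGIONAL              # use CLOUDFRONT (in us-east-1) for a distribution
      DefaultAction:
        Allow: {}                  # allow by default; the rules below block
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: app-web-acl
      Rules:
        # Lower Priority runs first. Managed rule groups take OverrideAction;
        # None keeps the group's own block/count verdicts.
        - Name: AWSManagedRulesCommonRuleSet
          Priority: 0
          OverrideAction:
            None: {}
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesCommonRuleSet
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: common-rule-set
        # Rate-based rule: block a source IP that exceeds 2000 requests in the
        # evaluation window (default 5 minutes). This is blunt Layer 7 flood
        # control; volumetric Layer 3/4 floods are Shield's job.
        - Name: rate-limit-per-ip
          Priority: 1
          Action:
            Block: {}
          Statement:
            RateBasedStatement:
              Limit: 2000          # assumed threshold; tune per application
              AggregateKeyType: IP
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: rate-limit-per-ip
  AppWebAclAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref AlbArn
      WebACLArn: !GetAtt AppWebAcl.Arn
---
# Template B: organization-wide policies, deployed in the Firewall Manager
# administrator account. TargetOuId is a placeholder for an OU id (ou-xxxx-yyyyyyyy).
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  TargetOuId:
    Type: String
    Description: OU whose member accounts receive the policies (placeholder)
Resources:
  OrgWafBaseline:
    Type: AWS::FMS::Policy
    Properties:
      PolicyName: org-waf-baseline
      ResourceType: AWS::ElasticLoadBalancingV2::LoadBalancer
      RemediationEnabled: true     # auto-associate the web ACL to new and existing ALBs
      ExcludeResourceTags: false
      IncludeMap:
        ORGUNIT:
          - !Ref TargetOuId
      SecurityServicePolicyData:
        Type: WAFV2
        # ManagedServiceData is a JSON string in Firewall Manager's WAFV2 policy format:
        # rule groups evaluated before (preProcess) and after (postProcess) account-owned rules.
        ManagedServiceData: |
          {"type":"WAFV2",
           "preProcessRuleGroups":[{"ruleGroupArn":null,"overrideAction":{"type":"NONE"},
             "managedRuleGroupIdentifier":{"version":null,"vendorName":"AWS",
               "managedRuleGroupName":"AWSManagedRulesAmazonIpReputationList"},
             "ruleGroupType":"ManagedRuleGroup","excludeRules":[]}],
           "postProcessRuleGroups":[],
           "defaultAction":{"type":"ALLOW"},
           "overrideCustomerWebACLAssociation":false,
           "loggingConfiguration":null}
  OrgShieldAdvanced:
    Type: AWS::FMS::Policy
    Properties:
      PolicyName: org-shield-advanced
      ResourceType: AWS::ElasticLoadBalancingV2::LoadBalancer
      RemediationEnabled: true     # enrol matching ALBs in Shield Advanced automatically
      ExcludeResourceTags: false
      IncludeMap:
        ORGUNIT:
          - !Ref TargetOuId
      SecurityServicePolicyData:
        Type: SHIELD_ADVANCED
        ManagedServiceData: '{"type":"SHIELD_ADVANCED"}'
```

Two things to check before deploying: `overrideCustomerWebACLAssociation` is left `false` so an application team's own web ACL (Template A) is not replaced by the baseline, and the Shield Advanced policy only takes effect in accounts that hold a Shield Advanced subscription, which Firewall Manager does not purchase for them.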