Application Layer: WAF, Shield, and API Security
The application layer protects your workloads from external threats that target your application logic. While network and identity controls prevent unauthorized access, application-layer security filters malicious traffic that arrives through legitimate channels, such as a SQL injection payload in a web form or a DDoS attack against your API.
AWS WAF
AWS WAF (Web Application Firewall) inspects HTTP/HTTPS requests and blocks those that match rules you define. WAF attaches to CloudFront distributions, Application Load Balancers, API Gateway REST APIs, and AppSync GraphQL APIs.
Web ACLs and Rules
A Web ACL is a collection of rules that WAF evaluates against each incoming request. Rules are evaluated in priority order, and the first matching rule determines the action (allow, block, or count).
Rule types:
| Rule Type | Example | Use Case |
|---|---|---|
| Rate-based | Block IPs exceeding 2,000 requests in 5 minutes | DDoS mitigation, brute force protection |
| IP set | Block or allow specific IP ranges | Geoblocking, allowlisting known partners |
| Regex pattern set | Match specific patterns in headers or body | Custom signature detection |
| Managed rule groups | AWS Managed Rules, marketplace rules | Broad protection with minimal configuration |
AWS Managed Rule Groups
AWS provides free managed rule groups that cover common attack vectors:
| Rule Group | What It Blocks |
|---|---|
| AWSManagedRulesCommonRuleSet | OWASP Top 10 including XSS, SQLi, command injection |
| AWSManagedRulesKnownBadInputsRuleSet | Known bad request patterns (Log4j, etc.) |
| AWSManagedRulesSQLiRuleSet | SQL injection patterns |
| AWSManagedRulesLinuxRuleSet | Linux-specific exploits (path traversal, etc.) |
| AWSManagedRulesAmazonIpReputationList | IPs identified as bots or threats |
| AWSManagedRulesBotControlRuleSet | Bot detection and management (paid) |
Best practice: Start with the Common Rule Set and Known Bad Inputs in count mode. Review the logs for false positives before switching to block mode.
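The review step above, as an added example that is not part of the original page: a small reader for the AWS WAF log format that tallies which managed rules matched in COUNT mode (and on which paths, from how many clients) so you can decide what to exclude and what to promote to BLOCK. The log records, rule name `RateLimitPerIP` and client IPs are constructed sample data.

```python
import json
from collections import Counter, defaultdict

# Constructed sample records in the AWS WAF log format (one JSON object per line),
# trimmed to the fields this review uses. Rule ids are from the managed groups above.
SAMPLE_WAF_LOGS = """\
{"timestamp":1700000000000,"action":"ALLOW","terminatingRuleId":"Default_Action","httpRequest":{"clientIp":"203.0.113.10","uri":"/api/search","httpMethod":"GET"},"ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","terminatingRule":null,"nonTerminatingMatchingRules":[{"ruleId":"SizeRestrictions_QUERYSTRING","action":"COUNT"}]}]}
{"timestamp":1700000001000,"action":"ALLOW","terminatingRuleId":"Default_Action","httpRequest":{"clientIp":"203.0.113.11","uri":"/api/search","httpMethod":"GET"},"ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","terminatingRule":null,"nonTerminatingMatchingRules":[{"ruleId":"SizeRestrictions_QUERYSTRING","action":"COUNT"}]}]}
{"timestamp":1700000002000,"action":"ALLOW","terminatingRuleId":"Default_Action","httpRequest":{"clientIp":"198.51.100.7","uri":"/login","httpMethod":"POST"},"ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesKnownBadInputsRuleSet","terminatingRule":null,"nonTerminatingMatchingRules":[{"ruleId":"Log4JRCE","action":"COUNT"}]}]}
{"timestamp":1700000003000,"action":"BLOCK","terminatingRuleId":"RateLimitPerIP","terminatingRuleType":"RATE_BASED","httpRequest":{"clientIp":"198.51.100.7","uri":"/login","httpMethod":"POST"},"ruleGroupList":[]}
"""

def parse_waf_logs(log_text):
    """Yield one record per non-empty JSON line."""
    for line in log_text.splitlines():
        if line.strip():
            yield json.loads(line)

def count_mode_summary(log_text):
    """Per rule that matched in COUNT mode: hits, distinct URIs and distinct client IPs.
    Many clients tripping one rule on a single path points to legitimate traffic (a
    false positive to scope with a rule exclusion); few IPs across many paths looks
    like probing and is safe to promote to BLOCK."""
    summary = defaultdict(lambda: {"hits": 0, "uris": set(), "ips": set()})
    for rec in parse_waf_logs(log_text):
        req = rec["httpRequest"]
        for group in rec.get("ruleGroupList", []):
            for rule in group.get("nonTerminatingMatchingRules", []):
                if rule.get("action") != "COUNT":
                    continue
                entry = summary[(group["ruleGroupId"], rule["ruleId"])]
                entry["hits"] += 1
                entry["uris"].add(req["uri"])
                entry["ips"].add(req["clientIp"])
    return dict(summary)

def terminating_actions(log_text):
    """Tally (action, terminating rule id): shows what already blocks, e.g. the rate-based rule."""
    return Counter((r["action"], r["terminatingRuleId"]) for r in parse_waf_logs(log_text))

if __name__ == "__main__":
    for (group, rule), e in count_mode_summary(SAMPLE_WAF_LOGS).items():
        print(f"{group}/{rule}: {e['hits']} hits on {sorted(e['uris'])} from {len(e['ips'])} IPs")
    print(terminating_actions(SAMPLE_WAF_LOGS))
```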
AWS Shield
AWS Shield provides DDoS protection at two tiers:
Shield Standard vs Advanced
| Feature | Shield Standard | Shield Advanced |
|---|---|---|
| Cost | Free (automatic) | $3,000/month + data transfer |
| Protection | Layer 3/4 (network/transport) | Layer 3/4/7 (including application) |
| Resources | All AWS resources | CloudFront, ALB, ELB, Route 53, Global Accelerator, EC2 EIPs |
| Response team | None | 24/7 AWS Shield Response Team (SRT) |
| Cost protection | None | DDoS cost protection (credits for scaling charges) |
| Visibility | Basic | Advanced metrics, attack forensics |
When to use Shield Advanced: When your application is public-facing and a DDoS-related outage or cost spike would cause significant business impact. The $3,000/month subscription covers all resources in the account.
API Gateway Authorization Patterns
API Gateway provides multiple mechanisms to authenticate and authorize API requests:
1. IAM Authorization
Requests are signed with AWS Signature Version 4. The caller must have IAM permissions to invoke the API.
Best for: Service-to-service communication, internal APIs, and programmatic access where callers already have IAM credentials.
2. Cognito User Pool Authorizer
API Gateway validates a JWT token issued by a Cognito User Pool. The token contains the user's identity and claims.
Best for: User-facing APIs where you manage user registration and authentication with Cognito.
3. Lambda Authorizer (Custom Authorizer)
A Lambda function receives the request token or headers and returns an IAM policy that API Gateway uses to allow or deny the request.
Best for: Custom authentication logic, third-party identity providers, or when you need to validate tokens from a non-Cognito IdP.
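An added example of the pattern above (not code from the original page): a TOKEN-type Lambda authorizer that validates a bearer JWT and returns the IAM policy API Gateway enforces. To run offline it assumes HS256 tokens under a shared secret; the `mint_token` helper, the issuer and audience values, and the method ARN used in the test are constructed.

```python
import base64, hashlib, hmac, json, time
# Assumed for a self-contained example: HS256 JWTs under a shared secret. A real
# third-party IdP signs with RS256 and you would verify against its published JWKS.
SECRET = b"example-shared-secret-not-for-production"
ISSUER, AUDIENCE = "https://idp.example.com", "orders-api"

def _b64url(data):            # bytes -> unpadded base64url text
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64url(text):          # unpadded base64url text -> bytes
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims, secret=SECRET):
    """The IdP's side, included only so the example runs offline."""
    signing_input = _b64url(json.dumps({"alg": "HS256"}).encode()) + "." + _b64url(json.dumps(claims).encode())
    return signing_input + "." + _b64url(hmac.new(secret, signing_input.encode(), hashlib.sha256).digest())

def verify_jwt(token, now=None, secret=SECRET):
    """Return the claims of a valid token, or None on any failure (format, alg, signature, exp, iss, aud)."""
    try:
        h, p, sig = token.split(".")
        if json.loads(_unb64url(h)).get("alg") != "HS256":   # pin the algorithm; never accept 'none'
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        claims = json.loads(_unb64url(p))
        now = time.time() if now is None else now
        ok = claims.get("exp", 0) > now and claims.get("iss") == ISSUER and claims.get("aud") == AUDIENCE
    except (ValueError, TypeError, AttributeError):
        return None
    return claims if ok else None

def build_policy(principal_id, effect, method_arn, context=None):
    """API Gateway caches this response per token for the configured TTL, so Resource covers every
    route in the stage; a policy pinned to one methodArn would be replayed from cache and wrongly deny the caller's other routes."""
    api_arn, _, rest = method_arn.partition("/")      # rest = "<stage>/<VERB>/<path>"
    return {"principalId": principal_id,
            "policyDocument": {"Version": "2012-10-17", "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect,
                 "Resource": f"{api_arn}/{rest.split('/')[0]}/*/*"}]},
            "context": context or {}}

def handler(event, context=None, now=None):       # TOKEN-type authorizer entry point
    token = event.get("authorizationToken", "")
    if not token.startswith("Bearer "):
        raise Exception("Unauthorized")             # API Gateway turns this into HTTP 401
    claims = verify_jwt(token[7:], now=now)
    if claims is None:
        return build_policy("anonymous", "Deny", event["methodArn"])   # caller gets HTTP 403
    return build_policy(claims.get("sub", "unknown"), "Allow", event["methodArn"], {"scope": claims.get("scope", "")})
```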
Choosing an Authorization Pattern
| Pattern | Authentication Source | Caching | Complexity |
|---|---|---|---|
| IAM | AWS SigV4 credentials | N/A | Low |
| Cognito | JWT from Cognito User Pool | Built-in | Medium |
| Lambda Authorizer | Custom (any token/header) | Configurable (up to 1 hour) | High |
Secrets Manager vs Parameter Store
Applications need credentials, API keys, and connection strings. Storing these in code or environment variables is a security risk. AWS provides two services for secret management:
| Feature | Secrets Manager | Parameter Store (Standard) |
|---|---|---|
| Automatic rotation | Built-in rotation with Lambda | No built-in rotation |
| Cost | $0.40/secret/month + API calls | Free (standard tier) |
| Max size | 64 KB | 4 KB (standard) / 8 KB (advanced) |
| Cross-account access | Supported via resource policy | Not supported (standard) |
| RDS integration | Native rotation for RDS, Redshift, DocumentDB | Manual |
| Encryption | Always encrypted with KMS | Optional encryption with KMS |
When to use Secrets Manager: Database credentials, API keys, and any secret that benefits from automatic rotation. The cost is justified by the built-in rotation capability.
When to use Parameter Store: Configuration values, feature flags, and non-sensitive parameters. Use the SecureString type with KMS for sensitive values that do not need rotation.
Flashcards
What AWS resources can WAF be attached to?
CloudFront distributions, Application Load Balancers, API Gateway REST APIs, and AppSync GraphQL APIs.