WAF & Shield Bundle

AWS WAF and AWS Shield (Standard, Advanced, and the new network security director) — the edge protection layer for web applications. WAF inspects and filters individual HTTP(S) requests at Layer 7; Shield defends against volumetric and protocol-level DDoS attacks at Layers 3/4 and 7. The exam consistently tests whether you know which layer a described attack actually operates at.

  • Control type: Preventive (primary role), Infrastructure Protection; Detective (visibility/dashboards)
  • WAF: L7 (application layer)
  • Shield: L3/L4 + L7 (network/transport + application layer)
  • Mar 2026: Anti-DDoS AMR becomes default (supersedes L7AM)
  • Jun 2025: Shield network security director (preview)

The Core Mental Model — Two Layers of Edge Defense

WAF Filters Requests; Shield Absorbs Floods
⚠️ The Recurring Exam Theme

The exam tests layer recognition above almost everything else here: SQL injection, XSS, bad bots, credential stuffing → WAF (it's about request CONTENT). A volumetric flood of raw packets trying to exhaust bandwidth or connection state → Shield (it's about request/packet VOLUME, regardless of content). A question describing BOTH an HTTP flood AND content-based attack patterns may need both services working together, with Shield Advanced's automatic mitigation actually deploying WAF rules on your behalf during a Layer 7 DDoS event.

Exam Domain Mapping

Domain: Where This Bundle Shows Up
Infrastructure Security: The centerpiece — WAF rule design, Shield tier selection, DDoS mitigation mechanics
Threat Detection & Incident Response: Shield Advanced automatic mitigation, SRT engagement during an active DDoS event
Data Protection: WAF Fraud Control protecting login/signup pages from credential-based attacks
Management & Security Governance: Firewall Manager-centralized WAF/Shield policy across an Organization, network security director's posture recommendations

Decision Tree — Mental Model

Threat

SQL injection, XSS, bad bots, credential stuffing, fake account creation (content-based, Layer 7); volumetric packet/connection floods aiming to exhaust bandwidth or state (Layer 3/4); sophisticated app-layer request floods (Layer 7 DDoS)

Security Goal

Filter malicious request content at the edge, and absorb/mitigate volumetric attacks before they reach the application

AWS Service

The WAF & Shield Bundle
  • WAF — managed/custom rules, Bot Control, Fraud Control
  • Shield Standard — always-on L3/4
  • Shield Advanced — sophisticated DDoS, L7, SRT
  • Network security director — posture visibility

Implementation

Attach a Web ACL with AWS Managed Rules + Bot Control/Fraud Control where relevant; subscribe to Shield Advanced for business-critical internet-facing resources; enable automatic application-layer DDoS mitigation; centralize policy via Firewall Manager.

Monitoring

WAF logs and sampled request dashboards; Shield Advanced's Global Threat Environment Dashboard and mitigation metrics; network security director's topology/misconfiguration findings.

Remediation

Tune/tighten WAF rules based on logged false positives/negatives; engage the SRT during an active, severe DDoS event; act on network security director's specific remediation recommendations.
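The Monitoring and Remediation steps above come down to reading WAF logs and deciding, per rule, whether Count-mode matches are false positives to scope down or real attack traffic to start blocking. The script below is an added example, not code from the page or from AWS: it builds a handful of constructed WAF log records in the JSON field layout WAF logging emits (all IPs, paths, ARNs and IDs are made up), aggregates every Count-mode match by rule group and rule, and applies a simple triage heuristic that is this example's own assumption, not an AWS rule.

```python
import json
from collections import Counter, defaultdict


def _record(client_ip, method, uri, action="ALLOW", terminating_rule="Default_Action",
            terminating_type="REGULAR", group_matches=()):
    """Build one constructed WAF log record in the JSON shape WAF logging emits.
    group_matches: (ruleGroupId, ruleId) pairs the request matched in Count mode."""
    groups = defaultdict(list)
    for group_id, rule_id in group_matches:
        groups[group_id].append({"ruleId": rule_id, "action": "COUNT"})
    return json.dumps({
        "timestamp": 1767225600000, "formatVersion": 1,
        "webaclId": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/shop/EXAMPLE-ID",
        "terminatingRuleId": terminating_rule, "terminatingRuleType": terminating_type,
        "action": action, "httpSourceName": "ALB", "httpSourceId": "app/shop-alb/EXAMPLE",
        "ruleGroupList": [{"ruleGroupId": g, "terminatingRule": None,
                           "nonTerminatingMatchingRules": m, "excludedRules": None}
                          for g, m in groups.items()],
        "rateBasedRuleList": [], "nonTerminatingMatchingRules": [],
        "httpRequest": {"clientIp": client_ip, "country": "US", "uri": uri, "args": "",
                        "httpVersion": "HTTP/1.1", "httpMethod": method, "requestId": "req"},
    })


COMMON = "AWS#AWSManagedRulesCommonRuleSet"
SQLI = "AWS#AWSManagedRulesSQLiRuleSet"

# Constructed sample log lines; every address, path and identifier is made up.
SAMPLE_LOG_LINES = [
    # Three different customers uploading large files: the body-size rule counts each one.
    _record("203.0.113.10", "POST", "/api/upload", group_matches=[(COMMON, "SizeRestrictions_BODY")]),
    _record("203.0.113.11", "POST", "/api/upload", group_matches=[(COMMON, "SizeRestrictions_BODY")]),
    _record("203.0.113.12", "POST", "/api/upload", group_matches=[(COMMON, "SizeRestrictions_BODY")]),
    # One client whose query strings trip the SQLi rule on two different endpoints.
    _record("198.51.100.7", "GET", "/products", group_matches=[(SQLI, "SQLi_QUERYARGUMENTS")]),
    _record("198.51.100.7", "GET", "/search", group_matches=[(SQLI, "SQLi_QUERYARGUMENTS")]),
    # Ordinary traffic with no matches, and one request stopped by a rate-based rule.
    _record("192.0.2.5", "GET", "/"),
    _record("192.0.2.6", "POST", "/login", action="BLOCK",
            terminating_rule="LoginRateLimit", terminating_type="RATE_BASED"),
]


def summarize_count_matches(log_lines):
    """Aggregate every COUNT-mode match by (rule group, rule): hits, client IPs, URIs.
    Matches live in ruleGroupList[].nonTerminatingMatchingRules for rule groups under
    a Count override, and in the top-level nonTerminatingMatchingRules for stand-alone
    Count rules (reported here under the pseudo-group "<web-acl>")."""
    summary = defaultdict(lambda: {"hits": 0, "client_ips": set(), "uris": set()})
    for line in log_lines:
        rec = json.loads(line)
        req = rec["httpRequest"]
        matches = [("<web-acl>", m["ruleId"])
                   for m in rec.get("nonTerminatingMatchingRules") or []
                   if m.get("action") == "COUNT"]
        for group in rec.get("ruleGroupList") or []:
            for m in group.get("nonTerminatingMatchingRules") or []:
                if m.get("action") == "COUNT":
                    matches.append((group["ruleGroupId"], m["ruleId"]))
        for key in matches:
            entry = summary[key]
            entry["hits"] += 1
            entry["client_ips"].add(req["clientIp"])
            entry["uris"].add(req["uri"])
    return dict(summary)


def triage(summary, min_ips_for_false_positive=3):
    """First-pass heuristic (this example's assumption, not an AWS rule): a rule that
    counted on a single path for many distinct clients is probably intercepting
    legitimate traffic and should be scoped down before promotion; hits concentrated
    in a few clients make the rule a candidate to promote from Count to Block."""
    verdicts = {}
    for key, entry in summary.items():
        if len(entry["client_ips"]) >= min_ips_for_false_positive and len(entry["uris"]) == 1:
            verdicts[key] = "review: likely false positive, scope down before Block"
        else:
            verdicts[key] = "promote: candidate for Block"
    return verdicts


def blocked_by_rule(log_lines):
    """Count terminating BLOCK decisions by (rule type, rule id), e.g. rate-based rules."""
    counts = Counter()
    for line in log_lines:
        rec = json.loads(line)
        if rec["action"] == "BLOCK":
            counts[(rec["terminatingRuleType"], rec["terminatingRuleId"])] += 1
    return counts


if __name__ == "__main__":
    summary = summarize_count_matches(SAMPLE_LOG_LINES)
    for key, verdict in triage(summary).items():
        e = summary[key]
        print(f"{key[0]}/{key[1]}: {e['hits']} hits, {len(e['client_ips'])} IPs, "
              f"uris={sorted(e['uris'])} -> {verdict}")
    print("blocked:", dict(blocked_by_rule(SAMPLE_LOG_LINES)))
```

On real data the same functions read the JSON-lines objects WAF delivers to S3 or CloudWatch Logs; the triage threshold is deliberately crude and is only a way to order the rules a human then reviews, since a distributed attack can also come from many client IPs.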

Final Summary

Must Memorize
  • WAF = Layer 7, content-based request filtering. Shield = Layer 3/4 (always) + Layer 7 (Advanced) DDoS volumetric/flood protection
  • Shield Standard is automatic, free, always-on for every AWS customer — no opt-in required
  • Shield Advanced adds: sophisticated DDoS detection, cost protection, near-real-time visibility, and 24/7 SRT access (SRT itself requires Business Support or higher)
  • The Anti-DDoS Managed Rule Group became the DEFAULT Layer 7 DDoS solution March 26, 2026, superseding the older Layer 7 Auto Mitigation (L7AM) feature
  • Shield network security director (preview, June 2025) is about network security POSTURE VISIBILITY, not DDoS mitigation itself
Must Understand
  • Why Shield Advanced's automatic mitigation actually WORKS BY deploying custom WAF rules on your behalf — the two services are integrated, not separate silos
  • WAF Fraud Control's two distinct rule groups: Account Takeover Prevention (protects EXISTING accounts/login) vs Account Creation Fraud Prevention (protects sign-up/new account creation)
  • The distinction triangle: WAF (content filtering) vs Shield (volumetric DDoS) vs network security director (posture visibility)
Can De-prioritize
  • Exact dollar pricing for Shield Advanced subscription/WCU costs
  • Console UI navigation specifics
  • Full list of every Bot Control inspection-level rule name

Exam appearance probability: HIGH

Core Services — Deep Dive

AWS WAF — Core Concepts (Layer 7 request filtering)
Web ACL: The container holding the set of rules applied to incoming requests for a protected resource
Deployment surfaces: Amazon CloudFront, Application Load Balancer (ALB), API Gateway, AWS AppSync, Amazon Cognito
Rule actions: Allow, Block, Count (log only, no action — useful for testing), CAPTCHA, Challenge (silent verification)
AWS Managed Rules: Pre-built rule groups for OWASP Top 10, known bad inputs, and other common web threats — maintained and updated by AWS
Web ACL Capacity Units (WCU): Each rule consumes a WCU budget; exceeding 1,500 WCUs in a single Web ACL incurs additional, non-standard cost
  • One-click integrations exist directly from CloudFront and ALB to quickly create an initial protection pack (Web ACL) with common-threat rules pre-configured.
  • A 2026 console update introduced an updated, unified experience for accessing WAF functionality from anywhere in the console.
Bot Control & Fraud Control (High — frequently tested specifics)
Bot Control: Managed rule group giving visibility/control over bot traffic — scrapers, scanners, crawlers. Inspection levels range from Common (traditional, static signature-based detection of self-identifying bots) up to Targeted (behavioral, ML-based detection via TGT_ML_-prefixed rules, periodically retrained)
Account Takeover Prevention (ATP): Protects an application's EXISTING-account LOGIN page — checks submitted email/password combinations against a regularly-updated stolen-credential database, aggregates by IP/session to catch credential stuffing and brute-force attempts
Account Creation Fraud Prevention (ACFP): Protects an application's SIGN-UP/registration page — verifies submitted credentials, email domains, phone numbers, and address fields in real time, blocking sign-up if information is flagged as stolen or has bad reputation
Optional SDKs: JavaScript and iOS/Android SDKs provide additional device-level telemetry to better distinguish real users from automated bot attempts during login/sign-up
ATP response inspection: For CloudFront distributions specifically, ATP also inspects the APPLICATION'S RESPONSES to login attempts (not just the incoming request) to track success/failure rates and refine detection
  • ATP and ACFP can be used independently OR together, and Bot Control can be layered alongside both — they're complementary, addressing different stages (login vs sign-up) and different threat types (credential-based vs general bot traffic).
  • "Block attackers attempting to log in with credentials stolen from an unrelated data breach" → ATP, specifically its stolen-credential-database check, not Bot Control generally.
  • "Prevent attackers from mass-creating fake accounts using disposable email domains" → ACFP, specifically protecting the sign-up page.
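The Web ACL, rule actions, WCU budget, Bot Control inspection level and ATP configuration described in the two tables above all end up in one Web ACL definition. The code below is an added example written for this page, not AWS's own code or a page artefact: it assembles a Web ACL in the input shape of `aws wafv2 create-web-acl --cli-input-json`, starts every managed rule group under a Count override (the "test before Block" practice), attaches ATP to the login page, and adds response inspection only when the scope is CLOUDFRONT, since that is the only surface on which ATP can inspect login responses. The managed rule group names are AWS's real ones; the login path, the JSON field pointers, the rate limit and the metric names are assumptions of the example.

```python
import json


def _visibility(metric_name):
    """CloudWatch metrics plus sampled requests, so Count-mode matches are observable."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}


def managed_group_rule(group_name, priority, count_only=True, configs=None):
    """One rule referencing an AWS managed rule group. With count_only=True the group
    runs under a Count override: it logs what it would have blocked but never
    terminates the request, which is how a new group is trialled before blocking."""
    statement = {"VendorName": "AWS", "Name": group_name}
    if configs:
        statement["ManagedRuleGroupConfigs"] = configs
    return {"Name": group_name, "Priority": priority,
            "Statement": {"ManagedRuleGroupStatement": statement},
            "OverrideAction": {"Count": {}} if count_only else {"None": {}},
            "VisibilityConfig": _visibility(group_name)}


def rate_limit_rule(name, priority, limit, window_sec=300):
    """Stand-alone rate-based rule: block any client IP that exceeds `limit` requests
    in the evaluation window (limit and window are assumed values for this example)."""
    return {"Name": name, "Priority": priority,
            "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP",
                                                 "EvaluationWindowSec": window_sec}},
            "Action": {"Block": {}}, "VisibilityConfig": _visibility(name)}


def atp_config(scope, login_path="/login"):
    """Account Takeover Prevention configuration. The login path and the JSON pointers
    to the credential fields are assumptions. Response inspection (tracking login
    success vs failure) is only supported for CloudFront Web ACLs, so it is added
    only for the CLOUDFRONT scope."""
    cfg = {"LoginPath": login_path,
           "RequestInspection": {"PayloadType": "JSON",
                                 "UsernameField": {"Identifier": "/username"},
                                 "PasswordField": {"Identifier": "/password"}}}
    if scope == "CLOUDFRONT":
        cfg["ResponseInspection"] = {"StatusCode": {"SuccessCodes": [200],
                                                    "FailureCodes": [401]}}
    return {"AWSManagedRulesATPRuleSet": cfg}


def build_web_acl(name, scope="REGIONAL", trial_mode=True):
    """Web ACL with the Common and Known Bad Inputs groups, Bot Control at the Common
    inspection level, ATP on the login page, and a rate-based rule. While trial_mode
    is on, every managed group is in Count; the rate-based rule blocks either way."""
    rules = [
        managed_group_rule("AWSManagedRulesCommonRuleSet", 0, trial_mode),
        managed_group_rule("AWSManagedRulesKnownBadInputsRuleSet", 1, trial_mode),
        managed_group_rule("AWSManagedRulesBotControlRuleSet", 2, trial_mode,
                           [{"AWSManagedRulesBotControlRuleSet": {"InspectionLevel": "COMMON"}}]),
        managed_group_rule("AWSManagedRulesATPRuleSet", 3, trial_mode, [atp_config(scope)]),
        rate_limit_rule("RequestRateLimit", 4, limit=2000),
    ]
    return {"Name": name, "Scope": scope, "DefaultAction": {"Allow": {}},
            "Rules": rules, "VisibilityConfig": _visibility(name)}


def validate(web_acl):
    """Pre-flight checks before calling create-web-acl: unique priorities, a
    VisibilityConfig on every rule, and rule-group rules carrying OverrideAction
    while plain rules carry Action (the API rejects the wrong one)."""
    problems, seen = [], set()
    for rule in web_acl["Rules"]:
        if rule["Priority"] in seen:
            problems.append(f"{rule['Name']}: duplicate priority {rule['Priority']}")
        seen.add(rule["Priority"])
        if "VisibilityConfig" not in rule:
            problems.append(f"{rule['Name']}: missing VisibilityConfig")
        is_group = any(k in rule["Statement"] for k in
                       ("ManagedRuleGroupStatement", "RuleGroupReferenceStatement"))
        if is_group and "OverrideAction" not in rule:
            problems.append(f"{rule['Name']}: rule group needs OverrideAction")
        if not is_group and "Action" not in rule:
            problems.append(f"{rule['Name']}: rule needs Action")
    return problems


if __name__ == "__main__":
    acl = build_web_acl("shop-web-acl", scope="CLOUDFRONT")
    assert not validate(acl)
    print(json.dumps(acl, indent=2))
```

Once the Count-mode logs look clean, rebuilding with `trial_mode=False` flips the groups to `{"None": {}}` so their own Block actions take effect. The WCU budget from the table above is not computed here because each managed group's capacity is published by AWS rather than derived; `aws wafv2 check-capacity` reports the total for a candidate rule list before you create the ACL. The Anti-DDoS managed rule group the page describes is referenced through the same `ManagedRuleGroupStatement`; to my knowledge its name is `AWSManagedRulesAntiDDoSRuleSet`, which should be confirmed against current WAF documentation.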
AWS Shield Standard (Automatic, free, always-on)
Coverage: Network and transport layer (Layer 3/4) protection against the most common, frequently-occurring DDoS attack vectors
Cost: Free, automatically included for every AWS customer — no opt-in or subscription required
Mitigation techniques: Packet validation (ensuring inspected packets conform to expected protocol structure for IP/TCP/UDP/ICMP/DNS/NTP), ACLs and shapers (rate-limiting traffic matching specific attack-vector attributes), TCP SYN proxy (stateless SYN-flood mitigation via SYN cookies on CloudFront/Route 53)
  • Shield's detection/mitigation is designed to provide coverage even against ZERO-DAY attack vectors not explicitly known to the service beforehand — not purely signature-based.
AWS Shield Advanced (High — paid, expanded protection)
What it adds over Standard: Enhanced detection/mitigation for larger and more sophisticated DDoS attacks (including Layer 7), near-real-time visibility/metrics, cost protection against DDoS-related usage spikes (EC2/ELB/CloudFront/Global Accelerator/Route 53), 24/7 SRT access
WAF integration: Shield Advanced subscription covers the cost of STANDARD WAF capabilities for protected resources — but NON-standard costs (Bot Control, CAPTCHA action, Web ACLs over 1,500 WCUs, inspecting request bodies beyond default size) are still billed separately
Automatic application layer (L7) DDoS mitigation: Shield Advanced maintains a managed rule group in the protected resource's Web ACL, combining a rate-based rule (tracking known DDoS-source IP volume) with baseline-deviation detection (comparing current traffic against historic patterns) — when triggered, Shield Advanced creates, evaluates, and deploys additional CUSTOM WAF rules automatically
Anti-DDoS Managed Rule Group (AMR), March 26, 2026: Became the new DEFAULT solution for HTTP request flood protection, superseding the older Layer 7 Auto Mitigation (L7AM) feature — detects and mitigates attacks within SECONDS rather than minutes. Existing Shield Advanced customers can continue using the legacy L7AM solution if already configured; new customers needing legacy access must contact AWS Support
Health-based detection: Route 53 health checks can inform Shield Advanced's event detection and mitigation decisions
Shield Response Team (SRT): Security engineers specializing in DDoS event response — can monitor WAF request data/logs during an event, craft custom mitigation rules, and (with granted permissions) manage resources on your behalf. Requires Business Support plan or higher to engage
  • "Automatically detect and mitigate a sophisticated, fast-moving HTTP request flood within seconds, using the current AWS-recommended default mechanism" → Anti-DDoS Managed Rule Group (post-March-2026), not the legacy L7AM.
AWS Shield Network Security Director (High — exam-fresh, preview June 2025)
What it actually is: NOT a DDoS mitigation feature — a network security POSTURE visibility and recommendation tool, expanding Shield's scope beyond pure DDoS protection
Network topology visibility: Shows the AWS resources in your account/network and how they're connected to each other and to the internet
Misconfiguration identification: Identifies missing or misconfigured network security services across your environment
Remediation recommendations: Recommends specific steps to correct identified gaps
Practical starting point: Can be used to identify resources NOT currently protected by AWS WAF at all, serving as a discovery step before adding WAF/Shield protection where it's missing
  • "We want a single tool to visualize our network topology, identify which resources lack proper network security configuration, and get specific remediation guidance" → Shield network security director, NOT Shield Advanced's DDoS mitigation capabilities, which solve a different problem (active attack response, not posture discovery).

AWS Exam Thinking

Requirement → Keywords → Expected Answer → why every distractor fails.

Block SQL injection and cross-site scripting attempts against a web application
Keywords: SQL injection, XSS, request content
Expected Answer: AWS WAF (AWS Managed Rules — OWASP Top 10 / known bad inputs)
Distractors and why they're wrong:
  • Shield Standard or Advanced: Shield addresses volumetric/flood DDoS attacks, not content-based injection/XSS payload inspection — wrong layer/threat model entirely

Protect against attackers attempting to log in using credentials stolen from an unrelated, third-party data breach
Keywords: credential stuffing, stolen credentials, login page
Expected Answer: WAF Fraud Control — Account Takeover Prevention (ATP)
Distractors and why they're wrong:
  • Bot Control alone: Detects general automated bot traffic, but doesn't specifically check submitted credentials against a stolen-credential database the way ATP does
  • ACFP: Protects the SIGN-UP page against fraudulent new accounts, not the LOGIN page against stolen-credential reuse

Mitigate a large-scale volumetric flood of raw network traffic attempting to exhaust bandwidth/connection state
Keywords: volumetric flood, bandwidth exhaustion, L3/L4
Expected Answer: AWS Shield (Standard automatically; Advanced for sophisticated/large-scale events)
Distractors and why they're wrong:
  • AWS WAF alone: Operates at Layer 7 on individual request content — not designed to absorb/mitigate raw volumetric Layer 3/4 floods

Automatically detect and mitigate a sophisticated HTTP request flood within seconds, using the current AWS-recommended approach
Keywords: HTTP request flood, within seconds, current default
Expected Answer: Shield Advanced's Anti-DDoS Managed Rule Group (default since March 26, 2026)
Distractors and why they're wrong:
  • Layer 7 Auto Mitigation (L7AM): The OLDER, now-superseded mechanism — still usable by existing customers, but no longer the current default for new configurations and slower (minutes vs seconds)

Visualize network topology and identify resources lacking proper network security configuration, with remediation guidance
Keywords: network topology, posture visibility, remediation guidance
Expected Answer: AWS Shield network security director
Distractors and why they're wrong:
  • Shield Advanced's DDoS mitigation capabilities: Focused on actively detecting/mitigating attacks, not discovering/visualizing general network security posture and configuration gaps

Integrations

Amazon CloudFront / ALB / API Gateway / AppSync / Cognito: WAF Web ACLs attach directly to these services; one-click integrations exist for CloudFront and ALB
Shield Advanced ↔ WAF: Shield Advanced's automatic application-layer DDoS mitigation works BY creating and deploying custom WAF rules in the protected resource's Web ACL — the two services are functionally integrated, not separate
Amazon Route 53: Health checks inform Shield Advanced's health-based event detection; TCP SYN proxy protection is available on Route 53 (and CloudFront)
AWS Firewall Manager: Centralizes WAF and Shield policy deployment across an entire AWS Organization — supports Bot Control, ATP, rule action overrides, centralized logging to S3, CAPTCHA/Challenge configuration, and Token Domains
Amazon CloudWatch: Shield Advanced publishes mitigation metrics; WAF can log sampled and full request data for analysis
Amazon S3: Centralized WAF logging destination, configurable with logging filters via Firewall Manager

Costs, Limits & Quotas

Pricing Model

AWS WAF: Per Web ACL/month, per rule/month, per million requests — pay-per-request model with no minimum commitment
Bot Control / Fraud Control: Additional fees on top of standard WAF charges; Bot Control offers a free usage tier for common use cases
CAPTCHA / Challenge: Billed per attempt/response, regardless of outcome — a single CAPTCHA response can generate multiple billed attempts
Shield Standard: Free, automatically included
Shield Advanced: Subscription fee (prorated hourly) + usage-based fees; subscription covers STANDARD WAF costs for protected resources, but not Bot Control/CAPTCHA/oversized Web ACLs/extended body inspection

Limits & Quotas

Web ACL Capacity Units: 1,500 WCUs is the threshold above which additional, non-standard costs apply
SRT engagement: Requires Business Support plan or higher, in addition to a Shield Advanced subscription
Anti-DDoS AMR rollout: Became the default March 26, 2026 — existing customers can retain legacy L7AM; new customers need an AWS Support request for legacy access
TCP SYN proxy availability: Currently available on Amazon CloudFront and Amazon Route 53 specifically, not universally across all resource types
⚠️ Exam trap

AWS Managed Rules groups are explicitly documented as NOT a replacement for your own security responsibilities — they add a layer of protection, but the resources you select and how you configure them remain your responsibility. A question implying "just enable AWS Managed Rules and security is fully handled" is testing whether you recognize this isn't a complete, hands-off solution.

Best Practices & Common Exam Traps

8 — Best Practices

Must Know
  • WAF = Layer 7 content filtering; Shield = Layer 3/4 (+L7 via Advanced) volumetric DDoS
  • Shield Standard is free and automatic for everyone — no opt-in needed
  • Shield Advanced's automatic L7 mitigation works by deploying custom WAF rules — the services are integrated
  • Anti-DDoS Managed Rule Group is the current (March 2026+) default, superseding L7AM
  • Network security director is about POSTURE VISIBILITY, not active DDoS mitigation
Good Practice
  • Test new WAF rules in Count mode before switching to Block
  • Layer ATP and ACFP together when both login and sign-up pages need fraud protection
  • Subscribe to Shield Advanced for genuinely business-critical, internet-facing resources
  • Use Firewall Manager for org-wide, centralized WAF/Shield policy consistency
Advanced Practice
  • Use network security director as a discovery step to find resources entirely lacking WAF protection before deploying it
  • Use Route 53 health checks to inform Shield Advanced's health-based event detection
  • Engage the SRT proactively (with appropriate Support plan) for architectural DDoS-resilience recommendations, not just during active incidents
  • Use Bot Control's Targeted (ML-based) inspection level for sophisticated, behaviorally-evasive bot traffic that static signature detection alone would miss

9 — Common Exam Traps

Misconception: Reality
"WAF can mitigate a large-scale volumetric DDoS flood on its own": WAF operates on individual request content at Layer 7 — large-scale volumetric mitigation is Shield's domain, though Shield Advanced's L7 mitigation does work THROUGH WAF rules
"Shield Standard requires a subscription or opt-in": False — it's automatic and free for every AWS customer with no action required
"Account Takeover Prevention and Account Creation Fraud Prevention protect the same page": False — ATP protects the LOGIN page (existing accounts); ACFP protects the SIGN-UP page (new account creation)
"AWS Managed Rules fully handle web application security with no further action needed": Explicitly documented as NOT a replacement for your own security responsibilities — they add a layer, not a complete solution
"Shield network security director is just another name for Shield Advanced's DDoS dashboard": It's a distinct capability focused on network topology visibility and configuration-gap identification, not DDoS attack monitoring/mitigation

Lookalike Comparisons

Comparison: What actually differs
WAF vs Shield: Layer 7 request-content filtering vs Layer 3/4 (+L7 via Advanced) volumetric DDoS mitigation — different threat models entirely, often used together
Shield Standard vs Shield Advanced: Free, automatic, common-attack-vector coverage vs paid, sophisticated/large-scale attack detection, cost protection, near-real-time visibility, and SRT access
ATP vs ACFP: Protects the login page against stolen-credential reuse vs protects the sign-up page against fraudulent new-account creation
Bot Control vs ATP/ACFP: General automated-traffic visibility/control (scrapers, scanners, crawlers) vs specifically credential/fraud-focused protection for login and sign-up flows
Anti-DDoS Managed Rule Group vs legacy Layer 7 Auto Mitigation (L7AM): Current default (March 2026+), mitigates within seconds vs the older, superseded mechanism, mitigates within minutes — still usable by existing customers but no longer the default
Shield Advanced DDoS mitigation vs Shield network security director: Active attack detection/response vs proactive network security posture visibility and configuration-gap discovery — reactive vs proactive halves of Shield's expanded scope

Practice Quiz — 9 Questions

SCS-C02 scenario style, Easy → Specialty.