Network Security (WAF, Shield, Network Firewall, VPC)
Difficulty: hard
Overview
AWS provides layered network security across different OSI layers.
AWS WAF (Web Application Firewall) — Layer 7:
- Attach to: CloudFront, ALB, API Gateway, AppSync, Cognito User Pool
- Web ACL → Rules → Rule Groups → Managed Rule Groups
- Rule actions: Allow, Block, Count, CAPTCHA, Challenge
- Rate-based rules: block any source IP whose request count exceeds a configured limit within a rolling 5-minute window (WAF identifies the offending IPs itself; no IP set has to be maintained)
- Managed Rule Groups (AWS): CommonRuleSet, SQLiRuleSet, AmazonIpReputationList, AnonymousIpList, KnownBadInputsRuleSet, BotControlRuleSet
- WAF logs → Kinesis Firehose → S3/CloudWatch/OpenSearch for analysis
- Geo match rules: block or allow requests by the country of the source IP
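As an added example (not from the page), the rate-based rule described above expressed in the JSON/dict shape that the wafv2 API takes for a Web ACL rule, followed by a small offline model of how such a rule counts requests per source IP over a rolling 5-minute window. The rule name, the limit of 2000 and the request log are constructed, and the sliding-window loop is a teaching model of the semantics, not WAF's internal implementation.

```python
"""Rate-based AWS WAF rule (wafv2 API shape) plus a teaching model of its
per-IP counting. Added example; names, limit and traffic are constructed."""
from collections import defaultdict, deque

FIVE_MINUTES = 300  # seconds; the evaluation window the page describes

# Rule definition in the shape wafv2 create_web_acl()/update_web_acl() accept.
# Limit = max requests from one source IP within the window. WAF derives the
# IPs from traffic itself; no IP set is referenced.
RATE_RULE = {
    "Name": "BlockHttpFloodPerIp",  # constructed name
    "Priority": 0,
    "Statement": {
        "RateBasedStatement": {"Limit": 2000, "AggregateKeyType": "IP"}
    },
    "Action": {"Block": {}},
    "VisibilityConfig": {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": "BlockHttpFloodPerIp",
    },
}


def evaluate_rate_rule(requests, limit=None, window=FIVE_MINUTES):
    """Return one 'ALLOW'/'BLOCK' decision per request, in order.

    requests: (timestamp_seconds, source_ip) tuples in chronological order.
    A source IP is blocked once its request count inside the trailing
    `window` seconds exceeds `limit`, mirroring the rule's Block action.
    """
    if limit is None:
        limit = RATE_RULE["Statement"]["RateBasedStatement"]["Limit"]
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    decisions = []
    for ts, ip in requests:
        q = recent[ip]
        while q and ts - q[0] >= window:  # age out old timestamps
            q.popleft()
        q.append(ts)
        decisions.append("BLOCK" if len(q) > limit else "ALLOW")
    return decisions


def build_sample_log():
    """Constructed traffic for two minutes: one flooding IP at roughly
    5,000 requests/minute and one normal client sending every 10 seconds."""
    log = []
    for sec in range(120):
        for _ in range(5000 // 60):  # ~83 requests per second from the flooder
            log.append((sec, "203.0.113.10"))
        if sec % 10 == 0:
            log.append((sec, "198.51.100.7"))
    log.sort(key=lambda r: r[0])  # stable sort keeps per-second order
    return log


def summarize(decisions, log):
    """Count ALLOW/BLOCK decisions per source IP."""
    counts = defaultdict(lambda: {"ALLOW": 0, "BLOCK": 0})
    for (_ts, ip), d in zip(log, decisions):
        counts[ip][d] += 1
    return dict(counts)


if __name__ == "__main__":
    sample = build_sample_log()
    print(summarize(evaluate_rate_rule(sample), sample))
```

Running it shows the flooder getting its first 2000 requests allowed and everything after that blocked, while the low-rate client is never touched; the only per-rule tuning is the limit, which is why the question of "what limit separates peak legitimate traffic from a flood" deserves a look at the WAF logs before the rule moves from Count to Block.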
AWS Shield:
| Feature | Standard | Advanced |
|---|---|---|
| Cost | Free (auto) | $3,000/month |
| Layer | 3 & 4 | 3, 4 & 7 |
| DDoS Response Team (DRT) | ❌ | ✅ |
| Attack diagnostics | ❌ | ✅ |
| Cost protection | ❌ | ✅ |
| Proactive engagement | ❌ | ✅ |
| Covers | All AWS customers | Explicit enrollment per resource |
AWS Network Firewall — Layer 3/4/7:
- Managed stateful/stateless firewall for VPC
- Deploy in a dedicated firewall subnet; traffic routed through it
- Supports: IP/port rules, domain-based filtering, IPS (Suricata-compatible rules)
- Stateful: tracks connection state; Stateless: per-packet inspection
- Use for: blocking outbound to malicious domains, enforcing TLS inspection
AWS Firewall Manager:
- Centrally manage WAF, Shield Advanced, Network Firewall, Security Groups across an Organization
- Automatic enforcement on new accounts/resources
- Requires: AWS Organizations, Firewall Manager administrator account, AWS Config enabled
VPC Security — Security Groups vs NACLs:
| Feature | Security Group | NACL |
|---|---|---|
| State | Stateful (return traffic auto-allowed) | Stateless (must allow both directions) |
| Level | Instance/ENI | Subnet |
| Rules | Allow only | Allow + Deny |
| Rule evaluation | All rules evaluated; any matching allow rule permits the traffic | Evaluated in ascending rule number; the lowest-numbered matching rule decides |
| Default | Deny all inbound, allow all outbound | Allow all (default NACL) |
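To make the table concrete, here is an added teaching model (not AWS code, not from the page) of the two evaluation semantics: a security group is stateful and allow-only, with any matching rule permitting traffic; a NACL is stateless, carries numbered allow and deny rules, takes the lowest-numbered match, and ends in an implicit deny. The addresses, rule sets and packets are constructed. It also shows the classic NACL mistake the "stateless" row implies: allowing port 443 in both directions but forgetting the ephemeral ports the reply is sent to.

```python
"""Teaching model of security group vs NACL evaluation. Added example with
constructed rules and packets; not AWS's implementation."""
import ipaddress
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)  # port range clients use for return traffic


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


def _matches(proto, ports, cidr, pkt, peer):
    lo, hi = ports
    return (proto in (pkt.proto, "all")
            and lo <= pkt.dport <= hi
            and ipaddress.ip_address(peer) in ipaddress.ip_network(cidr))


def nacl_decision(rules, pkt, direction):
    """NACL: rules are (number, action, proto, (lo, hi), cidr). Inbound rules
    match the source address, outbound rules the destination. Evaluated in
    ascending number order; first match wins; the trailing '*' rule denies."""
    peer = pkt.src if direction == "inbound" else pkt.dst
    for _number, action, proto, ports, cidr in sorted(rules, key=lambda r: r[0]):
        if _matches(proto, ports, cidr, pkt, peer):
            return action
    return "deny"


def sg_decision(rules, pkt, direction, state):
    """Security group: rules are allow-only (proto, (lo, hi), cidr); any match
    allows. Stateful: `state` remembers allowed connections as
    (client, server, server_port), so a reply passes with no outbound rule."""
    if direction == "outbound" and (pkt.dst, pkt.src, pkt.sport) in state:
        return "allow"
    peer = pkt.src if direction == "inbound" else pkt.dst
    for proto, ports, cidr in rules:
        if _matches(proto, ports, cidr, pkt, peer):
            state.add((pkt.src, pkt.dst, pkt.dport))
            return "allow"
    return "deny"


def simulate_https_session(nacl_outbound):
    """A client opens HTTPS to a web server and the server replies. The SG has
    one inbound rule and no outbound rules; the NACL allows 443 inbound and
    `nacl_outbound` is the outbound rule set under test."""
    client, server = "198.51.100.7", "10.0.1.20"
    request = Packet(client, server, 50000, 443)
    reply = Packet(server, client, 443, 50000)
    sg_in = [("tcp", (443, 443), "0.0.0.0/0")]
    sg_out = []  # nothing needed for the reply: the SG is stateful
    nacl_in = [(100, "allow", "tcp", (443, 443), "0.0.0.0/0")]
    state = set()
    return {
        "sg_request": sg_decision(sg_in, request, "inbound", state),
        "sg_reply": sg_decision(sg_out, reply, "outbound", state),
        "nacl_request": nacl_decision(nacl_in, request, "inbound"),
        "nacl_reply": nacl_decision(nacl_outbound, reply, "outbound"),
    }


# Outbound NACL that forgets ephemeral ports: the reply to the client is dropped.
NACL_OUT_BROKEN = [(100, "allow", "tcp", (443, 443), "0.0.0.0/0")]
# Corrected: the return traffic must be allowed explicitly, NACLs are stateless.
NACL_OUT_FIXED = NACL_OUT_BROKEN + [(110, "allow", "tcp", EPHEMERAL, "0.0.0.0/0")]


def blocklisted_client_decision():
    """Only a NACL can express a deny: rule 50 rejects one /24 before rule 100
    allows everyone else, because the lowest matching number wins."""
    rules = [(100, "allow", "tcp", (443, 443), "0.0.0.0/0"),
             (50, "deny", "tcp", (443, 443), "203.0.113.0/24")]
    probe = Packet("203.0.113.9", "10.0.1.20", 50001, 443)
    return nacl_decision(rules, probe, "inbound")


if __name__ == "__main__":
    print(simulate_https_session(NACL_OUT_BROKEN))
    print(simulate_https_session(NACL_OUT_FIXED))
    print(blocklisted_client_decision())
```

With `NACL_OUT_BROKEN` the security group passes both packets but the NACL drops the reply, which is exactly the "site hangs after the TCP handshake reaches the instance" symptom; `NACL_OUT_FIXED` adds the ephemeral range and the session completes.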
VPC Flow Logs:
- Capture IP traffic metadata (NOT content) for VPC, subnet, or ENI
- Fields: srcaddr, dstaddr, srcport, dstport, protocol, action (ACCEPT/REJECT), bytes
- Deliver to CloudWatch Logs or S3; query with Athena or Logs Insights
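As an added example (not from the page), a parser for the default VPC Flow Logs record format (version 2, space-separated, the fields listed above plus packets, start, end and log-status) and a small summary that counts REJECT records per source address and per destination port, the kind of aggregation Athena or Logs Insights would run at scale. The records are constructed, using documentation address ranges, a placeholder account id and a made-up ENI id, and include a NODATA record to show why log-status must be checked before reading action.

```python
"""Parser and REJECT summary for default-format VPC Flow Log records.
Added example; all records below are constructed."""
from collections import Counter, defaultdict

FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()
INT_FIELDS = {"version", "srcport", "dstport", "protocol",
              "packets", "bytes", "start", "end"}

# Constructed records: one source probing ports 22/23/3389 and being rejected,
# one normal HTTPS exchange, and an interval with no traffic (NODATA).
SAMPLE_RECORDS = """\
2 123456789012 eni-0a1b2c3d4e5f 203.0.113.10 10.0.1.20 41234 22 6 3 180 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f 203.0.113.10 10.0.1.20 41235 23 6 3 180 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f 203.0.113.10 10.0.1.20 41236 3389 6 3 180 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f 198.51.100.7 10.0.1.20 50000 443 6 20 4096 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f 10.0.1.20 198.51.100.7 443 50000 6 18 65000 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f - - - - - - - 1700000060 1700000119 - NODATA
"""


def parse_record(line):
    """Split one record into a dict; numeric fields become int, '-' becomes None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    for f in INT_FIELDS:
        rec[f] = None if rec[f] == "-" else int(rec[f])
    return rec


def parse_records(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def summarize_rejects(records):
    """Return (rejects_per_src, sorted distinct rejected dst ports per src).
    Records whose log-status is not OK (NODATA/SKIPDATA) carry no traffic and
    have action '-', so they are skipped."""
    per_src = Counter()
    ports = defaultdict(set)
    for r in records:
        if r["log-status"] != "OK" or r["action"] != "REJECT":
            continue
        per_src[r["srcaddr"]] += 1
        ports[r["srcaddr"]].add(r["dstport"])
    return per_src, {src: sorted(p) for src, p in ports.items()}


def accepted_bytes_by_pair(records):
    """Bytes ACCEPTed per (srcaddr, dstaddr). Flow logs give counts and
    metadata only; there is no payload to inspect."""
    out = Counter()
    for r in records:
        if r["log-status"] == "OK" and r["action"] == "ACCEPT":
            out[(r["srcaddr"], r["dstaddr"])] += r["bytes"]
    return out


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print(summarize_rejects(recs))
    print(accepted_bytes_by_pair(recs))
```

A source with many REJECTs spread over several destination ports, as 203.0.113.10 shows here, is the pattern worth alerting on from flow logs; the accepted-bytes view is the one to start from when checking whether an instance is moving more data than its role explains.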
Practice Linked Questions
Q1. What protection does AWS Shield Standard provide to all AWS customers?
Q2. A web application is receiving a coordinated HTTP flood attack where a single IP sends 5,000 requests per minute. Which AWS WAF feature automatically blocks this IP?
Q3. What is the MOST significant security difference between a VPC Security Group and a Network Access Control List (NACL)?
Q4. A company wants to ensure ALL Application Load Balancers across 50 AWS accounts in an Organization have AWS WAF Web ACLs automatically applied, including new accounts. Which service enables this with minimal operational overhead?
Q5. EC2 instances in a private subnet need to access Amazon S3 without traversing the internet. Which VPC endpoint type is appropriate for S3, and what does it NOT support?
Q6. A company's web application (behind CloudFront + ALB) is experiencing a DDoS attack at both Layer 3 (volumetric) and Layer 7 (HTTP flood) levels. Which TWO services provide the MOST comprehensive protection? (More than one answer may be correct — Select TWO.)
Q7. A company wants to inspect ALL outbound VPC traffic to the internet for malicious domains using deep packet inspection (DNS and HTTP/HTTPS). Which AWS service is MOST appropriate?
Q8. A company needs to expose a private microservice (running on ECS behind an NLB) to Lambda functions in different VPCs across multiple AWS accounts without exposing it to the internet. Which approach is CORRECT?
Q9. A company must ensure that all S3 access from EC2 instances in their VPC goes exclusively through a VPC Gateway Endpoint (not the internet). Which TWO configurations enforce this? (More than one answer may be correct — Select TWO.)
Q10. Which AWS WAF Managed Rule Groups are available from AWS (not third-party) for common threat protection? (More than one answer may be correct — Select TWO.)
Q11. A company runs a multi-tier application on AWS. The web tier (EC2 instances behind an ALB) handles customer authentication. A security engineer discovers that the ALB access logs show unusual 400-error spikes and the WAF is not blocking the source IPs. GuardDuty has a finding: "UnauthorizedAccess:EC2/TorIPCaller". What is the MOST likely threat and BEST immediate response? (Scenario question)