Edge Security
The edge protection stack, layer by layer
A request to a public AWS app passes through three independent controls before it reaches your origin, and each one judges a different property of the request. Amazon CloudFront[1] is the content delivery network at the front: it terminates TLS at the edge location nearest the viewer, caches responses, and forwards cache misses to the origin. AWS Shield[2] sits with CloudFront and absorbs distributed denial-of-service (DDoS) floods at the network and transport layers. AWS WAF[3], a web application firewall, inspects the HTTP and HTTPS requests that survive and decides per request whether to allow, block, count, or challenge them.
Why three controls and not one
The split follows the OSI layer each attack targets. A volumetric DDoS is a layer 3/4 problem: millions of packets, no single one malicious, so the defense is absorption capacity, which is Shield's job. An SQL injection is a layer 7 problem: one crafted request, so the defense is content inspection, which is WAF's job. Caching and TLS termination are delivery concerns, which is CloudFront's job. Trying to make one control do all three would mean inspecting every packet of a flood for SQL syntax, which does not scale. Layering lets each control work at the layer where the signal is cheapest to read.
How they attach
You associate a WAF web ACL (access control list) with the CloudFront distribution, the Application Load Balancer (ALB), the Amazon API Gateway stage, or the AWS AppSync API that fronts your app. Shield Standard applies automatically and free to CloudFront, Amazon Route 53, and AWS Global Accelerator; Shield Advanced is a subscription you add to protected resources. Because WAF and Shield both bind to the same edge resource, a CloudFront distribution can run a web ACL and carry Shield Advanced at once, with no conflict between them.
AWS WAF rules: managed groups, rate-based, geo, and labels
AWS WAF protects against the OWASP Top 10[4] application risks through rules you compose in a web ACL, evaluated top to bottom until one terminates the request. The cheapest and broadest defense is the AWS Managed Rules[5], pre-built rule groups AWS maintains so you do not hand-write attack signatures.
The managed rule group families
Baseline groups apply broadly: the Core rule set (CRS, AWSManagedRulesCommonRuleSet) covers the common OWASP risks, Admin protection blocks exposed admin paths, and Known bad inputs catches request patterns tied to exploitation. Use-case groups target a stack: the SQL database group hardens against SQL injection, and there are OS and application-specific groups. IP reputation groups (Amazon IP reputation list, Anonymous IP list) block known-bad and anonymizing sources. A separate tier of intelligent threat mitigation, Bot Control, account takeover prevention (ATP), and account creation fraud prevention (ACFP), carries additional fees because it fingerprints clients rather than matching signatures.
Your own rules on top
Beyond managed groups you add custom statements. A rate-based rule[6] counts requests per aggregation key over a trailing evaluation window of 60, 120, 300, or 600 seconds (default 300), and acts once a key exceeds the limit, whose lowest allowed setting is 10. You choose the aggregation key: source IP, an IP taken from a forwarded header such as X-Forwarded-For, or custom keys, which is the "client fingerprinting" the blueprint names. A geo-match statement filters by country (CountryCodes), an IP set matches address ranges you maintain, and string/regex statements match request components.
Labels chain rules together
A matching rule can attach a label[7] to the request instead of immediately blocking, and a later rule can match that label. This lets you build staged logic, for example let the Bot Control group label a request as a verified bot, then a downstream rule decides whether that category is allowed. Every rule action is one of Allow, Block, Count (observe without acting, the tuning mode), or Captcha/Challenge (issue a token-backed challenge the client must solve).
Shield Standard versus Shield Advanced
AWS Shield comes in two tiers, and the exam leans on knowing exactly what the paid tier buys. Shield Standard[2] is automatic and free for every AWS customer, defending CloudFront, Route 53, and Global Accelerator against the common, most frequent network and transport-layer DDoS attacks with no configuration.
What Advanced adds
Shield Advanced[8] is a paid subscription that extends protection to Elastic IP addresses, the Application Load Balancer, Classic Load Balancer, CloudFront, Global Accelerator, and Route 53 hosted zones. It adds four things Standard lacks: 24/7 access to the Shield Response Team (SRT), the AWS experts who help during an active attack; near-real-time attack diagnostics and CloudWatch metrics; automatic application-layer DDoS mitigation, where Shield deploys WAF rules on your behalf during an attack; and DDoS cost protection, which refunds the scaling charges (extra CloudFront data transfer, ALB capacity, EC2 scale-out) you incur because of a covered attack.
The numbers that get tested
Shield Advanced costs $3,000 per month per payer account[9] in an AWS Organization, not per organization and not per protected resource, with a 1-year subscription commitment, plus data-transfer-out fees for protected resources. Subscribe once on the payer (management/consolidated-billing) account and the fee is not multiplied across member accounts under the same payer. Note the team name is the Shield Response Team (SRT); the old name DDoS Response Team (DRT) is retired and should not appear in new content.
When the answer is Advanced
The exam steers you to Advanced when the scenario needs human DDoS support during an incident, a financial guarantee against attack-driven bills, protection on resources Standard does not cover such as an Elastic IP on EC2, or automatic L7 mitigation. If the scenario only needs basic protection on a CloudFront-fronted site and mentions no budget guarantee or SRT, Standard already covers it and Advanced is the over-engineered distractor.
Locking the origin: OAC, response headers, and CORS
WAF only protects what funnels through it, so an attacker who reaches the origin directly bypasses every rule. The fix is to make the origin reachable only through CloudFront. Origin access control (OAC)[10] signs each request CloudFront sends to an Amazon S3 origin with SigV4, and the bucket policy then permits only that distribution and denies everyone else. OAC supersedes the legacy origin access identity (OAI) and supports SSE-KMS encrypted objects and all AWS Regions.
Security response headers
CloudFront can attach security headers to every response through a response headers policy[11], so you do not rebuild this on each origin. The policy can set HTTP Strict Transport Security (HSTS) to force HTTPS, X-Content-Type-Options: nosniff to stop MIME sniffing, X-Frame-Options to block clickjacking, and a Content-Security-Policy. These travel back to the browser and harden the client side of the application.
Cross-origin resource sharing
S3 CORS[12] is a browser security control, not a server firewall: it tells the browser which other origins may read responses from your bucket via JavaScript. You configure AllowedOrigins, AllowedMethods, and AllowedHeaders on the bucket. CORS only relaxes the browser's same-origin policy for the origins you list; it never grants AWS-level access, so it is not an authorization mechanism and a permissive * origin is a finding, not a convenience.
Exam pattern recognition
A stem describing "users can reach the S3 bucket URL directly and skip the WAF rules" points to OAC plus a restrictive bucket policy. A stem about "the browser blocks the front-end from calling the API on another domain" points to CORS, not IAM or a security group. A stem asking to "enforce HTTPS and prevent clickjacking from the CDN" points to a CloudFront response headers policy. Confusing CORS (a browser read-permission list) with an authorization control is the classic trap here.
Integrating outside data and rules: OCSF and third-party WAF
The C03 exam adds edge integrations that cross the AWS boundary in both directions, so know what each one carries. Going out, Amazon Security Lake[13] centralizes security data, including AWS WAF logs, into a data lake in your own S3 and converts it into the Open Cybersecurity Schema Framework (OCSF)[14] stored as Apache Parquet. OCSF is a vendor-neutral schema, so a third-party SIEM or analytics tool queries one normalized format instead of parsing each source's native log shape, and subscribers read the data through Amazon Athena, Amazon Redshift, or AWS Lake Formation.
Why OCSF matters at the edge
WAF emits detailed logs of every inspected request, but in its native JSON. Normalizing to OCSF means a downstream tool correlates a WAF block with a VPC Flow Log or a CloudTrail event using shared field names, which is the whole point of "ingesting data in OCSF format" that the blueprint calls out. Security Lake collects WAFv2 logs natively, alongside CloudTrail, Route 53 resolver query logs, VPC Flow Logs, EKS audit logs, and Security Hub findings, and can take custom sources you map into OCSF.
Third-party WAF rules
Going the other way, you do not have to write or rely solely on AWS rules. The AWS Marketplace offers managed rule groups[15] from third-party security vendors (for example F5, Fortinet, Imperva), and you subscribe to one and reference it in your web ACL exactly like an AWS managed group. They evaluate in priority order alongside AWS groups and your custom rules, so you can combine a vendor's specialized signatures with the AWS Core rule set in one policy.
Exam pattern recognition
A stem about "ingest security findings from multiple AWS and third-party tools into one queryable schema" points to Security Lake with OCSF, not to raw S3 logging or a manual ETL pipeline. A stem about "apply a specific commercial vendor's WAF ruleset" points to a Marketplace managed rule group, not to rebuilding those signatures as custom AWS WAF rules.
Edge protection layers: what each one inspects and stops
| Property | CloudFront | AWS WAF | AWS Shield |
|---|---|---|---|
| OSI layer | L3-L7 delivery / TLS | L7 HTTP/HTTPS | L3/L4 (Standard), +L7 (Advanced) |
| Primary job | Caching, TLS, request routing | Filter app-layer attacks | Absorb / mitigate DDoS |
| Stops | Origin overload, latency | OWASP Top 10, bots, rate floods | Volumetric / protocol DDoS |
| Cost model | Per request + data transfer | Per web ACL + rule + request | Standard free; Advanced $3,000/mo per payer |
| Key control | OAC, response headers policy | Managed + rate-based + geo rules | SRT access, cost protection (Advanced) |
Decision tree
Sharp facts the exam loves — give these one last read before exam day.
Cheat sheet
Sharp facts the exam loves — scan these before test day.
- Layer the edge: CloudFront for delivery, WAF for L7, Shield for DDoS
An internet-facing app gets layered protection where each control works at a different OSI layer: CloudFront terminates TLS and caches, AWS WAF inspects HTTP/HTTPS requests for application-layer attacks, and AWS Shield absorbs L3/L4 DDoS floods. They stack on the same edge resource rather than compete, so one CloudFront distribution can carry both a WAF web ACL and Shield at once. Match the control to the layer the attack targets: a volumetric flood is absorption (Shield), a crafted request is inspection (WAF).
Trap Reaching for a security group or NACL to stop an OWASP-style web attack; those filter at L3/L4 inside the VPC and never inspect HTTP request content the way a WAF web ACL does.
- WAF is the OWASP Top 10 control, delivered through managed rule groups
AWS WAF defends against the OWASP Top 10 web risks (injection, broken access control, and the rest) through AWS Managed Rules, pre-built rule groups you enable instead of hand-writing signatures. The baseline Core rule set (CRS,
AWSManagedRulesCommonRuleSet) covers the broad common attacks, while Known bad inputs and the SQL database group target specific classes. Managed groups are maintained by AWS and updated as new threats emerge, so they are the first reach for generic web protection.Trap Writing custom string/regex rules to reproduce SQL-injection or XSS protection AWS already ships; the AWS managed Core rule set and SQL database group cover the OWASP classes and stay maintained for you.
- Web ACL rules evaluate in priority order; first terminating match wins
A web ACL runs its rules from lowest to highest priority number and stops at the first rule whose action terminates evaluation. Each rule action is Allow, Block, Count, or Captcha/Challenge: Allow and Block are terminating, Count only tallies and lets evaluation continue (the safe tuning mode), and Challenge issues a token-backed test. If no rule matches, the web ACL's default action (Allow or Block) decides.
Trap Assuming Count blocks traffic; Count is observe-only, used to test a rule's match volume before switching it to Block, so a rule left on Count stops nothing.
- Rate-based rules throttle per key over a 60/120/300/600s window
A WAF rate-based rule counts requests per aggregation key over a trailing evaluation window of 60, 120, 300, or 600 seconds, defaulting to 300 (5 minutes), and acts on a key once it exceeds the limit. The lowest rate limit you can set is 10 requests, and WAF looks back over the window continuously rather than resetting on a fixed schedule. This is the standard defense against HTTP floods and brute-force bursts when no signature matches.
Trap Treating the evaluation window as a fixed bucket that resets every N seconds; WAF re-estimates the rate frequently over a rolling look-back, so a client cannot dodge it by timing requests to a window boundary.
- Choose the rate-based aggregation key, including custom client fingerprinting
A rate-based rule aggregates by source IP by default, but you can aggregate by an IP pulled from a forwarded header such as
X-Forwarded-For(use this when CloudFront or a proxy fronts the app so the real client IP survives), or by custom keys built from headers, cookies, or query strings. Custom-key aggregation is the "client fingerprinting" the blueprint names: it lets you rate-limit per session token or per API key rather than per IP.Trap Aggregating on source IP alone behind CloudFront, which collapses many clients onto the CDN's edge IPs; use IP-in-header (X-Forwarded-For) so the rate limit tracks the true viewer.
- Geo-match and IP sets filter by country and address range at the edge
A geo-match statement blocks or allows requests by country code (
CountryCodes), and an IP set is a reusable list of CIDR ranges a rule references to allow trusted sources or block known-bad ones. Both run in the same web ACL as your managed and rate-based rules, so you enforce geography and IP allow/deny lists at the edge before traffic reaches the origin. Geo-match reads the request's resolved country, not a self-declared header.Trap Believing geo-match guarantees a user's location; it maps the connecting IP to a country, so a VPN or proxy in another country defeats it, making geo-blocking a coarse control rather than strong access enforcement.
- WAF labels let one rule's match drive a later rule
A matching WAF rule can attach a label to the request instead of terminating, and a downstream rule can match that label to make a combined decision. This builds staged logic, for example letting the Bot Control group label a request as a verified or known bot, then a later rule decides whether that bot category is permitted. Labels turn a flat rule list into composable detection without duplicating match conditions.
- Bot Control, ATP, and ACFP are paid intelligent-threat rule groups
Most AWS managed rule groups are free with WAF, but the intelligent threat mitigation tier carries additional fees because it fingerprints and challenges clients rather than matching signatures: Bot Control (automated traffic), account takeover prevention (ATP, credential-stuffing on login), and account creation fraud prevention (ACFP, fake-signup abuse). Reach for these when the threat is automation or credential abuse, not a payload pattern, and budget for the extra cost.
Trap Assuming every AWS managed rule group is free; Bot Control, ATP, and ACFP add per-request fees on top of base WAF charges, so enabling them blindly can surprise the bill.
- Captcha and Challenge actions verify clients with tokens
Beyond Allow/Block/Count, WAF offers Captcha and Challenge actions that interrupt a suspicious request and require the client to prove it is a real browser. Captcha shows a puzzle to a human; Challenge runs a silent background check (a token-backed JavaScript challenge) with no user interaction. Both issue a token the client presents on later requests, which is why they pair with Bot Control to slow automated clients without blocking legitimate users outright.
- Shield Standard is free and automatic on CloudFront, Route 53, Global Accelerator
AWS Shield Standard protects every customer at no cost and with no configuration, defending against the common, most frequent network and transport-layer (L3/L4) DDoS attacks. It applies automatically to CloudFront, Amazon Route 53, and AWS Global Accelerator, so an app fronted by CloudFront already has baseline DDoS coverage. Standard does not include the Shield Response Team, attack diagnostics, or cost protection.
- Shield Advanced is $3,000/mo per payer account with a 1-year commitment
Shield Advanced is a paid subscription priced at $3,000 per month per payer account in an AWS Organization, with a 1-year commitment, plus data-transfer-out fees for protected resources. Because the fee is per payer (the management/consolidated-billing account), you subscribe once and it is not multiplied across every member account under that payer. The cost is the same whether you protect one resource or many.
Trap Reading the price as $3,000 per organization or per protected resource; it is $3,000 per month per payer account, so consolidating accounts under one payer is what keeps the fee from multiplying.
- Shield Advanced buys SRT, cost protection, and automatic L7 mitigation
Shield Advanced adds four things Standard lacks: 24/7 access to the Shield Response Team (SRT) for help during an active attack, near-real-time attack diagnostics and metrics, automatic application-layer DDoS mitigation where Shield deploys WAF rules on your behalf, and DDoS cost protection that refunds the scaling charges (extra data transfer, ALB capacity, EC2 scale-out) caused by a covered attack. It also extends coverage to Elastic IPs, ALB, CLB, and Route 53 hosted zones.
Trap Picking Shield Standard when the scenario needs human support during an attack or a refund for attack-driven scaling bills; only Advanced includes the SRT and DDoS cost protection.
4 questions test this
- A company experienced a large DDoS attack targeting their AWS Global Accelerator accelerator, which caused increased data transfer costs.…
- A gaming company uses AWS Global Accelerator to route UDP traffic to Amazon EC2 instances for their real-time multiplayer game. During a…
- A company uses AWS Organizations with multiple accounts and wants to deploy AWS Shield Advanced protection consistently across all Amazon…
- A company protects its public-facing workloads with AWS Shield Advanced. The architecture includes an Amazon CloudFront distribution, an…
- Use the name Shield Response Team (SRT), not DDoS Response Team
AWS renamed the DDoS Response Team to the Shield Response Team (SRT), the experts a Shield Advanced subscriber can engage 24/7 during a DDoS event. Use SRT in current content; the old DRT name is retired and a distractor that says DRT is using stale terminology.
- Origin access control (OAC) makes the S3 origin reachable only via CloudFront
OAC signs each request CloudFront sends to an S3 origin with SigV4, and the bucket policy then permits only that distribution and denies direct access, so an attacker cannot bypass WAF by hitting the bucket URL. OAC is the current mechanism and supersedes the legacy origin access identity (OAI); unlike OAI it supports SSE-KMS encrypted objects and all Regions. Without it, a public bucket lets traffic skip the entire edge stack.
Trap Using the legacy origin access identity (OAI) for a new distribution serving SSE-KMS objects; OAI does not support KMS-encrypted origins, so OAC is the correct current choice.
- Set security response headers with a CloudFront response headers policy
A CloudFront response headers policy attaches security headers to every response without changing the origin: HSTS to force HTTPS,
X-Content-Type-Options: nosniffto stop MIME sniffing,X-Frame-Optionsto block clickjacking, and a Content-Security-Policy. Centralizing them at the distribution means one policy hardens the browser side across all origins behind it, rather than re-implementing headers on each backend.- S3 CORS is a browser read-permission list, not an authorization control
Cross-origin resource sharing (CORS) on an S3 bucket tells the browser which other origins may read responses via JavaScript, configured through
AllowedOrigins,AllowedMethods, andAllowedHeaders. It only relaxes the browser's same-origin policy for the origins you list and grants no AWS-level access, so it never replaces IAM or a bucket policy. A wildcard*origin is a misconfiguration finding, not a convenience.Trap Treating CORS as an access-control or authorization mechanism; it is a browser-side read-permission hint, so loosening it to
*exposes responses to any site's scripts without changing who can authenticate to the bucket.- Security Lake normalizes WAF and other logs to OCSF in Parquet
Amazon Security Lake centralizes security data, including AWS WAF logs, into a data lake in your own S3 and converts it to the Open Cybersecurity Schema Framework (OCSF) stored as Apache Parquet. OCSF is a vendor-neutral schema, so a third-party SIEM queries one normalized format and correlates a WAF block with a VPC Flow Log or CloudTrail event by shared field names. Subscribers read the data through Athena, Redshift, or Lake Formation rather than parsing each source's native log shape.
Trap Building a custom ETL pipeline to merge findings from many AWS and third-party tools into one schema; Security Lake already normalizes to OCSF in Parquet, which is the intended answer for unified, queryable security data.
- Subscribe to third-party WAF rule groups from the AWS Marketplace
You do not have to author every WAF rule: the AWS Marketplace offers managed rule groups from third-party vendors (such as F5, Fortinet, Imperva) that you subscribe to and reference in a web ACL exactly like an AWS managed group. They evaluate in priority order alongside AWS groups and your custom rules, so you can combine a vendor's specialized signatures with the AWS Core rule set in one policy.
Trap Re-implementing a commercial vendor's WAF signatures as custom AWS rules; subscribing to that vendor's Marketplace managed rule group is the supported path and keeps the signatures vendor-maintained.
- WAF inspects only HTTP/HTTPS, so non-web protocols need other controls
AWS WAF is a web application firewall: it only inspects layer-7 HTTP and HTTPS requests on the resources a web ACL attaches to (CloudFront, ALB, API Gateway, AppSync). Raw TCP/UDP services, or attacks below L7, fall outside WAF entirely and rely on Shield for DDoS plus VPC controls like security groups and Network Firewall. Knowing this boundary keeps you from proposing a web ACL for a non-HTTP workload.
Trap Proposing a WAF web ACL to protect a non-HTTP service (such as a custom TCP listener on an NLB); WAF inspects only HTTP/HTTPS, so that traffic needs Shield and VPC-layer controls instead.
- Attach a single web ACL to CloudFront, ALB, API Gateway, or AppSync
A WAF web ACL associates with CloudFront distributions (global scope), or with regional resources: an Application Load Balancer, an Amazon API Gateway stage, an AWS AppSync GraphQL API, a Cognito user pool, or an App Runner service. CloudFront web ACLs use the CLOUDFRONT scope in us-east-1; regional web ACLs are created in the resource's own Region. Front the app at the outermost internet-facing resource so WAF sees traffic before it fans in.
3 questions test this
- A company is deploying a global web application using Amazon CloudFront. The security team needs to protect the distribution from SQL…
- A security engineer is deploying an AWS WAF web ACL to protect an Amazon CloudFront distribution serving a global e-commerce application.…
- A retail company uses an Application Load Balancer (ALB) for its e-commerce site. The security team wants to add a third-party managed rule…
- Security Lake custom sources must be OCSF Parquet partitioned by region/accountId/eventDay
A Security Lake custom source must deliver OCSF-conformant Apache Parquet objects written under its assigned prefix with the partition layout region=/accountId=/eventDay=/ (eventDay has no separators). This partitioning is what lets the source's Glue crawler register partitions for Athena pruning. Deliver each distinct OCSF event class as its own custom source, and run the source's Glue crawler when the schema gains fields.
Trap Pushing raw JSON or a single mixed-class feed — each OCSF event class needs its own custom source in Parquet with the region/accountId/eventDay partitions.
6 questions test this
- A security engineer is configuring a third-party intrusion prevention system (IPS) as a custom source in Amazon Security Lake. The vendor's…
- A company has enabled Amazon Security Lake in its delegated administrator account and ingests AWS native sources. The security team plans…
- A security operations team has deployed a third-party extended detection and response (XDR) platform that emits multiple types of…
- A company operates a third-party DNS firewall in a colocation facility. The security team will forward query logs to Amazon Security Lake…
- A security engineer is building an AWS Glue ETL job that converts third-party intrusion detection alerts into Open Cybersecurity Schema…
- A company collects logs from a third-party network appliance and wants to register them as a custom source in Amazon Security Lake so that…
- A Security Lake data-access subscriber reads OCSF objects from S3 via an SQS/HTTPS notification and external ID
A data-access subscriber reads OCSF Parquet objects directly from the Security Lake S3 bucket: Security Lake provisions a subscriber IAM role and an SQS queue (or HTTPS endpoint) so the consumer is notified of new objects and assumes the role to read them. You supply the partner account ID and a unique external ID, which Security Lake enforces as an sts:ExternalId condition on every AssumeRole.
Trap Choosing query (Lake Formation/Athena) access when the consumer must read raw S3 objects without Athena — that requires data access, not query access.
3 questions test this
- A security platform team in account A operates Amazon Security Lake as the delegated administrator for the organization. A partner SOC team…
- A delegated administrator for Amazon Security Lake created a subscriber with data access for a partner AWS account. Engineers in the…
- A company registered a third-party endpoint detection product as an Amazon Security Lake custom source that writes OCSF Parquet objects. A…
- Cross-account Security Lake readers need kms:Decrypt in the data-lake key policy
When the Security Lake bucket is encrypted with a customer-managed KMS key in the delegated-administrator account, any cross-account principal that reads or writes objects (a subscriber role on GetObject, a Glue crawler, or a collector on PutObject) must be granted kms:Decrypt and kms:GenerateDataKey in that key's policy, not just in its identity policy. ListBucket can succeed while GetObject fails with a KMS AccessDenied when this is missing; the key must be single-Region.
Trap Granting KMS actions only in the reader's identity policy — a cross-account customer-managed key also needs them in the key policy in the source account.
- Shield Advanced proactive engagement requires Route 53 health checks on protected resources
Shield Advanced proactive engagement (and faster health-based detection) requires Amazon Route 53 health checks associated with each protected resource so the Shield Response Team can correlate a detected event with real application impact, plus configured emergency contacts and Business or Enterprise Support. Without the health checks the SRT will not reach out even when proactive engagement is enabled.
Trap Enabling proactive engagement and adding emergency contacts but skipping the Route 53 health-check association the SRT depends on.
7 questions test this
- A company has deployed AWS Shield Advanced to protect their Amazon CloudFront distributions and Application Load Balancers. The security…
- A global media company uses AWS Global Accelerator standard accelerators to route traffic to Application Load Balancers (ALBs) across…
- A security architect is designing a DDoS-resilient architecture for a company's global web application using Amazon CloudFront and AWS…
- A media streaming company is deploying AWS Shield Advanced to protect its Amazon CloudFront distributions against application layer DDoS…
- A financial services company has subscribed to AWS Shield Advanced to protect its Amazon CloudFront distributions and Application Load…
- A security engineer is configuring AWS Shield Advanced for a company's global web application that uses Amazon CloudFront distributions.…
- A company has subscribed to AWS Shield Advanced and wants the Shield Response Team (SRT) to proactively contact them during detected DDoS…
- CloudFront geo restriction blocks at the edge before WAF; per-path geo rules need WAF
CloudFront's built-in geographic restriction (allowlist/blocklist) is the most efficient way to block whole countries because it rejects requests at the edge before they reach AWS WAF, so blocked requests never appear in WAF logs or counts. When you need geo decisions combined with conditions (e.g. restrict only /trading to the US), use a WAF web ACL that ANDs a geo-match statement with a URI-path match instead.
Trap Expecting requests blocked by CloudFront geo restriction to still be logged or counted by WAF — they are dropped before WAF runs.
5 questions test this
- A company has enabled both CloudFront geographic restrictions to blocklist a specific country and an AWS WAF web ACL associated with the…
- A global media company uses Amazon CloudFront to deliver streaming content. They need to implement a solution that allows users from…
- A financial services company uses Amazon CloudFront to deliver a web application with different content paths: /public for marketing…
- A financial services company hosts a web application behind Amazon CloudFront and needs to block access from specific countries due to…
- A media streaming company distributes video content through Amazon CloudFront and must restrict access to users in specific countries due…
- AWS Marketplace WAF rule groups are per-account and billed until removed from every web ACL
An AWS Marketplace managed WAF rule-group subscription is scoped to the single account that subscribed, so each account (e.g. production vs sandbox) must subscribe separately before the rule group is selectable. To stop the charges you must remove the rule group from every web ACL and Firewall Manager policy that references it in addition to unsubscribing; pin a managed rule group to a static version so vendor updates require review before taking effect.
Trap Assuming an org-wide or another account's Marketplace subscription carries over, or that unsubscribing alone stops billing while a web ACL still references it.
3 questions test this
- A security engineer is adding an AWS Marketplace managed rule group to an AWS WAF web ACL. The vendor publishes new versions of the rule…
- A developer in a sandbox AWS account successfully subscribed to and added a third-party AWS Marketplace managed rule group to an AWS WAF…
- A security engineer subscribed to a third-party AWS Marketplace managed rule group and added it to a production AWS WAF web ACL. After…
- Firewall Manager centrally deploys WAF, Shield Advanced, and DNS Firewall policies across the org
AWS Firewall Manager is the least-overhead way to enforce a single security policy across all accounts and new resources in an AWS Organization: it can push WAF web ACLs (including AWS and Marketplace managed rule groups), Shield Advanced protections with automatic application-layer mitigation, and Route 53 Resolver DNS Firewall rule groups, auto-remediating onto in-scope and newly created resources.
Trap Scripting per-account web ACLs or rule-group associations for org-wide coverage when a Firewall Manager policy applies and auto-remediates everywhere.
4 questions test this
- A multinational enterprise uses AWS Organizations with accounts in multiple AWS Regions. The security team wants to deploy consistent Route…
- A company uses AWS Organizations with multiple AWS accounts that host public-facing Application Load Balancers and Amazon CloudFront…
- A company uses AWS Organizations with multiple accounts and wants to deploy AWS Shield Advanced protection consistently across all Amazon…
- A security engineer subscribed to a third-party AWS Marketplace managed rule group and added it to a production AWS WAF web ACL. After…
Also tested in
References
- What is Amazon CloudFront?
- How AWS Shield works (DDoS overview)
- What is AWS WAF?
- OWASP Top 10 Whitepaper
- AWS Managed Rules rule groups list
- Rate-based rule statement
- Using labels on web requests in AWS WAF
- AWS Shield Advanced summary
- AWS Shield pricing
- Restricting access to an Amazon S3 origin (origin access control)
- Understanding response headers policies
- Using cross-origin resource sharing (CORS) with Amazon S3
- What is Amazon Security Lake?
- Open Cybersecurity Schema Framework (OCSF) schema Whitepaper
- Managed rule groups in AWS WAF (including AWS Marketplace)