What are AWS WAF, Shield, and Firewall Manager?

These are some critical services to be aware of if you plan to host publicly accessible web applications in AWS.

What are AWS WAF, AWS Shield and AWS Firewall Manager?

AWS WAF, AWS Shield and AWS Firewall Manager are essential tools to help protect your resources and keep your applications running smoothly. Using these services can improve your security posture and better defend against potential attacks. AWS WAF is a Layer 7 web application firewall that protects your web applications from known web exploits that might harm application availability and security or use too many resources. AWS Shield is a managed DDoS protection service provided by Amazon Web Services. AWS Firewall Manager provides a security management solution that allows you to manage firewalls and intrusion prevention systems (IPS).

In this article, we'll take a closer look at each of these services and how they can help you secure your applications and resources.

AWS Web Application Firewall (WAF)

AWS WAF is the web app firewall AWS offers to help protect your web apps from common web exploits that may affect the availability of your application, compromise its security, or cause spikes in costs by consuming excessive resources. Amazon's WAF gives you control over which traffic to allow or block to your web applications by defining customizable web security rules.

AWS WAF includes a set of predefined rules that you can add to your web ACLs (Web Access Control Lists), or through a process of AWS WAF optimization, you can create your own rules that allow, block, or monitor (count) web requests based on conditions that you specify, such as the IP addresses that web requests originate from or the values of query strings.

You can apply AWS WAF API protection to API Gateway and use your Web ACLs with load balancers and CloudFront distributions.

The current version of AWS WAF is significantly improved from the original AWS WAF Classic, so if you already have a WAF classic deployment, contact us about an AWS WAF migration.


Cost is calculated based on $5 per AWS WAF web ACL per month, $1 per rule per month, and $0.60 per million web requests per month. For example, if you have a single web ACL on your CloudFront distribution with five rules in place and fewer than a million web requests processed in a given month, your monthly charge will be $10.60. The pricing is quite reasonable given the benefits of the service.
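As an added example (not code from this article or from AWS), the scenario above expressed as a wafv2 web ACL definition in the shape boto3's create_web_acl call takes, with a pre-flight check for two mistakes the WAF API rejects (duplicate rule priorities, and a rule-group rule given Action instead of OverrideAction) and the article's cost arithmetic. The IP set ARN, rule names and request volume are constructed placeholders, and nothing here calls AWS.

```python
"""Build a wafv2 web ACL in the shape boto3's create_web_acl expects and sanity-check it.
Example code added for this article; ARN, names and request volume are constructed placeholders."""

# USD per month as quoted in the article: per web ACL, per rule, per million requests
PRICE_WEB_ACL, PRICE_RULE, PRICE_PER_MILLION = 5.00, 1.00, 0.60
VISIBILITY = {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True}
QUERY = {"FieldToMatch": {"QueryString": {}},  # inspect the query string after URL-decoding
         "TextTransformations": [{"Priority": 0, "Type": "URL_DECODE"}]}
GROUP_STATEMENTS = ("ManagedRuleGroupStatement", "RuleGroupReferenceStatement")

def rule(name: str, priority: int, statement: dict, action: str = "Block") -> dict:
    """One rule. Rule-group statements must use OverrideAction; all others use Action."""
    r = {"Name": name, "Priority": priority, "Statement": statement,
         "VisibilityConfig": dict(VISIBILITY, MetricName=name)}
    if any(k in statement for k in GROUP_STATEMENTS):
        r["OverrideAction"] = {"Count": {}} if action == "Count" else {"None": {}}
    else:
        r["Action"] = {action: {}}
    return r

def example_web_acl(ip_set_arn: str) -> dict:
    """Article scenario: one CloudFront web ACL with five rules (create it via us-east-1)."""
    return {
        "Name": "example-acl", "Scope": "CLOUDFRONT",
        "DefaultAction": {"Allow": {}},
        "VisibilityConfig": dict(VISIBILITY, MetricName="example-acl"),
        "Rules": [
            rule("block-listed-ips", 0, {"IPSetReferenceStatement": {"ARN": ip_set_arn}}),
            rule("rate-limit", 1, {"RateBasedStatement": {"Limit": 2000, "AggregateKeyType": "IP"}}),
            rule("sqli-query", 2, {"SqliMatchStatement": QUERY}),
            rule("xss-query", 3, {"XssMatchStatement": QUERY}, action="Count"),  # monitor first
            rule("aws-common", 4, {"ManagedRuleGroupStatement":
                                   {"VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}}),
        ],
    }

def check_web_acl(acl: dict) -> list:
    """Return problems the WAF API rejects: duplicate priorities or the wrong action kind."""
    problems = []
    priorities = [r["Priority"] for r in acl["Rules"]]
    if len(priorities) != len(set(priorities)):
        problems.append("duplicate rule priorities")
    for r in acl["Rules"]:
        is_group = any(k in r["Statement"] for k in GROUP_STATEMENTS)
        if ("OverrideAction" in r) != is_group or ("Action" in r) == is_group:
            problems.append(f"{r['Name']}: rule-group rules need OverrideAction, others need Action")
    return problems

def monthly_cost(acl: dict, requests: int) -> float:  # article list prices, linear in requests
    return round(PRICE_WEB_ACL + PRICE_RULE * len(acl["Rules"]) + PRICE_PER_MILLION * requests / 1e6, 2)
```

Run check_web_acl on the definition before passing it to create_web_acl; a clean list means the two structural errors above are absent, not that the rules are the right ones for your application.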

AWS Shield

AWS Shield is a managed, multi-layered DDoS protection service that safeguards critical applications running in AWS. It provides always-on threat detection and automatic inline mitigation to minimize application downtime and latency, so it is not necessary to engage with AWS Support to benefit from DDoS protection.

There are two tiers of AWS Shield: Standard and Advanced.

AWS Shield Standard is included for all AWS customers at no additional charge with all supported AWS services and provides always-on detection for infrastructure (Layer 3 and 4) attacks, including SYN/UDP floods, fragmented packet attacks, and other volumetric attack vectors.

AWS Shield Advanced provides always-on detection and mitigation of DDoS attacks for your web applications running on AWS. It includes all the features of AWS Shield Standard, plus additional features to help protect against sophisticated DDoS attacks.

Shield Advanced uses machine learning and other advanced techniques to detect and mitigate DDoS attacks before they can cause any significant impact. It also provides real-time visibility into attack trends and anomalies, so you can quickly adapt your defences as new threats emerge. In addition, AWS Shield Advanced offers proactive engagement with AWS Support, so you can get expert help in mitigating large and sophisticated DDoS attacks.

AWS Shield Cost

AWS Shield Standard is free and automatically enabled. AWS Shield Advanced costs $3,000 per month.

AWS Firewall Manager

AWS Firewall Manager is a security management solution that allows you to centrally manage firewalls and intrusion prevention systems (IPS) across your AWS accounts. You don't have to choose between AWS Firewall Manager and WAF, because the two work together. With Firewall Manager, you can easily configure and deploy application-level firewall rules across your AWS accounts and resources. Firewall Manager also provides comprehensive insights and visibility into the security state of your AWS environment. Firewall Manager has policies for AWS WAF monitoring, AWS Shield, Amazon VPC security groups, AWS Network Firewall, Amazon Route 53 Resolver DNS Firewall, and Palo Alto Cloud Next-generation firewalls sold through AWS Marketplace.

AWS Firewall Manager Costs

Costs for Firewall Manager come from the underlying service you are using. The services are listed above.

Benefits of WAF, Shield and Firewall Manager

Benefits of using AWS WAF, AWS Shield and AWS Firewall Manager include:

  • Improved security: By deploying web application firewall rules and web ACLs across your AWS accounts, you can help protect your applications from common exploits. Additionally, real-time visibility into attack trends and anomalies can help you more quickly identify and respond to potential threats based on IP addresses, cross-site scripting, SQL injection, bot traffic and more.

  • Reduced operational overhead: Firewall Manager allows you to centrally manage firewall rules across your AWS environment, which can help to reduce the operational overhead associated with managing multiple firewalls.

  • Cost savings: Using Firewall Manager, you can automatically apply cost-saving IPS rules across your AWS accounts. Additionally, AWS WAF costs are low, and you can use Firewall Manager to help you meet your organization's compliance requirements.

  • Increased security: With Firewall Manager, you can apply best practices for firewall rule management across your AWS environment. This can help to increase the overall security of your applications.

AWS WAF, AWS Shield and AWS Firewall Manager are all web application security tools that can help protect your web applications from common threats. While each tool has unique features and benefits, they all share the goal of protecting your applications and data. When deciding which tool is right for your organization, you must consider your security needs and requirements. Together, these three tools can provide an AWS intrusion prevention system and an extra layer of security for your web applications. They should be considered as part of a comprehensive security strategy.

