How I Built a Frontline Defense for My Website Using AWS WAF and Shield
As an associate system administrator I worked on Red Hat Linux servers, including user management, permissions, services, and performance monitoring. I automated routine administrative tasks using Bash scripting and cron jobs, reducing manual effort by ~30%. I am an AWS Certified SysOps Administrator and Google Certified Cloud Engineer, determined to transition my career into a cloud architect / cloud support role.
When you deploy a web application on the public internet, you immediately open the door to two distinct types of digital threats:
Volumetric Floods (Layer 3/4): Brute-force Distributed Denial of Service (DDoS) attacks aiming to consume your bandwidth and knock your infrastructure offline.
Application-Layer Exploits (Layer 7): Crafty, targeted web requests attempting to exploit vulnerabilities in your code (such as SQL Injections or Cross-Site Scripting).
To ensure my web application remained highly available, secure, and resilient, I set out to construct a robust, multi-layered security perimeter. By combining AWS Shield and AWS WAF (Web Application Firewall), I established an edge-defense architecture capable of deflecting automated bots and sophisticated attackers alike.
In this guide, I’ll take you step-by-step through how I built this frontline defense, monitored its activity, and how you can do the same for your infrastructure.
The Architectural Blueprint
Before diving into the AWS Console, it helps to understand how traffic flows through this defense mechanism. By placing our security resources at the AWS edge (via Amazon CloudFront), malicious traffic is filtered before it ever reaches our origin servers.
Part 1: The Foundation — Understanding AWS Shield Standard
My first step wasn't to write complex firewall rules; it was to understand what baseline protections were already active.
Upon navigating to the AWS WAF & Shield dashboard, I was reminded of an incredibly vital cloud security detail: every AWS customer receives AWS Shield Standard automatically and completely free of charge.
What does Shield Standard actually do?
Shield Standard works silently in the background. It provides always-on monitoring and inline mitigation against the most common, high-volume network and transport layer attacks (like SYN floods or UDP reflection attacks).
Knowing this fundamental baseline protection was already safeguarding my infrastructure gave me the perfect foundation to build upon. However, Shield Standard doesn't inspect application payloads. For that, we need to introduce a smarter gatekeeper: AWS WAF.
Part 2: The Intelligent Gatekeeper — Building an AWS WAF Web ACL
While Shield Standard handles massive infrastructure floods, AWS WAF provides deep application-layer inspection. The core structural component of AWS WAF is the Web Access Control List (Web ACL), which acts as the central container for our security rules.
Step 1: Create the Web ACL
Navigate to the AWS WAF & Shield console.
Click on Create web ACL.
Configuration: Provide a clear, descriptive name (e.g., MyFirstWebACL).
Resource Type: Because my website is globally distributed via an Amazon CloudFront distribution, I selected CloudFront distributions. This ensures the firewall operates directly at AWS edge locations worldwide, stopping malicious requests as close to the source as possible.
Step 2: Create a Custom IP Blocking Rule
To test the power of my new firewall, I started with a fundamental security scenario: blocking traffic from a known malicious or troublesome IP address.
Creating an IP Set: First, I created an IP Set named BadIPs. Think of an IP Set as a reusable, named list of IP addresses. For testing purposes, I added a sample address (1.2.3.4/32).
Writing the Rule: Inside the Web ACL configuration, I added a custom rule named BlockBadIPs. I configured the logic to match requests if the source IP address resides within the BadIPs IP set.
Setting the Action: I set the action to Block.
With this simple rule active, any incoming request from an IP address listed in BadIPs is instantly terminated at the edge, returning a 403 Forbidden error to the client without burdening my backend servers.
Part 3: Proactive Monitoring — Configuring CloudWatch Alarms
A strong defense shouldn’t be silent. If my application is actively being targeted or if a sudden spike in malicious traffic occurs, I want to know immediately—not hours after the fact. To turn this passive defense into an active monitoring system, I integrated Amazon CloudWatch and Amazon SNS (Simple Notification Service).
I created a custom CloudWatch Alarm mapped to a specific metric emitted by AWS WAF: BlockedRequests.
Alarm Configuration Settings:
Metric: BlockedRequests (Sum)
Period: 1 minute
Threshold Condition: Greater than or equal to 100
For the alarm's action, I linked it to an SNS Topic subscribed to my personal technical email address. Now, if AWS WAF suddenly blocks 100 or more bad requests within a single minute, CloudWatch switches to an In alarm state and fires off an immediate email notification to my inbox.
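The same alarm expressed as a boto3 put_metric_alarm call, plus a small local replay of its threshold logic. This is an added example rather than code from the post; the web ACL name and SNS topic ARN are placeholders, and it assumes the web ACL is CloudFront-scoped (which is why the Region dimension is Global).

```python
# Added example, not the post's code. Placeholders: web ACL name and SNS topic ARN.

def blocked_requests_alarm(web_acl_name, sns_topic_arn, threshold=100, period_seconds=60):
    """Parameters for cloudwatch.put_metric_alarm matching Part 3: Sum of BlockedRequests
    over a 1-minute period, alarm when >= threshold, notification to the SNS topic."""
    return {
        "AlarmName": f"{web_acl_name}-BlockedRequests",
        "Namespace": "AWS/WAFV2",
        "MetricName": "BlockedRequests",
        # A CloudFront-scoped web ACL reports under Region=Global; Rule=ALL is the ACL-wide total.
        "Dimensions": [
            {"Name": "WebACL", "Value": web_acl_name},
            {"Name": "Region", "Value": "Global"},
            {"Name": "Rule", "Value": "ALL"},
        ],
        "Statistic": "Sum",
        "Period": period_seconds,
        "EvaluationPeriods": 1,
        "Threshold": threshold,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        # Quiet minutes emit no datapoint at all; treat that as healthy, not as a breach.
        "TreatMissingData": "notBreaching",
        "AlarmActions": [sns_topic_arn],
        "AlarmDescription": f"WAF blocked >= {threshold} requests within {period_seconds}s",
    }

def would_alarm(params, per_minute_sums):
    """Replay the alarm locally over constructed per-minute Sum values and return the
    indices of the minutes that would flip the alarm to In alarm (EvaluationPeriods=1)."""
    threshold = params["Threshold"]
    return [i for i, total in enumerate(per_minute_sums) if total >= threshold]

if __name__ == "__main__":
    import boto3  # only needed to actually create the alarm in the account
    params = blocked_requests_alarm(
        "MyFirstWebACL", "arn:aws:sns:us-east-1:111122223333:PLACEHOLDER-topic")
    # Constructed sample: a quiet stretch, then one minute with 100 blocked requests.
    print("alarming minutes:", would_alarm(params, [5, 40, 99, 100, 3]))
    boto3.client("cloudwatch", region_name="us-east-1").put_metric_alarm(**params)
```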
Part 4: Moving Beyond the Basics — AWS Shield Advanced
While the combination of Shield Standard and custom WAF rules provides incredible value, I also took some time to explore the enterprise-tier alternative: AWS Shield Advanced.
For mission-critical production environments, upgrading to Shield Advanced unlocks a suite of premium protections:
24/7 Access to the SRT: Direct access to the AWS Shield Response Team (SRT) to help write custom rules during an active, sophisticated attack.
Cost Protection: Financial mitigation against economic scaling spikes (e.g., if a DDoS attack causes your CloudFront or Auto Scaling costs to skyrocket, AWS provides service credits for those spikes).
Automatic Application-Layer Mitigation: Shield Advanced can automatically create and deploy WAF rules on your behalf by analyzing traffic patterns during an anomaly.
Extending the Defense: Production Best Practices
If you're looking to take your edge security a step further, consider implementing these additional AWS WAF layers:
Leverage AWS Managed Rule Groups: Instead of writing every rule from scratch, subscribe to the Core Rule Set (CRS) managed by AWS. This automatically protects your application against common vulnerabilities listed in the OWASP Top 10 (like SQL Injection, scripting exploits, and local file inclusions).
Implement Rate Limiting: Prevent brute-force login attempts and web scraping by adding a rate-based rule. For example, you can automatically block any IP address that exceeds 2,000 requests in a rolling 5-minute window.
Geo-Blocking: If your business operations only serve a specific geographic region, you can use AWS WAF to instantly block traffic originating from countries outside your target market, drastically reducing your attack surface area.
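The console steps from Part 2 and the three best-practice rules above, written out as the WAFv2 rule definitions boto3 would send, with a check for two mistakes the API rejects. This is an added example, not the post's own code; the IP set ARN, account id and allowed-country list are placeholders.

```python
# Added example, not the post's code. Placeholders: the IP set ARN, account id and country list.

def _vis(name):
    # Every rule (and the ACL itself) needs a VisibilityConfig to emit CloudWatch metrics.
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": name}

def build_rules(ip_set_arn, allowed_countries, rate_limit=2000):
    """Web ACL rules from Part 2 and the best-practices section; lower Priority runs first."""
    return [
        {   # Part 2: block any source IP found in the BadIPs IP set.
            "Name": "BlockBadIPs", "Priority": 0, "Action": {"Block": {}},
            "Statement": {"IPSetReferenceStatement": {"ARN": ip_set_arn}},
            "VisibilityConfig": _vis("BlockBadIPs")},
        {   # Geo-blocking: block everything that is NOT from the target market.
            "Name": "BlockOutsideMarket", "Priority": 1, "Action": {"Block": {}},
            "Statement": {"NotStatement": {"Statement": {
                "GeoMatchStatement": {"CountryCodes": allowed_countries}}}},
            "VisibilityConfig": _vis("BlockOutsideMarket")},
        {   # Rate limiting: block an IP exceeding rate_limit requests per 5-minute window.
            "Name": "RateLimitPerIP", "Priority": 2, "Action": {"Block": {}},
            "Statement": {"RateBasedStatement": {"Limit": rate_limit, "AggregateKeyType": "IP"}},
            "VisibilityConfig": _vis("RateLimitPerIP")},
        {   # AWS Core Rule Set: a managed group takes OverrideAction, never Action.
            "Name": "AWSCommonRuleSet", "Priority": 3, "OverrideAction": {"None": {}},
            "Statement": {"ManagedRuleGroupStatement": {
                "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}},
            "VisibilityConfig": _vis("AWSCommonRuleSet")},
    ]

def validate_rules(rules):
    """Catch two mistakes the WAFv2 API rejects: duplicate priorities, and a rule with
    both or neither of Action/OverrideAction. Returns a list of problem strings."""
    problems = []
    if len({r["Priority"] for r in rules}) != len(rules):
        problems.append("duplicate Priority values")
    for r in rules:
        if ("Action" in r) == ("OverrideAction" in r):
            problems.append(f"{r['Name']}: needs exactly one of Action/OverrideAction")
    return problems

if __name__ == "__main__":
    import boto3  # CloudFront-scoped web ACLs are always created in us-east-1
    rules = build_rules("arn:aws:wafv2:us-east-1:111122223333:global/ipset/BadIPs/PLACEHOLDER-ID", ["US"])
    assert not validate_rules(rules)
    boto3.client("wafv2", region_name="us-east-1").create_web_acl(
        Name="MyFirstWebACL", Scope="CLOUDFRONT", DefaultAction={"Allow": {}},
        Rules=rules, VisibilityConfig=_vis("MyFirstWebACL"))
```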
Summary: Key Takeaways
Building this frontline defense reinforced three major cloud security lessons:
Shield Standard is your silent bodyguard: It provides an exceptional, zero-cost network baseline defense for every single AWS account.
AWS WAF is your granular gatekeeper: It gives you total control over application-layer traffic, allowing you to intercept, inspect, and filter traffic based on IPs, headers, body strings, or pre-built vendor rules.
Observability transforms security: Coupling your firewall with CloudWatch Alarms ensures you move away from a reactive security posture and into an active, aware operational state.
Protecting your web application doesn’t have to be overwhelmingly complex. Start with a clean Web ACL, implement a couple of core rules, and let AWS's global edge infrastructure do the heavy lifting for you!