Shield
DDoS prevention service
Shield Standard
Free service that is automatically activated
- Provides protection from attacks such as SYN/UDP floods, reflection attacks and other Layer 3/4 attacks
Shield Advanced
Optional DDoS mitigation service ($3000 per month per organization)
- Protects against more sophisticated attacks on EC2, ELB, CloudFront, AWS Global Accelerator and Route 53
- 24/7 access to AWS DDoS response team
- Protect against higher fees during usage spikes due to DDoS
WAF
Layer 7 protection against common web vulnerabilities
Deploy on:
- Application Load Balancer
- API Gateway
- CloudFront
- AppSync GraphQL API
- Cognito User Pool
You can define Web ACL Rules:
- IP Set: up to 10k IP
- HTTP headers, body, URI strings
- Size constraints, geo-match
- Rate-based rules - DDoS protection
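The four rule kinds listed above (IP set, size constraint, geo-match, rate-based) can be seen working together in the following added example. It is not AWS code and not a WAF client: the rule dicts use the shape the wafv2 CreateWebACL API takes (Name / Priority / Statement / Action), but evaluate_request() is a constructed, simplified interpreter so the semantics (rules run in priority order, first match wins, requests counted per source IP over a 5-minute window) can be run offline. The IP set ARN, CIDRs, country codes, rate limit and sample requests are all constructed placeholders.

```python
"""Simplified local model of how an AWS WAF Web ACL evaluates a request.

Added example, not AWS code. Rule dicts follow the wafv2 CreateWebACL shape;
the evaluator below is a constructed interpreter, not the WAF engine.
"""
import ipaddress
from collections import defaultdict, deque

MAX_IP_SET_ENTRIES = 10_000   # WAF IP set limit noted in the notes above
RATE_LIMIT = 100              # constructed per-IP limit for the rate-based rule
WINDOW_SECONDS = 300          # rate-based rules count over a 5-minute window

# IP sets are separate resources that a Web ACL references by ARN (placeholder ARN).
IP_SET_ARN = "arn:aws:wafv2:REGION:ACCOUNT:regional/ipset/known-bad/PLACEHOLDER"
IP_SETS = {IP_SET_ARN: ["198.51.100.0/24", "203.0.113.7/32"]}   # constructed CIDRs

WEB_ACL_RULES = [
    {"Name": "BlockKnownBadIPs", "Priority": 0, "Action": {"Block": {}},
     "Statement": {"IPSetReferenceStatement": {"ARN": IP_SET_ARN}}},
    {"Name": "BlockOversizedBody", "Priority": 1, "Action": {"Block": {}},
     "Statement": {"SizeConstraintStatement": {
         "FieldToMatch": {"Body": {}}, "ComparisonOperator": "GT", "Size": 8192,
         "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}}},
    {"Name": "GeoBlock", "Priority": 2, "Action": {"Block": {}},
     "Statement": {"GeoMatchStatement": {"CountryCodes": ["ZZ"]}}},   # "ZZ": placeholder code
    {"Name": "RateLimitPerIP", "Priority": 3, "Action": {"Block": {}},
     "Statement": {"RateBasedStatement": {"Limit": RATE_LIMIT, "AggregateKeyType": "IP"}}},
]
DEFAULT_ACTION = "ALLOW"      # Web ACL default action when no rule matches

_COMPARE = {"EQ": lambda a, b: a == b, "NE": lambda a, b: a != b,
            "LE": lambda a, b: a <= b, "LT": lambda a, b: a < b,
            "GE": lambda a, b: a >= b, "GT": lambda a, b: a > b}
_seen = defaultdict(deque)    # per-IP request timestamps used by the rate-based rule


def validate_ip_set(cidrs):
    """Reject an IP set that is malformed or over the 10k entry limit."""
    if len(cidrs) > MAX_IP_SET_ENTRIES:
        raise ValueError(f"IP set has {len(cidrs)} entries, limit is {MAX_IP_SET_ENTRIES}")
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def reset_rate_state():
    """Forget all per-IP counters (for tests and fresh simulations)."""
    _seen.clear()


def _requests_in_window(ip, now):
    """Record one request from ip at time now; return how many fall in the window."""
    times = _seen[ip]
    times.append(now)
    while times and now - times[0] >= WINDOW_SECONDS:
        times.popleft()
    return len(times)


def _matches(statement, req, now):
    if "IPSetReferenceStatement" in statement:
        addr = ipaddress.ip_address(req["ip"])
        nets = validate_ip_set(IP_SETS[statement["IPSetReferenceStatement"]["ARN"]])
        return any(addr in net for net in nets)
    if "SizeConstraintStatement" in statement:
        s = statement["SizeConstraintStatement"]
        field = next(iter(s["FieldToMatch"]))              # e.g. "Body"
        length = req["field_sizes"].get(field, 0)
        return _COMPARE[s["ComparisonOperator"]](length, s["Size"])
    if "GeoMatchStatement" in statement:
        return req["country"] in statement["GeoMatchStatement"]["CountryCodes"]
    if "RateBasedStatement" in statement:
        # Simplified: block as soon as this IP exceeds Limit within the window.
        return _requests_in_window(req["ip"], now) > statement["RateBasedStatement"]["Limit"]
    raise ValueError(f"unsupported statement: {list(statement)}")


def evaluate_request(req, now):
    """Return (action, rule_name): rules run in priority order, first match wins."""
    for rule in sorted(WEB_ACL_RULES, key=lambda r: r["Priority"]):
        if _matches(rule["Statement"], req, now):
            return next(iter(rule["Action"])).upper(), rule["Name"]
    return DEFAULT_ACTION, None


def simulate_flood(ip, count, start=0.0):
    """One small, otherwise clean request per second from ip; return each action."""
    req = {"ip": ip, "country": "US", "field_sizes": {"Body": 512}}
    return [evaluate_request(req, start + i)[0] for i in range(count)]


if __name__ == "__main__":
    actions = simulate_flood("192.0.2.10", RATE_LIMIT + 1)
    print(f"first blocked request index: {actions.index('BLOCK')}")
```

Note that the real rate-based rule has evaluation lag and keeps blocking an address until its count drops back under the limit; the model here simply compares the window count with the limit on each request, which is enough to show why the rule belongs at a lower priority than the explicit IP set and geo rules.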
Firewall Manager
Manage rules across all accounts of an AWS Organization. Create a common set of security rules:
- WAF rules, Shield Advanced, security groups, Network Firewall, Route 53 Resolver DNS Firewall, etc.
Network Firewall
Protect your entire VPC
- From Layer 3 to 7
- Inspect traffic in any direction:
  - VPC to VPC
  - Ingress, egress
  - Direct Connect, Site-to-Site VPN
- Internally, Network Firewall uses the AWS Gateway Load Balancer
- Can be managed via Firewall Manager
AWS Network Firewall provides some advantages over NACLs alone. NACLs provide only stateless packet filtering, whereas AWS Network Firewall provides web filtering, intrusion detection and prevention, stateless and stateful packet filtering, and centralized visibility of all your traffic.