What is the difference between AWS Shield, AWS WAF, AWS GaurdDuty, AWS Firewall Manager and AWS Inspector

Amazon have lots of services and some of these are kind of overlapping. While attempting practice Tests, I used to get confused about what is exact different between these and when to use which server. Below article is my notes about these services.

AWS Shield

  • Protection against Distributed Denial of Service (DDoS) attacks for applications running on AWS.
  • AWS Shield is a managed service
  • Infrastructure (Layer 3 and 4) security
  • AWS Shield Standard is automatically enabled to all AWS customers at no additional cost.
  • There are two tiers of AWS Shield
    • Standard and
    • Advanced. (With Shield advanced, you get WAF)
  • When you use AWS Shield Standard with Amazon CloudFront and Amazon Route 53, you receive comprehensive availability protection against all known infrastructure (Layer 3 and 4) attacks
  • For higher levels of protection against attacks targeting your applications running on Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator and Amazon Route 53 resources, you can subscribe to AWS Shield Advanced.
  • AWS Shield Advanced is available globally on
    • all Amazon CloudFront,
    • AWS Global Accelerator, and
    • Amazon Route 53 edge locations.

AWS WAF

  • Blocks common attack patterns, such as SQL injection or cross-site scripting.
  • level 7
  • Can handle http/https
  • Fully managed
  • OWASP Top 10 assessment
  • AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits and bots that may affect availability, compromise security, or consume excessive resources
  • customize rules that filter out specific traffic patterns.
  • You can deploy AWS WAF on
    • Amazon CloudFront as part of your CDN solution,
    • the Application Load Balancer that fronts your web servers or
    • origin servers running on EC2,
    • Amazon API Gateway for your REST APIs, or
    • AWS AppSync for your GraphQL APIs.
  • Web data on site.
  • Traffic filtering

Amazon GuardDuty

  • Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3.
  • Detective service and not preventive
  • GuardDuty is a monitoring service that analyzes AWS CloudTrail management and Amazon S3 data events, VPC flow logs, and DNS logs to generate security findings for your account. Once GuardDuty is enabled, it starts monitoring your environment immediately. GuardDuty can be disabled at any time to stop it from processing all AWS CloudTrail events, VPC Flow Logs, and DNS logs.
  • GuardDuty is a Regional service, meaning any of the configuration procedures you follow on this page must be repeated in each region that you want to monitor with GuardDuty.
  • Analyzes and processes the following Data sources:
    • VPC Flow Logs,
    • AWS CloudTrail management event logs,
    • CloudTrail S3 data event logs, and
    • DNS logs.
  • It uses threat intelligence feeds, such as lists of malicious IP addresses and domains, and machine learning to identify unexpected and potentially unauthorized and malicious activity within your AWS environment.

AWS Firewall Manager

  • AWS Firewall Manager is a security management service which allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations.
  • Using AWS Firewall Manager, you can easily roll out AWS WAF rules for your Application Load Balancers, API Gateways, and Amazon CloudFront distributions. You can create AWS Shield Advanced protections for your Application Load Balancers, ELB Classic Load Balancers, Elastic IP Addresses and CloudFront distributions. You can also configure new Amazon Virtual Private Cloud (VPC) security groups and audit any existing VPC security groups for your Amazon EC2, Application Load Balancer (ALB) and ENI resource types. You can deploy AWS Network Firewalls across accounts and VPCs in your organization. Finally, with AWS Firewall Manager, you can also associate your VPCs with Amazon Route 53 Resolvers DNS Firewall rules.
  • Integrated with Organizations to enable AWS WAF rules across multiple AWS accounts. (Global rules, local rules/account wise can still be applied)

Amazon Inspector

Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports which are available via the Amazon Inspector console or API.

  • Select workloads to assess and define frequency
  • Supports only EC2 at the moment
  • Amazon Inspector provides you with security assessments of your applications’ settings and configurations while Amazon GuardDuty helps with analysing the entirety of your AWS accounts for potential threats.

References

Videos

  • https://www.youtube.com/watch?v=WI4EVgShkn0&t=1s
  • https://www.youtube.com/watch?v=eLQIVLTALDk
  • https://www.youtube.com/watch?v=lU_zPruIL9w&t=10s
  • https://www.youtube.com/watch?v=4P_J3OiH42g&t=16s

Documentation

  • https://aws.amazon.com/shield/faqs/
  • https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html
CategoriesUncategorized

Leave a Reply

Your email address will not be published. Required fields are marked *