Adding Layers of Defense with AWS Shield – Understanding Attacks on Cloud Environments – SCS-C02 Study Guide

Adding Layers of Defense with AWS Shield

AWS WAF inspects web requests (layer 7) reaching the resources it can be associated with, such as CloudFront distributions and Application Load Balancers, but it does not see network- and transport-layer (layer 3/4) floods. AWS Shield protects against those DDoS attacks, such as volumetric and state-exhaustion attacks. The following table compares the attack types each service protects against.

Protection from        AWS WAF                    AWS Shield
                       HTTP floods                State-exhaustion attacks (for example, SYN floods)
                       SQL injection              DNS query floods (Route 53)
                       Cross-site scripting       Volumetric attacks
                       Remote file inclusion

Table 3.1: AWS WAF versus AWS Shield

With the preceding comparison between the two services covered, we will dive deeper into the details of the AWS Shield service in the following subsections.

The Two Tiers of AWS Shield

The AWS Shield tier you implement depends on your environment and on how much protection you require at which layer. Currently, there are two tiers available:

  • AWS Shield Standard: This first tier is enabled automatically, at no extra cost, for every AWS account. It provides always-on protection against the most common network- and transport-layer DDoS attacks.
  • AWS Shield Advanced: This second tier is a paid subscription with additional features and protection, such as DDoS cost protection and access to the Shield Response Team. These additional features come with additional costs.

Figure 3.5: AWS Shield versus Shield Advanced features

In summary, AWS Shield Standard provides baseline DDoS protection, while AWS Shield Advanced provides enhanced protection and additional features against larger and more sophisticated DDoS attacks.

Strengthening the Security Posture of Your AWS Account

Having explored the different types of attacks you may be subject to, you might be wondering how you can effectively protect your organization against all the threats it will face. This section covers the steps you can take to do so.

When running a Cloud Security Posture Assessment (CSPA) against your account(s), you will need to create an IAM role that grants read-only permissions to the service or tool performing the assessment. The assessment thoroughly reviews an organization's cloud security policies, processes, and controls. It can also include an examination of the technical infrastructure that supports the organization's cloud environment. By reviewing the account's access controls, conducting vulnerability assessments, and analyzing security logs, the assessor can uncover the weaknesses an attacker would exploit.
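When the assessor runs from another AWS account, the role's trust policy decides who can assume it, and a loose trust policy undoes the read-only restriction. The following is an added example (not from the study guide) that builds a trust policy restricted to one assessor account with an sts:ExternalId condition, the standard guard against the confused-deputy problem, and a small checker that flags weak trust policies. The account ID and ExternalId are placeholders. For the permissions side, prefer the AWS-managed SecurityAudit policy over ReadOnlyAccess: ReadOnlyAccess includes data reads such as s3:GetObject, while SecurityAudit exposes only configuration metadata.

```python
"""Trust policy for the read-only role an external assessor assumes during a
CSPA, plus a checker that flags weak trust policies.

Added example; the account ID and ExternalId below are placeholders.
"""
import json

ASSESSOR_ACCOUNT_ID = "111122223333"    # placeholder: the assessor's AWS account
EXTERNAL_ID = "cspa-2024-7f3a9c"        # placeholder: secret agreed with the assessor


def assessor_trust_policy(assessor_account_id, external_id):
    """Only the assessor account may assume the role, and only when it presents
    the agreed ExternalId. Without the condition, a third party with many
    customers could be tricked into assuming your role on someone else's behalf
    (the confused-deputy problem)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{assessor_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


# Constructed weak policy: anyone who knows the role ARN can assume it.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "sts:*",
    }],
}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy):
    """Return the problems found in a role trust policy; an empty list passes.
    Assumes the role is meant for a cross-account assessor, so an AWS principal
    without an ExternalId condition is reported."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            aws_principals = _as_list(principal.get("AWS"))
        else:
            aws_principals = _as_list(principal)   # bare "*" form
        actions = _as_list(stmt.get("Action"))
        conditions = stmt.get("Condition") or {}
        has_external_id = any(
            "sts:ExternalId" in cond for cond in conditions.values() if isinstance(cond, dict)
        )
        if "*" in aws_principals:
            findings.append("wildcard principal: any AWS identity can assume the role")
        if any(a in ("*", "sts:*") for a in actions):
            findings.append("wildcard action: grants more than sts:AssumeRole")
        if aws_principals and "*" not in aws_principals and not has_external_id:
            findings.append("cross-account principal without an sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    print(json.dumps(assessor_trust_policy(ASSESSOR_ACCOUNT_ID, EXTERNAL_ID), indent=2))
    print("weak policy findings:", trust_policy_findings(WEAK_TRUST_POLICY))
```

Save the generated document and pass it to `aws iam create-role --assume-role-policy-document file://trust.json`, then attach SecurityAudit with `aws iam attach-role-policy`; run `trust_policy_findings` against the trust policies of roles that already exist before an assessment to catch ones that were created without the condition.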

The following is a list of some of the vulnerabilities that are commonly found during a CSPA and reported back to the customer:

  • RDS: Automated backups are not enabled, so data cannot be restored after loss or corruption
  • EC2: An instance exposed directly to the internet (public IP address, permissive security group) increases the attack surface
  • CloudTrail: Log file validation is not enabled, so tampering with delivered log files cannot be detected
  • IAM: The root user does not have multifactor authentication (MFA) enabled, which leaves the root account protected by its password alone

A CSPA encompasses hundreds more checks, rated from critical, high, medium, and low down to informational. These checks are not there simply to show you where your account has vulnerabilities. Their main goal is to help your organization find areas of risk and weakness and develop an actionable plan to correct them, improving your account's overall security posture. AWS provides a service that helps organize your CSPA findings as you continually work to fix the issues found in your account. This service is AWS Security Hub, and we will provide a full overview of it in Chapter 6, Event Management with Security Hub and GuardDuty.
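To make the four sample findings concrete, the following added example (not from the study guide) implements them as checks that run over constructed account data and rank the results by severity. The data is constructed, but its field names follow the AWS API responses named in the comments (BackupRetentionPeriod, PublicIpAddress, LogFileValidationEnabled, AccountMFAEnabled); the severities assigned are illustrative. Treat a public IPv4 address as a coarse proxy for exposure: security group and network ACL rules decide what is actually reachable.

```python
"""Run the four sample CSPA checks over constructed account data.

Added example. Field names match the boto3 responses noted below; the
account data itself is constructed and the severities are illustrative.
"""

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL"]

# Constructed input. Shapes follow rds.describe_db_instances,
# ec2.describe_instances (one dict per instance), cloudtrail.describe_trails
# and iam.get_account_summary()["SummaryMap"].
SAMPLE_ACCOUNT = {
    "rds_instances": [
        {"DBInstanceIdentifier": "orders-db", "BackupRetentionPeriod": 0},   # backups off
        {"DBInstanceIdentifier": "billing-db", "BackupRetentionPeriod": 7},
    ],
    "ec2_instances": [
        {"InstanceId": "i-0aaa1111bbbb2222c", "PublicIpAddress": "203.0.113.10"},
        {"InstanceId": "i-0ddd3333eeee4444f"},                                  # private only
    ],
    "cloudtrail_trails": [
        {"Name": "management-trail", "LogFileValidationEnabled": False},
    ],
    "iam_account_summary": {"AccountMFAEnabled": 0},                            # 1 == root MFA on
}

# The same account after remediation; every check should pass.
HARDENED_ACCOUNT = {
    "rds_instances": [{"DBInstanceIdentifier": "orders-db", "BackupRetentionPeriod": 7}],
    "ec2_instances": [{"InstanceId": "i-0ddd3333eeee4444f"}],
    "cloudtrail_trails": [{"Name": "management-trail", "LogFileValidationEnabled": True}],
    "iam_account_summary": {"AccountMFAEnabled": 1},
}


def _finding(severity, resource, title, remediation):
    return {"severity": severity, "resource": resource,
            "title": title, "remediation": remediation}


def check_rds_backups(account):
    # A retention period of 0 days turns automated backups off.
    return [_finding("MEDIUM", db["DBInstanceIdentifier"],
                     "RDS automated backups are disabled",
                     "Set BackupRetentionPeriod to at least 7 days")
            for db in account["rds_instances"]
            if db.get("BackupRetentionPeriod", 0) == 0]


def check_ec2_public(account):
    # Public IPv4 is a coarse exposure proxy; firewall rules decide reachability.
    return [_finding("HIGH", inst["InstanceId"],
                     "EC2 instance has a public IPv4 address",
                     "Place the instance in a private subnet behind a load balancer")
            for inst in account["ec2_instances"] if inst.get("PublicIpAddress")]


def check_cloudtrail_validation(account):
    # Validation adds signed digest files so tampered log files are detectable.
    return [_finding("LOW", trail["Name"],
                     "CloudTrail log file validation is disabled",
                     "Enable log file validation on the trail")
            for trail in account["cloudtrail_trails"]
            if not trail.get("LogFileValidationEnabled")]


def check_root_mfa(account):
    if account["iam_account_summary"].get("AccountMFAEnabled") != 1:
        return [_finding("CRITICAL", "root",
                         "Root user has no MFA device",
                         "Register a hardware MFA device on the root user")]
    return []


CHECKS = [check_root_mfa, check_ec2_public, check_rds_backups, check_cloudtrail_validation]


def run_checks(account):
    """Run every check and return findings ordered from critical to informational."""
    findings = [f for check in CHECKS for f in check(account)]
    findings.sort(key=lambda f: SEVERITY_ORDER.index(f["severity"]))
    return findings


def summarize(findings):
    """Count findings per severity, the view a posture dashboard shows first."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


if __name__ == "__main__":
    results = run_checks(SAMPLE_ACCOUNT)
    for f in results:
        print(f"[{f['severity']:<8}] {f['resource']}: {f['title']} -> {f['remediation']}")
    print(summarize(results))
```

Against a live account the same functions work unchanged if the four lists are filled from the corresponding boto3 calls; keeping collection and evaluation separate is what lets each check be unit tested with constructed data as above.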