AWS Infrastructure Protection Services

AWS is best known for being the leading Infrastructure as a service provider.

In recent years, AWS has been adding to its portfolio infrastructure protection services that used to be in the exclusive domain of security vendors.

How One AI-Driven Media Platform Cut EBS Costs for AWS ASGs by 48%

How One AI-Driven Media Platform Cut EBS Costs for AWS ASGs by 48%

Following the AWS Perimeter Security Webinar on August 5, and in order to provide our customers with the best professional, impartial advice, we have reviewed the capabilities, pros and cons of the AWS Infrastructure protection services.

This is by no means a comprehensive review of everything, but it’s a summary of key points.

What’s included in AWS Infrastructure protection services?

AWS Web Application Firewall

Commonly known as WAF. First released in 2015, the WAF service today is a mature product, with self defined rules and managed rules packages that you can procure on the AWS marketplace. AWS WAF addresses application layer security issues like content injection, remote command execution, cross site scripting, and more.

AWS Firewall Manager

This service, aka FMS, simplifies your AWS WAF administration and helps you enforce WAF rules on the resources across all the accounts in an AWS Organization by using AWS Config in the background. AWS Firewall Manager also enables you to selectively apply the rules to specific resources. In order to use FMS and reap its benefits, you must have an AWS organization, and must use AWS Config.

AWS Shield Advanced

AWS Shield standard is enabled free of charge for all AWS customers, and provides you with protection from common, most frequently occurring network and transport layer DDoS attacks.

AWS Shield Advanced provides additional protections for internet-facing applications running on Amazon Elastic Compute (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53. AWS Shield Advanced provides the following benefits over AWS Shield standard:

  • Customizable protection rules
  • Faster mitigation
  • A 24/7 response team (requires AWS premium support).
  • Full visibility into attack metrics, and access to global threat data.
  • Insurance against the economic impact of a DDoS attack.

The Good

Let’s start with the good things about AWS infrastructure protection.

If you already have an AWS account, it is extremely easy to start with AWS infrastructure protection, without signing contracts and without any commitment (except for Shield Advanced).

As commitments are not required, WAF and FMS are very economical on small scale operations. You can have an enterprise grade service even if you are just dipping your toes into cloud computing.

WAF, FMS and Shield are all well integrated with the other AWS services, and can be deployed to existing infrastructure almost without modifications to IT architecture.

The Bad

Not all is good about AWS infrastructure protection.

If Bots are an issue to your operation, and they probably are, then know that the Bot protection provided by AWS is seriously lagging behind competing services. The AWS Bot protection provided in the WAF, is limited to IP reputation and Geo blocking, which is not good enough for modern apps and modern bots.

Cloudfront and WAF performance lags behind the performance of competing services.

Globaldots runs periodical benchmarks for Cloudfront and other CDN performance for static and dynamic traffic, and our measurements show that while Cloudfront usually improves the performance of both static and dynamic traffic, the competition does it better. This is especially true when you want to apply protection to non-AWS resources, but also true for AWS.

The AWS Shield Advanced is not a network protection service like Neustar or Akamai Prolexic. Instead, it is a resource protection service. You have to specify which of the relevant computing resources in your accounts to protect. It kind of makes sense, as AWS are protecting their network anyway. However, it means that you don’t get any protection for assets out of AWS.

The Ugly

We mentioned the good and the bad, but some AWS infrastructure protection features are neither good nor bad, but simply unexpected, so you have to be aware of them nonetheless.

On a small scale these things do not really matter, but as your usage grows so does the surprise factor.

AWS infrastructure protection services, in particular AWS WAF and AWS Firewall Manager, have a convoluted cost structure. While this is true about most of AWS services, with most other services it is easier to translate existing infrastructure into AWS architecture. In this case, you really cannot anticipate what your costs are going to be without expert help.

When you start using AWS Infrastructure protection, you will notice that there are hidden costs nobody mentioned. The following AWS services are all used within the context of security, and have their own, individual costs that are significant with larger usage: AWS Cloudwatch for security events and metrics, S3 to store logs, API calls, AWS Config for the Firewall Manager, inter-regional traffic between WAF nodes and your assets, and even egress traffic going to non-AWS origins.

Of course, if you want access to the DDOS response team, you have to have an expensive support plan to start with.

Conclusion

AWS infrastructure protection may be an excellent choice for you. It is easy to start using, well integrated, and even makes economic sense in many cases. Consider using AWS WAF, AWS FMS, or AWS Shield Advanced if most of the following applies to you:

  • You are an exclusively AWS shop and do not have a cross-cloud or hybrid cloud shop.
  • You have multiple AWS accounts in an AWS Organization
    The AWS Cloudfront performance is good enough and you do not need more.
  • You are a small startup, with no spare energy to negotiate contracts and start commitments
  • You are an enterprise with centralized Security and Compliance teams and sensitive workloads
  • Your workloads do not generate a lot of traffic

Additionally, consider using AWS Shield Advanced if you are willing to pay $3000/month for insurance against DDOS incurred expenses.

If you have any questions about AWS infrastructure protection services, or cloud computing in general, contact us today to help you out with your performance and security needs.

Latest Articles

From 2024 to 2025: The Evolving DDoS Threat Landscape

The numbers from the DDoS landscape tell a troubling story. In Q3 2024, DDoS attacks reached unprecedented levels, reaching a record-breaking Tbps and billion packet-per-second attack. These hyper-volumetric campaigns tested the resilience of global networks against attackers who are becoming faster, smarter, and more resourceful. They also became a wake-up call for IT leaders who […]

13th February, 2025
Universal ZTNA: How Does it Compare to Traditional ZTNA?

How will you protect your network as cloud-first strategies and hybrid workforces redefine the modern business landscape? While Traditional Zero-Trust Network Access (ZTNA) solutions laid the foundation for secure access, Universal ZTNA is rewriting the rules. Imagine a solution that unifies your security policies across all environments, simplifies management, and scales easily. That’s Universal ZTNA. […]

12th February, 2025
4 Common Kafka Installation Errors – And Proven Steps to Avoid Them

Apache Kafka is the platform of choice for real-time data processing, but getting it up and running can feel like an uphill battle.  With high throughput and fault tolerance, companies like Spotify rely on this distributed streamlining platform to deliver seamless services for over 600 million global users – supporting everything from log aggregation and […]

9th February, 2025
4 Proven Ways to Minimize Your AWS MSK Cost

The very tools designed to streamline cloud operations can sometimes stretch budgets thin. One good example is managing the costs associated with Amazon Managed Streaming for Apache Kafka (MSK). While AWS MSK simplifies deploying and scaling Kafka clusters, the costs can stack up if not optimized. Here’s how you can rethink your AWS MSK deployment […]

3rd February, 2025

Unlock Your Cloud Potential

Schedule a call with our experts. Discover new technology and get recommendations to improve your performance.

    GlobalDots' industry expertise proactively addressed structural inefficiencies that would have otherwise hindered our success. Their laser focus is why I would recommend them as a partner to other companies

    Marco Kaiser
    Marco Kaiser

    CTO

    Legal Services

    GlobalDots has helped us to scale up our innovative capabilities, and in significantly improving our service provided to our clients

    Antonio Ostuni
    Antonio Ostuni

    CIO

    IT Services

    It's common for 3rd parties to work with a limited number of vendors - GlobalDots and its multi-vendor approach is different. Thanks to GlobalDots vendors umbrella, the hybrid-cloud migration was exceedingly smooth

    Motti Shpirer
    Motti Shpirer

    VP of Infrastructure & Technology

    Advertising Services