AWS Infrastructure Protection Services

AWS is best known for being the leading Infrastructure as a service provider.

In recent years, AWS has been adding to its portfolio infrastructure protection services that used to be in the exclusive domain of security vendors.

How One AI-Driven Media Platform Cut EBS Costs for AWS ASGs by 48%

How One AI-Driven Media Platform Cut EBS Costs for AWS ASGs by 48%

Following the AWS Perimeter Security Webinar on August 5, and in order to provide our customers with the best professional, impartial advice, we have reviewed the capabilities, pros and cons of the AWS Infrastructure protection services.

This is by no means a comprehensive review of everything, but it’s a summary of key points.

What’s included in AWS Infrastructure protection services?

AWS Web Application Firewall

Commonly known as WAF. First released in 2015, the WAF service today is a mature product, with self defined rules and managed rules packages that you can procure on the AWS marketplace. AWS WAF addresses application layer security issues like content injection, remote command execution, cross site scripting, and more.

AWS Firewall Manager

This service, aka FMS, simplifies your AWS WAF administration and helps you enforce WAF rules on the resources across all the accounts in an AWS Organization by using AWS Config in the background. AWS Firewall Manager also enables you to selectively apply the rules to specific resources. In order to use FMS and reap its benefits, you must have an AWS organization, and must use AWS Config.

AWS Shield Advanced

AWS Shield standard is enabled free of charge for all AWS customers, and provides you with protection from common, most frequently occurring network and transport layer DDoS attacks.

AWS Shield Advanced provides additional protections for internet-facing applications running on Amazon Elastic Compute (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53. AWS Shield Advanced provides the following benefits over AWS Shield standard:

  • Customizable protection rules
  • Faster mitigation
  • A 24/7 response team (requires AWS premium support).
  • Full visibility into attack metrics, and access to global threat data.
  • Insurance against the economic impact of a DDoS attack.

The Good

Let’s start with the good things about AWS infrastructure protection.

If you already have an AWS account, it is extremely easy to start with AWS infrastructure protection, without signing contracts and without any commitment (except for Shield Advanced).

As commitments are not required, WAF and FMS are very economical on small scale operations. You can have an enterprise grade service even if you are just dipping your toes into cloud computing.

WAF, FMS and Shield are all well integrated with the other AWS services, and can be deployed to existing infrastructure almost without modifications to IT architecture.

The Bad

Not all is good about AWS infrastructure protection.

If Bots are an issue to your operation, and they probably are, then know that the Bot protection provided by AWS is seriously lagging behind competing services. The AWS Bot protection provided in the WAF, is limited to IP reputation and Geo blocking, which is not good enough for modern apps and modern bots.

Cloudfront and WAF performance lags behind the performance of competing services.

Globaldots runs periodical benchmarks for Cloudfront and other CDN performance for static and dynamic traffic, and our measurements show that while Cloudfront usually improves the performance of both static and dynamic traffic, the competition does it better. This is especially true when you want to apply protection to non-AWS resources, but also true for AWS.

The AWS Shield Advanced is not a network protection service like Neustar or Akamai Prolexic. Instead, it is a resource protection service. You have to specify which of the relevant computing resources in your accounts to protect. It kind of makes sense, as AWS are protecting their network anyway. However, it means that you don’t get any protection for assets out of AWS.

The Ugly

We mentioned the good and the bad, but some AWS infrastructure protection features are neither good nor bad, but simply unexpected, so you have to be aware of them nonetheless.

On a small scale these things do not really matter, but as your usage grows so does the surprise factor.

AWS infrastructure protection services, in particular AWS WAF and AWS Firewall Manager, have a convoluted cost structure. While this is true about most of AWS services, with most other services it is easier to translate existing infrastructure into AWS architecture. In this case, you really cannot anticipate what your costs are going to be without expert help.

When you start using AWS Infrastructure protection, you will notice that there are hidden costs nobody mentioned. The following AWS services are all used within the context of security, and have their own, individual costs that are significant with larger usage: AWS Cloudwatch for security events and metrics, S3 to store logs, API calls, AWS Config for the Firewall Manager, inter-regional traffic between WAF nodes and your assets, and even egress traffic going to non-AWS origins.

Of course, if you want access to the DDOS response team, you have to have an expensive support plan to start with.

Conclusion

AWS infrastructure protection may be an excellent choice for you. It is easy to start using, well integrated, and even makes economic sense in many cases. Consider using AWS WAF, AWS FMS, or AWS Shield Advanced if most of the following applies to you:

  • You are an exclusively AWS shop and do not have a cross-cloud or hybrid cloud shop.
  • You have multiple AWS accounts in an AWS Organization
    The AWS Cloudfront performance is good enough and you do not need more.
  • You are a small startup, with no spare energy to negotiate contracts and start commitments
  • You are an enterprise with centralized Security and Compliance teams and sensitive workloads
  • Your workloads do not generate a lot of traffic

Additionally, consider using AWS Shield Advanced if you are willing to pay $3000/month for insurance against DDOS incurred expenses.

If you have any questions about AWS infrastructure protection services, or cloud computing in general, contact us today to help you out with your performance and security needs.

Latest Articles

Complying with AWS’s RI/SP Policy Update: Save More, Stress Less

Shared Reserved Instances (RIs) and Savings Plans (SPs) have been a common workaround for reducing EC2 costs, but their value has always been limited. On average, these shared pools deliver only 25% savings on On-Demand costs—far below the 60% savings achievable with automated reservation tools. For IT and DevOps teams, the trade-offs include added complexity, […]

Itay Tal Head of Cloud Services
5th December, 2024
The Future of Cybersecurity: Shlomo Kramer’s Bold Predictions for the SASE Era

What does the next decade of cybersecurity hold? Few can answer that better than Shlomo Kramer—co-founder of Check Point and Imperva, and founder & CEO of Cato Networks. In a candid conversation on the CloudNext podcast, Shlomo shared bold predictions and actionable strategies for navigating the challenges and opportunities ahead. From the rise of SASE […]

Ganesh The Awesome Senior Pre & Post-Sales Engineer at GlobalDots
4th December, 2024
Three Ways CISOs Can Combat Emerging Threats in 2025

73% of CISOs fear a material cyberattack in the next 12 months, with over three-quarters convinced AI is advancing too quickly for existing methods to combat it. But what can CISOs do to prepare for the coming wave – and access the resources they need to deal with this evolving threat landscape? To find out, […]

11th November, 2024
How Optimizing Kafka Can Save Costs of the Whole System

Kafka is no longer exclusively the domain of high-velocity Big Data use cases. Today, it is utilized on by workloads and companies of all sizes, supporting asynchronous communication between even small groups of microservices.  But this expanded usage has led to problems with cost creep that threaten many companies’ bottom lines. And due to the […]

Itay Tal Head of Cloud Services
29th September, 2024

Unlock Your Cloud Potential

Schedule a call with our experts. Discover new technology and get recommendations to improve your performance.

    GlobalDots' industry expertise proactively addressed structural inefficiencies that would have otherwise hindered our success. Their laser focus is why I would recommend them as a partner to other companies

    Marco Kaiser
    Marco Kaiser

    CTO

    Legal Services

    GlobalDots has helped us to scale up our innovative capabilities, and in significantly improving our service provided to our clients

    Antonio Ostuni
    Antonio Ostuni

    CIO

    IT Services

    It's common for 3rd parties to work with a limited number of vendors - GlobalDots and its multi-vendor approach is different. Thanks to GlobalDots vendors umbrella, the hybrid-cloud migration was exceedingly smooth

    Motti Shpirer
    Motti Shpirer

    VP of Infrastructure & Technology

    Advertising Services