In recent years, AWS has been adding to its portfolio infrastructure protection services that used to be in the exclusive domain of security vendors.
Following the AWS Perimeter Security Webinar on August 5, and in order to provide our customers with the best professional, impartial advice, we have reviewed the capabilities, pros and cons of the AWS Infrastructure protection services.
This is by no means a comprehensive review of everything, but it's a summary of key points.
What’s included in AWS Infrastructure protection services?
AWS Web Application Firewall
Commonly known as WAF. First released in 2015, the WAF service today is a mature product, with self defined rules and managed rules packages that you can procure on the AWS marketplace. AWS WAF addresses application layer security issues like content injection, remote command execution, cross site scripting, and more.
AWS Firewall Manager
This service, aka FMS, simplifies your AWS WAF administration and helps you enforce WAF rules on the resources across all the accounts in an AWS Organization by using AWS Config in the background. AWS Firewall Manager also enables you to selectively apply the rules to specific resources. In order to use FMS and reap its benefits, you must have an AWS organization, and must use AWS Config.
AWS Shield Advanced
AWS Shield standard is enabled free of charge for all AWS customers, and provides you with protection from common, most frequently occurring network and transport layer DDoS attacks.
AWS Shield Advanced provides additional protections for internet-facing applications running on Amazon Elastic Compute (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53. AWS Shield Advanced provides the following benefits over AWS Shield standard:
- Customizable protection rules
- Faster mitigation
- A 24/7 response team (requires AWS premium support).
- Full visibility into attack metrics, and access to global threat data.
- Insurance against the economic impact of a DDoS attack.
Let's start with the good things about AWS infrastructure protection.
If you already have an AWS account, it is extremely easy to start with AWS infrastructure protection, without signing contracts and without any commitment (except for Shield Advanced).
As commitments are not required, WAF and FMS are very economical on small scale operations. You can have an enterprise grade service even if you are just dipping your toes into cloud computing.
WAF, FMS and Shield are all well integrated with the other AWS services, and can be deployed to existing infrastructure almost without modifications to IT architecture.
Not all is good about AWS infrastructure protection.
If Bots are an issue to your operation, and they probably are, then know that the Bot protection provided by AWS is seriously lagging behind competing services. The AWS Bot protection provided in the WAF, is limited to IP reputation and Geo blocking, which is not good enough for modern apps and modern bots.
Cloudfront and WAF performance lags behind the performance of competing services.
Globaldots runs periodical benchmarks for Cloudfront and other CDN performance for static and dynamic traffic, and our measurements show that while Cloudfront usually improves the performance of both static and dynamic traffic, the competition does it better. This is especially true when you want to apply protection to non-AWS resources, but also true for AWS.
The AWS Shield Advanced is not a network protection service like Neustar or Akamai Prolexic. Instead, it is a resource protection service. You have to specify which of the relevant computing resources in your accounts to protect. It kind of makes sense, as AWS are protecting their network anyway. However, it means that you don’t get any protection for assets out of AWS.
We mentioned the good and the bad, but some AWS infrastructure protection features are neither good nor bad, but simply unexpected, so you have to be aware of them nonetheless.
On a small scale these things do not really matter, but as your usage grows so does the surprise factor.
AWS infrastructure protection services, in particular AWS WAF and AWS Firewall Manager, have a convoluted cost structure. While this is true about most of AWS services, with most other services it is easier to translate existing infrastructure into AWS architecture. In this case, you really cannot anticipate what your costs are going to be without expert help.
When you start using AWS Infrastructure protection, you will notice that there are hidden costs nobody mentioned. The following AWS services are all used within the context of security, and have their own, individual costs that are significant with larger usage: AWS Cloudwatch for security events and metrics, S3 to store logs, API calls, AWS Config for the Firewall Manager, inter-regional traffic between WAF nodes and your assets, and even egress traffic going to non-AWS origins.
Of course, if you want access to the DDOS response team, you have to have an expensive support plan to start with.
AWS infrastructure protection may be an excellent choice for you. It is easy to start using, well integrated, and even makes economic sense in many cases. Consider using AWS WAF, AWS FMS, or AWS Shield Advanced if most of the following applies to you:
- You are an exclusively AWS shop and do not have a cross-cloud or hybrid cloud shop.
- You have multiple AWS accounts in an AWS Organization
The AWS Cloudfront performance is good enough and you do not need more.
- You are a small startup, with no spare energy to negotiate contracts and start commitments
- You are an enterprise with centralized Security and Compliance teams and sensitive workloads
- Your workloads do not generate a lot of traffic
Additionally, consider using AWS Shield Advanced if you are willing to pay $3000/month for insurance against DDOS incurred expenses.
If you have any questions about AWS infrastructure protection services, or cloud computing in general, contact us today to help you out with your performance and security needs.