AWS Infrastructure Protection Services

Francesco Altomare Southern Europe Regional Manager @ GlobalDots
4 Min read

AWS is best known for being the leading Infrastructure as a service provider.

In recent years, AWS has been adding to its portfolio infrastructure protection services that used to be in the exclusive domain of security vendors.

Reduce your AWS costs by over 50%

Discover your Cloud Saving Potential – Answer just 5 simple questions. AppsFlyer, Playtika, Lufthansa, IBM, top leading companies are already using our FinOps services.

Reduce your AWS costs 
by over 50%

Following the AWS Perimeter Security Webinar on August 5, and in order to provide our customers with the best professional, impartial advice, we have reviewed the capabilities, pros and cons of the AWS Infrastructure protection services.

This is by no means a comprehensive review of everything, but it’s a summary of key points.

What’s included in AWS Infrastructure protection services?

AWS Web Application Firewall

Commonly known as WAF. First released in 2015, the WAF service today is a mature product, with self defined rules and managed rules packages that you can procure on the AWS marketplace. AWS WAF addresses application layer security issues like content injection, remote command execution, cross site scripting, and more.

AWS Firewall Manager

This service, aka FMS, simplifies your AWS WAF administration and helps you enforce WAF rules on the resources across all the accounts in an AWS Organization by using AWS Config in the background. AWS Firewall Manager also enables you to selectively apply the rules to specific resources. In order to use FMS and reap its benefits, you must have an AWS organization, and must use AWS Config.

AWS Shield Advanced

AWS Shield standard is enabled free of charge for all AWS customers, and provides you with protection from common, most frequently occurring network and transport layer DDoS attacks.

AWS Shield Advanced provides additional protections for internet-facing applications running on Amazon Elastic Compute (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53. AWS Shield Advanced provides the following benefits over AWS Shield standard:

  • Customizable protection rules
  • Faster mitigation
  • A 24/7 response team (requires AWS premium support).
  • Full visibility into attack metrics, and access to global threat data.
  • Insurance against the economic impact of a DDoS attack.

The Good

Let’s start with the good things about AWS infrastructure protection.

If you already have an AWS account, it is extremely easy to start with AWS infrastructure protection, without signing contracts and without any commitment (except for Shield Advanced).

As commitments are not required, WAF and FMS are very economical on small scale operations. You can have an enterprise grade service even if you are just dipping your toes into cloud computing.

WAF, FMS and Shield are all well integrated with the other AWS services, and can be deployed to existing infrastructure almost without modifications to IT architecture.

The Bad

Not all is good about AWS infrastructure protection.

If Bots are an issue to your operation, and they probably are, then know that the Bot protection provided by AWS is seriously lagging behind competing services. The AWS Bot protection provided in the WAF, is limited to IP reputation and Geo blocking, which is not good enough for modern apps and modern bots.

Cloudfront and WAF performance lags behind the performance of competing services.

Globaldots runs periodical benchmarks for Cloudfront and other CDN performance for static and dynamic traffic, and our measurements show that while Cloudfront usually improves the performance of both static and dynamic traffic, the competition does it better. This is especially true when you want to apply protection to non-AWS resources, but also true for AWS.

The AWS Shield Advanced is not a network protection service like Neustar or Akamai Prolexic. Instead, it is a resource protection service. You have to specify which of the relevant computing resources in your accounts to protect. It kind of makes sense, as AWS are protecting their network anyway. However, it means that you don’t get any protection for assets out of AWS.

The Ugly

We mentioned the good and the bad, but some AWS infrastructure protection features are neither good nor bad, but simply unexpected, so you have to be aware of them nonetheless.

On a small scale these things do not really matter, but as your usage grows so does the surprise factor.

AWS infrastructure protection services, in particular AWS WAF and AWS Firewall Manager, have a convoluted cost structure. While this is true about most of AWS services, with most other services it is easier to translate existing infrastructure into AWS architecture. In this case, you really cannot anticipate what your costs are going to be without expert help.

When you start using AWS Infrastructure protection, you will notice that there are hidden costs nobody mentioned. The following AWS services are all used within the context of security, and have their own, individual costs that are significant with larger usage: AWS Cloudwatch for security events and metrics, S3 to store logs, API calls, AWS Config for the Firewall Manager, inter-regional traffic between WAF nodes and your assets, and even egress traffic going to non-AWS origins.

Of course, if you want access to the DDOS response team, you have to have an expensive support plan to start with.


AWS infrastructure protection may be an excellent choice for you. It is easy to start using, well integrated, and even makes economic sense in many cases. Consider using AWS WAF, AWS FMS, or AWS Shield Advanced if most of the following applies to you:

  • You are an exclusively AWS shop and do not have a cross-cloud or hybrid cloud shop.
  • You have multiple AWS accounts in an AWS Organization
    The AWS Cloudfront performance is good enough and you do not need more.
  • You are a small startup, with no spare energy to negotiate contracts and start commitments
  • You are an enterprise with centralized Security and Compliance teams and sensitive workloads
  • Your workloads do not generate a lot of traffic

Additionally, consider using AWS Shield Advanced if you are willing to pay $3000/month for insurance against DDOS incurred expenses.

If you have any questions about AWS infrastructure protection services, or cloud computing in general, contact us today to help you out with your performance and security needs.

Latest Articles

Cut Big Data Costs by 23%: 7 Key Practices

In this webinar, we reveal a solution that cuts big data costs by 23% and enhances system efficiency - without changing a single line of code. We’ll also explore 7 key practices that will free your engineers to process and analyze data at the pace and scale they need - and ensure they never lose control of the process.

Developer AXE-WEB
15th April, 2024
Project FOCUS: A New Age of FinOps Visibility

It’s easy for managers and team leaders to get caught up in the cultural scrum of FinOps. Hobbling many FinOps projects, however, is a lack of on-the-ground support for the DevOps teams that are having to drive this widespread change – this is how all too many FinOps projects become abandoned on the meeting room […]

Nesh (Steven Puddephatt) Senior Solutions Engineer @ GlobalDots
27th March, 2024
Optimize Your Cloud Spend with a FinOps Maturity Assessment

Achieving FinOps is a tall order: it demands a degree of organizational self-awareness that some companies are constantly battling for. Consider the predicament that many teams find themselves in: while their cloud environments may contain a number of small things that could be optimized, there are no single glaring mistakes that are consuming massive quantities […]

Nesh (Steven Puddephatt) Senior Solutions Engineer @ GlobalDots
27th March, 2024

Unlock Your Cloud Potential

Schedule a call with our experts. Discover new technology and get recommendations to improve your performance.

Unlock Your Cloud Potential