Home Resources Blog AWS Infrastructure Protection Services

AWS Infrastructure Protection Services

Francesco Altomare, Southern Europe Regional Manager @ GlobalDots
27.08.2020
image 4 Min read

AWS is best known for being the leading Infrastructure as a service provider.

In recent years, AWS has been adding to its portfolio infrastructure protection services that used to be in the exclusive domain of security vendors.

Following the AWS Perimeter Security Webinar on August 5, and in order to provide our customers with the best professional, impartial advice, we have reviewed the capabilities, pros and cons of the AWS Infrastructure protection services.

This is by no means a comprehensive review of everything, but it’s a summary of key points.

What’s included in AWS Infrastructure protection services?

AWS Web Application Firewall

Commonly known as WAF. First released in 2015, the WAF service today is a mature product, with self defined rules and managed rules packages that you can procure on the AWS marketplace. AWS WAF addresses application layer security issues like content injection, remote command execution, cross site scripting, and more.

AWS Firewall Manager

This service, aka FMS, simplifies your AWS WAF administration and helps you enforce WAF rules on the resources across all the accounts in an AWS Organization by using AWS Config in the background. AWS Firewall Manager also enables you to selectively apply the rules to specific resources. In order to use FMS and reap its benefits, you must have an AWS organization, and must use AWS Config.

AWS Shield Advanced

AWS Shield standard is enabled free of charge for all AWS customers, and provides you with protection from common, most frequently occurring network and transport layer DDoS attacks.

AWS Shield Advanced provides additional protections for internet-facing applications running on Amazon Elastic Compute (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53. AWS Shield Advanced provides the following benefits over AWS Shield standard:

  • Customizable protection rules
  • Faster mitigation
  • A 24/7 response team (requires AWS premium support).
  • Full visibility into attack metrics, and access to global threat data.
  • Insurance against the economic impact of a DDoS attack.

The Good

Let’s start with the good things about AWS infrastructure protection.

If you already have an AWS account, it is extremely easy to start with AWS infrastructure protection, without signing contracts and without any commitment (except for Shield Advanced).

As commitments are not required, WAF and FMS are very economical on small scale operations. You can have an enterprise grade service even if you are just dipping your toes into cloud computing.

WAF, FMS and Shield are all well integrated with the other AWS services, and can be deployed to existing infrastructure almost without modifications to IT architecture.

The Bad

Not all is good about AWS infrastructure protection.

If Bots are an issue to your operation, and they probably are, then know that the Bot protection provided by AWS is seriously lagging behind competing services. The AWS Bot protection provided in the WAF, is limited to IP reputation and Geo blocking, which is not good enough for modern apps and modern bots.

Cloudfront and WAF performance lags behind the performance of competing services.

Globaldots runs periodical benchmarks for Cloudfront and other CDN performance for static and dynamic traffic, and our measurements show that while Cloudfront usually improves the performance of both static and dynamic traffic, the competition does it better. This is especially true when you want to apply protection to non-AWS resources, but also true for AWS.

The AWS Shield Advanced is not a network protection service like Neustar or Akamai Prolexic. Instead, it is a resource protection service. You have to specify which of the relevant computing resources in your accounts to protect. It kind of makes sense, as AWS are protecting their network anyway. However, it means that you don’t get any protection for assets out of AWS.

The Ugly

We mentioned the good and the bad, but some AWS infrastructure protection features are neither good nor bad, but simply unexpected, so you have to be aware of them nonetheless.

On a small scale these things do not really matter, but as your usage grows so does the surprise factor.

AWS infrastructure protection services, in particular AWS WAF and AWS Firewall Manager, have a convoluted cost structure. While this is true about most of AWS services, with most other services it is easier to translate existing infrastructure into AWS architecture. In this case, you really cannot anticipate what your costs are going to be without expert help.

When you start using AWS Infrastructure protection, you will notice that there are hidden costs nobody mentioned. The following AWS services are all used within the context of security, and have their own, individual costs that are significant with larger usage: AWS Cloudwatch for security events and metrics, S3 to store logs, API calls, AWS Config for the Firewall Manager, inter-regional traffic between WAF nodes and your assets, and even egress traffic going to non-AWS origins.

Of course, if you want access to the DDOS response team, you have to have an expensive support plan to start with.

Conclusion

AWS infrastructure protection may be an excellent choice for you. It is easy to start using, well integrated, and even makes economic sense in many cases. Consider using AWS WAF, AWS FMS, or AWS Shield Advanced if most of the following applies to you:

  • You are an exclusively AWS shop and do not have a cross-cloud or hybrid cloud shop.
  • You have multiple AWS accounts in an AWS Organization
    The AWS Cloudfront performance is good enough and you do not need more.
  • You are a small startup, with no spare energy to negotiate contracts and start commitments
  • You are an enterprise with centralized Security and Compliance teams and sensitive workloads
  • Your workloads do not generate a lot of traffic

Additionally, consider using AWS Shield Advanced if you are willing to pay $3000/month for insurance against DDOS incurred expenses.

If you have any questions about AWS infrastructure protection services, or cloud computing in general, contact us today to help you out with your performance and security needs.

Learn More

You’ll Need Zero Trust, But You Won’t Get It with a VPN
SD-WAN and SASE
Eyal Webber Zvik, Cato Networks 12.01.23

Properly implemented, a zero trust architecture provides much more granular and effective security than legacy security models. However, this is only true if a zero trust initiative is supported with the right tools. Legacy solutions, such as virtual private networks (VPNs), lack the capabilities necessary to implement a zero trust security strategy. Zero Trust Security is […]

Read more
4 Ways Where Remote Access VPNs Fall Short
SD-WAN and SASE
Eyal Webber Zvik, Cato Networks 09.01.23

The Global Content Delivery Network (CDN) market is expected to grow by $42.4 billion between now and 2032.

Read more
slider item
Content Delivery Network (CDN)
Francesco Altomare, Southern Europe Regional Manager @ GlobalDots 04.01.23

A Content Delivery Network (CDN) is a globally distributed network of web servers or Points of Presence (PoP) whose purpose is to provide faster content delivery. The content is replicated and stored throughout the CDN so the user can access the data that is stored at a location that is geographically closest to the user. […]

Read more
Unlock Your Cloud Potential
Schedule a call with our experts. Discover new technology and get recommendations to improve your performance.
Book a Demo