
AWS Managed Security Services: Shield, WAF, GuardDuty, and Security Hub

AWS managed security services (for example, AWS Shield, AWS WAF, Amazon GuardDuty, AWS Security Hub)

This guide covers the core AWS-managed services designed to protect infrastructure, detect threats, and centralize security management. These services form the backbone of a "defense-in-depth" strategy on AWS.

Learning Objectives

By the end of this module, you should be able to:

  • Differentiate between AWS Shield Standard and Advanced for DDoS protection.
  • Configure AWS WAF rules to mitigate common web exploits like SQL injection and XSS.
  • Explain how Amazon GuardDuty uses threat intelligence and machine learning to identify threats in VPC Flow Logs, DNS logs, and CloudTrail events.
  • Centralize security findings from multiple accounts and services using AWS Security Hub.
  • Determine the appropriate security control based on specific compliance and protection requirements.

Key Terms & Glossary

  • DDoS (Distributed Denial of Service): An attempt to make an online service unavailable by overwhelming it with traffic from multiple sources.
  • WORM (Write Once, Read Many): Data storage technology that prevents files from being edited or deleted after they are written, crucial for log integrity.
  • Finding: A potential security issue identified by an AWS security service (e.g., GuardDuty or Inspector).
  • Web ACL (Access Control List): A set of rules in AWS WAF that defines which web requests to allow or block based on conditions.
  • Threat Detection: The process of identifying malicious actors or activities within an environment, often using behavioral analysis.

The "Big Idea"

Modern security in the cloud is not a single "firewall" but a multi-layered ecosystem. Protection starts at the edge (Shield/WAF), moves into the network and account level (GuardDuty), and is managed through a single pane of glass (Security Hub). This architecture ensures that even if one layer is bypassed, others are in place to detect and mitigate the threat while alerting administrators immediately.

Formula / Concept Box

Service | Primary Function | Layer | Key Feature
AWS Shield | DDoS protection | Layers 3/4 (Standard), adds Layer 7 (Advanced) | Standard is automatic for all customers
AWS WAF | Web traffic filtering | Layer 7 (Application) | SQLi/XSS mitigation and Bot Control
GuardDuty | Threat detection | Account / infrastructure | Agentless analysis of logs using threat intel and ML
Security Hub | Posture management | Governance / compliance | Centralizes findings and compliance checks

Hierarchical Outline

  • Infrastructure Protection
    • AWS Shield
      • Standard: Free, protects against most common L3/L4 attacks.
      • Advanced: Paid, includes 24/7 Shield Response Team (SRT) access and cost protection.
    • AWS WAF (Web Application Firewall)
      • Attaches to CloudFront distributions, Application Load Balancers, API Gateway REST APIs, AppSync GraphQL APIs, and Cognito user pools, among other resource types.
      • Uses Managed Rule Groups for rapid deployment against common threats.
  • Threat Detection & Monitoring
    • Amazon GuardDuty
      • Data Sources: VPC Flow Logs, DNS query logs, and CloudTrail management and S3 data events (optional protection plans add EKS audit logs, RDS login activity, Lambda network activity, and runtime monitoring).
      • Detection Types: compromised credentials or accounts, compromised EC2 instances, reconnaissance, and communication with known malicious IPs or domains.
  • Centralized Governance
    • AWS Security Hub
      • Aggregates findings from GuardDuty, Inspector, Macie, and IAM Access Analyzer.
      • Automated compliance checks against CIS Foundations and PCI DSS standards.
    • AWS Firewall Manager
      • Centrally manages WAF, Shield, and Security Group rules across an entire AWS Organization.

Visual Anchors

Security Finding Pipeline

(Diagram not rendered in this copy.)

Traffic Protection Flow

\begin{tikzpicture}[node distance=2cm]
  \draw[thick] (-3,0) -- (8,0);
  \node (internet) at (-4,0) {Internet};
  \node (shield) [draw, fill=blue!10, minimum width=2cm, minimum height=1cm] at (0,0) {AWS Shield};
  \node (waf) [draw, fill=orange!10, minimum width=2cm, minimum height=1cm] at (3,0) {AWS WAF};
  \node (resource) [draw, fill=green!10, minimum width=2cm, minimum height=1cm] at (6,0) {ALB / CloudFront};

  \draw[->, >=stealth, thick] (internet) -- (shield);
  \draw[->, >=stealth, thick] (shield) -- (waf);
  \draw[->, >=stealth, thick] (waf) -- (resource);

  \node[below=0.5cm of shield] {DDoS Protection};
  \node[below=0.5cm of waf] {Layer 7 Filtering};
  \node[below=0.5cm of resource] {Entry Point};
\end{tikzpicture}

Definition-Example Pairs

  • AWS WAF → A service that filters HTTP/S requests to CloudFront, ALB, API Gateway and similar front doors using web ACL rules.
    • Example: Adding a rule with an XSS match statement (or the AWS Managed Rules Core rule set) to block requests whose query string or body carries a cross-site scripting payload such as <script>. Text transformations (URL decode, lowercase) are applied before matching so that encoded variants are caught as well.
  • Amazon GuardDuty → A continuous security monitoring (threat detection) service that analyzes account and network logs.
    • Example: Detecting that an EC2 instance is querying a domain associated with cryptocurrency mining (finding type CryptoCurrency:EC2/BitcoinTool.B!DNS).
  • AWS Security Hub → A security posture management service that aggregates findings and runs compliance checks.
    • Example: Seeing, on a single dashboard, a control failure reporting that an S3 bucket in Account B is public, alongside a GuardDuty finding from Account C.
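To make the web ACL evaluation order and the XSS example concrete, here is an added Python model of how AWS WAF evaluates a web ACL. It is example code written for this guide, not AWS code or the WAF service itself: the web ACL, rule names, country codes and requests are all constructed, and the evaluator supports only a subset of statement types (GeoMatchStatement and ByteMatchStatement). It shows why a naive "contains <script>" rule is weak: without a URL_DECODE text transformation a percent-encoded payload passes straight through it.

```python
"""Simplified model of AWS WAF web ACL evaluation (added example, not AWS code).

Rules run in ascending Priority order. The first matching rule whose Action
is Block or Allow terminates evaluation; a Count rule records the match and
lets evaluation continue; DefaultAction applies when no rule terminates.
The rule dictionaries follow the wafv2 API shape (Statement, FieldToMatch,
TextTransformations), but the evaluator is a stand-in, not the real service.
"""
import urllib.parse
from typing import List, Tuple

# Constructed web ACL: a geo block, a naive literal "<script>" rule (kept in
# Count mode so its misses are visible), and a hardened rule that URL-decodes
# and lowercases the field before matching.
WEB_ACL = {
    "Name": "example-web-acl",
    "DefaultAction": {"Allow": {}},
    "Rules": [
        {"Name": "block-embargoed-countries", "Priority": 0,
         "Action": {"Block": {}},
         "Statement": {"GeoMatchStatement": {"CountryCodes": ["KP", "IR"]}}},
        {"Name": "naive-script-tag", "Priority": 10,
         "Action": {"Count": {}},
         "Statement": {"ByteMatchStatement": {
             "FieldToMatch": {"QueryString": {}},
             "SearchString": "<script>",
             "PositionalConstraint": "CONTAINS",
             "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}}},
        {"Name": "xss-script-tag", "Priority": 20,
         "Action": {"Block": {}},
         "Statement": {"ByteMatchStatement": {
             "FieldToMatch": {"QueryString": {}},
             "SearchString": "<script",
             "PositionalConstraint": "CONTAINS",
             "TextTransformations": [{"Priority": 0, "Type": "URL_DECODE"},
                                     {"Priority": 1, "Type": "LOWERCASE"}]}}},
    ],
}


def _transform(value: str, transformations: List[dict]) -> str:
    """Apply WAF text transformations in their own Priority order."""
    for t in sorted(transformations, key=lambda t: t["Priority"]):
        if t["Type"] == "URL_DECODE":
            value = urllib.parse.unquote_plus(value)
        elif t["Type"] == "LOWERCASE":
            value = value.lower()
        elif t["Type"] == "COMPRESS_WHITE_SPACE":
            value = " ".join(value.split())
    return value


def _field(request: dict, field_to_match: dict) -> str:
    """Pick the request component named by FieldToMatch (subset supported)."""
    if "QueryString" in field_to_match:
        return request.get("query_string", "")
    if "UriPath" in field_to_match:
        return request.get("uri", "")
    if "SingleHeader" in field_to_match:
        name = field_to_match["SingleHeader"]["Name"].lower()
        return request.get("headers", {}).get(name, "")
    raise ValueError("unsupported FieldToMatch")


def _matches(statement: dict, request: dict) -> bool:
    if "GeoMatchStatement" in statement:
        return request.get("country") in statement["GeoMatchStatement"]["CountryCodes"]
    if "ByteMatchStatement" in statement:
        s = statement["ByteMatchStatement"]
        value = _transform(_field(request, s["FieldToMatch"]), s["TextTransformations"])
        needle = s["SearchString"]
        return {"CONTAINS": needle in value,
                "STARTS_WITH": value.startswith(needle),
                "ENDS_WITH": value.endswith(needle),
                "EXACTLY": value == needle}[s["PositionalConstraint"]]
    raise ValueError("unsupported statement")


def evaluate(web_acl: dict, request: dict) -> Tuple[str, List[str]]:
    """Return (final action, names of rules that matched, in evaluation order)."""
    matched: List[str] = []
    for rule in sorted(web_acl["Rules"], key=lambda r: r["Priority"]):
        if not _matches(rule["Statement"], request):
            continue
        matched.append(rule["Name"])
        action = next(iter(rule["Action"]))
        if action in ("Block", "Allow"):
            return action, matched
    return next(iter(web_acl["DefaultAction"])), matched


if __name__ == "__main__":
    # Constructed request: the URL-encoded payload slips past the naive rule
    # but is caught by the rule that decodes before matching.
    encoded = {"country": "US", "query_string": "q=%3CSCRIPT%3Ealert(1)%3C/script%3E"}
    print(evaluate(WEB_ACL, encoded))  # ('Block', ['xss-script-tag'])
```

In production, prefer the XssMatchStatement or the AWS Managed Rules Core rule set over hand-written byte matches; the point of the model is the evaluation semantics (priorities, terminating versus Count actions, and text transformations), which is what exam questions and real incident reviews turn on.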

Worked Examples

Problem: Multi-Account Threat Management

Scenario: A company has 50 AWS accounts. They want to ensure that any threat detected in any account is visible to the central security team, and they must ensure all accounts follow the CIS AWS Foundations Benchmark.

Step-by-Step Solution:

  1. Enable GuardDuty across the organization: from the Organizations management account, designate a delegated GuardDuty administrator, then have that account add every member and turn on auto-enable so new accounts are covered automatically.
  2. Enable Security Hub the same way: designate a delegated Security Hub administrator account (the "Administrator" account) from the management account.
  3. Add all organization accounts as Security Hub members from the administrator account, with auto-enable for new accounts; invitations are only needed for accounts outside the organization. If accounts span Regions, enable cross-Region aggregation so findings land in one home Region.
  4. Enable the CIS AWS Foundations Benchmark standard in Security Hub for all members to automate compliance checks.
  5. Result: the central team sees near-real-time threats and compliance scores for the entire organization in one place.

Checkpoint Questions

  1. Which service is best suited for blocking traffic from a specific country to your web application?
  2. What three main log sources does Amazon GuardDuty analyze for threat detection?
  3. How does AWS Shield Advanced differ from Shield Standard regarding the Shield Response Team (SRT)?
  4. True or False: AWS Security Hub can ingest findings from third-party security products.
Answers
  1. AWS WAF (a web ACL rule with a geo match statement).
  2. VPC Flow Logs, DNS Logs, and CloudTrail Event Logs.
  3. Shield Advanced provides 24/7 access to the SRT, while Standard does not.
  4. True.

Muddy Points & Cross-Refs

  • GuardDuty vs. Inspector: Many students confuse these. GuardDuty monitors the environment for active threats (behavior), while Amazon Inspector scans instances/containers for vulnerabilities (software flaws).
  • WAF vs. Network Firewall: WAF is specifically for Layer 7 (HTTP/S). If you need to filter non-HTTP protocols (like SSH or RDP) at the network level, use AWS Network Firewall or Security Groups.
  • Log Immutability: To ensure logs are not tampered with, use S3 Object Lock (WORM) on your central Log Archive bucket.

Comparison Tables

Detection vs. Protection

Feature | GuardDuty | AWS WAF
Core purpose | Detection (reactive, intelligence-driven) | Protection (proactive filtering)
Primary logic | Machine learning and threat intelligence | Rule-based (web ACLs)
Action taken | Generates a finding | Allows, blocks, or counts a request
Scope | Analysis of VPC Flow, DNS, and CloudTrail logs | HTTP / HTTPS requests

Shield Standard vs. Advanced

Feature | Shield Standard | Shield Advanced
Cost | Free (included) | $3,000/month (1-year commitment) plus data transfer usage fees
Layer 7 protection | Minimal | Included (AWS WAF usage on protected resources is included)
Support | General AWS Support | 24/7 Shield Response Team (SRT)
Financials | No protection | DDoS cost protection (credits for scaling charges caused by an attack)
