AWS Certified Security Specialty: Network Edge Security Cram Sheet
Design, implement, and troubleshoot security controls for network edge services
This cram sheet focuses on Domain 3.1: Design, implement, and troubleshoot security controls for network edge services. It covers the essential tools used to defend the perimeter: AWS WAF, AWS Shield, Amazon CloudFront security, and S3 Origin Access.
Topic Weighting
| Domain Section | Exam Weight (Approx.) | Criticality |
|---|---|---|
| Domain 3: Infrastructure Security | 26% | High |
| Task 3.1: Edge Services | ~8-10% | Critical |
> [!IMPORTANT]
> Expect at least 5-8 questions specifically on WAF rule logic, Shield Advanced benefits, and securing CloudFront origins.
Key Concepts Summary
1. AWS WAF (Web Application Firewall)
- Layer 7 Protection: Inspects HTTP/S traffic for SQL injection (SQLi), Cross-Site Scripting (XSS), and bad bots.
- Deployment: Can be associated with CloudFront (Global), ALB, API Gateway, and AppSync (Regional).
- Web ACLs: Contain rules that evaluate traffic. Rules can be Allow, Block, Count, or CAPTCHA.
- Rule Groups: Collections of rules (AWS Managed, Marketplace, or Custom).
2. AWS Shield (DDoS Protection)
- Shield Standard: Automatic, free protection for all customers against common L3/L4 attacks (e.g., SYN floods).
- Shield Advanced: Paid subscription ($3,000/mo) providing L7 DDoS mitigation, 24/7 access to the Shield Response Team (SRT), and cost protection (credits for scaling spikes during attacks).
3. Amazon CloudFront Security
- OAC (Origin Access Control): The modern way to ensure S3 buckets are only accessible via CloudFront. Replaces OAI and supports SSE-KMS.
- Field-Level Encryption: Encrypts sensitive data (e.g., credit card numbers) at the edge before it reaches the origin.
- Security Headers: Use CloudFront Functions or Lambda@Edge to inject Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), and X-Frame-Options.
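The header injection from item 3, as an added example that is not part of the original sheet: a CloudFront Function for the viewer-response event. The header values are assumed policy choices, not values the sheet prescribes.

```javascript
// Added example, not from the cram sheet: a CloudFront Function (viewer-response
// event) that injects the three headers named above. Values are assumed policy
// choices; adjust the CSP to what your application actually loads.
var SECURITY_HEADERS = {
    // One year, cover subdomains, eligible for browser preload lists.
    'strict-transport-security': { value: 'max-age=31536000; includeSubDomains; preload' },
    // Only same-origin resources; forbid framing by any site.
    'content-security-policy': { value: "default-src 'self'; frame-ancestors 'none'" },
    // Legacy clickjacking defence for browsers that ignore frame-ancestors.
    'x-frame-options': { value: 'DENY' }
};

function handler(event) {
    var response = event.response;
    var headers = response.headers;
    for (var name in SECURITY_HEADERS) {
        // CloudFront lowercases header names. Keep any value the origin already
        // set so an application-specific CSP is not silently replaced.
        if (!headers[name]) {
            headers[name] = SECURITY_HEADERS[name];
        }
    }
    return response;
}
```

Associate it with the viewer-response event of a behavior whose viewer protocol policy redirects HTTP to HTTPS; browsers honor HSTS only on responses received over HTTPS.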
Visual: Edge Request Flow
Formula / Equation Sheet
| Feature | AWS WAF | AWS Shield Advanced | AWS Network Firewall |
|---|---|---|---|
| OSI Layer | Layer 7 (Application) | Layers 3, 4, and 7 | Layers 3 through 7 |
| Scope | Web traffic (HTTP/S) | DDoS Volumetric/State | Full VPC Traffic (IP/Port/Domain) |
| Logging | Kinesis Data Firehose / S3 / CloudWatch Logs | CloudWatch Metrics | S3 / CloudWatch / Firehose |
| Primary Goal | Prevent exploits (OWASP) | Maintain availability | Perimeter/Inter-VPC filtering |
Mnemonics / Memory Triggers
- "WAF is for Web": Remember WAF only handles HTTP/S (Layer 7). It cannot block a ping (ICMP) or SSH (Port 22).
- "OAC = Awesome Compatibility": Remember OAC is better than OAI because it supports SSE-KMS and all S3 regions.
- "SRT for the SOS": If you see a question about "human expertise during an attack," the answer is Shield Response Team (SRT), which requires Shield Advanced.
Common Pitfalls
- ❌ Pitfall: Thinking WAF protects against all DDoS attacks.
- ✅ Reality: WAF handles Layer 7 DDoS (Request floods) via Rate-Based Rules. Shield handles Layer 3/4 volumetric attacks.
- ❌ Pitfall: Using OAI for new S3 buckets with KMS encryption.
- ✅ Reality: OAI does not support KMS. You must use Origin Access Control (OAC).
- ❌ Pitfall: Manually associating WAF Web ACLs across 50 accounts.
- ✅ Reality: Use AWS Firewall Manager to centrally deploy WAF rules and Shield policies across an entire Organization.
Worked Examples
Scenario: Protecting a Global API from Bot Scraping
Requirement: Block requests from a specific country and limit any single IP to 100 requests per 5 minutes.
Step-by-Step Solution:
- Create Web ACL: Define the scope as "Global" for CloudFront.
- Add Geo-Match Rule: Select the specific country to "Block."
- Add Rate-Based Rule: Set the limit to 100 and the action to "Block" or "CAPTCHA."
- Priority Check: Ensure the Geo-Match rule has a lower priority number than the rate-limit rule. WAF evaluates rules in ascending priority order, so the lower number is processed first.
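The scenario above expressed as a Web ACL definition, as an added example that is not part of the original sheet. It uses the shape the WAFv2 CreateWebACL API expects; the rule names, metric names and the placeholder country code "XX" are assumptions, and the scope value CLOUDFRONT is the API name for what the console calls "Global".

```javascript
// Added example, not from the cram sheet: builds the CloudFront-scoped Web ACL
// for the scenario above in the shape the WAFv2 CreateWebACL API expects.
// Rule names, metric names and the placeholder country code 'XX' are assumptions.
const WEB_ACL_SCOPE = 'CLOUDFRONT';  // CloudFront-scoped ACLs are created in us-east-1
const RATE_WINDOW_SECONDS = 300;     // the 5-minute window from the requirement

function visibility(metricName) {
  return { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: metricName };
}

function buildWebAcl(name, blockedCountries, requestLimit, rateAction) {
  // WAF rejects anything that is not an ISO 3166-1 alpha-2 code; fail early.
  if (!blockedCountries.every(c => /^[A-Z]{2}$/.test(c))) {
    throw new Error('country codes must be two uppercase letters, e.g. the placeholder "XX"');
  }
  return {
    Name: name,
    Scope: WEB_ACL_SCOPE,
    DefaultAction: { Allow: {} },          // allow whatever no rule matches
    VisibilityConfig: visibility(name),
    Rules: [
      {
        Name: 'BlockGeo',
        Priority: 0,                       // lowest number is evaluated first
        Statement: { GeoMatchStatement: { CountryCodes: blockedCountries } },
        Action: { Block: {} },
        VisibilityConfig: visibility('BlockGeo'),
      },
      {
        Name: 'RateLimitPerIp',
        Priority: 1,                       // only counts requests the geo rule let through
        Statement: {
          RateBasedStatement: {
            Limit: requestLimit,           // requests per source IP per window
            AggregateKeyType: 'IP',
            EvaluationWindowSec: RATE_WINDOW_SECONDS,
          },
        },
        Action: rateAction === 'CAPTCHA' ? { Captcha: {} } : { Block: {} },
        VisibilityConfig: visibility('RateLimitPerIp'),
      },
    ],
  };
}

// The "priority check" from the step list: the geo rule must carry the lower number.
function geoRunsBeforeRate(webAcl) {
  const prio = Object.fromEntries(webAcl.Rules.map(r => [r.Name, r.Priority]));
  return prio.BlockGeo < prio.RateLimitPerIp;
}
```

The returned object can be passed to the WAFv2 CreateWebACL call or pasted into the console's JSON editor.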
Visual: Layered Defense (TikZ)
\begin{tikzpicture}[node distance=1.5cm, every node/.style={fill=white, font=\small}]
  % Layers
  \draw[fill=blue!10] (0,0) rectangle (6,4);
  \node at (3,3.7) {\textbf{Edge Infrastructure}};
  % Boxes
  \draw[thick] (1,0.5) rectangle (5,1.2) node[midway] {Origin (S3/ALB)};
  \draw[thick, fill=orange!20] (1,1.5) rectangle (5,2.2) node[midway] {AWS WAF (Layer 7)};
  \draw[thick, fill=red!20] (1,2.5) rectangle (5,3.2) node[midway] {AWS Shield (L3/L4)};
  % Arrows
  \draw[->, thick] (3,4.5) -- (3,3.2);
  \draw[->, thick] (3,2.5) -- (3,2.2);
  \draw[->, thick] (3,1.5) -- (3,1.2);
  \node[anchor=west] at (6.2, 2.8) {Blocks Volumetric Attacks};
  \node[anchor=west] at (6.2, 1.8) {Blocks SQLi/XSS/Bad Bots};
\end{tikzpicture}
Practice Set
- Which service allows you to deploy a WAF rule across multiple AWS accounts in an organization?
- Answer: AWS Firewall Manager.
- To provide a custom error page when a user is blocked by WAF, where should you configure the response?
- Answer: In the WAF Web ACL "Custom Response" settings or via CloudFront Error Pages.
- True/False: Shield Standard protects against Layer 7 attacks.
- Answer: False. Standard is L3/L4 only. Advanced or WAF is needed for L7.
- What header is required to enforce HTTPS connections from the browser to CloudFront?
- Answer: Strict-Transport-Security (HSTS).
Recall Blanks
- To restrict S3 access to CloudFront and support KMS, use _______ _______ _______ (OAC).
- The _______ _______ _______ (SRT) provides manual assistance during DDoS attacks for Shield Advanced subscribers.
- WAF uses _______-_______ rules to prevent a single IP from overwhelming an endpoint with requests.
- To encrypt data at the edge before it reaches the origin, use _______-_______ encryption in CloudFront.
- AWS _______ _______ is the centralized service to manage WAF, Shield, and Security Group policies across accounts.