Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.
3.4.2.5. Combining Security Controls for Defense in Depth (ACM, WAF, Shield)
Defense in depth means that the failure of any single security control does not expose the system: each layer is designed to catch what the layer before it missed, so an attacker has to defeat several independent controls rather than one.
Security layers from edge to data:
- Edge (CloudFront + Shield + WAF): DDoS protection, web application firewall, geo-blocking
- Network (VPC + NACLs + Security Groups): Network segmentation, port filtering
- Compute (EC2/ECS + Inspector + SSM): Vulnerability scanning, patching, hardening
- Application (Cognito + API Gateway): Authentication, authorization, rate limiting
- Data (KMS + Macie + S3 policies): Encryption, data classification, access control
- Audit (CloudTrail + Config + Security Hub): Logging, compliance, finding aggregation
AWS Shield:
- Shield Standard: Free, automatic, always-on protection against common network- and transport-layer (L3/L4) attacks such as SYN/UDP floods and reflection attacks, for all AWS customers
- Shield Advanced: $3,000/month with a one-year commitment. Adds application-layer (L7) DDoS mitigation (automatic application-layer mitigation deploys WAF rules for you), 24x7 access to the Shield Response Team (SRT, formerly the DDoS Response Team, DRT), cost protection (credits for scaling charges a protected resource incurs during an attack), and AWS WAF usage on protected resources at no extra charge. It protects CloudFront, Route 53, ELB, Elastic IPs and Global Accelerator resources that you explicitly enroll.
Combining WAF + Shield + CloudFront:
Internet → CloudFront (Shield + WAF) → ALB (Security Group) → EC2 (Inspector-scanned, SSM-patched)
                                                                   ↓
                                                 RDS (KMS encrypted, private subnet)
Each hop should accept traffic only from the hop before it, otherwise the edge layer can be bypassed: the ALB security group should allow inbound traffic only from CloudFront (for example via the AWS-managed prefix list of CloudFront origin-facing IP ranges), and the EC2 security group only from the ALB, so an attacker who discovers the origin's address cannot skip Shield and WAF by hitting the ALB directly.
AWS Network Firewall adds stateful inspection at the VPC level: Suricata-compatible IDS/IPS rules, domain (FQDN/SNI) filtering and protocol-aware rules that security groups and NACLs cannot express, because they only match on addresses, ports and protocols. Use it for compliance environments that require deep packet inspection or centralized egress filtering.
Exam Trap: Shield Standard protects against network- and transport-layer DDoS (SYN floods, UDP reflection). Application-layer attacks (HTTP floods) require WAF rate-based rules; even Shield Advanced's L7 mitigation works by placing WAF rules on the protected resource. If the exam describes an application-layer DDoS (millions of legitimate-looking HTTP requests), Shield alone isn't enough: you need WAF with rate-based rules in front of the application.
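To make the rate-based rule concrete, here is an added example (not code from the original page or from AWS) that does two things: it builds the WAFv2 rate-based rule document you would pass in the Rules list of wafv2.create_web_acl / update_web_acl, and it simulates offline how such a rule counts requests per source IP over a trailing window, so you can see why a slow crawler is not blocked while an HTTP flood is. The log lines are constructed for the example and use a simplified "timestamp ip method path" format rather than the real ALB access-log format; the rule name, limit and IP addresses are illustrative assumptions.

```python
"""WAF rate-based rule: the WAFv2 rule document plus an offline simulation
of how the rule counts requests per source IP over a trailing window.
Added example; log lines below are constructed, not real traffic."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def rate_based_rule(name: str, limit: int, priority: int = 0) -> dict:
    """Build a WAFv2 rate-based rule (one element of the Rules list for
    wafv2.create_web_acl / update_web_acl). Any single source IP that sends
    more than `limit` requests inside the trailing evaluation window is
    blocked until its rate drops below the limit again."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {
            "RateBasedStatement": {
                "Limit": limit,            # requests per window, per IP
                "AggregateKeyType": "IP",  # count per source IP
            }
        },
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def _parse_line(line: str):
    """Parse the constructed 'timestamp ip method path' format (assumption:
    this is NOT the ALB access-log format)."""
    ts, ip = line.split()[:2]
    stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return stamp, ip


def rate_limit_offenders(log_lines, limit: int, window_sec: int = 300) -> dict:
    """Return {ip: first_timestamp_at_which_it_exceeded_the_limit} for every
    client IP that had more than `limit` requests inside any trailing window
    of `window_sec` seconds. WAF's default evaluation window is 5 minutes."""
    by_ip = defaultdict(list)
    for line in log_lines:
        stamp, ip = _parse_line(line)
        by_ip[ip].append(stamp)

    window = timedelta(seconds=window_sec)
    offenders = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        recent = deque()  # timestamps inside the trailing window
        for stamp in stamps:
            recent.append(stamp)
            while stamp - recent[0] >= window:  # drop requests older than the window
                recent.popleft()
            if len(recent) > limit:
                offenders[ip] = stamp
                break
    return offenders


def _constructed_log():
    """Constructed sample traffic: a flood, a normal client and a slow crawler."""
    base = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    # HTTP flood: one IP sends 150 requests in 60 seconds
    for i in range(150):
        t = base + timedelta(milliseconds=400 * i)
        lines.append(f"{t.strftime(fmt)} 203.0.113.7 GET /login")
    # Legitimate client: 20 requests in a minute
    for i in range(20):
        t = base + timedelta(seconds=3 * i)
        lines.append(f"{t.strftime(fmt)} 198.51.100.5 GET /")
    # Slow crawler: 120 requests over 20 minutes, never more than ~30 in any 5 min
    for i in range(120):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t.strftime(fmt)} 192.0.2.9 GET /catalog")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    import json
    print(json.dumps(rate_based_rule("RateLimitPerIP", 1000), indent=2))
    # With a 5-minute window only the flood source crosses a limit of 100
    print(rate_limit_offenders(SAMPLE_LOG, limit=100))
```

The simulation shows the property the exam trap relies on: the crawler sends more total requests than the flood source, but because the rule counts per trailing window it is never blocked, while the flood crosses the limit within the first minute. Widening the window (the `window_sec` parameter, which corresponds to the rule's evaluation window setting) changes which clients are caught, so pick the limit and window from measured legitimate traffic, not from the attack you are reacting to.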

Written by Alvin Varughese • Founder • 15 professional certifications