4.1.1. Edge Security Strategies and Threat Modeling
First Principle: Effective edge security starts with threat modeling — understanding who your attackers are, what methods they use, and what they're targeting — then selecting edge controls that specifically counter those threats.
Common Edge Threats:
| Threat | Method | Edge Defense |
|---|---|---|
| DDoS (volumetric) | Flood with traffic to exhaust capacity | Shield Standard/Advanced, CloudFront |
| DDoS (application) | Slow HTTP attacks, request floods | WAF rate-based rules |
| Web exploits | SQL injection, XSS, SSRF | WAF managed rules (OWASP Top 10) |
| Bot abuse | Credential stuffing, scraping | WAF Bot Control |
| Geographic targeting | Attacks from specific countries | CloudFront geo restrictions |
Edge Security Architecture:
Shield Standard is automatic and free — it provides protection against the most common Layer 3/4 DDoS attacks for all AWS resources. Shield Advanced adds a dedicated DDoS response team, cost protection, enhanced detection, and Layer 7 DDoS mitigation. Shield Advanced requires explicit enrollment and covers specific resource types (CloudFront, ALB, EIP, Global Accelerator).
⚠️ Exam Trap: Shield Standard protects against Layer 3/4 DDoS (network floods). Shield Advanced adds Layer 7 (application-layer) DDoS protection. If a question describes an HTTP flood attack, Shield Standard alone is insufficient — you need Shield Advanced with WAF.
Scenario: A financial services company needs to protect both their website (CloudFront) and their API (ALB) against DDoS attacks, including application-layer HTTP floods. They enable Shield Advanced on both resources and configure WAF rate-based rules as the Layer 7 defense.
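To make the Layer 7 half of the scenario concrete, the following is an added example (not AWS code and not part of the original guide). It renders the WAFv2 rule JSON for a rate-based rule keyed on source IP, and then simulates that rule's semantics offline: requests per source IP are counted over a trailing window (the rule's default window is 5 minutes) and a source is blocked once its count exceeds the limit. The rule name, the small limit of 5, and the log lines are constructed for the demonstration; the real evaluation happens inside AWS WAF, not in this code.

```python
"""Simulated WAF rate-based rule (the Layer 7 HTTP-flood control in the scenario).

Added example, not AWS code. It mirrors the semantics of a WAFv2
RateBasedStatement (count requests per source IP in a trailing window,
block the source while the count exceeds the limit) over constructed
access-log lines so the detection logic can be exercised offline.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed tuning values for this demo; production limits are far higher.
RATE_LIMIT = 5                  # requests per source IP allowed inside the window
WINDOW = timedelta(minutes=5)   # default evaluation window of a WAF rate-based rule


def wafv2_rate_rule(name: str, limit: int) -> dict:
    """Return the JSON-shaped WAFv2 rule that expresses the same policy.

    This is the structure accepted in the Rules list of a web ACL; it blocks
    any source IP whose request count exceeds `limit` in the evaluation window.
    """
    return {
        "Name": name,
        "Priority": 0,
        "Statement": {
            "RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}
        },
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


class RateBasedRule:
    """Trailing-window request counter per source IP."""

    def __init__(self, limit: int, window: timedelta):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # ip -> timestamps still inside the window

    def evaluate(self, ip: str, ts: datetime) -> str:
        q = self._hits[ip]
        q.append(ts)
        # Drop timestamps that have aged out of the window.
        while q and ts - q[0] > self.window:
            q.popleft()
        return "BLOCK" if len(q) > self.limit else "ALLOW"


def parse_log_line(line: str):
    """Constructed log format: '<ISO timestamp> <source IP> <request line>'."""
    ts_s, ip, _request = line.split(" ", 2)
    return datetime.fromisoformat(ts_s), ip


# Constructed sample traffic (documentation IP ranges):
#  203.0.113.5  -> 3 ordinary requests
#  198.51.100.7 -> 7 requests in seven seconds (an HTTP flood)
#  192.0.2.9    -> exactly 5 requests, then one more after the window expires
SAMPLE_LOG = [
    "2024-01-01T10:00:00 203.0.113.5 GET /index.html",
    "2024-01-01T10:00:01 198.51.100.7 GET /login",
    "2024-01-01T10:00:02 198.51.100.7 GET /login",
    "2024-01-01T10:00:03 198.51.100.7 GET /login",
    "2024-01-01T10:00:04 198.51.100.7 GET /login",
    "2024-01-01T10:00:05 198.51.100.7 GET /login",
    "2024-01-01T10:00:06 198.51.100.7 GET /login",
    "2024-01-01T10:00:07 198.51.100.7 GET /login",
    "2024-01-01T10:00:10 192.0.2.9 GET /api/balance",
    "2024-01-01T10:00:11 192.0.2.9 GET /api/balance",
    "2024-01-01T10:00:12 192.0.2.9 GET /api/balance",
    "2024-01-01T10:00:13 192.0.2.9 GET /api/balance",
    "2024-01-01T10:00:14 192.0.2.9 GET /api/balance",
    "2024-01-01T10:00:30 203.0.113.5 GET /about",
    "2024-01-01T10:01:00 203.0.113.5 GET /contact",
    "2024-01-01T10:06:00 192.0.2.9 GET /api/balance",
]


def evaluate_log(lines, limit=RATE_LIMIT, window=WINDOW):
    """Run every log line through the rule; return (ip, decision) pairs in order."""
    rule = RateBasedRule(limit, window)
    decisions = []
    for line in lines:
        ts, ip = parse_log_line(line)
        decisions.append((ip, rule.evaluate(ip, ts)))
    return decisions


def blocked_sources(lines, limit=RATE_LIMIT, window=WINDOW):
    """Sorted list of source IPs that received at least one BLOCK decision."""
    return sorted({ip for ip, d in evaluate_log(lines, limit, window) if d == "BLOCK"})


if __name__ == "__main__":
    import json
    print(json.dumps(wafv2_rate_rule("HttpFloodPerIP", 2000), indent=2))
    for ip, decision in evaluate_log(SAMPLE_LOG):
        print(f"{ip:14} {decision}")
    print("blocked:", blocked_sources(SAMPLE_LOG))
```

Only 198.51.100.7 is blocked (its sixth and seventh requests exceed the limit); 192.0.2.9 stays allowed because its sixth request arrives after the first five have aged out of the window. That is the property the scenario relies on: Shield absorbs the volumetric flood at Layers 3/4, while a rate-based rule is what distinguishes a legitimate client from an HTTP flood at Layer 7.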
Reflection Question: Why does effective DDoS defense require controls at both the network layer (Shield) and the application layer (WAF)?