When a dev team deploys a workload in AWS, the cloud provider secures the underlying infrastructure, but under the shared responsibility model it does not shield the application itself from every external threat. Distributed denial-of-service (DDoS) attacks are the clearest case: AWS absorbs the most common network- and transport-layer floods automatically, but application-layer attacks and anything aimed specifically at the workload's capacity remain the customer's problem.
Even when the underlying AWS infrastructure works as designed, an external attack can degrade a workload's performance or make it unavailable. Such an attack can stop an IT team in its tracks, and it can also run up a large bill: traffic that triggers scaling consumes compute and bandwidth whether or not it is legitimate.
This makes it critical to use AWS security services when you integrate additional services or migrate new workloads into your deployment.
Elastic Load Balancing spreads traffic across instances and, paired with Auto Scaling, absorbs normal variations in demand and brief spikes; Amazon Route 53 does not scale a workload, but its health checks and failover or latency-based routing policies steer traffic away from an endpoint that has stopped responding. Admins can blunt more deliberate or prolonged attacks with resilient deployment strategies, such as compute clusters and multiregion storage replication. If an attack targets an AWS deployment in one region, the other region usually continues to function, albeit at reduced performance, because it now carries the redirected traffic on whatever capacity was provisioned there. Scaling is not a complete answer, though: past a certain point it is cheaper to drop attack traffic at the edge than to pay to serve it, which is where the dedicated services below come in.
Cloud architects can use additional AWS security services, such as Shield and Web Application Firewall (WAF), to guard against deliberate attacks. AWS Shield Standard is enabled automatically and at no charge for every AWS customer and provides DDoS protection against common attacks at the network and transport layers (layers 3 and 4), such as SYN floods and UDP reflection attacks. For a fee, Shield Advanced adds detailed attack diagnostics and near-real-time visibility, tighter integration with other native services (including AWS WAF at no additional charge for protected resources), cost protection that credits scaling charges incurred during an attack, and 24/7 access to the Shield Response Team to assist with remediation.
By contrast, AWS WAF works at the application layer (layer 7) and specifically guards web-based applications against attacks that threaten website security or availability. These include cross-site scripting, SQL injection and application-layer DDoS, meaning HTTP request floods that Shield's layer 3 and 4 protections do not see. WAF attaches to the resources that terminate HTTP traffic: Amazon CloudFront distributions, Application Load Balancers, API Gateway and AppSync.
Admins can apply AWS Managed Rules groups for the common attack classes and write custom rules, based on IP sets, geographic origin, string or regex matches on headers and bodies, and per-client request rates, to block other undesirable traffic types or behaviors. AWS WAF integrates with other Amazon cloud services to monitor workload traffic and behavior as it occurs: every rule emits CloudWatch metrics and sampled requests, and full request logs can be sent to Amazon S3, CloudWatch Logs or Kinesis Data Firehose. A practical caveat is that managed rules can match legitimate traffic, so roll new rules out in Count mode, review what they would have blocked, and only then switch them to Block.
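The following is an added example, written for this article and not AWS sample code, showing what the Shield and WAF discussion above looks like in practice: a WAFv2 web ACL with a rate-based rule for HTTP floods, the AWS Managed Rules groups that cover cross-site scripting and SQL injection, a Count-mode switch for safe rollout, a static check for the mistakes the API would otherwise reject, and an optional Shield Advanced registration for the same load balancer. The boto3 calls are real, but the web ACL name, rule names, rate limit and ALB ARN are placeholders chosen for illustration.

```python
"""Build, sanity-check and (optionally) deploy an AWS WAFv2 web ACL.

Added example for this article, not AWS sample code. The boto3 wafv2 and
shield calls are real APIs; the names, rate limit and ARN are assumptions.
"""
from __future__ import annotations


def visibility(metric_name: str) -> dict:
    """Enable CloudWatch metrics and sampled requests on a rule or web ACL,
    so blocked traffic is observable rather than silently dropped."""
    return {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": metric_name,
    }


def managed_rule(priority: int, group_name: str, count_only: bool = False) -> dict:
    """Attach an AWS Managed Rules group. Managed groups take an OverrideAction
    (None = honour the group's own verdicts, Count = observe only); a plain
    Action on a managed group is rejected by the API."""
    return {
        "Name": group_name,
        "Priority": priority,
        "Statement": {
            "ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": group_name}
        },
        "OverrideAction": {"Count": {}} if count_only else {"None": {}},
        "VisibilityConfig": visibility(group_name),
    }


def rate_limit_rule(priority: int, limit: int) -> dict:
    """Block any source IP that sends more than `limit` requests in the
    rate-based rule's evaluation window (5 minutes by default). This is the
    application-layer flood control that layer 3/4 Shield does not provide."""
    return {
        "Name": "RateLimitPerIP",  # placeholder name
        "Priority": priority,
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
        "Action": {"Block": {}},
        "VisibilityConfig": visibility("RateLimitPerIP"),
    }


def build_rules(rate_limit: int = 2000, observe_only: bool = False) -> list[dict]:
    """Rule set for the article's three threat classes: the Common rule set
    covers XSS (among other patterns), the SQLi rule set covers SQL injection,
    and the rate-based rule handles HTTP floods. observe_only rolls the managed
    groups out in Count mode so false positives show up in CloudWatch first."""
    return [
        rate_limit_rule(0, rate_limit),  # 2000/5 min is an assumed starting point
        managed_rule(1, "AWSManagedRulesCommonRuleSet", observe_only),
        managed_rule(2, "AWSManagedRulesSQLiRuleSet", observe_only),
    ]


def check_rules(rules: list[dict]) -> list[str]:
    """Static checks for mistakes create_web_acl rejects or that would leave
    blocks invisible. Returns a list of problems; empty means clean."""
    problems: list[str] = []
    seen: set[int] = set()
    for rule in rules:
        if rule["Priority"] in seen:
            problems.append(f"duplicate priority {rule['Priority']} on {rule['Name']}")
        seen.add(rule["Priority"])
        is_managed = "ManagedRuleGroupStatement" in rule["Statement"]
        if is_managed and "Action" in rule:
            problems.append(f"{rule['Name']}: managed group must use OverrideAction")
        if not is_managed and "OverrideAction" in rule:
            problems.append(f"{rule['Name']}: only managed groups take OverrideAction")
        if not rule["VisibilityConfig"]["CloudWatchMetricsEnabled"]:
            problems.append(f"{rule['Name']}: metrics disabled, blocks would be invisible")
        rate = rule["Statement"].get("RateBasedStatement")
        if rate is not None and rate["Limit"] <= 0:
            problems.append(f"{rule['Name']}: rate limit must be positive")
    return problems


def deploy_web_acl(alb_arn: str, name: str = "app-web-acl",
                   region: str = "us-east-1", shield_advanced: bool = False) -> str:
    """Create the web ACL, attach it to an ALB and optionally register the ALB
    with Shield Advanced (requires an active subscription). Needs AWS
    credentials and network access, so it is not exercised offline."""
    import boto3  # imported here so the pure functions above run without boto3

    rules = build_rules()
    problems = check_rules(rules)
    if problems:
        raise ValueError("; ".join(problems))
    wafv2 = boto3.client("wafv2", region_name=region)
    # Capacity is reported in WCUs; compare it with the account's web ACL quota.
    wafv2.check_capacity(Scope="REGIONAL", Rules=rules)
    acl = wafv2.create_web_acl(
        Name=name, Scope="REGIONAL", DefaultAction={"Allow": {}},
        Rules=rules, VisibilityConfig=visibility(name),
    )["Summary"]
    wafv2.associate_web_acl(WebACLArn=acl["ARN"], ResourceArn=alb_arn)
    if shield_advanced:
        # The Shield API is global and served from us-east-1.
        boto3.client("shield", region_name="us-east-1").create_protection(
            Name=name, ResourceArn=alb_arn)
    return acl["ARN"]
```

Run `build_rules(observe_only=True)` for the first deployment, watch the `Count` metrics for each managed group in CloudWatch, then redeploy with `observe_only=False` once the false-positive rate is acceptable. For CloudFront rather than an ALB, the scope is `CLOUDFRONT`, the client must be created in `us-east-1`, and the web ACL is attached through the distribution configuration instead of `associate_web_acl`.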