AWS Machine Learning Associate Exam Walkthrough 91 AWS WAF and Shield - October 07
VIEW RECORDING: https://fathom.video/share/uxe_3Xbdr8...
Meeting Purpose
To discuss AWS WAF and Shield for machine learning, focusing on their features, implementation, and relevance to ML deployments.
Key Takeaways
WAF (Web Application Firewall) provides L7 protection for web apps, integrating with services like ALB, CloudFront, API Gateway, AppSync, and Cognito
Shield offers DDoS protection: Standard (free) for L3/L4, Advanced ($3k/mo) adds L7 protection, 24/7 support, and cost protection
While not ML-specific, WAF/Shield are crucial for securing ML endpoints, APIs, and web apps embedding ML outputs
Exam tip: Know WAF/Shield for questions on protecting ML inference endpoints, API security, and production ML infrastructure defense
Topics
AWS WAF (Web Application Firewall) Overview
L7 firewall service protecting web apps from common exploits (e.g., SQL injection, XSS)
Provides fine-grained control over HTTP(S) requests via Web ACLs
Integrates with: ALB, CloudFront, API Gateway, AppSync, Cognito user pools
Doesn't support: Network Load Balancer, direct EC2 instances
Web ACLs contain rule sets: allow/block/count requests, IP filtering (up to 10k IPs/set), header/body inspection, URI filtering, size constraints, geo-matching, rate-based rules
Global ACLs for CloudFront; regional for ALB and API Gateway
AWS Shield: DDoS Protection
Two tiers: Standard (free) and Advanced ($3k/mo per org)
Standard: Auto-protects AWS infrastructure (EC2, ELB, CloudFront, Route 53) against common L3/L4 attacks
Advanced features:
24/7 DDoS response team
Cost protection for attack-related usage spikes
WAF integration for auto-mitigation rules
L7 auto-mitigations with WAF
Enhanced reporting and metrics
Protects CloudFront, Global Accelerator, Route 53 hosted zones
Implementation and Architecture
For fixed IPs with WAF + ALB: Use Global Accelerator → ALB with WAF → Application
WAF console: Create Web ACL, select resource (e.g., CloudFront/ALB), add rules, set default actions
Shield Advanced setup: AWS console → Shield → Subscribe → Select resources → Enable DRT access/cost protection → Enable auto WAF mitigation → Confirm
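The Web ACL steps above (create the ACL, select the resource, add rules, set the default action) can also be expressed as a WAFv2 CreateWebACL request body. This is an added example, not code from the session: the function names, rule names, limits and ARNs are constructed, and it picks the global or regional scope from the resource type and rejects resources WAF does not attach to.

```python
# Added example: builds the WAFv2 CreateWebACL request body offline.
# Function names, rule names, limits and ARNs are constructed for illustration.
REGIONAL_SERVICES = {"elasticloadbalancing", "apigateway", "appsync", "cognito-idp"}

def scope_for_resource(arn):
    """CLOUDFRONT (global) scope for CloudFront, REGIONAL for the others."""
    parts = arn.split(":", 5)
    if len(parts) != 6:
        raise ValueError("not a valid ARN")
    service, resource = parts[2], parts[5]
    if service == "cloudfront":
        return "CLOUDFRONT"
    # NLB ARNs use loadbalancer/net/...; only ALBs (loadbalancer/app/...) qualify.
    if service == "elasticloadbalancing" and not resource.startswith("loadbalancer/app/"):
        raise ValueError("only Application Load Balancers can carry a Web ACL")
    if service in REGIONAL_SERVICES:
        return "REGIONAL"
    raise ValueError(f"WAF cannot be associated with {service!r} resources")

def _visibility(metric):
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric}

def build_web_acl(name, resource_arn, rate_limit=1000, max_body_bytes=8192,
                  count_only=False):
    # Count mode records matches without blocking, for tuning before enforcement.
    action = {"Count": {}} if count_only else {"Block": {}}
    override = {"Count": {}} if count_only else {"None": {}}
    rules = [
        {"Name": "rate-limit-per-ip", "Priority": 0, "Action": action,
         "Statement": {"RateBasedStatement": {"Limit": rate_limit,
                                              "AggregateKeyType": "IP"}},
         "VisibilityConfig": _visibility("rate-limit-per-ip")},
        {"Name": "oversized-body", "Priority": 1, "Action": action,
         "Statement": {"SizeConstraintStatement": {
             "FieldToMatch": {"Body": {"OversizeHandling": "MATCH"}},
             "ComparisonOperator": "GT", "Size": max_body_bytes,
             "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}},
         "VisibilityConfig": _visibility("oversized-body")},
        # AWS managed SQL injection rule group; managed groups take OverrideAction.
        {"Name": "aws-sqli", "Priority": 2, "OverrideAction": override,
         "Statement": {"ManagedRuleGroupStatement": {
             "VendorName": "AWS", "Name": "AWSManagedRulesSQLiRuleSet"}},
         "VisibilityConfig": _visibility("aws-sqli")},
    ]
    return {"Name": name, "Scope": scope_for_resource(resource_arn),
            "DefaultAction": {"Allow": {}}, "Rules": rules,
            "VisibilityConfig": _visibility(name)}
```

The returned dict can be passed as keyword arguments to boto3's `wafv2` client method `create_web_acl`; CLOUDFRONT-scoped ACLs are created through the us-east-1 endpoint.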
Pricing
WAF: $5/mo per Web ACL + $1/mo per rule set + ~$0.60 per million requests
Shield Standard: Free
Shield Advanced: ~$3k/mo per organization
Relevance to Machine Learning
Protects public API Gateway/ALB endpoints serving ML predictions
Secures CloudFront delivery of web apps with embedded ML outputs (e.g., Comprehend, Rekognition)
Ensures availability/compliance for ML deployments in regulated industries
Prevents disruptions: credential stuffing, DDoS, API scraping, malicious JSON payloads
Next Steps
Implement WAF for ML-serving APIs, focusing on common attack vectors
Consider Shield Advanced for high-value ML endpoints requiring enhanced DDoS protection
Review and optimize WAF rules periodically based on emerging threats and ML-specific attack patterns
Integrate WAF/Shield metrics with ML monitoring for a holistic security overview