AWS Certified Solutions Architect - Associate (SAA-C03) #5 Domain 1-4 Secure Architectures — WAF, Shield, Cognito, Secrets Manager


In #4 VPC Security we nailed down the network boundary. This post, the last of the security domain, climbs one layer higher to deal with application-layer attack defense (WAF, Shield) and user authentication and credential management (Cognito, Secrets Manager). The roles of these four services are easy to mix up on the exam, so accurately distinguishing “what problem does this service solve?” is the key.

WAF — web application firewall

AWS WAF is a web firewall that operates at layer 7 (HTTP/HTTPS). You gather rules into a Web ACL, and it inspects requests to allow, block, or count them.

Rule types

  • Managed rule groups — predefined rules provided by AWS and the Marketplace (common vulnerabilities, known malicious IPs, etc.)
  • SQL injection / XSS matching — blocks the classic web-attack patterns
  • IP set matching — allow/block specific IPs or ranges
  • Geo matching — block/allow at the country level
  • Rate-based rules — block an IP that exceeds a request count over a time window (layer 7 flood mitigation)
  • String/regex matching — pattern inspection of headers, URI, and body

Where it attaches

WAF connects to CloudFront, the Application Load Balancer (ALB), API Gateway, AppSync, and Cognito User Pool. All are layer 7 entry points. An NLB (Network Load Balancer) is layer 4, so WAF can’t attach to it. This distinction shows up on the exam.
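To make the rule types and the attachment rule concrete, here is an added example (not code from the post): a Web ACL definition using three of the rule types above, in the dict shape that boto3's `wafv2.create_web_acl(**acl)` takes, plus a simplified version of the layer-7 check behind “WAF can’t attach to an NLB”. The rule names, rate limit and country list are assumptions for the example.

```python
# Added example (not from the post): a Web ACL definition using three of the rule
# types above, in the dict shape boto3's wafv2.create_web_acl(**acl) takes, plus
# the layer-7 check behind the "not an NLB" rule. Rule names, the rate limit and
# the country list are assumptions for the example; enforce=False rolls the ACL
# out in COUNT mode so you can watch the metrics before switching to BLOCK.
def visibility(metric_name):
    # Every rule, and the ACL itself, must carry a VisibilityConfig.
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}

def build_web_acl(name, scope, rate_limit, blocked_countries, enforce=True):
    if scope not in ("REGIONAL", "CLOUDFRONT"):  # CLOUDFRONT ACLs are created in us-east-1
        raise ValueError("scope must be REGIONAL or CLOUDFRONT")
    action = {"Block": {}} if enforce else {"Count": {}}
    rules = [
        {   # Managed rule group: AWS-curated rules covering common web attacks such as
            # SQLi and XSS. Managed groups take OverrideAction, not Action; "None"
            # keeps the vendor's per-rule actions, "Count" demotes them to observe-only.
            "Name": "AWS-AWSManagedRulesCommonRuleSet", "Priority": 0,
            "Statement": {"ManagedRuleGroupStatement": {
                "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}},
            "OverrideAction": {"None": {}} if enforce else {"Count": {}},
            "VisibilityConfig": visibility("CommonRuleSet"),
        },
        {   # Rate-based rule: requests per source IP over the evaluation window.
            "Name": "RateLimitPerIp", "Priority": 1,
            "Statement": {"RateBasedStatement": {"Limit": rate_limit, "AggregateKeyType": "IP"}},
            "Action": action, "VisibilityConfig": visibility("RateLimitPerIp"),
        },
        {   # Geo match on the ISO 3166 country codes WAF derives from the source IP.
            "Name": "GeoBlock", "Priority": 2,
            "Statement": {"GeoMatchStatement": {"CountryCodes": list(blocked_countries)}},
            "Action": action, "VisibilityConfig": visibility("GeoBlock"),
        },
    ]
    return {"Name": name, "Scope": scope, "DefaultAction": {"Allow": {}},
            "Rules": rules, "VisibilityConfig": visibility(name)}

def is_waf_attachable(resource_arn):
    # Simplified view of what associate_web_acl accepts: an ALB ("loadbalancer/app/"),
    # an API Gateway stage, an AppSync API or a Cognito user pool. An NLB ARN
    # ("loadbalancer/net/") is layer 4 and is refused. (CloudFront is attached through
    # the distribution config instead, so it is not handled here.)
    if ":elasticloadbalancing:" in resource_arn:
        return "loadbalancer/app/" in resource_arn
    return any(svc in resource_arn for svc in (":apigateway:", ":appsync:", ":cognito-idp:"))
```

Rules are evaluated in ascending Priority order, so the managed group runs before the rate and geo rules here; the DefaultAction applies only to requests no rule matched.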

Shield — DDoS defense

| Item | Shield Standard | Shield Advanced |
|---|---|---|
| Cost | Free (applied automatically) | 3,000 USD/month + |
| Defense layers | L3/L4 | L3/L4/L7 |
| Response support | None | DDoS Response Team (SRT) |
| Cost protection | None | Refund of scaling costs caused by DDoS |
| WAF | Separate | WAF included |

Shield Standard is L3/L4 DDoS defense applied automatically and for free to every AWS customer. No separate setup is needed. On top of that, if you need L7 DDoS defense, a specialized response team, refunds of auto-scaling costs caused by DDoS, and detailed reports, you use Shield Advanced (paid).

On the exam, the answer to “do you get basic DDoS protection at no extra cost?” is Shield Standard (yes, automatic and free). If “large-scale L7 DDoS, cost protection, and specialized response are needed,” it’s Advanced.

Cognito — User Pool vs. Identity Pool

Cognito does two different things. Mix the two up and you’ll get authentication questions wrong almost every time.

| Aspect | User Pool | Identity Pool (Federated Identities) |
|---|---|---|
| Problem solved | Authentication — who are you, log in | Authorization — access to AWS resources |
| Output | JWT tokens (ID/Access/Refresh) | Temporary AWS credentials (STS) |
| Typical features | Sign-up, login, MFA, social/SAML federation | Exchanges an authenticated identity for AWS credentials |
| One line | “Logs the user in” | “Gives the user temporary AWS access” |

  • User Pool — a user directory and authentication server. It provides sign-up, login, MFA, and password policies, and you can attach social (Google, Facebook), SAML, and OIDC federation. On successful login it issues JWT tokens.
  • Identity Pool — takes an authenticated identity (User Pool, social, SAML) and exchanges it for STS temporary AWS credentials. For example, when a mobile app user needs to upload directly to S3, it lets the app access AWS resources without embedding a long-term key in the app.

The two are often used together: log in with the User Pool → present that token to the Identity Pool → obtain temporary AWS credentials.
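As an added example (not code from the post), the following shows the backend side of that flow: the claim checks applied to a User Pool JWT after its RS256 signature has been verified against the pool's JWKS (`https://cognito-idp.<region>.amazonaws.com/<pool-id>/.well-known/jwks.json`, for instance with PyJWT), and the `Logins` map that hands the same ID token to an Identity Pool. The region, pool id, client id and claim values are constructed for the example.

```python
# Added example (not from the post): what a backend checks on a User Pool JWT
# after verifying its RS256 signature against the pool's JWKS, and how the same
# ID token is presented to an Identity Pool. Region, pool id, client id and the
# claims below are constructed values, not a real pool.
import time

def user_pool_issuer(region, user_pool_id):
    return f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"

def check_user_pool_claims(claims, region, user_pool_id, client_id, expected_use, now=None):
    """Return the subject (`sub`) if `claims` belong to a valid `expected_use`
    ("id" or "access") token for this pool and app client; raise ValueError otherwise."""
    now = time.time() if now is None else now
    if claims.get("iss") != user_pool_issuer(region, user_pool_id):
        raise ValueError("issuer is not this user pool")
    # token_use tells an ID token (identity claims for the app) from an access
    # token (scopes for APIs); accepting either one everywhere is a common bug.
    if claims.get("token_use") != expected_use:
        raise ValueError(f"token_use {claims.get('token_use')!r}, expected {expected_use!r}")
    # The app client id is carried in `aud` on ID tokens and `client_id` on access tokens.
    audience = claims.get("aud") if expected_use == "id" else claims.get("client_id")
    if audience != client_id:
        raise ValueError("token was issued for a different app client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token is expired or has no exp")
    return claims["sub"]

def identity_pool_logins(region, user_pool_id, id_token):
    # Logins map passed to cognito-identity GetId / GetCredentialsForIdentity: the
    # key is the issuer without the scheme, the value is the User Pool ID token.
    return {f"cognito-idp.{region}.amazonaws.com/{user_pool_id}": id_token}

# Constructed claims as they appear in a decoded ID token and access token.
REGION, POOL_ID, CLIENT_ID = "ap-northeast-2", "ap-northeast-2_EXAMPLE", "1example23456789"
ID_CLAIMS = {"iss": user_pool_issuer(REGION, POOL_ID), "sub": "constructed-user-uuid",
             "aud": CLIENT_ID, "token_use": "id", "exp": 2_000_000_000,
             "email": "user@example.com"}
ACCESS_CLAIMS = {"iss": user_pool_issuer(REGION, POOL_ID), "sub": "constructed-user-uuid",
                 "client_id": CLIENT_ID, "token_use": "access", "exp": 2_000_000_000}
```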

Secrets Manager vs. Parameter Store

Two services for safely storing credentials and configuration values without hardcoding them.

| Item | Secrets Manager | SSM Parameter Store |
|---|---|---|
| Primary use | Secrets (DB credentials, API keys) | Config values + secrets (SecureString) |
| Automatic rotation | Built-in support (RDS, etc.) | None (implement yourself with Lambda) |
| Cost | $0.40/month per secret + API | Standard parameters free |
| Encryption | KMS | KMS (SecureString) |
| Cross-account | Supported | Limited |

The key branch point is automatic rotation. If the requirement is “automatically rotate DB credentials on a schedule,” Secrets Manager is the answer (especially RDS, Redshift, and DocumentDB, which have built-in integration). Conversely, if it’s “a simple config value and you want to save cost,” Parameter Store fits. Parameter Store can also store secrets KMS-encrypted as a SecureString, but automatic rotation isn’t provided out of the box.
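To show what “built-in rotation” actually drives, here is an added example (not code from the post or from AWS): the four steps a custom Secrets Manager rotation Lambda implements for a secret that is not one of the integrated databases. `sm` is assumed to be a boto3 `secretsmanager` client and `backend` an object with `set_password()`/`login()` for the system whose credential is rotated; both are assumptions of the example.

```python
# Added example (not from the post): the four steps Secrets Manager drives in a
# custom rotation Lambda. `sm` is assumed to be a boto3 "secretsmanager" client and
# `backend` a hypothetical object with set_password()/login() for the rotated system.
import json
import secrets
import string

def new_password(length=32):
    return "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(length))

def pending_secret(sm, arn, token):
    raw = sm.get_secret_value(SecretId=arn, VersionId=token, VersionStage="AWSPENDING")
    return json.loads(raw["SecretString"])

def create_secret(sm, backend, arn, token):
    # Step 1: stage a candidate credential as AWSPENDING; looking it up first keeps
    # the step idempotent when Secrets Manager retries the invocation.
    try:
        pending_secret(sm, arn, token)
        return
    except sm.exceptions.ResourceNotFoundException:
        pass
    current = json.loads(sm.get_secret_value(SecretId=arn, VersionStage="AWSCURRENT")["SecretString"])
    current["password"] = new_password()
    sm.put_secret_value(SecretId=arn, ClientRequestToken=token,
                        SecretString=json.dumps(current), VersionStages=["AWSPENDING"])

def set_secret(sm, backend, arn, token):
    # Step 2: push the pending password to the backend (DB user, API key, ...).
    p = pending_secret(sm, arn, token)
    backend.set_password(p["username"], p["password"])

def check_secret(sm, backend, arn, token):
    # Step 3 (testSecret): prove the pending credential works before anything switches to it.
    p = pending_secret(sm, arn, token)
    if not backend.login(p["username"], p["password"]):
        raise RuntimeError("pending credential rejected; leaving AWSCURRENT untouched")

def finish_secret(sm, backend, arn, token):
    # Step 4: move AWSCURRENT to the pending version; the old one becomes AWSPREVIOUS.
    stages = sm.describe_secret(SecretId=arn)["VersionIdsToStages"]
    current = next(v for v, s in stages.items() if "AWSCURRENT" in s)
    if current != token:
        sm.update_secret_version_stage(SecretId=arn, VersionStage="AWSCURRENT",
                                       MoveToVersionId=token, RemoveFromVersionId=current)

STEPS = {"createSecret": create_secret, "setSecret": set_secret,
         "testSecret": check_secret, "finishSecret": finish_secret}

def rotate(event, sm, backend):
    # Secrets Manager invokes the Lambda once per step with this event shape.
    return STEPS[event["Step"]](sm, backend, event["SecretId"], event["ClientRequestToken"])
```

Because the switch to AWSCURRENT only happens after testSecret succeeds, a failed rotation leaves applications reading the old, still-valid credential.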

Exam question patterns

  • “Block web attacks like SQL injection / XSS.” → WAF
  • “Block a specific country / rate-limit an IP.” → WAF (geo / rate-based rules)
  • “Can you attach WAF to an NLB?” → No (L4). Connect to CloudFront/ALB/API GW/AppSync
  • “Do you get basic DDoS protection at no extra cost?” → Shield Standard (automatic, free)
  • “L7 DDoS + cost protection + response team.” → Shield Advanced
  • “User login/sign-up/social login.” → Cognito User Pool
  • “Temporary AWS credentials for an authenticated user.” → Cognito Identity Pool
  • “Automatically rotate DB credentials.” → Secrets Manager
  • “Simple config value, cost savings.” → Parameter Store

Common traps

1) Trying to attach WAF to an NLB

WAF attaches only to layer 7 entry points (CloudFront/ALB/API Gateway/AppSync). An NLB is layer 4, so it’s not a target.

2) Thinking Shield Standard is paid

Standard is automatic and free for all customers. The paid one is Advanced.

3) Misunderstanding that the User Pool gives AWS credentials

The User Pool goes as far as login and JWT tokens. AWS credentials are issued by the Identity Pool via STS.

4) Thinking Parameter Store has built-in automatic rotation

Built-in automatic rotation belongs to Secrets Manager; with Parameter Store you have to implement it yourself.

Wrap-up

What this post locked in:

  • WAF — a layer 7 web firewall. SQLi, XSS, geo, rate rules. Connects to CloudFront/ALB/API GW/AppSync (not NLB)
  • Shield — Standard is automatic and free (L3/L4). Advanced is paid (L7, response team, cost protection)
  • Cognito — the User Pool does authentication (JWT); the Identity Pool does temporary AWS credentials. The two are used together
  • Secrets Manager vs. Parameter Store — if you need automatic rotation, Secrets Manager; if it’s simple and low-cost, Parameter Store

With this, we finish the security domain (30%). Following the layers down — IAM (identity) → KMS (data) → VPC (network) → WAF, Cognito (application, user) — we’ve laid out the big picture of security.

Next — Domain 2-1 Resilient Architectures

The next domain is Resilience (26%). We move on to designs that keep a service from stopping even through a failure.

#6 Domain 2-1 Multi-AZ, Auto Scaling, ELB covers high availability using Availability Zones (AZs), how Auto Scaling groups and their policies work, the types of ELB (ALB, NLB, GLB) and how to choose, and the structure for filtering out failed instances with health checks.
