AWS Certified Solutions Architect - Associate (SAA-C03) #5 Domain 1-4 Secure Architectures — WAF, Shield, Cognito, Secrets Manager
In #4 VPC Security we nailed down the network boundary. This post, the last of the security domain, climbs one layer higher to deal with application-layer attack defense (WAF , Shield) and user authentication and credential management (Cognito , Secrets Manager). The roles of these four services are easy to mix up on the exam, so accurately distinguishing “what problem does this service solve?” is the key.
WAF — web application firewall #
AWS WAF is a web application firewall that operates at layer 7 (HTTP/HTTPS). You gather rules into a Web ACL and attach it to a supported resource; WAF evaluates the rules in priority order against each request and applies the first terminating action (allow or block; count records a match and keeps evaluating, and CAPTCHA and Challenge actions also exist). If no rule terminates, the Web ACL's default action applies.
Rule types #
- Managed rule groups — predefined rules provided by AWS and the Marketplace (common vulnerabilities, known malicious IPs, etc.)
- SQL injection / XSS match statements — detect the classic web-attack patterns in the field you choose (URI path, query string, headers, body), normally after text transformations such as URL decoding so that encoded payloads don't slip past the match
- IP set matching — allow/block specific IPs or ranges
- Geo matching — block/allow at the country level
- Rate-based rules — block an IP (or another aggregation key) whose requests exceed a limit over a trailing window, 5 minutes by default (layer 7 flood mitigation)
- String/regex matching — pattern inspection of headers, URI, and body
Where it attaches #
WAF attaches to CloudFront distributions, Application Load Balancers (ALB), API Gateway REST APIs, AppSync GraphQL APIs, and Cognito user pools (App Runner services and Verified Access instances are also supported). All are layer 7 entry points. A Web ACL for CloudFront is created with CLOUDFRONT scope in us-east-1; the others use a REGIONAL Web ACL in the resource's own region. A Network Load Balancer (NLB) is layer 4, so WAF can't attach to it. This distinction shows up on the exam.
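To make the priority order and the Count vs. Block distinction concrete, here is an added example (written for this post, not AWS code or code from the original): a Web ACL in the shape the wafv2 API uses, with an IP-set allow, a geo block, a rate-based rule and an SQLi match left in Count, plus a small evaluator that walks the rules in priority order. The ARN, names and addresses are constructed; the evaluator is a simplified model (the real service applies rate limits approximately and with a short delay), and the SQLi regex is a toy standing in for WAF's own detector.

```python
"""Simplified model of how AWS WAF evaluates a Web ACL.

Added example, not AWS code: rules run in ascending Priority; Allow/Block terminate
evaluation, Count records a match and continues, and DefaultAction applies if nothing
terminates. Rule shapes follow the wafv2 API but are trimmed, and the SQLi detector
is a toy regex standing in for WAF's own.
"""
import ipaddress
import re
from collections import defaultdict, deque
from urllib.parse import unquote

# Constructed IP set. In the real API a rule references an IP set by ARN like this one.
OFFICE_IPSET_ARN = "arn:aws:wafv2:ap-northeast-2:123456789012:regional/ipset/office/0000-example"
IP_SETS = {OFFICE_IPSET_ARN: ["203.0.113.0/24"]}

WEB_ACL = {
    "Name": "example-web-acl",
    "Scope": "REGIONAL",  # REGIONAL for ALB/API GW/AppSync/Cognito; CLOUDFRONT (us-east-1) for distributions
    "DefaultAction": {"Allow": {}},
    "Rules": [
        {"Name": "allow-office", "Priority": 0, "Action": {"Allow": {}},
         "Statement": {"IPSetReferenceStatement": {"ARN": OFFICE_IPSET_ARN}}},
        {"Name": "block-geo", "Priority": 10, "Action": {"Block": {}},
         "Statement": {"GeoMatchStatement": {"CountryCodes": ["KP"]}}},
        {"Name": "rate-limit-ip", "Priority": 20, "Action": {"Block": {}},
         "Statement": {"RateBasedStatement": {"Limit": 100, "EvaluationWindowSec": 300,
                                              "AggregateKeyType": "IP"}}},
        # New detection rules start in Count: review the sampled matches, then flip to Block.
        {"Name": "sqli-uri", "Priority": 30, "Action": {"Count": {}},
         "Statement": {"SqliMatchStatement": {"FieldToMatch": {"UriPath": {}},
                                              "TextTransformations": [{"Priority": 0, "Type": "URL_DECODE"}]}}},
    ],
}

SQLI_TOY = re.compile(r"'\s*(or|and)\b|union\s+select|;\s*drop\s|--", re.I)


def new_state():
    """Per-ACL mutable state: request timestamps per aggregation key for rate-based rules."""
    return defaultdict(deque)


def field_value(request, field_to_match, transforms):
    """Pick the inspected field and apply text transformations in their own priority order."""
    name = next(iter(field_to_match))
    value = {"UriPath": request.get("uri", ""), "QueryString": request.get("query", ""),
             "Body": request.get("body", "")}.get(name, "")
    for t in sorted(transforms, key=lambda t: t["Priority"]):
        if t["Type"] == "URL_DECODE":
            value = unquote(value)
        elif t["Type"] == "LOWERCASE":
            value = value.lower()
    return value


def matches(statement, request, state, now):
    kind, body = next(iter(statement.items()))
    if kind == "IPSetReferenceStatement":
        ip = ipaddress.ip_address(request["ip"])
        return any(ip in ipaddress.ip_network(cidr) for cidr in IP_SETS[body["ARN"]])
    if kind == "GeoMatchStatement":
        return request.get("country") in body["CountryCodes"]
    if kind == "RateBasedStatement":
        # Only requests that reach this rule are counted; the window trails behind `now`.
        hits = state[request["ip"]]
        hits.append(now)
        while hits and hits[0] <= now - body.get("EvaluationWindowSec", 300):
            hits.popleft()
        return len(hits) > body["Limit"]
    if kind == "SqliMatchStatement":
        text = field_value(request, body["FieldToMatch"], body.get("TextTransformations", []))
        return SQLI_TOY.search(text) is not None
    raise ValueError(f"unsupported statement type {kind}")


def evaluate(web_acl, request, state, now):
    """Return (terminating action, rule that fired or None, names of Count rules that matched)."""
    counted = []
    for rule in sorted(web_acl["Rules"], key=lambda r: r["Priority"]):
        if matches(rule["Statement"], request, state, now):
            action = next(iter(rule["Action"]))
            if action == "Count":
                counted.append(rule["Name"])
                continue
            return action, rule["Name"], counted
    return next(iter(web_acl["DefaultAction"])), None, counted


if __name__ == "__main__":
    st = new_state()
    # Encoded "' or 1=1--" in the path: matched by the Count rule, but the default action still allows it.
    print(evaluate(WEB_ACL, {"ip": "198.51.100.7", "country": "KR", "uri": "/a/%27%20or%201%3d1--"}, st, 0))
    for t in range(101):  # 100 requests pass; the 101st inside the 300 s window is blocked
        result = evaluate(WEB_ACL, {"ip": "198.51.100.9", "country": "KR", "uri": "/"}, st, t)
    print(result)
```

Two things the walk-through shows that the bullet list does not: an allow rule at a lower priority number short-circuits everything after it (the office range bypasses the SQLi rule, so order your rules deliberately), and without the URL_DECODE transformation the encoded payload in the example would not match at all.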
Shield — DDoS defense #
| Item | Shield Standard | Shield Advanced |
|---|---|---|
| Cost | Free (applied automatically) | 3,000 USD/month (1-year commitment) plus data-transfer usage fees |
| Defense layers | L3/L4 | L3/L4/L7 |
| Response support | None | Shield Response Team (SRT), 24/7 (requires Business or Enterprise Support) |
| Cost protection | None | Credits for scaling costs caused by a DDoS attack on protected resources |
| WAF | Billed separately | WAF and Firewall Manager charges for protected resources included |
Shield Standard is L3/L4 DDoS defense (SYN/UDP floods, reflection attacks and the like) applied automatically and free to every AWS customer; there is nothing to enable. If you also need L7 DDoS defense, the Shield Response Team, credits for auto-scaling costs caused by an attack, and detailed attack reporting, you subscribe to Shield Advanced (paid) and enrol the specific resources to protect (Elastic IPs, CloudFront distributions, Global Accelerator accelerators, Route 53 hosted zones, and load balancers). Its L7 protection works through a WAF Web ACL on those resources, which is why the WAF charges are bundled in.
On the exam, the answer to “do you get basic DDoS protection at no extra cost?” is Shield Standard (yes, automatic and free). If “large-scale L7 DDoS, cost protection, and specialized response are needed,” it’s Advanced.
Cognito — User Pool vs. Identity Pool #
Cognito does two different things. Mix the two up and you’ll get authentication questions wrong almost every time.
| Aspect | User Pool | Identity Pool (Federated Identities) |
|---|---|---|
| Problem solved | Authentication — who are you, log in | Authorization — access to AWS resources |
| Output | JWT tokens (ID/Access/Refresh) | Temporary AWS credentials (STS) |
| Typical features | Sign-up, login, MFA, social/SAML federation | Exchanges an authenticated identity for AWS credentials |
| One line | “Logs the user in” | “Gives the user temporary AWS access” |
- User Pool — a user directory and authentication server. It provides sign-up, login, MFA, and password policies, and you can attach social (Google, Facebook), SAML, and OIDC federation. On successful login it issues JWT tokens.
- Identity Pool — takes an authenticated identity (User Pool, social, SAML, OIDC) and exchanges it for STS temporary AWS credentials whose permissions come from the IAM role you map that identity to. For example, a mobile app whose users upload directly to S3 can let each user write to their own prefix without embedding a long-term access key in the app. An Identity Pool can also hand out credentials to unauthenticated guest identities through a separate, more restricted role, which you should lock down or disable if guests have no business touching your AWS resources.
The two are often used together: log in with the User Pool → present the ID token to the Identity Pool → the Identity Pool maps the identity to an IAM role and calls STS (AssumeRoleWithWebIdentity) on the app's behalf → the app receives temporary credentials (access key, secret key, session token) that can do exactly what that role's policy allows, and nothing more.
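As an added example (not from the original post), here are the two IAM policies that sit behind “gives the user temporary AWS access”: the trust policy on the Identity Pool's authenticated role, in the shape the Cognito console generates, and a permissions policy that confines each user to an S3 prefix named after their Cognito identity ID, together with a simplified Allow-only matcher so the decisions can be exercised offline. The pool ID, bucket name and identity IDs are constructed, and the matcher is not the IAM engine (no Deny handling, no other condition keys).

```python
"""Identity Pool -> IAM role: what the temporary credentials are allowed to do.

Added example. Models the trust policy STS checks when the Identity Pool calls
AssumeRoleWithWebIdentity for a user, and a permissions policy scoped per user via
${cognito-identity.amazonaws.com:sub}. The matcher is a simplified Allow-only check.
"""
import fnmatch

IDENTITY_POOL_ID = "ap-northeast-2:0f7a2c3e-1111-2222-3333-444455556666"  # constructed pool ID
BUCKET = "example-app-uploads"  # assumed bucket name
SUB_VAR = "${cognito-identity.amazonaws.com:sub}"  # IAM expands this to the caller's identity ID

TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            # Only tokens minted by THIS pool, and only for authenticated (not guest) identities
            "StringEquals": {"cognito-identity.amazonaws.com:aud": IDENTITY_POOL_ID},
            "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
        },
    }],
}

PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # Each user may read/write only under private/<their own identity ID>/
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": f"arn:aws:s3:::{BUCKET}/private/{SUB_VAR}/*"},
        # Listing is allowed, but only their own prefix
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": f"arn:aws:s3:::{BUCKET}",
         "Condition": {"StringLike": {"s3:prefix": f"private/{SUB_VAR}/*"}}},
    ],
}


def trust_allows(token_claims):
    """Would the trust policy let STS issue credentials for this Cognito identity token?"""
    cond = TRUST_POLICY["Statement"][0]["Condition"]
    aud_ok = token_claims.get("aud") == cond["StringEquals"]["cognito-identity.amazonaws.com:aud"]
    amr_pattern = cond["ForAnyValue:StringLike"]["cognito-identity.amazonaws.com:amr"]
    amr_ok = any(fnmatch.fnmatchcase(v, amr_pattern) for v in token_claims.get("amr", []))
    return aud_ok and amr_ok


def permitted(identity_id, action, key=None, prefix=None):
    """Simplified IAM check for one S3 action after ${...:sub} is expanded to the caller's identity ID."""
    resource = f"arn:aws:s3:::{BUCKET}" + (f"/{key}" if key is not None else "")
    for stmt in PERMISSIONS_POLICY["Statement"]:
        if action not in stmt["Action"]:
            continue
        if not fnmatch.fnmatchcase(resource, stmt["Resource"].replace(SUB_VAR, identity_id)):
            continue
        cond = stmt.get("Condition", {}).get("StringLike", {})
        if "s3:prefix" in cond and not fnmatch.fnmatchcase(prefix or "", cond["s3:prefix"].replace(SUB_VAR, identity_id)):
            continue
        return True
    return False


if __name__ == "__main__":
    me = "ap-northeast-2:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    print(trust_allows({"aud": IDENTITY_POOL_ID, "amr": ["authenticated"]}))   # True
    print(permitted(me, "s3:PutObject", key=f"private/{me}/photo.jpg"))        # True
    print(permitted(me, "s3:GetObject", key="private/someone-else/photo.jpg"))  # False
```

The `aud` condition is what stops a token from a different Identity Pool being replayed against this role, and the `amr` condition keeps guests off the authenticated role; the `${cognito-identity.amazonaws.com:sub}` variable is what turns one shared role into per-user least privilege, which is the point of the mobile-upload scenario above.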
Secrets Manager vs. Parameter Store #
Two services for safely storing credentials and configuration values without hardcoding them.
| Item | Secrets Manager | SSM Parameter Store |
|---|---|---|
| Primary use | Secrets (DB credentials, API keys) | Config values + secrets (SecureString) |
| Automatic rotation | Built in (managed rotation for RDS, Redshift, DocumentDB; your own Lambda rotation function for other secret types) | None built in (EventBridge schedule + a Lambda you write) |
| Cost | 0.40 USD/month per secret + 0.05 USD per 10,000 API calls | Standard parameters free; advanced parameters charged |
| Encryption | KMS (always) | KMS for SecureString only; String and StringList are not KMS-encrypted |
| Cross-account | Supported (resource policy on the secret) | Limited |
The key branch point is automatic rotation. If the requirement is “automatically rotate DB credentials on a schedule,” Secrets Manager is the answer: RDS, Redshift, and DocumentDB credentials get managed rotation with no code, and any other secret type can be rotated with a Lambda rotation function you supply. Conversely, if it's “a simple config value and you want to save cost,” Parameter Store fits. Parameter Store can also store secrets KMS-encrypted as a SecureString, but rotation isn't provided out of the box; you would schedule your own Lambda to do it.
Exam question patterns #
- “Block web attacks like SQL injection / XSS.” → WAF
- “Block a specific country / rate-limit an IP.” → WAF (geo / rate-based rules)
- “Can you attach WAF to an NLB?” → No (L4). Connect to CloudFront/ALB/API GW/AppSync
- “Do you get basic DDoS protection at no extra cost?” → Shield Standard (automatic, free)
- “L7 DDoS + cost protection + response team.” → Shield Advanced
- “User login/sign-up/social login.” → Cognito User Pool
- “Temporary AWS credentials for an authenticated user.” → Cognito Identity Pool
- “Automatically rotate DB credentials.” → Secrets Manager
- “Simple config value, cost savings.” → Parameter Store
Common traps #
1) Trying to attach WAF to an NLB #
WAF attaches only to layer 7 entry points (CloudFront/ALB/API Gateway REST APIs/AppSync/Cognito user pools). An NLB is layer 4, so it's not a target. If a workload behind an NLB needs WAF, the architectural fix is to put CloudFront or an ALB in front of it, not to look for a WAF-on-NLB option that doesn't exist.
2) Thinking Shield Standard is paid #
Standard is automatic and free for all customers. The paid one is Advanced.
3) Misunderstanding that the User Pool gives AWS credentials #
The User Pool goes as far as login and JWT tokens. AWS credentials are issued by the Identity Pool via STS.
4) Thinking Parameter Store has built-in automatic rotation #
Built-in automatic rotation is a Secrets Manager feature. With Parameter Store you implement rotation yourself.
Wrap-up #
What this post locked in:
- WAF — a layer 7 web firewall. SQLi, XSS, geo, and rate rules. Attaches to CloudFront/ALB/API GW/AppSync/Cognito (not NLB)
- Shield — Standard is automatic and free (L3/L4). Advanced is paid (L7, response team, cost protection)
- Cognito — the User Pool does authentication (JWT); the Identity Pool does temporary AWS credentials. The two are used together
- Secrets Manager vs. Parameter Store — if you need automatic rotation, Secrets Manager; if it’s simple and low-cost, Parameter Store
With this, we finish the security domain (30%). Following the layers down — IAM (identity) → KMS (data) → VPC (network) → WAF, Cognito (application, user) — we've laid out the big picture of security.
Next — Domain 2-1 Resilient Architectures #
The next domain is Resilience (26%). We move on to designs that keep a service from stopping even through a failure.
#6 Domain 2-1 Multi-AZ, Auto Scaling, ELB covers high availability using Availability Zones (AZs), how Auto Scaling groups and their policies work, the types of ELB (ALB, NLB, GWLB) and how to choose between them, and how health checks take failed instances out of rotation.