
AWS WAF, Shield & Security Groups for Spring Boot Applications

Learn how to secure Spring Boot applications on AWS using AWS WAF, AWS Shield, and Security Groups. This guide covers Layer 3 to Layer 7 security, DDoS protection, Web Application Firewall rules, IP filtering, rate limiting, SQL injection protection, XSS prevention, and production security architecture.


Introduction

Security is one of the most important responsibilities of every cloud architect and developer.

Deploying a Spring Boot application without proper security can expose it to attacks such as:

  • DDoS Attacks
  • SQL Injection
  • Cross-Site Scripting (XSS)
  • Brute Force Login
  • Bot Attacks
  • Port Scanning
  • Cross-Site Request Forgery (CSRF)
  • Remote Code Execution (RCE)

AWS provides multiple security layers to protect applications.

The three most important services are:

  • AWS Security Groups
  • AWS WAF
  • AWS Shield

Together they provide defense-in-depth from the network layer through the application layer.


Learning Objectives

After completing this article, you will understand:

  • AWS Security Groups
  • Network ACL vs Security Group
  • AWS WAF
  • Web ACL
  • Managed Rules
  • Custom Rules
  • Rate Limiting
  • IP Blocking
  • SQL Injection Protection
  • XSS Protection
  • AWS Shield Standard
  • AWS Shield Advanced
  • Spring Boot Security Architecture
  • Production Best Practices

Enterprise Security Layers

Layer 7  → AWS WAF
Layer 4  → Security Groups
Layer 3  → VPC
Layer 2  → AWS Network
Layer 1  → AWS Infrastructure

Enterprise Architecture

flowchart TD
  Internet --> Route53
  Route53 --> CloudFront
  CloudFront --> AWSShield
  AWSShield --> AWSWAF
  AWSWAF --> ALB
  ALB --> SpringBoot
  SpringBoot --> Redis
  SpringBoot --> Aurora

Why Multiple Security Layers?

Without security:

Internet → Spring Boot

Every request reaches your application.

Problems:

  • SQL Injection
  • XSS
  • DDoS
  • Password attacks
  • Bots

With AWS Security:

Internet → Shield → WAF → Load Balancer → Spring Boot

Most attacks are blocked before they reach the application.


Security Groups

Security Groups are virtual firewalls.

They control:

  • Inbound Traffic
  • Outbound Traffic

Applied to:

  • EC2
  • ECS
  • EKS Nodes
  • RDS
  • ElastiCache
  • Neptune

Security Group Architecture

flowchart LR
  ALB --> SecurityGroup
  SecurityGroup --> SpringBoot
  SpringBoot --> Aurora

Example Security Group Rules

ALB Security Group
  Inbound: ports 80 and 443 from 0.0.0.0/0

Spring Boot Security Group
  Inbound: port 8080 only from the ALB Security Group

Database Security Group
  Inbound: port 5432 only from the Spring Boot Security Group


Security Groups are Stateful

If an inbound request is allowed, its response is automatically allowed. No return rule is required.


Network ACL

Network ACL protects entire subnets.

Unlike Security Groups, Network ACLs are:

  • Stateless
  • Able to hold both Allow and Deny rules

Security Group vs Network ACL

Security Group       | Network ACL
---------------------|---------------------
Stateful             | Stateless
Instance level       | Subnet level
Allow rules only     | Allow and Deny rules
Easier to manage     | More granular

AWS WAF

AWS WAF is a Web Application Firewall.

Protects against:

  • SQL Injection
  • Cross-Site Scripting
  • Bots
  • HTTP Flood
  • Bad IPs
  • Rate Abuse

Works at Layer 7.


WAF Architecture

flowchart LR
  Internet --> AWSWAF
  AWSWAF --> ALB
  ALB --> SpringBoot

What is a Web ACL?

A Web ACL is a collection of WAF rules.

Example rule order:

Allow Good Traffic → Block SQL Injection → Block XSS → Rate Limit → Allow Request

AWS Managed Rules

AWS provides pre-built rules for:

  • SQL Injection
  • XSS
  • Linux
  • Windows
  • PHP
  • Known Bad Inputs
  • Anonymous IPs
  • Bot Protection

No coding required.


SQL Injection Protection

Attack payload:

' OR 1=1 --

WAF blocks it before it reaches Spring Boot.


Cross Site Scripting

Attack payload:

<script>alert(1)</script>

Blocked by WAF.


Rate Limiting

Example limit: 2000 requests per 5 minutes.

Requests above the limit are blocked automatically.


IP Blocking

Example: block a single address such as 192.168.100.10, or an entire country if required.


Geo Blocking

Allow: USA, Canada

Block: all other countries

Useful for internal enterprise applications.


Bot Protection

AWS Managed Bot Control identifies:

  • Scrapers
  • Credential Stuffing
  • Fake Browsers
  • Automated Attacks

Custom Rules

Create rules for:

  • HTTP Headers
  • Cookies
  • URI Paths
  • Request Size
  • IP Addresses
  • Query Parameters
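
The rules described in this section, assembled as an added example (not the article's code): a Python list in the shape boto3's wafv2 `create_web_acl(Rules=...)` accepts, with the AWS managed rule groups for SQL injection and XSS, the 2000-requests-per-5-minutes rate limit, a geo allow-list for US and CA, and a reference to an IP set of blocked addresses. The rule and metric names are mine and the IP set ARN is a placeholder.

```python
# Added example: the Rules list for an AWS WAFv2 Web ACL, in the shape that boto3's
# wafv2 create_web_acl(Rules=...) accepts. Rule/metric names are mine; the IP set
# ARN is a placeholder to be replaced with a real IP set created for blocked addresses.
from typing import Dict, List

def _visibility(metric: str) -> Dict:
    """CloudWatch metrics and sampled requests, so blocked traffic shows up in monitoring."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": metric}

def managed_rule(name: str, priority: int) -> Dict:
    """Reference an AWS managed rule group. OverrideAction None keeps the group's own block actions."""
    return {"Name": name, "Priority": priority,
            "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": name}},
            "OverrideAction": {"None": {}}, "VisibilityConfig": _visibility(name)}

def build_web_acl_rules(blocked_ip_set_arn: str, allowed_countries: List[str]) -> List[Dict]:
    """Rules are evaluated in ascending Priority; the first terminating match wins."""
    return [
        {"Name": "BlockListedIPs", "Priority": 0, "Action": {"Block": {}},
         "Statement": {"IPSetReferenceStatement": {"ARN": blocked_ip_set_arn}},
         "VisibilityConfig": _visibility("BlockListedIPs")},
        # Geo allow-list: block every request whose country is NOT in the allowed set.
        {"Name": "GeoAllowList", "Priority": 1, "Action": {"Block": {}},
         "Statement": {"NotStatement": {"Statement": {"GeoMatchStatement": {"CountryCodes": allowed_countries}}}},
         "VisibilityConfig": _visibility("GeoAllowList")},
        managed_rule("AWSManagedRulesCommonRuleSet", 2),          # XSS and other common web exploits
        managed_rule("AWSManagedRulesSQLiRuleSet", 3),            # SQL injection patterns such as ' OR 1=1 --
        managed_rule("AWSManagedRulesKnownBadInputsRuleSet", 4),
        # Rate-based rule: WAF counts requests per source IP over a 5-minute window.
        {"Name": "RateLimitPerIP", "Priority": 5, "Action": {"Block": {}},
         "Statement": {"RateBasedStatement": {"Limit": 2000, "AggregateKeyType": "IP"}},
         "VisibilityConfig": _visibility("RateLimitPerIP")},
    ]

def validate_rules(rules: List[Dict]) -> List[str]:
    """Catch two mistakes the WAF API rejects: duplicate priorities, and a rule that has
    neither or both of Action (own rule) and OverrideAction (managed rule group reference)."""
    problems, seen = [], set()
    for r in rules:
        if r["Priority"] in seen:
            problems.append(f"{r['Name']}: duplicate priority {r['Priority']}")
        seen.add(r["Priority"])
        if ("Action" in r) == ("OverrideAction" in r):
            problems.append(f"{r['Name']}: needs exactly one of Action / OverrideAction")
    return problems
```

Run `validate_rules(build_web_acl_rules(...))` before calling the API; it returns an empty list for a well-formed rule set.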

WAF Flow

flowchart LR
  Browser --> WAF
  WAF --> Rules
  Rules --> SpringBoot

AWS Shield

AWS Shield protects against DDoS attacks.

Automatically enabled.


Shield Standard

Free.

Protects:

  • CloudFront
  • Route53
  • Global Accelerator
  • Elastic Load Balancer

Against common DDoS attacks.


Shield Advanced

Enterprise version.

Additional features:

  • Advanced Detection
  • 24×7 DDoS Response Team
  • Cost Protection
  • Detailed Analytics

Used by large enterprises.


DDoS Protection Flow

flowchart LR
  AttackTraffic --> Shield
  Shield --> WAF
  WAF --> ALB
  ALB --> SpringBoot

Complete Security Architecture

flowchart TD
  Users --> Route53
  Route53 --> CloudFront
  CloudFront --> Shield
  Shield --> WAF
  WAF --> ALB
  ALB --> SpringBoot
  SpringBoot --> Redis
  SpringBoot --> Aurora

  SpringBoot --> CloudWatch
  SpringBoot --> CloudTrail

Spring Security

Even with AWS security:

Spring Boot should still implement:

  • Spring Security
  • JWT Authentication
  • OAuth2
  • CSRF Protection
  • Input Validation
  • Output Encoding

Security must exist at every layer.


Security Checklist

Application

  • JWT
  • OAuth2
  • HTTPS
  • Input Validation

Network

  • Security Groups
  • NACL

AWS

  • WAF
  • Shield
  • IAM
  • KMS
  • Secrets Manager

Monitoring

Monitor:

  • Blocked Requests
  • Allowed Requests
  • SQL Injection Attempts
  • XSS Attempts
  • Rate Limited Requests
  • DDoS Events

Using:

  • CloudWatch
  • AWS WAF Logs
  • CloudTrail

Common Security Issues

Database Public

Wrong: Public Access = YES

Correct: Private Access = YES

SSH Open

Wrong: port 22 open to 0.0.0.0/0

Correct: allow port 22 only from your office VPN or a bastion host
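
An added example (not from the article) that checks the Security Group chain described earlier (ALB on 80/443 from the Internet, Spring Boot on 8080 only from the ALB group, database on 5432 only from the Spring Boot group) together with the two mistakes above. It works on the JSON shape returned by `aws ec2 describe-security-groups`; the group ids and rules are constructed sample data.

```python
# Added example: audit Security Group rules in the JSON shape returned by
# `aws ec2 describe-security-groups`. Group ids and rules below are constructed.
from typing import Dict, List, Set

INTERNET = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22}        # SSH must never be reachable from the Internet
DB_PORTS = {5432, 3306}   # PostgreSQL / MySQL must never be reachable from the Internet

def _sources(perm: Dict) -> Set[str]:
    """All CIDR and security-group sources of one inbound permission."""
    src = {r["CidrIp"] for r in perm.get("IpRanges", [])}
    src |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
    return src | {p["GroupId"] for p in perm.get("UserIdGroupPairs", [])}

def audit_security_groups(groups: List[Dict], tiers: Dict[str, Set[str]]) -> List[str]:
    """One finding per rule that breaks the article's guidance. `tiers` maps a group id
    to the only source groups it may accept from (app tier <- ALB group, DB tier <- app group)."""
    findings = []
    for sg in groups:
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):
            # IpProtocol "-1" (all traffic) carries no ports: treat it as 0-65535.
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            src = _sources(perm)
            public = bool(src & INTERNET)
            if public and any(lo <= p <= hi for p in ADMIN_PORTS):
                findings.append(f"{gid}: SSH ({lo}-{hi}) open to the Internet")
            if public and any(lo <= p <= hi for p in DB_PORTS):
                findings.append(f"{gid}: database port ({lo}-{hi}) open to the Internet")
            # Tiered group: any source outside its allowed groups is a finding. Groups not in
            # `tiers` (the public ALB) are skipped by subtracting their own sources.
            for s in sorted(src - tiers.get(gid, src)):
                findings.append(f"{gid}: port {lo}-{hi} also accepts {s}")
    return findings

# Constructed sample: ALB public on 80/443; app on 8080 from the ALB group but with
# SSH open to the world; DB on 5432 from the app group AND (wrongly) from the Internet.
SAMPLE_GROUPS = [
    {"GroupId": "sg-alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "UserIdGroupPairs": [{"GroupId": "sg-alb"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "UserIdGroupPairs": [{"GroupId": "sg-app"}], "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
TIERS = {"sg-app": {"sg-alb"}, "sg-db": {"sg-app"}}
```

`audit_security_groups(SAMPLE_GROUPS, TIERS)` returns four findings for the sample: the open SSH port and the public database port, each reported once as a public exposure and once as a source the tier should not accept.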


Missing HTTPS

Always use port 443 (HTTPS).

Never expose production APIs over HTTP.


Missing Rate Limiting

Enable WAF rate limiting.

Prevent brute-force attacks.


Production Architecture

flowchart TD
  Internet --> Route53
  Route53 --> CloudFront
  CloudFront --> Shield
  Shield --> WAF
  WAF --> ALB

  ALB --> SpringBootAZ1
  ALB --> SpringBootAZ2

  SpringBootAZ1 --> Redis
  SpringBootAZ2 --> Redis

  SpringBootAZ1 --> Aurora
  SpringBootAZ2 --> Aurora

  SpringBootAZ1 --> SecretsManager
  SpringBootAZ2 --> SecretsManager

  SpringBootAZ1 --> CloudWatch
  SpringBootAZ2 --> CloudWatch

  SpringBootAZ1 --> CloudTrail
  SpringBootAZ2 --> CloudTrail

Best Practices

  • Place ALB behind AWS WAF
  • Enable AWS Shield Standard
  • Use Shield Advanced for mission-critical applications
  • Never expose databases publicly
  • Restrict Security Groups to minimum required ports
  • Use private subnets for backend services
  • Enable WAF Managed Rule Groups
  • Configure rate-based rules
  • Block malicious IP addresses
  • Enable CloudWatch alarms
  • Enable CloudTrail logging
  • Use HTTPS everywhere
  • Protect APIs with JWT authentication
  • Encrypt sensitive data using AWS KMS
  • Store credentials in AWS Secrets Manager

Developer Checklist

Before production deployment:

  • Security Groups configured
  • Network ACL reviewed
  • AWS WAF enabled
  • Web ACL attached
  • Managed Rules enabled
  • Rate limiting configured
  • AWS Shield Standard enabled
  • HTTPS enabled
  • JWT authentication implemented
  • CloudWatch monitoring enabled
  • CloudTrail logging enabled
  • Secrets Manager configured
  • KMS encryption enabled

Interview Questions

What is AWS WAF?

AWS WAF is a Layer 7 Web Application Firewall that protects web applications from common web exploits such as SQL Injection, XSS, bots, and malicious HTTP traffic.


What is AWS Shield?

AWS Shield is a managed DDoS protection service that safeguards AWS resources against network and transport layer attacks.


Difference between Shield Standard and Shield Advanced?

Shield Standard            | Shield Advanced
---------------------------|-------------------------------------------------------------
Free                       | Paid
Automatic DDoS protection  | Enhanced protection and response
Basic monitoring           | Advanced analytics and 24×7 DDoS Response Team
Covers common attacks      | Includes cost protection and additional mitigation features

Difference between Security Group and AWS WAF?

Security Group                | AWS WAF
------------------------------|------------------------------------------------
Network firewall              | Web Application Firewall
Layer 3/4                     | Layer 7
Controls ports and protocols  | Filters HTTP/HTTPS requests
Attached to AWS resources     | Attached to CloudFront, ALB, API Gateway, etc.

Can AWS WAF replace Spring Security?

No.

AWS WAF protects against malicious web traffic before requests reach the application, while Spring Security handles authentication, authorization, session management, and application-level security. They complement each other.


What is the recommended security architecture for Spring Boot on AWS?

Internet → Route 53 → CloudFront → AWS Shield → AWS WAF → Application Load Balancer → Spring Boot → Private Databases, with IAM Roles, Secrets Manager, KMS, CloudWatch, and CloudTrail providing additional security layers.


Summary

In this article, we explored how to secure Spring Boot applications using AWS WAF, AWS Shield, and Security Groups.

We covered:

  • Security Groups
  • Network ACLs
  • AWS WAF
  • Web ACLs
  • Managed Rules
  • SQL Injection protection
  • XSS protection
  • Rate limiting
  • Bot protection
  • AWS Shield
  • DDoS protection
  • Production security architecture
  • Monitoring
  • Best practices

Building secure Spring Boot applications requires multiple layers of protection. By combining Security Groups, AWS WAF, AWS Shield, IAM, KMS, Secrets Manager, and Spring Security, you can significantly reduce the attack surface and create enterprise-grade cloud applications that are resilient against modern security threats.

