What AWS capability should be used to protect against common web-based exploits?

Using AWS WAF (Web Application Firewall) is specifically designed to protect web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF allows you to create custom rules to filter and monitor HTTP and HTTPS requests based on specific criteria, such as the request IP address, HTTP headers, or query string parameters. This enables you to block attacks like SQL injection or cross-site scripting, which are common in web applications.

In addition to its proactive rule-creation capabilities, AWS WAF also provides managed rule sets, which include pre-configured rules that address common threats. This makes it a powerful tool for web application protection, as it combines flexibility with ease of use. By applying it directly to your web applications, you can enhance their security posture effectively.

While other options like AWS Shield and AWS GuardDuty serve protective roles within the AWS ecosystem, they focus on different aspects of security. AWS Shield offers DDoS protection, and AWS GuardDuty provides threat detection by monitoring for malicious or unauthorized behavior. However, they do not specifically target web application vulnerabilities in the way that AWS WAF does. AWS Firewall Manager helps manage firewall rules across multiple accounts but does not directly provide the same level of targeted application-level protections