Modern Cloud Security & DevSecOps

Name: Modern Cloud Security & DevSecOps
Rating: 4.5 (2 reviews)

AWS WAF, CloudFront, Lambda@Edge, and Terraform for Multi-Layered AI Bot Defense and Traffic Control

Role Play

Hot & New

Created byStarweaver Experts, Sergii Demianchuk

Last updated 4/2026

English

What you'll learn

Analyze the AI bot threat landscape and set up a local Flask application with Terraform tooling.
Deploy production AWS infrastructure with Terraform: VPC, ALB, CloudFront, WAF, and EC2 auto scaling groups.
Implement intelligent traffic routing, cache separation, and degraded content with CloudFront and Lambda@Edge.
Configure advanced WAF protections, analyze logs with Athena, and enforce a data-driven strategic bot policy.

Course content

13 sections • 65 lectures • 3h 51m total length

Welcome to the Course: Course Overview4:26
The AI Bot Problem: Definition and Strategic Outlook9:55
Introduction to real world bot traffic, key drivers behind the July 2025 surge including AI data demand, Google updates and security gaps, with strategies to manage AI bots on modern infrastructure.
Lab Environment Overview2:13
Walkthrough of the course lab components: Flask app, Terraform modules, and the final AWS architecture with CloudFront and WAF.
Multi-Layered Infrastructure Strategy Components (Part 1)2:14
Covers identification and classification, auto-scaling, caching with CloudFront, and the degraded content strategy, including missing assets solutions.
Multi-Layered Infrastructure Strategy Components (Part 2)3:45
Covers perimeter defenses with WAF, application-layer defenses with Bot Control SDK integration, and the strategic bot policy framework of allow, block, and degrade.

Flask App: Local Environment3:01
Docker Compose setup, running the container, verifying the test page, and reviewing the Dockerfile and Gunicorn entry point.
Flask App: Code Overview1:51
Application routes, templates, the WAF integration URL variable, and how the test HTML page is structured.
Terraform Installation with tfenv3:28
Installing tfenv, managing multiple Terraform versions, switching between versions, and verifying the installation.
AWS Profile and Terraform Configuration2:38
AWS CLI profile setup, exporting environment variables, verifying account identity, and configuring env.tfvars.
Build Docker Image and Push to AWS ECR2:21
Creating the ECR repository, running the build and push scripts, and verifying the image in the AWS Console.
Best Practices for Using the Terraform AWS Provider0:29
Hands-On-Learning: Local Environment Verification and ECR Push0:19
Onboarding a New Team Member: Explaining the Local Dev Environment
Flask Application and Tooling Setup

Running Terraform Scripts: Essential Introduction1:05
Terraform workflow overview, version requirements, and expectations for the infrastructure deployment sections.
Pre-Init and Network Terraform Modules6:13
Creating the S3 state bucket, DynamoDB lock table, VPC, subnets, route tables, internet gateway, and security groups.
Domain Delegation and ACM Terraform Module5:58
Route 53 hosted zone creation, NS record update at the domain registrar, and DNS-validated SSL certificates for ALB and CloudFront.
ALB Terraform Module3:14
Application Load Balancer deployment with HTTP to HTTPS redirect, certificate attachment, S3 access logging, and CloudWatch alarms.
Important Note: Project Name Prefix Differences0:44
Clarifies why the project name prefix for some variables differs in this version of the code. All concepts remain fully applicable.

Flask Application on EC2 Using Auto Scaling Group6:32
Launch template configuration, user data script, IAM role with ECR and CloudWatch permissions, and Auto Scaling group setup.
Add EC2 to AWS ALB as Target Group2:14
Target group creation, health check configuration at the /ping endpoint, and host-header-based listener rules on the ALB.
EC2 in the AWS Console and SSH Login2:36
Instance verification, Auto Scaling group status, key pair setup, SSH configuration, and confirming the Docker container is running.

Amazon CloudFront Base Components1:25
Distributions, behaviors, origins, cache policies, origin request policies, and response header policies explained.
CloudFront and WAF Terraform Module (Part 1: CloudFront)7:51
CloudFront distribution with ALB and S3 origins, multiple cache behaviors, Route 53 DNS alias, and S3 log buckets.
CloudFront and WAF Terraform Module (Part 2: WAF)4:17
WAF web ACL creation, Kinesis Firehose log streaming to S3, IP sets for allow and block lists, and CloudWatch alarms.
CloudFront and WAF: AWS Console Overview and Maintenance Mode6:13
Resource inspection in the console, verifying the test page via CloudFront, and implementing maintenance mode using ALB rules and S3.
Deploy the Security Automations for AWS WAF Solution Using Terraform0:28
Auto-Scaling Surprises5:41
Auto-scaling inertia explained: metric delay, cooldown periods, container startup time, and why scaling cannot respond to two-minute bot spikes.
AWS Fargate and Commercial Practice Example5:46
Real ALB metrics and application logs showing a Petalbot and Ahrefsbot spike, CPU saturation, and auto-scaling inability to mitigate the burst.
Hands-On-Learning: Full AWS Infrastructure Deployment0:19
Infrastructure Design Review: Public vs. Private Subnets
CloudFront, WAF, and Auto-Scaling Realities

How CloudFront Works7:20
Edge locations, regional edge caches, cache policies, cache keys, TTL settings, invalidation, and the difference between CloudFront Functions and Lambda@Edge.
Degraded Content Strategy (Part 1)2:38
Use cases for serving degraded content to bots: cached full content, simplified HTML, and hybrid approaches that balance freshness with cost savings.
Degraded Content Strategy (Part 2)3:49
Concrete AWS implementation: Lambda@Edge architecture for User-Agent inspection, forwarding bot traffic to a secondary CloudFront distribution backed by S3.
Understand Cache Policies for Amazon CloudFront0:27

Routing Bots with Lambda@Edge (Part 1)6:02
Terraform packaging, IAM role, function association, and the Python logic for User-Agent detection and origin swap.
Routing Bots with Lambda@Edge (Part 2)4:58
Deployment, testing with a custom User-Agent, verifying S3 content delivery, and observing cache collision between bot and human responses.
Caching Surprises3:02
Demonstrates how bot and human cache mixing occurs when both share the same cache key, and why this produces incorrect responses for real users.
Tagging Bot Requests with CloudFront Function4:43
JavaScript CloudFront Function that adds an x-bot header, cache policy update to include the new header, and verification of separate cache behavior.
Customize at the Edge with Lambda@Edge0:28

Missing Assets Issue (Part 1)4:15
Explains how cached HTML can reference assets that no longer exist after deployment, and why crawlers behave differently from browsers.
Missing Assets Issue (Part 2)3:40
Reproduces the 404 error in the lab, demonstrates broken page rendering, and explains why per-POP caching makes detection difficult.
CloudFront Origin Shield2:21
Enabling Origin Shield in Terraform, understanding its centralized caching benefit, and proving that it does not fully solve the missing assets problem.
Immutable Asset Deployments3:51
Versioned S3 bucket for CSS and JS files, origin change in CloudFront behaviors, retention policy, and verification that old assets remain available.
Simplified Content with Inline Assets0:50
Creating self-contained HTML with inline CSS and JS for degraded content, eliminating all external asset dependencies.
Degraded Content and Immutable Assets: Key Takeaways1:21
Summary of degraded content routing, cache separation with CloudFront Functions, and immutable asset deployments as the production pattern.
Hands-On-Learning: Implement Degraded Content Routing and Cache Separation0:17
Choosing the Right Degraded Content Strategy
Solving the Missing Assets Problem

What Is WAF and How It Works3:30
WAF as a reverse proxy, AWS managed rules versus custom rules, the ACL structure, COUNT mode, and how rules are evaluated by priority.
WAF Black and White Lists in AI Bots Context5:41
IP sets for allow and block rules, combining IP conditions with User-Agent checks, and security risks of whitelisting.
WAF GEO-Country Rule and Bot Traffic5:46
GEO match rule with country codes, NOT statement for IP whitelist exceptions, and the strategy of blocking risk countries while preserving bot access.
Athena Quick Start: Extracting Real Bot Geo Data from WAF Logs6:45
Athena configuration, S3 results bucket, WAF log table creation with partitioning, and geographic bot distribution queries.

JA4-Based Rate Limiting: Statistical Baseline and First-Stage Filtering (Part 1)3:54
JA4 fingerprint overview, enabling it in CloudFront and WAF, Terraform rule with custom key aggregation, and fallback behavior.
JA4-Based Rate Limiting: Statistical Baseline and First-Stage Filtering (Part 2)5:34
Athena percentile query to calculate thresholds, real traffic pattern analysis, scope-down statements, and production data examples.
Granular Rate Rules: URL-Scoped Throttling in WAF3:15
Per-URI rate limits for API endpoints and category pages using single-match and OR-condition rules in Terraform.

Requirements

AWS account, basic IAM knowledge, and Terraform installed.
Familiarity with Docker and Python (basic Flask) is helpful.

Description

Modern web applications are increasingly exposed to a surge of automated traffic driven by AI crawlers, LLM scrapers, and malicious bots. These automated requests can consume bandwidth, distort analytics, increase infrastructure costs, and degrade application performance. Traditional defense mechanisms are no longer sufficient to handle these evolving threats. This course provides a comprehensive, hands-on approach to building a robust, multi-layered defense system against AI-driven bot traffic using AWS services.

In this course, you will learn how to design and deploy a production-grade infrastructure using Terraform, AWS CloudFront, AWS WAF, Lambda@Edge, and other essential tools. Starting with a simple Flask application, you will progressively build a complete AWS environment, including networking, load balancing, auto-scaling, and edge delivery. You will then enhance this architecture with intelligent traffic routing, bot-aware caching strategies, and degraded content delivery techniques to efficiently manage bot traffic without impacting real users.

The course also emphasizes real-world problem-solving, such as handling sudden bot traffic spikes, preventing cache collisions, and resolving missing asset issues. Additionally, you will analyze traffic data using Amazon Athena to generate actionable insights and implement a strategic bot management policy based on real data.

By the end of this course, you will have the skills to design, deploy, and manage a scalable, secure, and cost-efficient AWS-based system that effectively defends against modern AI bot threats using a data-driven and infrastructure-as-code approach.

Who this course is for:

DevOps Engineers and SREs who manage production infrastructure and need to defend against automated traffic that spikes costs and degrades performance.
Cloud Architects and Security Engineers responsible for designing resilient, secure delivery pipelines on AWS and enforcing bot mitigation policies at the edge.
Software Engineers who own web application or API performance and want to understand how AI crawlers impact their systems and how to protect them using infrastructure as code.
CTOs and Tech Leads at startups or scale-ups who need a cost-effective, reproducible defense methodology that can be deployed quickly without relying on expensive third-party bot management vendors.

Modern Cloud Security & DevSecOps

What you'll learn

Explore related topics

Course content

The New Bot Economy and Defense Strategy5 lectures • 23min

Flask Application and Tooling Setup8 lectures • 14min

Core Infrastructure with Terraform5 lectures • 17min

Deploying the Flask Application on EC23 lectures • 11min

CloudFront, WAF, and Auto-Scaling Realities9 lectures • 32min

CloudFront Caching and Degraded Content4 lectures • 14min

Lambda@Edge and Cache Separation5 lectures • 19min

Solving the Missing Assets Problem8 lectures • 17min

WAF Fundamentals and Basic Controls4 lectures • 22min

Advanced Rate Limiting with JA4 and URL Scope3 lectures • 13min

Requirements

Description

Who this course is for: