Which AWS service or feature offers HTTP attack protection to users running public-facing web applications?

Explanations:

Security groups are virtual firewalls that control inbound and outbound traffic to AWS resources but do not specifically provide HTTP attack protection. They operate at the instance level and are not designed to handle application layer attacks.

Network ACLs (Access Control Lists) are used to control traffic at the subnet level in a VPC. While they can restrict traffic, they do not offer specific protection against HTTP attacks, such as SQL injection or cross-site scripting, which are common in web applications.

AWS WAF (Web Application Firewall) is specifically designed to protect web applications from common web exploits that could compromise security, such as SQL injection and cross-site scripting. It allows users to create rules that can block, allow, or monitor web requests based on customizable conditions.

AWS Shield Standard provides DDoS protection for AWS services but does not specifically focus on HTTP attack protection. It automatically protects against the most common DDoS attacks but does not include the advanced features for application-level protection that AWS WAF offers.