
Shield

1. What is AWS Shield?

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards web applications running on AWS. It provides detection and mitigation against large-scale, sophisticated DDoS attacks, helping maintain application availability and performance.

AWS Shield protects your resources such as:

  • Amazon CloudFront

  • Elastic Load Balancing (ELB)

  • Amazon Route 53

  • Global Accelerator

  • Amazon API Gateway


2. AWS Shield Tiers

AWS Shield Standard (Free)

  • Automatic protection against most common, volumetric DDoS attacks.

  • Included at no extra cost for all AWS customers.

  • Protects CloudFront, ELB, Route 53, and Global Accelerator.

AWS Shield Advanced (Paid)

  • Enhanced DDoS protection with near real-time detection and mitigation.

  • Access to the DDoS Response Team (DRT) 24/7.

  • Detailed attack diagnostics and metrics.

  • Cost protection: DDoS-related scaling and mitigation charges are covered.

  • Integration with AWS WAF for combined protection.

  • Protection for Elastic IP addresses and other resources outside the scope of Shield Standard.

  • Advanced mitigation against sophisticated attacks, including application-layer attacks.


3. Key Features

Feature | Description
Automatic Attack Detection | Immediate detection of common network and transport attacks.
DDoS Mitigation | Mitigates large volumetric attacks automatically.
DDoS Response Team (DRT) Access | 24/7 access to AWS security experts (Shield Advanced).
Real-time Visibility & Metrics | Detailed attack diagnostics and alerts.
Cost Protection | Financial protection against scaling charges during attacks (Advanced).
Integration with AWS WAF | Layered application and network layer protection.
Global Threat Environment Dashboard | Updates on emerging threats and trends (Advanced).

4. How AWS Shield Works

  • AWS Shield monitors traffic to your AWS resources.

  • When it detects anomalies resembling DDoS activity, it automatically triggers mitigation strategies.

  • For Shield Standard, mitigation happens without user intervention.

  • For Shield Advanced, you get detailed reports and alerts and can engage the DDoS Response Team.

  • Shield Advanced also supports custom mitigation controls and integrates with AWS Firewall Manager.


5. Use Cases

  • Protect websites and APIs against volumetric DDoS attacks.

  • Secure critical infrastructure like DNS (Route 53) from reflection and amplification attacks.

  • Safeguard against complex DDoS attacks targeting network, transport, and application layers.

  • Enable automatic incident response with expert assistance during large attacks.

  • Maintain uptime and performance for globally distributed applications.


6. Pricing

Tier | Cost | Description
Shield Standard | Free | Included with AWS services protection.
Shield Advanced | Base monthly fee (currently $3,000/month) plus usage fees | Usage fees are based on data transfer and protected resources.

For detailed and updated pricing, see AWS Shield Pricing.


7. How to Use AWS Shield

For Shield Standard

  • No setup needed; protection is automatic for supported services (CloudFront, ELB, Route 53, Global Accelerator).

For Shield Advanced

  1. Subscribe to Shield Advanced
    • In the AWS Console, go to AWS Shield → Subscribe to Shield Advanced.

  2. Add Resources to Protect
    • Select the resources to protect, such as CloudFront distributions, Elastic IPs, and ALBs.

  3. Configure Alerts and Notifications
    • Use Amazon CloudWatch alarms and SNS for real-time alerts.

  4. Engage the DDoS Response Team (DRT)
    • If under attack, open a support case for help.

  5. Integrate with AWS WAF
    • Use WAF rules to block or allow traffic during and after attacks.
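The steps above, automated for a single resource. This is an added example, not code from the page or from AWS. The boto3 calls `create_protection` and `put_metric_alarm`, the CloudWatch namespace `AWS/DDoSProtection` and the metric `DDoSDetected` are real; the ARN patterns, the alarm period and threshold, the rate limit of 2000 requests and every ARN value are the example's own assumptions. It goes a little beyond the page by checking which resource types Shield Advanced can protect directly (an NLB, for instance, is protected through its Elastic IP) and by building the WAF rate-based rule that step 5 would add to the web ACL in front of the resource. The AWS clients are passed in, so the flow can be dry-run offline with `RecordingClient` before it is pointed at a real account.

```python
"""Added example: Shield Advanced onboarding for one resource. Creates the
protection, a CloudWatch alarm on the Shield DDoSDetected metric that notifies
an SNS topic, and a WAF rate-based rule for the fronting web ACL. All ARNs are
constructed placeholders; alarm and rate-limit values are assumptions."""
import re

# Resource types a Shield Advanced protection can be created for; assumed to be
# the set named on the page (CloudFront, ELB/ALB, Route 53, Global Accelerator, EIP).
PROTECTABLE_ARN = re.compile(
    r"^arn:aws:("
    r"cloudfront::\d{12}:distribution/[A-Z0-9]+"
    r"|route53:::hostedzone/[A-Z0-9]+"
    r"|elasticloadbalancing:[a-z0-9-]+:\d{12}:loadbalancer/(app/)?[^/]+(/[a-f0-9]+)?"
    r"|ec2:[a-z0-9-]+:\d{12}:eip-allocation/eipalloc-[a-f0-9]+"
    r"|globalaccelerator::\d{12}:accelerator/[a-f0-9-]+"
    r")$"
)


def is_protectable(arn: str) -> bool:
    """True if Shield Advanced can protect the ARN directly (NLBs are not in the
    list: they are protected through their Elastic IPs)."""
    return PROTECTABLE_ARN.match(arn) is not None


def build_ddos_alarm(resource_arn: str, sns_topic_arn: str, name: str) -> dict:
    """put_metric_alarm parameters for DDoSDetected (namespace AWS/DDoSProtection,
    dimension ResourceArn). The metric is 1 while Shield mitigates an attack on
    the resource, so one 60-second period at or above 1 alarms (assumed values)."""
    return {
        "AlarmName": f"shield-ddos-detected-{name}",
        "Namespace": "AWS/DDoSProtection",
        "MetricName": "DDoSDetected",
        "Dimensions": [{"Name": "ResourceArn", "Value": resource_arn}],
        "Statistic": "Sum",
        "Period": 60,
        "EvaluationPeriods": 1,
        "Threshold": 1,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "TreatMissingData": "notBreaching",  # the metric is absent outside attacks
        "AlarmActions": [sns_topic_arn],
    }


def build_rate_limit_rule(name: str, limit: int = 2000, priority: int = 0) -> dict:
    """WAFv2 rate-based rule for a web ACL's Rules list: block any source IP that
    exceeds `limit` requests in WAF's 5-minute window. The limit is an assumed
    starting point; tune it to the resource's normal per-client request rate."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def onboard(shield, cloudwatch, resource_arn: str, sns_topic_arn: str, name: str) -> str:
    """Steps 2 and 3: create the protection and its alarm; returns the ProtectionId.
    Step 1 (shield.create_subscription()) is account-wide and done once, so it is
    not repeated per resource."""
    if not is_protectable(resource_arn):
        raise ValueError(f"Shield Advanced cannot protect this resource directly: {resource_arn}")
    protection = shield.create_protection(Name=name, ResourceArn=resource_arn)
    cloudwatch.put_metric_alarm(**build_ddos_alarm(resource_arn, sns_topic_arn, name))
    return protection["ProtectionId"]


class RecordingClient:
    """Offline stand-in for a boto3 client: records each call instead of sending it."""

    def __init__(self):
        self.calls = []

    def create_protection(self, **kwargs):
        self.calls.append(("create_protection", kwargs))
        return {"ProtectionId": "dry-run"}

    def put_metric_alarm(self, **kwargs):
        self.calls.append(("put_metric_alarm", kwargs))
        return {}


if __name__ == "__main__":
    # Constructed placeholder ARNs; replace them before a live run.
    DIST_ARN = "arn:aws:cloudfront::123456789012:distribution/E1A2B3C4D5E6F7"
    TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:ddos-alerts"
    dry = RecordingClient()
    print("protection:", onboard(dry, dry, DIST_ARN, TOPIC_ARN, "edge-dist"))
    for call, kwargs in dry.calls:
        print(call, sorted(kwargs))
    # Live run: the Shield API and the CloudFront DDoS metrics are in us-east-1.
    #   import boto3
    #   onboard(boto3.client("shield", region_name="us-east-1"),
    #           boto3.client("cloudwatch", region_name="us-east-1"),
    #           DIST_ARN, TOPIC_ARN, "edge-dist")
```

Keeping the request builders separate from the calls means the same dictionaries can be diffed against what `shield.list_protections()` and `cloudwatch.describe_alarms()` return later, which is a cheap way to implement the "regularly review your resource protection coverage" practice from the Best Practices section.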

8. Integration with Other AWS Services

Service | Integration Purpose
AWS WAF | Protect applications at network and application layers.
Amazon CloudFront | Protect CDN content at edge locations globally.
Elastic Load Balancer | Protect load balanced applications.
Amazon Route 53 | Protect DNS from DNS query floods.
AWS Firewall Manager | Centralized security policy management including Shield Advanced and WAF.
Amazon CloudWatch | Monitor Shield metrics and trigger alerts.

9. Best Practices

  • Use Shield Standard by default as it is free and provides basic protection.

  • Subscribe to Shield Advanced for critical workloads requiring higher-level protection.

  • Combine AWS Shield with AWS WAF for comprehensive layer 3-7 protection.

  • Enable CloudWatch monitoring and create alerts for early detection.

  • Regularly review your resource protection coverage.

  • Have a runbook for incident response with the DDoS Response Team.

  • Use Firewall Manager to manage Shield and WAF across multiple accounts in an organization.


10. FAQs

Q: Does AWS Shield protect against all types of DDoS attacks?
A: AWS Shield Standard protects against most common network/transport layer DDoS attacks. Shield Advanced adds protections for complex attacks and provides expert support.

Q: Is AWS Shield Standard free?
A: Yes, it is included at no additional cost for AWS customers.

Q: Can I use AWS Shield for non-AWS resources?
A: No, AWS Shield protects only AWS-hosted resources.

Q: How quickly does Shield respond to attacks?
A: Shield Standard mitigates automatically and near-instantly. Shield Advanced provides faster mitigation and expert intervention.

Q: What kind of notifications can I receive during an attack?
A: You can configure Amazon CloudWatch alarms and SNS notifications for attack alerts.