AWS Shield Documentation

AWS Shield is a managed distributed denial of service (DDoS) protection service that is designed to safeguard applications running on AWS. It provides dynamic detection and automatic inline mitigations that minimize application downtime and latency. There are two tiers of AWS Shield: Standard and Advanced.

AWS Shield Standard

AWS Shield Standard defends against common, frequently occurring network and transport layer DDoS attacks that target your website or applications. When you use AWS Shield Standard with Amazon CloudFront and Amazon Route 53, you receive availability protection against infrastructure (Layer 3 and 4) attacks.

Static threshold DDoS protection for underlying AWS services

AWS Shield Standard provides network flow monitoring that inspects incoming traffic to AWS services and applies a combination of traffic signatures, anomaly algorithms, and other analysis techniques to help detect malicious traffic. Shield Standard sets static thresholds for each AWS resource type but does not provide any custom protections to AWS customers’ applications.

Inline attack mitigation

Mitigation techniques are built into AWS Shield Standard, helping to protect underlying AWS services against common, frequently occurring infrastructure attacks. Mitigations are applied inline to help protect AWS services.

AWS Shield Advanced

AWS Shield Advanced provides higher levels of protection against attacks targeting your applications running on Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53 resources. In addition to the network and transport layer protections that come with Standard, Shield Advanced provides additional detection and mitigation against large and sophisticated DDoS attacks, visibility into attacks, and integration with AWS WAF, a web application firewall. Shield Advanced also gives you 24/7 access to the AWS Shield Response Team (SRT) and protection against DDoS-related spikes in your EC2, ELB, CloudFront, Global Accelerator, and Route 53 charges.

Tailored detection based on application traffic patterns

AWS Shield Advanced provides customized detection based on traffic patterns to your protected Elastic IP address, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator or Amazon Route 53 resources. Using additional region- and resource-specific monitoring techniques, AWS Shield Advanced helps detect and alert you of smaller DDoS attacks. AWS Shield Advanced also helps detect application layer attacks like HTTP floods or DNS query floods by baselining traffic on your application and identifying anomalies.

Health-based detection

AWS Shield Advanced uses the health of your applications to improve responsiveness and accuracy in attack detection and mitigation. You can define a health check in Amazon Route 53 and then associate it with a resource that is protected by Shield Advanced through the console or API. You can apply health-based detection to all resource types that Shield Advanced supports: Elastic IP, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, or Amazon Route 53.

Advanced attack mitigation

AWS Shield Advanced provides mitigations for attacks targeting your applications running on protected Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53 resources. AWS Shield Advanced deploys additional mitigation capacity to protect your application against DDoS attacks. For customers with Business or Enterprise support, the AWS Shield Response Team (SRT) also applies manual mitigations for more complex and sophisticated DDoS attacks that might be unique to your application. For application layer attacks, you can use AWS WAF on AWS Shield Advanced protected resources to set up proactive rules, such as rate-based blocking of web requests from attacking source IP addresses, or to respond to incidents as they happen. You can also engage the SRT to place custom AWS WAF rules on your behalf in response to an application layer DDoS attack. The SRT will diagnose the attack and, with your permission, can apply mitigations on your behalf.

Proactive event response

AWS Shield Advanced is designed to automatically protect web applications by mitigating application layer (L7) DDoS events without manual intervention by you or the SRT. Shield Advanced can create WAF rules in your WebACLs to automatically mitigate an attack, or you can activate them in count-only mode.
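The rate-based blocking described under "Advanced attack mitigation" and the count-only mode mentioned above are easier to reason about with a small offline simulation. The following is an added example, not AWS or AWS WAF code: it counts requests per source IP over a sliding window and applies either a BLOCK or a COUNT action once a source exceeds the limit. The log lines are constructed (documentation IP ranges), and the limit, window length and "more than `limit` requests trips the rule" semantics are illustrative assumptions, not the exact evaluation interval AWS WAF uses.

```python
"""Simulate a WAF-style rate-based rule over a constructed access log.

Added example (not AWS code). Assumptions: a 300-second sliding window, a
limit of 5 requests per source IP, and the rule matching once a source has
sent MORE than `limit` requests inside the window.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log: "<ISO-8601 UTC timestamp> <source ip> <method> <path>".
# 203.0.113.7 is a login flood; 198.51.100.4 is ordinary browsing.
SAMPLE_LOG = """\
2024-05-01T12:00:00Z 198.51.100.4 GET /
2024-05-01T12:00:05Z 203.0.113.7 GET /login
2024-05-01T12:00:06Z 203.0.113.7 POST /login
2024-05-01T12:00:07Z 203.0.113.7 POST /login
2024-05-01T12:00:08Z 203.0.113.7 POST /login
2024-05-01T12:00:09Z 203.0.113.7 POST /login
2024-05-01T12:00:10Z 198.51.100.4 GET /products
2024-05-01T12:00:11Z 203.0.113.7 POST /login
2024-05-01T12:00:12Z 203.0.113.7 POST /login
2024-05-01T12:00:13Z 203.0.113.7 POST /login
2024-05-01T12:01:00Z 198.51.100.4 GET /cart
2024-05-01T12:07:00Z 203.0.113.7 GET /
"""


def parse_log(text):
    """Yield (timestamp, source_ip, method, path) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, path = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield when, ip, method, path


class RateBasedRule:
    """Per-source-IP sliding-window counter with a configurable action."""

    def __init__(self, limit, window_seconds=300, action="BLOCK"):
        if action not in ("BLOCK", "COUNT"):
            raise ValueError("action must be BLOCK or COUNT")
        self.limit = limit
        self.window = window_seconds
        self.action = action
        self.recent = defaultdict(deque)  # ip -> timestamps inside the window

    def evaluate(self, when, ip):
        """Record one request and return ALLOW, or the rule's action if tripped."""
        q = self.recent[ip]
        q.append(when)
        # Drop timestamps that have aged out of the window.
        while q and (when - q[0]).total_seconds() > self.window:
            q.popleft()
        if len(q) > self.limit:
            return self.action  # COUNT only tags the request; BLOCK rejects it
        return "ALLOW"


def summarize(log_text, limit=5, window_seconds=300, action="BLOCK"):
    """Replay the log through the rule; return {ip: {decision: count}}."""
    rule = RateBasedRule(limit, window_seconds, action)
    decisions = defaultdict(Counter)
    for when, ip, _method, _path in parse_log(log_text):
        decisions[ip][rule.evaluate(when, ip)] += 1
    return {ip: dict(c) for ip, c in decisions.items()}


if __name__ == "__main__":
    for mode in ("COUNT", "BLOCK"):
        print(mode, summarize(SAMPLE_LOG, action=mode))
```

Running the rule in COUNT mode first, as the text suggests, shows which sources would have been blocked without actually rejecting traffic; the flood source trips the rule on its sixth request within the window, and its request at 12:07:00 is allowed again because the earlier timestamps have aged out.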

AWS Shield Advanced offers proactive engagement from the Shield Response Team (SRT) when a DDoS event is detected. When you enable proactive engagement, the SRT will contact you if an Amazon Route 53 health check associated with your protected resource becomes unhealthy during a DDoS event. You can receive proactive engagement for network layer and transport layer events on Elastic IP addresses and Global Accelerator accelerators and for application layer attacks on CloudFront distributions and Application Load Balancers.

Protection groups

AWS Shield Advanced allows you to bundle resources into protection groups, giving you a self-service way to customize the scope of detection and mitigation for your application by treating multiple resources as a single unit. Reporting can also be consumed at the protection group level.

Visibility and attack notification

AWS Shield Advanced gives you visibility into DDoS attacks with notification via Amazon CloudWatch and diagnostics on the “AWS WAF and AWS Shield” Management Console or APIs. You can also view a summary of prior attacks from the “AWS WAF and AWS Shield” Management Console.

DDoS cost protection

AWS Shield Advanced comes with DDoS cost protection to safeguard against scaling charges resulting from DDoS-related usage spikes on protected EC2, ELB, CloudFront, Global Accelerator, and Route 53 resources. If any of these protected resources scale up in response to a DDoS attack, you can request Shield Advanced service credits through your regular AWS Support channel.

Specialized support

For customers on Business or Enterprise support plans, AWS Shield Advanced gives you 24/7 access to the AWS Shield Response Team (SRT), who can be engaged before, during, or after a DDoS attack. The SRT will help triage the incidents, identify root causes, and apply mitigations on your behalf.

Global availability

AWS Shield Advanced is available globally on all Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53 edge locations. You can protect your web applications by deploying Amazon CloudFront in front of your application. Your origin servers can be Amazon S3, Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), or a custom server outside of AWS. You can also enable protections directly on Elastic IP or Elastic Load Balancing (ELB) instances in all regions where AWS Shield Advanced is available.

Centralized protection management

AWS Shield Advanced customers can use AWS Firewall Manager to apply AWS Shield Advanced and AWS WAF protections across their entire organization. The cost of Firewall Manager is included in the Shield Advanced subscription fee. Using AWS Firewall Manager, you can configure policies covering multiple accounts and resources. Firewall Manager audits accounts to find new or unprotected resources and ensures AWS Shield Advanced and AWS WAF protections are applied. 
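The audit that Firewall Manager performs, finding resources that are eligible for Shield Advanced but not yet protected, can be checked by hand with a short script when you want to verify the policy's effect. The following is an added example, not Firewall Manager or AWS code: it parses a constructed inventory of ARNs, maps each to the Shield Advanced resource types named on this page, and reports which ones have no protection recorded. The ARNs and the protection list are constructed sample values; in practice the inventory would come from the relevant resource APIs and the protection list from the Shield `ListProtections` API. The eligibility map is an assumption derived from the resource types this page lists.

```python
"""Report Shield Advanced-eligible resources that have no protection.

Added example (not AWS code). Inventory, protections and ARNs are constructed.
"""
import re

# Assumption: (ARN service, resource-type segment) -> Shield Advanced resource
# type, taken from the resource types the page lists. EC2 instances are not
# protected directly; they are covered through an Elastic IP or an ELB.
ELIGIBLE = {
    ("cloudfront", "distribution"): "CloudFront distribution",
    ("elasticloadbalancing", "loadbalancer"): "Elastic Load Balancing",
    ("ec2", "eip-allocation"): "Elastic IP",
    ("globalaccelerator", "accelerator"): "Global Accelerator",
    ("route53", "hostedzone"): "Route 53 hosted zone",
}

# Constructed inventory spanning two accounts (sample ids, not real resources).
INVENTORY = [
    "arn:aws:cloudfront::111111111111:distribution/EDFDVBD6EXAMPLE",
    "arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/app/web-alb/50dc6c495c0c9188",
    "arn:aws:ec2:eu-west-1:222222222222:eip-allocation/eipalloc-0123456789abcdef0",
    "arn:aws:globalaccelerator::222222222222:accelerator/1234abcd-abcd-1234-abcd-1234abcdefgh",
    "arn:aws:route53:::hostedzone/Z0EXAMPLE",
    "arn:aws:s3:::static-assets-example",                                # origin only, not protectable
    "arn:aws:ec2:us-east-1:111111111111:instance/i-0123456789abcdef0",   # protect via its EIP / ELB
]

# Constructed protection records in the shape the Shield API returns
# (Name and ResourceArn fields); only two resources are protected.
PROTECTIONS = [
    {"Name": "cdn", "ResourceArn": INVENTORY[0]},
    {"Name": "web-alb", "ResourceArn": INVENTORY[1]},
]


def parse_arn(arn):
    """Split an ARN into its fields; resource type is the segment before '/' or ':'."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account, resource = parts
    pieces = re.split(r"[/:]", resource, maxsplit=1)
    rtype = pieces[0]
    rid = pieces[1] if len(pieces) > 1 else ""
    return {
        "partition": partition, "service": service, "region": region,
        "account": account, "type": rtype, "id": rid,
    }


def audit(inventory, protections):
    """Classify each ARN as protected, unprotected (but eligible) or not eligible."""
    protected_arns = {p["ResourceArn"] for p in protections}
    report = {"protected": [], "unprotected": [], "not_eligible": []}
    for arn in inventory:
        fields = parse_arn(arn)
        shield_type = ELIGIBLE.get((fields["service"], fields["type"]))
        if shield_type is None:
            report["not_eligible"].append(arn)
        elif arn in protected_arns:
            report["protected"].append(arn)
        else:
            report["unprotected"].append(
                {"arn": arn, "account": fields["account"], "type": shield_type}
            )
    return report


if __name__ == "__main__":
    result = audit(INVENTORY, PROTECTIONS)
    for gap in result["unprotected"]:
        print(f"UNPROTECTED account={gap['account'] or '(global)'} "
              f"type={gap['type']} arn={gap['arn']}")
    print(f"{len(result['protected'])} protected, "
          f"{len(result['not_eligible'])} not eligible for Shield Advanced")
```

Resources that land in the `unprotected` list are the ones a Firewall Manager Shield Advanced policy would pick up and protect; the `not_eligible` list is a reminder that an S3 origin or a bare EC2 instance is shielded through the CloudFront distribution, Elastic IP, or load balancer in front of it rather than directly.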

Additional Information

For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.aws.amazon.com/index.html. This additional information does not form part of the Documentation for purposes of the AWS Customer Agreement available at http://aws.amazon.com/agreement, or other agreement between you and AWS governing your use of AWS’s services.