AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards web applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. There are two tiers of AWS Shield - Standard and Advanced.
All AWS customers benefit from the automatic protections of AWS Shield Standard, at no additional charge. AWS Shield Standard defends against most common, frequently occurring network and transport layer DDoS attacks that target your web site or applications.
For higher levels of protection against attacks targeting your web applications running on Elastic Load Balancing (ELB), Amazon CloudFront, and Amazon Route 53 resources, you can subscribe to AWS Shield Advanced. In addition to the common network and transport layer protections that come with Standard, AWS Shield Advanced provides additional detection and mitigation against large and sophisticated DDoS attacks, near real-time visibility into attacks, and integration with AWS WAF, a web application firewall. AWS Shield Advanced also gives you access to the AWS DDoS Response Team (DRT) and protection against DDoS related spikes in your ELB, CloudFront or Route 53 charges.
AWS Shield Advanced is available globally on all Amazon CloudFront and Amazon Route 53 edge locations. You can protect your web applications hosted anywhere in the world by deploying Amazon CloudFront in front of your application. Your origin servers can be Amazon S3, Amazon EC2, Elastic Load Balancing, or a custom server outside of AWS. You can also enable AWS Shield Advanced directly on Elastic Load Balancing in the following AWS Regions - Northern Virginia, Oregon, Ireland, and Tokyo.
With AWS Shield Standard your AWS resources are automatically protected from common, most frequently occurring network and transport layer DDoS attacks. You can achieve a higher level of defense by simply enabling AWS Shield Advanced protection for Elastic Load Balancing (ELB), Amazon CloudFront or Amazon Route 53 resources you want to protect using the management console or APIs.
With AWS Shield Advanced, you have the flexibility to write customized rules to mitigate sophisticated application layer attacks. These customizable rules can be deployed instantly, allowing you to quickly mitigate attacks. You can set up proactive rules to automatically block bad traffic, or respond to incidents as they occur. You can also engage the 24X7 AWS DDoS Response Team (DRT), who can write rules on your behalf to mitigate application layer DDoS attacks.
As an AWS customer, you automatically get network layer protection against some of the most common DDoS attacks with AWS Shield Standard. This protection does not require additional cost, resources, or time to initiate. With AWS Shield Advanced, you get "DDoS cost protection", a feature that protects your AWS bill from Elastic Load Balancing (ELB), Amazon CloudFront and Amazon Route 53 usage spikes as a result of a DDoS attack.
AWS Shield Standard provides always-on network flow monitoring which inspects incoming traffic to AWS and uses a combination of traffic signatures, anomaly algorithms and other analysis techniques to detect malicious traffic in real-time.
Inline Attack Mitigation
Automated mitigation techniques are built-into AWS Shield Standard, giving you protection against common, most frequently occurring infrastructure (Layer 3 and 4) attacks. Automatic mitigations are applied inline to your applications so there is no latency impact. Always-on detection and inline mitigation minimize application downtime and you don’t need to engage AWS Support to receive DDoS protection. AWS Shield Standard uses several techniques like deterministic packet filtering, and priority based traffic shaping to automatically mitigate attacks without impact to your applications. You can also mitigate application layer DDoS attacks by writing rules using AWS WAF. With AWS WAF you only pay for what you use.
AWS Shield Advanced provides enhanced detection, inspecting network flows and also monitoring application layer traffic to your Elastic Load Balancing (ELB), Amazon CloudFront, or Amazon Route 53 resources. Using additional techniques like resource specific monitoring, AWS Shield Advanced provides granular detection of DDoS attacks. AWS Shield Advanced detects application layer DDoS attacks like HTTP floods or DNS query floods by baselining traffic on your resource and identifying anomalies.
Advanced Attack Mitigation
In addition to the benefits of AWS Shield Standard, AWS Shield Advanced provides you with more sophisticated automatic mitigations. The AWS DDoS Response Team (DRT) also applies manual mitigations for more complex and sophisticated DDoS attacks. Using advanced routing techniques, AWS Shield Advanced automatically provides additional mitigation capacity to protect against large DDoS attacks. For application layer attacks, you can use AWS WAF to respond to incidents. With AWS WAF you can set up proactive rules like Rate Based Blacklisting to automatically block bad traffic, or respond immediately to incidents as they happen. There is no additional charge for using AWS WAF for application layer protection. You can also engage with the DRT on a per-incident or prior authorization basis. The DRT will diagnose the attack and, with your permission, apply mitigations on your behalf.
Visibility and Attack Notification
AWS Shield Advanced gives you complete visibility into DDoS attacks with near real-time notification via Amazon CloudWatch. Working with the DDoS Response Team (DRT) you can access post-event analysis and investigation. You can also view a summary of prior attacks from the “AWS WAF and AWS Shield” Management Console.
With AWS Shield Advanced you have access to a 24X7 DDoS Response Team (DRT), who can be engaged before, during, or after a DDoS attack. The DRT will help triage the incidents, identify root causes, and apply mitigations on your behalf. You can also engage with the DRT for any post attack analysis.
DDoS Cost Protection
AWS Shield Advanced comes with “DDoS cost protection”, a safeguard from scaling charges as a result of a DDoS attack that cause usage spikes on Elastic Load Balancing (ELB), Amazon CloudFront or Amazon Route 53. If any of these services scale up in response to a DDoS attack, AWS will provide service credits for charges due to usage spikes. For more details on how to request service credits, please go to AWS WAF and AWS Shield Advanced Documentation.
Your web applications running on AWS are already protected by AWS Shield Standard. To enable AWS Shield Advanced go to the “AWS WAF and AWS Shield” Management console and select the resources for which you want to enable Advanced protection.