AWS Shield is a managed service that provides protection against DDoS attacks for web applications running on AWS. AWS Shield Standard is available to all AWS customers at no additional cost. AWS Shield Advanced is an optional paid service available to AWS Business Support and AWS Enterprise Support customers. AWS Shield Advanced provides additional protections against larger and more sophisticated attacks for your applications running on Elastic Load Balancing (ELB), Amazon CloudFront and Route 53.
Q. What is AWS Shield Standard?
AWS Shield Standard provides protection for all AWS customers against common and most frequently occurring Infrastructure (layer 3 and 4) attacks like SYN/UDP Floods, Reflection attacks, and others to support high availability of your applications on AWS.
Q. What is AWS Shield Advanced?
AWS Shield Advanced provides enhanced protections for your applications running on Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront and Route 53 against larger and more sophisticated attacks. AWS Shield Advanced is available to AWS Business Support and AWS Enterprise Support customers. AWS Shield Advanced protection provides always-on, flow-based monitoring of network traffic and active application monitoring to provide near real-time notifications of DDoS attacks. AWS Shield Advanced also gives customers highly flexible controls over attack mitigations to take actions instantly. Customers can also engage the DDoS Response Team (DRT) 24X7 to manage and mitigate their application layer DDoS attacks. The DDoS cost protection feature of AWS Shield Advanced protects your AWS bill against higher fees due to Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront and Amazon Route 53 usage spikes during a DDoS attack.
Q. What is DDoS cost protection?
AWS Shield Advanced includes DDoS cost protection, a safeguard from scaling charges as a result of a DDoS attack that causes usage spikes on Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront or Amazon Route 53. If any of these services scale up in response to a DDoS attack, you can request credits via the regular AWS Support channel.
Q. Can I use AWS Shield to protect web sites not hosted in AWS?
Yes, AWS Shield is integrated with Amazon CloudFront, which supports custom origins outside of AWS.
Q. Can I use IPv6 with all AWS Shield features?
Yes. All of AWS Shield’s detection and mitigations work with IPv6 and IPv4 without any discernible changes to performance, scalability or availability of the service.
Q. Are there any prerequisites to activate AWS Shield Advanced?
Yes. The AWS Account you want to subscribe for AWS Shield Advanced must have AWS Business Support or AWS Enterprise Support. See AWS Support website for more details on support plans.
Q. How can I test AWS Shield?
AWS Acceptable Use Policy describes permitted and prohibited behavior on AWS and includes descriptions of prohibited security violations and network abuse. However, because penetration testing and other simulated events are frequently indistinguishable from these activities, we have established a policy for customers to request permission to conduct penetration tests and vulnerability scans to or originating from the AWS environment. Visit our Penetration testing page to request permissions.
Q. In which AWS regions is AWS Shield Standard available?
AWS Shield Standard is available on all AWS services in every AWS Region and AWS edge location worldwide.
Please refer to Regional Products and Services for details of AWS Shield Standard availability by region.
Q. In which AWS regions is AWS Shield Advanced available?
AWS Shield Advanced is available globally on all Amazon CloudFront and Amazon Route 53 edge locations worldwide. You can protect your web applications hosted anywhere in the world by deploying Amazon CloudFront in front of your application. Your origin servers can be Amazon S3, Amazon EC2, Elastic Load Balancing, or a custom server outside of AWS. You can also enable AWS Shield Advanced directly on Elastic Load Balancing in the following AWS Regions: Northern Virginia, Northern California, Ohio, Oregon, Ireland, Tokyo, Sydney and Frankfurt.
Please refer to Regional Products and Services for details of AWS Shield Advanced availability by region.
Q. Is AWS Shield HIPAA eligible?
Yes, AWS has expanded its HIPAA compliance program to include AWS Shield as a HIPAA eligible service. If you have an executed Business Associate Agreement (BAA) with AWS, you can use AWS Shield to safeguard your web applications running on AWS from Distributed Denial of Service (DDoS) attacks. For more information, see HIPAA Compliance.
Q. What types of attacks can AWS Shield help me stop?
AWS Shield helps protect your website from all types of DDoS attacks, including Infrastructure layer attacks (like UDP floods), State exhaustion attacks (like TCP SYN floods), and Application layer attacks (like HTTP GET or POST floods). See the AWS WAF and AWS Shield Advanced Developer Guide for examples.
Q. What types of attacks can AWS Shield Standard help protect me from?
AWS Shield Standard automatically provides protection for web applications running on AWS against the most common, frequently occurring Infrastructure layer attacks like UDP floods, and State exhaustion attacks like TCP SYN floods. Customers can also use AWS WAF to protect against Application layer attacks like HTTP POST or GET floods. Find more details on how to deploy application layer protections in the AWS WAF and AWS Shield Advanced Developer Guide.
Q. How many resources can I enable for AWS Shield Standard protection?
There is no limit on the number of resources subject to AWS Shield Standard protection. You can get the full benefits of AWS Shield Standard protections by following the best practices of DDoS resiliency on AWS.
Q. How many resources can I enable for AWS Shield Advanced protection?
You can enable up to 100 AWS resources (e.g., load balancers, Amazon CloudFront distributions, Amazon Route 53 delegation sets) for AWS Shield Advanced protection. If you want to enable more than 100, you can request a limit increase by creating an AWS Support case.
Q. Can I activate AWS Shield Advanced protection via API?
Yes. AWS Shield Advanced can be activated via APIs. You can also add or remove AWS resources from AWS Shield Advanced protection via APIs.
Q. How quickly are attacks mitigated?
Typically, 99% of infrastructure layer attacks detected by AWS Shield are mitigated in less than 1 second for attacks on Amazon CloudFront and Amazon Route 53, and less than 5 minutes for attacks on Elastic Load Balancing. The remaining 1% of infrastructure attacks are typically mitigated in under 20 minutes. Application layer attacks are mitigated by writing rules on AWS WAF, which are inspected and mitigated inline with incoming traffic.
Responding to attacks
Q. What tools does AWS Shield Standard provide me to mitigate DDoS attacks?
AWS Shield Standard automatically protects your web applications running on AWS against the most common, frequently occurring DDoS attacks. You can get the full benefits of AWS Shield Standard by following the best practices of DDoS resiliency on AWS.
Q. What tools does AWS Shield Advanced provide me to mitigate DDoS attacks?
AWS Shield Advanced manages mitigation of layer 3 and layer 4 DDoS attacks. This means that your designated web applications are protected from attacks like UDP floods or TCP SYN floods. In addition, for application layer (layer 7) attacks, you can use AWS WAF to apply your own mitigations, or you can engage the 24X7 AWS DDoS Response Team (DRT), who can write rules on your behalf to mitigate layer 7 DDoS attacks.
Q. How can I contact the AWS DDoS Response Team?
You can engage the AWS DDoS Response Team (DRT) through the regular AWS Support channels.
Q. How quickly can I engage the AWS DDoS Response Team (DRT)?
Response times for the DRT depend on the AWS Support plan you are subscribed to. We will make every reasonable effort to respond to your initial request within the corresponding timeframes. See the AWS Support website for more details about AWS Support plans.
Visibility and reporting
Q. Will I be notified of DDoS attacks on my AWS resources?
Yes. With AWS Shield Advanced you will get notification of DDoS attacks via CloudWatch metrics.
Q. How quickly will I get an attack notification?
Typically, AWS Shield Advanced provides notification of an attack within a few minutes of attack detection.
Q. Can I get a history of all DDoS attacks on my AWS resources?
Yes. With AWS Shield Advanced you will be able to see the history of all incidents in the trailing 13 months.
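The API activation described under "Can I activate AWS Shield Advanced protection via API?", together with the CloudWatch notification and attack history covered in this section, as an added AWS CLI example (not from this FAQ or from AWS). It assumes an AWS CLI configured with Shield and CloudWatch permissions in an account that already has Business or Enterprise Support; the function names are mine.

```shell
# Added example, not from the AWS FAQ: drive Shield Advanced with the AWS CLI.
# Assumes the CLI is configured for an account with Business/Enterprise Support.
set -eu
# Shield Advanced accepts only certain resource types (the FAQ names EC2, ELB, CloudFront
# and Route 53; EC2 is protected via its Elastic IP). Check locally so bad ARNs fail fast.
is_protectable_arn() {
  case "$1" in
    arn:aws:cloudfront::*:distribution/*) return 0 ;;
    arn:aws:route53:::hostedzone/*) return 0 ;;
    arn:aws:elasticloadbalancing:*:*:loadbalancer/*) return 0 ;;
    arn:aws:ec2:*:*:eip-allocation/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Subscribe the account unless it already is (a paid, account-level commitment).
ensure_subscription() {
  aws shield describe-subscription >/dev/null 2>&1 || aws shield create-subscription
}

# Put each ARN under protection (named after its last path component) and print
# the ProtectionId the API returns; unsupported ARNs are reported and skipped.
protect_resources() {
  for arn in "$@"; do
    is_protectable_arn "$arn" || { echo "unsupported resource: $arn" >&2; continue; }
    aws shield create-protection --name "${arn##*/}" --resource-arn "$arn" \
      --query ProtectionId --output text
  done
}

# Remove protection from one resource: look up its protection id, then delete it.
unprotect_resource() {
  id=$(aws shield describe-protection --resource-arn "$1" --query Protection.Id --output text)
  aws shield delete-protection --protection-id "$id"
}

# Alarm on DDoSDetected (namespace AWS/DDoSProtection, dimension ResourceArn) to an SNS topic.
alarm_on_detection() { # $1 = protected resource ARN, $2 = SNS topic ARN
  aws cloudwatch put-metric-alarm --alarm-name "shield-ddos-${1##*/}" \
    --namespace AWS/DDoSProtection --metric-name DDoSDetected \
    --dimensions Name=ResourceArn,Value="$1" --statistic Sum --period 60 \
    --evaluation-periods 1 --threshold 0 --comparison-operator GreaterThanThreshold \
    --treat-missing-data notBreaching --alarm-actions "$2"
}

# Attack history for the given resources (Shield Advanced retains 13 months).
attack_history() {
  aws shield list-attacks --resource-arns "$@" \
    --query 'AttackSummaries[].[AttackId,ResourceArn,StartTime,EndTime]' --output table
}
```

Typical order is ensure_subscription, protect_resources with your ARNs, then alarm_on_detection for each protected ARN so that the notification mentioned above actually reaches an on-call channel.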
Q. How can I see if my AWS WAF rules are working?
AWS WAF includes two different ways to see how your website is being protected: one-minute metrics are available in CloudWatch, and Sampled Web Requests are available in the AWS WAF API or management console. These allow you to see which requests were blocked, allowed, or counted and which rule matched a given request (for example, that a web request was blocked due to an IP address condition). For more information see the AWS WAF and AWS Shield Advanced Developer Guide.
Q. How am I charged for AWS Shield Standard?
AWS Shield Standard is built into the AWS services that you already use for your web applications. There are no additional costs for AWS Shield Standard.
Q. How am I charged for AWS Shield Advanced?
With AWS Shield Advanced, you pay a monthly fee of $3,000 per month per organization. In addition, you also pay for the Data Transfer usage fees for AWS resources enabled for advanced protection. AWS Shield Advanced charges are in addition to standard fees on Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront and Amazon Route 53. Please see the AWS Shield Pricing page for more details.
Q. How can I enable AWS Shield Advanced across multiple AWS Accounts?
If your organization has multiple AWS accounts, then you can subscribe multiple AWS Accounts to AWS Shield Advanced. You will pay the monthly fee once as long as the AWS accounts are all under consolidated billing and you own all the AWS accounts and resources in those accounts.