AWS Shield Standard
AWS Shield Standard provides always-on network flow monitoring which inspects incoming traffic to AWS and applies a combination of traffic signatures, anomaly algorithms, and other analysis techniques to detect malicious traffic in real-time.
Inline attack mitigation
Automated mitigation techniques are built-into AWS Shield Standard, giving you protection against common, frequently occurring infrastructure attacks. Automatic mitigations are applied inline to your applications, so there is no latency impact. AWS Shield Standard uses techniques like deterministic packet filtering, and priority based traffic shaping to automatically mitigate network layer attacks. You can also mitigate application layer DDoS attacks by using AWS WAF. With AWS WAF you only pay for what you use. When you use AWS Shield Standard with Amazon CloudFront and Amazon Route 53, you receive comprehensive availability protection against all known infrastructure (Layer 3 and 4) attacks.
AWS Shield Advanced
AWS Shield Advanced provides enhanced detection for attack traffic directed toward your protected Elastic IP address, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator or Amazon Route 53 resources. Using additional region- and resource-specific monitoring techniques, AWS Shield Advanced detects and alerts you of smaller DDoS attacks. AWS Shield Advanced also detects application layer attacks like HTTP floods or DNS query floods by baselining traffic on your resource and identifying anomalies.
Advanced attack mitigation
AWS Shield Advanced provides more sophisticated automatic mitigations for attacks targeting your applications running on protected Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53 resources. Using advanced routing techniques, AWS Shield Advanced automatically deploys additional mitigation capacity to protect against larger DDoS attacks. For customers with Business or Enterprise support, the AWS DDoS Response Team (DRT) also applies manual mitigations for more complex and sophisticated DDoS attacks. For application layer attacks, you can use AWS WAF at no additional charge for AWS Shield Advanced protected resources to set up proactive rules like rate based blacklisting to automatically block bad traffic, or respond immediately to incidents as they happen. You can also engage directly with the DRT to place AWS WAF rules on your behalf in response to an application layer DDoS attack. The DRT will diagnose the attack and, with your permission, can apply mitigations on your behalf.
Visibility and attack notification
AWS Shield Advanced gives you complete visibility into DDoS attacks with near real-time notification via Amazon CloudWatch and detailed diagnostics on the “AWS WAF and AWS Shield” Management Console or APIs. You can also view a summary of prior attacks from the “AWS WAF and AWS Shield” Management Console.
DDoS cost protection
AWS Shield Advanced comes with DDoS cost protection, to safeguard against scaling charges resulting from DDoS-related usage spikes on protected Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, or Amazon Route 53 resources. If any of these protected resources scale up in response to a DDoS attack, you can request AWS Shield Advanced service credits via your regular AWS Support channel.
For customers on Business or Enterprise support plans, AWS Shield Advanced gives you 24x7 access to the AWS DDoS Response Team (DRT), who can be engaged before, during, or after a DDoS attack. The DRT will help triage the incidents, identify root causes, and apply mitigations on your behalf.
AWS Shield Advanced is available globally on all Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53 edge locations. You can protect your web applications hosted anywhere in the world by deploying Amazon CloudFront in front of your application. Your origin servers can be Amazon S3, Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), or a custom server outside of AWS. You can also enable protections directly on Elastic IP or Elastic Load Balancing (ELB) instances in all regions where AWS Shield Advanced is available.
Centralized protection management
AWS Shield Advanced customers can use AWS Firewall Manager to apply AWS Shield Advanced and AWS WAF protections across their entire organization at no additional cost. Using AWS Firewall Manager, you can automatically configure policies covering multiple accounts and resources. Firewall Manager automatically audits accounts to find new or unprotected resources, and ensures AWS Shield Advanced and AWS WAF protections are universally applied. To learn more about AWS Firewall Manager, visit the product website.