AWS Shield Standard
Static threshold DDoS protection for underlying AWS services
AWS Shield Standard provides always-on network flow monitoring which inspects incoming traffic to AWS services and applies a combination of traffic signatures, anomaly algorithms, and other analysis techniques to detect malicious traffic in real time. Shield Standard sets static thresholds for each AWS resource type, but does not provide any custom protections to AWS customers’ applications.
Inline attack mitigation
Automated mitigation techniques are built into AWS Shield Standard, giving underlying AWS services protection against common, frequently occurring infrastructure attacks. Automatic mitigations are applied inline to protect AWS services, so there is no latency impact. AWS Shield Standard uses techniques like deterministic packet filtering and priority-based traffic shaping to automatically mitigate basic network layer attacks.
AWS Shield Advanced
Tailored detection based on application traffic patterns
AWS Shield Advanced provides customized detection based on traffic patterns to your protected Elastic IP address, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator or Amazon Route 53 resources. Using additional region- and resource-specific monitoring techniques, AWS Shield Advanced detects and alerts you of smaller DDoS attacks. AWS Shield Advanced also detects application layer attacks like HTTP floods or DNS query floods by baselining traffic on your application and identifying anomalies.
AWS Shield Advanced uses the health of your applications to improve responsiveness and accuracy in attack detection and mitigation. You can define a health check in Amazon Route 53 and then associate it with a resource that is protected by Shield Advanced through the console or API. This allows Shield Advanced to detect attacks impacting the health of your application more quickly and at lower traffic thresholds, improving the DDoS resiliency of your application and preventing false positive notifications. Resource health status will also be available to the DDoS response team so that they can appropriately prioritize response to unhealthy applications first. You can apply health-based detection to all resource types that Shield Advanced supports: Elastic IP, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, or Amazon Route 53.
Advanced attack mitigation
AWS Shield Advanced provides more sophisticated automatic mitigations for attacks targeting your applications running on protected Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53 resources. Using advanced routing techniques, AWS Shield Advanced automatically deploys additional mitigation capacity to protect your application against DDoS attacks. For customers with Business or Enterprise support, the AWS DDoS Response Team (DRT) also applies manual mitigations for more complex and sophisticated DDoS attacks that might be unique to your application. For application layer attacks, you can use AWS WAF at no additional charge for AWS Shield Advanced protected resources to set up proactive rules like rate-based blocking to automatically block web requests from attacking source IP addresses, or respond immediately to incidents as they happen. You can also engage directly with the DRT to place custom AWS WAF rules on your behalf in response to an application layer DDoS attack. The DRT will diagnose the attack and, with your permission, can apply mitigations on your behalf, reducing the amount of time your applications might be impacted by an ongoing DDoS attack.
Proactive event response
AWS Shield Advanced offers proactive engagement from the DDoS Response Team (DRT) when a DDoS event is detected. When you enable proactive engagement, the DRT will directly contact you if an Amazon Route 53 health check associated with your protected resource becomes unhealthy during a DDoS event. This allows you to engage with experts more quickly when the availability of your application is affected by a suspected attack. You can receive proactive engagement for network layer and transport layer events on Elastic IP addresses and Global Accelerator accelerators, and for application layer attacks on CloudFront distributions and Application Load Balancers.
AWS Shield Advanced allows you to bundle resources into protection groups, giving you a self-service way to customize the scope of detection and mitigation for your application by treating multiple resources as a single unit. Resource grouping improves the accuracy of detection, reduces false positives, eases automatic protection of newly created resources, and accelerates the time to mitigate attacks against multiple resources. For example, if an application consists of four CloudFront distributions, you can add them to one protection group to receive detection and protection for the collection of resources as a whole. Reporting can also be consumed at the protection group level, giving a more holistic view of overall application health.
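The features described in the preceding sections (health-based detection, the WAF rate-based rule used for application layer attacks, DRT proactive engagement, and protection groups) are all configured through the Shield and WAF APIs. The script below is an added example written for this page, not AWS's own code, and wires them together with the AWS CLI. It assumes an active Shield Advanced subscription in the account, an AWS CLI profile with permissions for the shield and wafv2 APIs, an existing Route 53 health check and CloudFront-scoped web ACL, and a CloudFront distribution; every ARN, ID, e-mail address and the request limit of 2000 are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the AWS page: wiring Shield Advanced health-based
# detection, a protection group, DRT proactive engagement and a WAF rate-based
# rule with the AWS CLI. Every ARN, ID and e-mail address is a placeholder.
set -eu

# Build a WAF rate-based rule that blocks any single source IP exceeding LIMIT
# requests in the 5-minute evaluation window. Pure function: it only emits the
# JSON rule list, so the rule can be reviewed before anything is applied.
rate_based_rule_json() {
  local name="$1" limit="$2" priority="$3"
  cat <<EOF
[
  {
    "Name": "${name}",
    "Priority": ${priority},
    "Statement": {
      "RateBasedStatement": { "Limit": ${limit}, "AggregateKeyType": "IP" }
    },
    "Action": { "Block": {} },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "${name}"
    }
  }
]
EOF
}

# Put a CloudFront distribution under Shield Advanced and attach a Route 53
# health check so detection uses application health, not traffic volume alone.
# Prints the ProtectionId.
protect_with_health_check() {
  local resource_arn="$1" health_check_id="$2" protection_id
  protection_id=$(aws shield create-protection \
      --name "cf-$(basename "$resource_arn")" \
      --resource-arn "$resource_arn" \
      --query ProtectionId --output text)
  aws shield associate-health-check \
      --protection-id "$protection_id" \
      --health-check-arn "arn:aws:route53:::healthcheck/${health_check_id}"
  echo "$protection_id"
}

# Group the protected resources of one application so Shield aggregates their
# traffic (SUM) and detects, mitigates and reports on them as a single unit.
create_protection_group() {
  local group_id="$1"; shift
  aws shield create-protection-group \
      --protection-group-id "$group_id" \
      --aggregation SUM \
      --pattern ARBITRARY \
      --members "$@"
}

# Register an emergency contact; this call also initializes DRT proactive
# engagement, which requires a health check on the protected resource.
enable_proactive_engagement() {
  local email="$1"
  aws shield associate-proactive-engagement-details \
      --emergency-contact-list "EmailAddress=${email}"
}

# Install the rate-based rule on a CloudFront-scoped web ACL (always us-east-1).
# update-web-acl replaces the whole rule list, so merge with any existing rules.
apply_rate_rule() {
  local acl_name="$1" acl_id="$2" rules_file lock_token
  rules_file=$(mktemp)
  rate_based_rule_json "block-http-flood" 2000 0 > "$rules_file"
  lock_token=$(aws wafv2 get-web-acl --name "$acl_name" --scope CLOUDFRONT \
      --id "$acl_id" --region us-east-1 --query LockToken --output text)
  aws wafv2 update-web-acl --name "$acl_name" --scope CLOUDFRONT --id "$acl_id" \
      --region us-east-1 --lock-token "$lock_token" \
      --default-action Allow={} \
      --visibility-config "SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=${acl_name}" \
      --rules "file://${rules_file}"
  rm -f "$rules_file"
}

# Usage: ./shield-setup.sh apply   (all values below are constructed placeholders)
if [ "${1:-}" = "apply" ]; then
  DIST_ARN="arn:aws:cloudfront::123456789012:distribution/EXAMPLEDIST"
  protect_with_health_check "$DIST_ARN" "00000000-0000-0000-0000-000000000000"
  create_protection_group "my-app" "$DIST_ARN"
  enable_proactive_engagement "secops@example.com"
  apply_rate_rule "my-app-acl" "00000000-0000-0000-0000-000000000000"
fi
```

The order matters: the health check must be associated with the protection before proactive engagement is useful, because the DRT is only paged when that health check turns unhealthy during an event. The rate limit is a starting point to tune against CloudWatch metrics for the web ACL; set it above the peak request rate a legitimate client produces within five minutes, or the rule becomes a self-inflicted outage.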
Visibility and attack notification
AWS Shield Advanced gives you complete visibility into DDoS attacks with near real-time notification via Amazon CloudWatch and detailed diagnostics on the “AWS WAF and AWS Shield” Management Console or APIs. You can also view a summary of prior attacks from the “AWS WAF and AWS Shield” Management Console.
DDoS cost protection
AWS Shield Advanced comes with DDoS cost protection, to safeguard against scaling charges resulting from DDoS-related usage spikes on protected Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, or Amazon Route 53 resources. If any of these protected resources scale up in response to a DDoS attack, you can request AWS Shield Advanced service credits via your regular AWS Support channel.
For customers on Business or Enterprise support plans, AWS Shield Advanced gives you 24x7 access to the AWS DDoS Response Team (DRT), who can be engaged before, during, or after a DDoS attack. The DRT will help triage the incidents, identify root causes, and apply mitigations on your behalf. The DRT has deep expertise in rapidly responding to and mitigating DDoS attacks across AWS customers.
AWS Shield Advanced is available globally on all Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53 edge locations. You can protect your web applications hosted anywhere in the world by deploying Amazon CloudFront in front of your application. Your origin servers can be Amazon S3, Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), or a custom server outside of AWS. You can also enable protections directly on Elastic IP or Elastic Load Balancing (ELB) instances in all regions where AWS Shield Advanced is available.
Centralized protection management
AWS Shield Advanced customers can use AWS Firewall Manager to apply AWS Shield Advanced and AWS WAF protections across their entire organization. The cost of Firewall Manager is included in the Shield Advanced subscription fee. Using AWS Firewall Manager, you can automatically configure policies covering multiple accounts and resources. Firewall Manager automatically audits accounts to find new or unprotected resources, and ensures AWS Shield Advanced and AWS WAF protections are universally applied. This enables developers to move quickly and deploy new applications with the confidence that the appropriate protections will be automatically applied. To learn more about AWS Firewall Manager, visit the product website.