AWS Shield provides always-on detection and automatic inline mitigations to minimize application downtime and latency to protect against Distributed Denial of Service (DDoS) attacks.
It is available globally on all CloudFront and Route 53 Edge Locations. As a result, you can protect your web applications hosted anywhere in the world by deploying CloudFront in front of them. The origin servers can be S3, EC2, ELB, or custom servers not part of AWS.
2 Tiers of AWS Shield
There are 2 tiers to the service, depending on the protection and support needs: Standard, and Advanced.
AWS Shield Standard
The Standard tier is automatically on, and protects your web application against 96% of common DDoS attacks, such as HTTP slow reads and volumetric attacks.
- Defends against most common network and transport layer DDoS attacks
- Use with CloudFront and Route 53 to have comprehensive availability protection against all known infrastructure attacks (Layer 3 and 4)
AWS Shield Advanced
- For higher level protections against EC2, ELB, CloudFront, and Route 53
- Network and transport layer protections (Standard)
- Automated application traffic monitoring (Layer 7)
- Detection and mitigation against sophisticated and large DDoS attacks, near real-time visibility into them, and integration with WAF
- 24×7 access to AWS Shield Response Team
- AWS Firewall Manager: financial protection against DDoS related spikes in charges to EC2, ELB, CloudFront, and Route 53
- AWS Shield (AWS)