AWS Shield provides always-on detection and automatic inline mitigations to minimize application downtime and latency to protect against Distributed Denial of Service (DDoS) attacks.

It is available globally on all CloudFront and Route 53 Edge Locations.  As a result, you can protect your web applications hosted anywhere in the world by deploying CloudFront in front of them.

The origin servers can be S3, EC2, ELB, or custom servers not part of AWS.

2 Tiers of AWS Shield

There are 2 tiers to the service, depending on the protection and support needs: Standard, and Advanced.

Shield Standard

The Standard tier is automatically on, and protects your web application against 96% of common DDoS attacks, such as HTTP slow reads and volumetric attacks.

  • Free
  • Defends against most common network and transport layer DDoS attacks
  • Use with CloudFront and Route 53 to have comprehensive availability protection against all known infrastructure attacks (Layer 3 and 4)

Shield Advanced

  • For higher level protections against EC2, ELB, CloudFront, and Route 53
  • Network and transport layer protections (Standard)
  • Automated application traffic monitoring (Layer 7)
  • Detection and mitigation against sophisticated and large DDoS attacks, near real-time visibility into them, and integration with WAF
  • 24×7 access to AWS DDoS Response Team (DRT)
  • Financial protection against DDoS related spikes in charges to EC2, ELB, CloudFront, and Route 53

Currently, you can enable the Advanced support directly on Elastic IP or ELB in Northern Virginia, Oregon, Ireland, Tokyo, and Northern California.

You can enable this tier by going to “AWS WAF and AWS Shield” Management console and applying the protection to desired services.


Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.