Introduction to AWS Shield

AWS Shield is an extension of AWS WAF that is targeted at protecting against DDoS attacks. It is a fully managed service that provides always-on detection and automatic mitigations that minimize application downtime and latency. AWS Shield provides two tiers of service, Standard and Advanced:

  • AWS Shield Standard: Provided at no additional cost, this service is enabled on your account and AWS services by default, and is designed to protect your web applications against the most common and frequently occurring DDoS attacks.
  • AWS Shield Advanced: Designed to provide a higher level of protection for your web applications, AWS Shield Advanced is intended to work with applications that are currently running on Elastic or Application Load Balancers, Amazon CloudFront, and Amazon Route 53 resources. AWS Shield Advanced also provides near real-time visibility into potential attacks, along with mitigation capabilities. To top it all, you also get access to a dedicated 24x7 DDoS Response Team (DRT) that looks into potential DDoS attacks occurring on your web application and provides quick resolutions for them.
AWS Shield Advanced is priced at $3,000 per month.

Here's a brief comparison of the features offered by the AWS Shield Standard and Advanced tiers:

| Features | AWS Shield Standard | AWS Shield Advanced |
|---|---|---|
| Network flow monitoring | Yes | Yes |
| Automated application (layer 7) traffic monitoring | No | Yes |
| Helps protect from common DDoS attacks, such as SYN floods and UDP reflection attacks | Yes | Yes |
| Access to additional DDoS mitigation capacity | No | Yes |
| Layer 3/4 attack notification and attack forensic and history reports | No | Yes |
| Incident management during high-severity events | No | Yes |
| Custom mitigations during attacks | No | Yes |
| Post-attack analysis | No | Yes |
| Reimburse related Route 53, CloudFront, and ELB DDoS charges | No | Yes |

To activate AWS Shield Advanced for your environments, simply log in to your AWS WAF dashboard and select the Protected resources option present under the AWS Shield section in the navigation pane. Click on the Activate AWS Shield Advanced button to start your Shield Advanced protection plan. You will then be asked to select a particular Resource to protect against DDoS attacks. Select your CloudFront CDN or the Elastic/Application Load Balancer, based on the resource you wish to protect, and provide a suitable Name for the resource that you are specifying for protection. Finally, remember to select the Enable checkbox to associate your resource with a web ACL, if you have one created already. Once done, select the Add DDoS protection option, and voila! You are up and running with AWS Shield Advanced! Simple, isn't it?
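Once resources have been added under Protected resources, it is worth checking which eligible resources are still uncovered. The following is an added example, not code from the book: a read-only audit that compares an inventory of ARNs against the Shield `list_protections` API. The ARNs, the account ID and the `FakeShield` stand-in are constructed; for real use, pass `boto3.client("shield")` instead.

```python
"""Read-only audit: eligible resources with no Shield Advanced protection."""

ACCT = "111122223333"  # constructed sample account; every ARN below is constructed
ELB_ARN = f"arn:aws:elasticloadbalancing:us-east-1:{ACCT}:loadbalancer/"
ALB = ELB_ARN + "app/web-alb/0123456789abcdef"
NLB = ELB_ARN + "net/edge-nlb/0123456789abcdef"
CLB = ELB_ARN + "web-classic"
CDN = f"arn:aws:cloudfront::{ACCT}:distribution/EDFDVBD6EXAMPLE"
ZONE = "arn:aws:route53:::hostedzone/Z0000000EXAMPLE"
INVENTORY = [ALB, CDN, ZONE, CLB, NLB]

def eligible_kind(arn):
    """Map an ARN to one of the resource kinds the text lists, else None."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        return None
    service, resource = parts[2], parts[5]
    if service == "cloudfront" and resource.startswith("distribution/"):
        return "CloudFront distribution"
    if service == "route53" and resource.startswith("hostedzone/"):
        return "Route 53 hosted zone"
    if service == "elasticloadbalancing":
        if resource.startswith("loadbalancer/app/"):
            return "Application Load Balancer"
        if resource.startswith("loadbalancer/") and resource.count("/") == 1:
            return "Elastic Load Balancer (classic)"
    return None  # anything else is outside the list given in the text

def protected_arns(shield):
    """Collect every protected ResourceArn, following NextToken pagination."""
    arns, token = set(), None
    while True:
        page = shield.list_protections(**({"NextToken": token} if token else {}))
        arns.update(p["ResourceArn"] for p in page.get("Protections", []))
        token = page.get("NextToken")
        if not token:
            return arns

def coverage_gaps(inventory, shield):
    """Return (arn, kind) for each eligible resource that has no protection."""
    covered = protected_arns(shield)
    return [(a, eligible_kind(a)) for a in inventory
            if eligible_kind(a) and a not in covered]

class FakeShield:
    """Constructed stand-in for boto3.client('shield'); serves two pages."""
    PAGES = {None: {"Protections": [{"ResourceArn": ALB}], "NextToken": "p2"},
             "p2": {"Protections": [{"ResourceArn": CDN}]}}
    def list_protections(self, NextToken=None):
        return self.PAGES[NextToken]
```

With the constructed data, `coverage_gaps(INVENTORY, FakeShield())` reports the hosted zone and the classic load balancer as eligible but unprotected.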
