AWS Shield
AWS Shield is a managed security service that protects applications hosted on the Amazon Web Services (AWS) public cloud against distributed denial of service (DDoS) attacks.
A DDoS attack targets a particular computing resource, such as a server or load balancer, and floods it with traffic or connection requests from many sources at once, exhausting its bandwidth, connection-tracking state or processing capacity. The result is a denial of service: legitimate users can no longer reach the resource.
According to Amazon, AWS Shield detects and protects against three classes of DDoS attack: infrastructure-layer (network and transport layer, OSI layers 3 and 4) attacks, such as User Datagram Protocol (UDP) floods and reflection attacks; state-exhaustion attacks, such as SYN floods, which tie up connection state on the target; and application-layer (layer 7) attacks, such as HTTP floods, in which each request looks like a legitimate client request.
Infrastructure-layer and state-exhaustion attacks are mitigated automatically by the AWS network. Application-layer floods cannot be told apart from real traffic by volume alone, so to mitigate them IT teams must write and deploy rules in the AWS Web Application Firewall (WAF) service, typically rate-based rules that block a source once it exceeds a request budget over a five-minute window.
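As an added example (not code from the original article and not an AWS sample), the CloudFormation template below shows the kind of AWS WAF rule the previous paragraph refers to: a rate-based rule that blocks any source IP exceeding an assumed 2,000 requests per five-minute window, plus a stricter rule scoped down to a login path where every request is expensive for the origin. The resource names, the two thresholds, the /login path and the LoadBalancerArn parameter are assumptions for illustration.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - AWS WAF rate-based rules for HTTP-flood mitigation (assumed values, not AWS sample code)

Parameters:
  LoadBalancerArn:
    Type: String
    Description: ARN of the Application Load Balancer to protect (assumed input)
  SiteLimit:
    Type: Number
    Default: 2000   # requests per source IP per 5-minute window (assumed threshold)
  LoginLimit:
    Type: Number
    Default: 100    # much smaller budget for the login endpoint (assumed threshold)

Resources:
  HttpFloodWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: http-flood-rate-limit        # assumed name
      Scope: REGIONAL                    # REGIONAL for ALB/API Gateway; CLOUDFRONT (created in us-east-1) for a distribution
      DefaultAction:
        Allow: {}                        # traffic that no rule blocks passes through to the origin
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: http-flood-rate-limit
      Rules:
        # Rule 1: tight per-IP budget on the login path; evaluated first (lowest priority number)
        - Name: login-rate-limit
          Priority: 0
          Action:
            Block: {}
          Statement:
            RateBasedStatement:
              Limit: !Ref LoginLimit
              AggregateKeyType: IP       # count requests per source IP
              ScopeDownStatement:        # only requests matching this are counted against the limit
                ByteMatchStatement:
                  FieldToMatch:
                    UriPath: {}
                  PositionalConstraint: STARTS_WITH
                  SearchString: /login   # assumed path
                  TextTransformations:
                    - Priority: 0
                      Type: LOWERCASE
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: login-rate-limit
        # Rule 2: coarse per-IP ceiling for the whole site
        - Name: site-rate-limit
          Priority: 1
          Action:
            Block: {}
          Statement:
            RateBasedStatement:
              Limit: !Ref SiteLimit
              AggregateKeyType: IP
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: site-rate-limit

  # Attach the web ACL to the load balancer. A CloudFront distribution is attached
  # through the distribution's own WebACLId property instead of this resource.
  WebAclAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref LoadBalancerArn
      WebACLArn: !GetAtt HttpFloodWebAcl.Arn
```

Two practical points: deploy each rule with Action: Count first and read the per-rule CloudWatch metrics for a few days before switching it to Block, so the thresholds reflect real peak traffic rather than a guess; and if the load balancer sits behind a proxy or CDN, the source IP seen by WAF is the proxy's, so the rule should aggregate on the forwarded client address (AggregateKeyType: FORWARDED_IP with a ForwardedIPConfig) or it will rate-limit the proxy itself.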
Amazon claims AWS Shield mitigates 99% of infrastructure-layer DDoS attacks against Amazon CloudFront and Amazon Route 53 in less than one second and against Elastic Load Balancing in less than five minutes, with the remaining 1% of infrastructure-layer attacks mitigated in less than 20 minutes.
AWS Shield provides threat detection and mitigation for both IPv4 and IPv6 traffic. It can also protect websites whose origin servers are not hosted on AWS, provided they are fronted by Amazon CloudFront, since the attack traffic then terminates at the CloudFront edge rather than at the origin. AWS Shield is a HIPAA-eligible service for customers who have completed a business associate agreement with AWS.
AWS Shield service tiers
An organization can choose between two tiers of the AWS Shield service: Standard and Advanced. AWS Shield Standard is available to all AWS customers at no additional charge and protects against the most common, most frequently occurring network- and transport-layer DDoS attacks. It is enabled automatically on every AWS account, so an IT team does not have to configure anything to receive it for the AWS services it uses.
AWS Shield Advanced is a paid service that builds on the Standard tier and protects against larger and more sophisticated DDoS attacks. Shield Advanced monitors network traffic and application-layer request rates for the resources enrolled in it and reports attacks as Amazon CloudWatch metrics, which admins can alarm on. During an attack an admin can apply mitigations directly (for example by deploying AWS WAF rules) or escalate to the AWS Shield Response Team (SRT, formerly the DDoS Response Team), which can apply custom mitigations on the customer's behalf. Shield Advanced retains 13 months of DDoS attack history.
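As an added example (not code from the original article and not an AWS sample), the CloudFormation template below enrols one resource in Shield Advanced and alarms on the DDoSDetected metric that Shield Advanced publishes to CloudWatch, so that an attack pages the on-call engineer rather than surfacing as customer complaints. It assumes the account already holds a Shield Advanced subscription; the resource names, the ARN parameters, the SNS topic and the bandwidth threshold are assumptions for illustration.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - Shield Advanced protection plus CloudWatch alarms on attack metrics (assumed values, not AWS sample code)

Parameters:
  ProtectedResourceArn:
    Type: String
    Description: ARN of the ALB, Elastic IP, CloudFront distribution or other eligible resource (assumed input)
  AlertTopicArn:
    Type: String
    Description: SNS topic that pages the on-call engineer (assumed input)
  AttackBpsThreshold:
    Type: Number
    Default: 1000000000   # 1 Gbit/s of attack traffic, assumed threshold for escalation

Resources:
  # Enrol the resource in Shield Advanced. The account must already be subscribed;
  # this resource only adds a protected resource to that subscription.
  ResourceProtection:
    Type: AWS::Shield::Protection
    Properties:
      Name: prod-edge-protection          # assumed name
      ResourceArn: !Ref ProtectedResourceArn

  # Shield Advanced publishes DDoSDetected (1 while an attack is in progress, 0 otherwise)
  # in the AWS/DDoSProtection namespace, keyed by the protected resource's ARN.
  DDoSDetectedAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: shield-ddos-detected-prod-edge   # assumed name
      Namespace: AWS/DDoSProtection
      MetricName: DDoSDetected
      Dimensions:
        - Name: ResourceArn
          Value: !Ref ProtectedResourceArn
      Statistic: Maximum
      Period: 60
      EvaluationPeriods: 1
      Threshold: 0
      ComparisonOperator: GreaterThanThreshold
      TreatMissingData: notBreaching      # no datapoints means no attack, not a broken alarm
      AlarmActions:
        - !Ref AlertTopicArn

  # Companion alarm on attack volume, used to decide when to escalate to the SRT.
  DDoSVolumeAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: shield-ddos-volume-prod-edge     # assumed name
      Namespace: AWS/DDoSProtection
      MetricName: DDoSAttackBitsPerSecond
      Dimensions:
        - Name: ResourceArn
          Value: !Ref ProtectedResourceArn
      Statistic: Maximum
      Period: 60
      EvaluationPeriods: 1
      Threshold: !Ref AttackBpsThreshold
      ComparisonOperator: GreaterThanThreshold
      TreatMissingData: notBreaching
      AlarmActions:
        - !Ref AlertTopicArn
```

One caveat a practitioner will hit: Shield Advanced publishes metrics for global resources (CloudFront distributions and Route 53 hosted zones) in the US East (N. Virginia) Region, so alarms for those resources have to be created in us-east-1 regardless of where the rest of the stack lives; metrics for regional resources such as load balancers appear in the resource's own Region.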
AWS Shield Advanced also includes DDoS cost protection: if a protected Elastic Load Balancing, Amazon CloudFront or Amazon Route 53 resource scales up in response to an attack, the organization can request service credits for the resulting usage charges rather than absorbing the spike in its bill.
An IT team can enrol up to 100 resources in Shield Advanced protection. Shield Advanced requires a one-year subscription commitment and costs $3,000 per month per organization, plus usage fees based on the data transferred out of the protected resources. Engaging the Shield Response Team during an attack additionally requires an AWS Business Support or AWS Enterprise Support plan.