Security

DDoS Protection with AWS Shield - Choosing Between Standard and Advanced

Understand the differences between Standard's free L3/L4 protection and Advanced's L7 support with SRT assistance. Learn about cost protection and proactive engagement.

約 3 分で読めます

Overview of Shield

Shield is a managed protection service that defends applications against DDoS attacks. Shield Standard is automatically enabled at no cost for all AWS accounts and automatically mitigates L3/L4 attacks such as SYN floods, UDP reflection, and DNS query floods. Shield Advanced provides L7 attack response and additional features for $3,000 per month.

Advanced Features

Shield Advanced registers CloudFront, ALB, Route 53, Global Accelerator, and Elastic IP as protected resources, detecting and mitigating L7 HTTP flood attacks. The SRT (Shield Response Team) provides 24/7 support for DDoS attack analysis and mitigation, including creating WAF rules on your behalf. Cost protection is a feature where AWS reimburses scaling costs incurred on CloudFront, ALB, Route 53, and EC2 due to DDoS-driven traffic increases, preventing unexpected cost spikes from attacks.

Operating Shield Advanced

Enabling proactive engagement in Shield Advanced causes the SRT (Shield Response Team) to automatically begin response when a DDoS attack is detected. Associating Route 53 health checks with Shield Advanced protected resources improves detection accuracy based on application health. Shield Advanced's cost protection reimburses the increased scaling costs (EC2 Auto Scaling, CloudFront data transfer) caused by DDoS attacks. The attack visualization dashboard lets you monitor attack type, scale, duration, and mitigation status in real time. You can systematically learn Shield from basics to advanced topics through books (Amazon).

Shield Pricing

Shield Standard is automatically enabled at no cost for all AWS accounts. Shield Advanced has a fixed monthly fee of $3,000 plus additional charges based on data transfer volume for protected resources. A 1-year commitment is required. When Shield Advanced is enabled through Organizations, the $3,000 monthly fee is charged only once for the entire organization, with member accounts paying only for data transfer on protected resources. The decision to adopt Shield Advanced should be based on comparing DDoS attack risk against the value of cost protection.

Summary

Shield is a service that automatically mitigates L3/L4 DDoS attacks for free with Standard, while Advanced provides L7 attack response and SRT support. Advanced's proactive engagement triggers automatic SRT response upon attack detection, and cost protection reimburses scaling cost increases caused by DDoS attacks. With Organizations, the $3,000 monthly fee is shared across the entire organization.

Related Services

AWS ShieldA managed service that protects applications from DDoS attacksAWS WAFA firewall service that protects web applications from malicious trafficAmazon CloudFrontA CDN service that delivers content at high speed from edge locations around the world

Related Articles

AWS WAF Bot Control and Fraud Prevention - Implementing Bot Mitigation and Account Takeover ProtectionDetect scrapers and automation tools with Bot Control, and prevent credential stuffing with ATP. Includes user experience design for challenges and CAPTCHA.Centralized Security Rules with AWS Firewall Manager - Deploying WAF and Security Groups Across Your OrganizationLearn how to centrally manage WAF rules, Security Groups, and Network Firewall policies across your entire organization, with automatic enforcement on new accounts to maintain a consistent security baseline.DDoS Protection - Multi-Layer Defense Design and Operations with AWS ShieldLearn about DDoS protection with AWS Shield Standard and Shield Advanced. This guide covers integration with CloudFront, Route 53, and ALB, combining with WAF, and cost protection features.

More on This Topic

Detecting Excessive Permissions with IAM Access Analyzer - External Access and Unused Permission AnalysisDetect unused permissions on IAM roles using CloudTrail-based analysis and auto-generate least-privilege policies. This guide covers external access detection and integrating custom policy checks into your CI/CD pipeline.Automating SSL/TLS Certificate Management with AWS Certificate Manager - From Issuance to RotationLearn how ACM handles free public certificate issuance, DNS validation, automatic renewal, and deployment to ALB and CloudFront.Retrieving Compliance Reports with AWS Artifact - Audit Response and Agreement ManagementLearn how to retrieve SOC, PCI DSS, and ISO audit reports on demand and apply BAA and GDPR DPA agreements across your entire AWS Organizations structure.Automating Audits - Continuously Collecting Compliance Evidence with AWS Audit ManagerLearn how to automate audit evidence collection with AWS Audit Manager. This guide covers automated assessments based on frameworks such as SOC 2, PCI DSS, and GDPR, centralized evidence management, and audit report generation.The Hidden Structure of AWS Account IDs' 12 Digits - Why 12 Digits, and What Can You Infer?A trivia-style exploration of why AWS account IDs are 12-digit numbers, the design intent embedded in the ARN structure, and the security considerations around what can be inferred from an account ID.Why the AWS Account Root User Is Dangerous - The Design Philosophy of Privilege Separation and Practical LockdownWe explain why the AWS root user holds privileges that cannot be restricted by IAM, list the operations only the root user can perform, cover MFA setup methods, and describe the lockdown strategy using Organizations' centralized root access management.Certificate Management and HTTPS - Automated TLS Certificate Operations with AWS Certificate ManagerLearn about TLS/SSL certificate issuance, automatic renewal, and deployment using AWS Certificate Manager (ACM). Covers integration with CloudFront, ALB, and API Gateway, DNS validation, and Private CA usage.Dedicated Key Management with AWS CloudHSM - FIPS 140-2 Level 3 Compliant EncryptionAchieve FIPS 140-2 Level 3 compliant key management with dedicated HSM instances. Learn when to choose CloudHSM over KMS and how to integrate both through KMS custom key stores.

Similar Articles and Services

DDoS Protection - Multi-Layer Defense Design and Operations with AWS ShieldLearn about DDoS protection with AWS Shield Standard and Shield Advanced. This guide covers integration with CloudFront, Route 53, and ALB, combining with WAF, and cost protection features.AWS ShieldA managed DDoS protection service that safeguards AWS resources from DDoS attacksAmazon CloudFrontA global CDN service that delivers content with low latency from over 450 edge locations worldwide