AWS Shield
A managed DDoS protection service that safeguards AWS resources from DDoS attacks
Overview
AWS Shield is a managed service that protects applications running on AWS from DDoS (Distributed Denial of Service) attacks. It offers two tiers: Shield Standard, which is automatically applied to all AWS accounts at no additional cost, and Shield Advanced, a paid tier providing more sophisticated detection and mitigation capabilities. Shield Advanced includes 24/7 support from the dedicated Shield Response Team (SRT), real-time attack visualization, and protection against cost spikes caused by DDoS attacks.
Protection Scope of Shield Standard and Shield Advanced
Shield Standard is automatically applied to all AWS accounts at no additional cost, mitigating common DDoS attacks at Layer 3 (network layer) and Layer 4 (transport layer). It detects and blocks infrastructure-layer attack patterns such as SYN floods, UDP reflection, and DNS amplification attacks on AWS's global network. Shield Advanced is offered at a fixed monthly fee of $3,000 USD plus usage-based charges for data transfer. Resources to be protected must be explicitly registered: CloudFront, Route 53, ELB (ALB/NLB/CLB), Elastic IP, and Global Accelerator. Shield Advanced also addresses Layer 7 (application layer) attacks, detecting sophisticated patterns like HTTP floods and Slowloris attacks. It learns baseline traffic patterns for each protected resource and provides adaptive defense that automatically detects abnormal traffic increases. AWS Organizations integration allows all accounts within an organization to be covered under a single Shield Advanced subscription.
Shield Response Team and Proactive Engagement
Shield Advanced subscribers can escalate directly to AWS's Shield Response Team (SRT). The SRT is a specialized team focused on DDoS attack analysis and mitigation, capable of applying custom mitigation rules to WAF and implementing network-level traffic filtering during an attack. Access to the SRT requires a Business support plan or higher. Proactive Engagement is a feature where the SRT automatically contacts you when Shield Advanced detects an attack. It is activated by associating Route 53 health checks with protected resources. When a health check detects an anomaly and Shield simultaneously detects a DDoS event, the SRT contacts the user to propose mitigation measures. This feature enables expert assistance before the operations team even becomes aware of the attack. Attack event details are available in the Shield console's event summary, recording attack vectors, peak traffic volumes, and mitigation action timelines.
Cost Protection and DDoS Cost Protection Feature
Shield Advanced's DDoS cost protection is a mechanism by which AWS issues service credits for resource usage spikes caused by DDoS attacks. When an attack causes abnormal increases in CloudFront data transfer or ELB request counts, costs exceeding the normal baseline are eligible for protection. Credit requests are submitted through the Shield console or support cases, and AWS verifies the causal relationship between the attack event and the cost increase before issuing the refund. For cost protection to function effectively, all resources to be protected must be registered with Shield Advanced; attacks on unregistered resources are not covered. Shield Advanced's $3,000 USD monthly fee requires a 1-year commitment with no early termination. To justify this fixed cost, a quantitative assessment of the business impact of the protected resources is needed, comparing it against the potential losses from downtime caused by DDoS attacks. WAF integration is recommended, and for Shield Advanced subscribers the WAF charges for rules associated with protected resources are waived.
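Because both Proactive Engagement (health checks associated with each protection) and cost protection (every resource explicitly registered) depend on the registration state, a coverage audit is a useful recurring check. The following is an added example, not AWS code: it parses a constructed inventory of ARNs and a constructed document in the shape of `aws shield list-protections` output (the `Protections`, `ResourceArn` and `HealthCheckIds` fields are real API fields; the account ID and resource IDs are placeholders) and reports eligible resources that are not registered and registered resources with no health check.

```python
"""Offline Shield Advanced coverage audit (added example, not AWS's own code)."""
import json
import re

# ARN shapes of the resource types Shield Advanced can protect (per the text:
# CloudFront, Route 53, ELB, Elastic IP, Global Accelerator).
ELIGIBLE = [
    re.compile(r"^arn:aws:cloudfront::\d{12}:distribution/"),
    re.compile(r"^arn:aws:route53:::hostedzone/"),
    re.compile(r"^arn:aws:elasticloadbalancing:[^:]+:\d{12}:loadbalancer/"),
    re.compile(r"^arn:aws:ec2:[^:]+:\d{12}:eip-allocation/"),
    re.compile(r"^arn:aws:globalaccelerator::\d{12}:accelerator/"),
]


def is_eligible(arn):
    """True if the ARN belongs to a Shield Advanced-protectable resource type."""
    return any(p.match(arn) for p in ELIGIBLE)


def audit(inventory, list_protections_output):
    """Compare an account's resource ARNs against its Shield protections.

    Returns eligible-but-unregistered ARNs (not covered by cost protection)
    and registered ARNs without a Route 53 health check (Proactive Engagement
    cannot trigger for them).
    """
    protected = {p["ResourceArn"]: p for p in list_protections_output["Protections"]}
    unregistered = sorted(a for a in inventory if is_eligible(a) and a not in protected)
    no_health_check = sorted(a for a, p in protected.items() if not p.get("HealthCheckIds"))
    return {"unregistered": unregistered, "no_health_check": no_health_check}


# Constructed sample data; 123456789012 and the resource IDs are placeholders.
INVENTORY = [
    "arn:aws:cloudfront::123456789012:distribution/EXAMPLEDIST1",
    "arn:aws:route53:::hostedzone/ZEXAMPLEZONE1",
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/web/0123456789abcdef",
    "arn:aws:ec2:us-east-1:123456789012:eip-allocation/eipalloc-0example",
    "arn:aws:lambda:us-east-1:123456789012:function:ignored",  # not protectable
]
SAMPLE_LIST_PROTECTIONS = {"Protections": [
    {"Id": "p-1", "ResourceArn": INVENTORY[0], "HealthCheckIds": ["hc-example-1"]},
    {"Id": "p-2", "ResourceArn": INVENTORY[1], "HealthCheckIds": ["hc-example-2"]},
    {"Id": "p-3", "ResourceArn": INVENTORY[2], "HealthCheckIds": []},
]}

if __name__ == "__main__":
    print(json.dumps(audit(INVENTORY, SAMPLE_LIST_PROTECTIONS), indent=2))
```

Against live data, feed the script the output of `aws shield list-protections` and an ARN inventory from the account; note that ListProtections is paginated, so collect all pages first.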