Shield
Managed DDoS protection with always-on detection and automatic mitigations
AWS Shield provides managed DDoS protection for AWS applications. Shield Standard is automatically included at no extra cost for all AWS accounts, protecting against the most common infrastructure attacks. Shield Advanced provides enhanced detection, 24/7 DDoS Response Team access, and cost protection against scaling charges caused by attack traffic.
Shield Standard vs Shield Advanced
| Feature | Shield Standard | Shield Advanced |
|---|---|---|
| Cost | Free, automatically enabled | $3,000/month (consolidated billing per org) + data transfer fees |
| Coverage | L3/L4 attacks against all AWS resources | L3/L4/L7 attacks; enhanced for CloudFront, ALB, Route 53, EC2, Global Accelerator |
| Detection | Automatic, signature-based | ML-based anomaly detection, per-resource baselines |
| Visibility | No dashboard | Real-time attack metrics and CloudWatch alarms |
| DRT access | None | 24/7 AWS Shield Response Team for attack assistance |
| Cost protection | None | AWS credits for scaling charges caused by DDoS attacks |
| WAF integration | None | Free AWS WAF usage on protected resources |
| Proactive engagement | None | DRT contacts you when attack is detected |
Shield Advanced's $3,000/month fee covers the entire AWS Organization when subscribed through the management account. If you have large-scale public applications, the WAF included free with Advanced often justifies the cost on its own.
DDoS Attack Types Shield Protects Against
| Layer | Attack type | Shield mitigation |
|---|---|---|
| L3 - Network | UDP reflection (DNS, NTP, SSDP amplification) | Scrubbing at AWS edge, rate limiting at ingress |
| L3 - Network | ICMP floods, Smurf attacks | Traffic filtering at edge |
| L4 - Transport | SYN floods, ACK floods | SYN proxy at edge, TCP state exhaustion mitigation |
| L4 - Transport | UDP floods | Rate limiting, anomaly detection |
| L7 - Application | HTTP floods, slowloris, cache-busting attacks | Shield Advanced + WAF rate-based rules required for L7 |
Shield Standard does not protect against Layer 7 (application layer) attacks. HTTP floods that target your CloudFront distribution or ALB require Shield Advanced combined with AWS WAF rate-based rules to mitigate effectively.
DDoS-Resilient Architecture Patterns
Shield works best when your architecture absorbs or filters attack traffic before it reaches your application servers.
| Layer | Service | DDoS benefit |
|---|---|---|
| Edge | CloudFront | Absorbs volumetric attacks at AWS edge PoPs, caches reduce origin load |
| DNS | Route 53 | Anycast routing, shuffle sharding isolates traffic, resilient to DNS floods |
| Load balancing | ALB/NLB | Scales independently of backend, Shield Advanced protects the ALB directly |
| Firewall | AWS WAF | Rate-based rules, geo-blocking, IP reputation lists block L7 attack traffic |
| Network | Security Groups / NACLs | Block attack source IPs at VPC level |
The single most impactful DDoS mitigation for web applications is putting CloudFront in front of your origin and blocking all direct traffic to it (restrict origin access to CloudFront's IP ranges, or use Origin Access Control or a secret custom origin header). This ensures all traffic passes through CloudFront, where Shield and WAF can inspect it.
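A check for the origin lock-down described above, written as an added example rather than code from the page: it walks security groups in the shape `ec2 describe-security-groups` returns and flags any ingress on 80/443 whose source is not the CloudFront origin-facing managed prefix list. The prefix list ID and the groups are constructed placeholders.

```python
"""Audit origin security groups for paths that bypass CloudFront. Added example,
not from the page: input mirrors `ec2 describe-security-groups` output, and the
groups and prefix-list ID are constructed placeholders (the real list is
com.amazonaws.global.cloudfront.origin-facing, whose ID varies per region)."""
WEB_PORTS = {80, 443}

def covers_web_port(perm):
    """True if an ingress permission exposes TCP 80/443 (or all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return any(perm["FromPort"] <= p <= perm["ToPort"] for p in WEB_PORTS)

def find_origin_bypass(security_groups, cloudfront_prefix_list_id):
    """Return (group_id, source) pairs where a non-CloudFront source reaches web ports."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not covers_web_port(perm):
                continue
            for r in perm.get("IpRanges", []):
                findings.append((sg["GroupId"], r["CidrIp"]))
            for r in perm.get("Ipv6Ranges", []):
                findings.append((sg["GroupId"], r["CidrIpv6"]))
            for pl in perm.get("PrefixListIds", []):
                if pl["PrefixListId"] != cloudfront_prefix_list_id:
                    findings.append((sg["GroupId"], pl["PrefixListId"]))
            # UserIdGroupPairs (other security groups) are internal sources,
            # not a direct internet path, so they are not flagged here.
    return findings

# Constructed sample: one group locked to the CloudFront prefix list, one that
# still admits the whole internet on 443 and so bypasses Shield/WAF inspection.
SAMPLE_PREFIX_LIST = "pl-00000cf0"  # placeholder, not a real prefix list ID
SAMPLE_GROUPS = [
    {"GroupId": "sg-origin-good", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [],
         "Ipv6Ranges": [], "PrefixListIds": [{"PrefixListId": SAMPLE_PREFIX_LIST}]}]},
    {"GroupId": "sg-origin-bad", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "PrefixListIds": [{"PrefixListId": SAMPLE_PREFIX_LIST}]}]},
]

if __name__ == "__main__":
    for group_id, source in find_origin_bypass(SAMPLE_GROUPS, SAMPLE_PREFIX_LIST):
        print(f"{group_id}: web ports reachable from {source}, bypassing CloudFront")
```

Feed it the real `SecurityGroups` list from the CLI and your region's prefix list ID to get the same report for your origin groups.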
Shield Response Team (DRT) Engagement
With Shield Advanced, the DRT can access your AWS WAF rules and flow logs (with your permission) to write mitigation rules during an active attack. You must pre-authorize DRT access before an attack occurs.
```bash
# Pre-authorize the DRT to access WAF and logs.
# The role must trust drt.shield.amazonaws.com and carry the
# AWSShieldDRTAccessPolicy managed policy.
aws shield associate-drt-role \
    --role-arn arn:aws:iam::123456789012:role/AWSShieldDRTAccessRole

# Add a protected resource (must do this before an attack)
aws shield create-protection \
    --name "My CloudFront Distribution" \
    --resource-arn arn:aws:cloudfront::123456789012:distribution/EDFDVBD6EXAMPLE

# Enable proactive engagement (DRT contacts you). Emergency contacts must be
# registered first with: aws shield associate-proactive-engagement-details
aws shield update-proactive-engagement --proactive-engagement-status ENABLED

# List attacks that started within a time window. --start-time and --end-time
# take a TimeRange (FromInclusive/ToExclusive), not a bare timestamp.
aws shield list-attacks \
    --start-time FromInclusive=2024-01-01T00:00:00Z,ToExclusive=2024-01-02T00:00:00Z
```

Shield Advanced protections must be explicitly created for each resource you want enhanced protection on. Simply subscribing to Shield Advanced does not automatically protect your existing resources: you must add each ALB, CloudFront distribution, and Elastic IP individually.
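Because protections are created per resource, the check a practitioner wants is a coverage audit. The following is an added example, not code from the page or from AWS: it compares an inventory of ARNs against the `Protections` list that `aws shield list-protections` returns (both constructed samples here, using the page's example account ID) and reports what is still unprotected. Treating NLBs as covered through their Elastic IPs is this example's own assumption.

```python
"""Find resources not yet covered by a Shield Advanced protection (added
example, not from the page). Inventory and the `shield list-protections`-shaped
output are constructed samples using the page's example account 123456789012."""
from collections import defaultdict
# ARN prefixes of resource types Shield Advanced can protect directly.
PROTECTABLE_PREFIXES = {
    "arn:aws:cloudfront::": "cloudfront-distribution",
    "arn:aws:elasticloadbalancing:": "load-balancer",
    "arn:aws:ec2:": "elastic-ip",
    "arn:aws:route53:::hostedzone/": "route53-hosted-zone",
    "arn:aws:globalaccelerator::": "global-accelerator",
}

def classify(arn):
    """Map an ARN to a protectable type, or None if it needs no direct protection."""
    for prefix, kind in PROTECTABLE_PREFIXES.items():
        if not arn.startswith(prefix):
            continue
        if kind == "load-balancer" and "/net/" in arn:
            return None  # assumption: NLBs are covered via their Elastic IPs
        if kind == "elastic-ip" and ":eip-allocation/" not in arn:
            return None  # other EC2 ARNs (instances, ENIs) are not protectable
        return kind
    return None

def unprotected_resources(inventory, protections):
    """Return {type: [arn, ...]} for protectable ARNs that have no protection."""
    covered = {p["ResourceArn"] for p in protections}
    gaps = defaultdict(list)
    for arn in inventory:
        kind = classify(arn)
        if kind and arn not in covered:
            gaps[kind].append(arn)
    return dict(gaps)
# Constructed sample: the page's distribution is protected; the ALB and EIP are not.
SAMPLE_INVENTORY = [
    "arn:aws:cloudfront::123456789012:distribution/EDFDVBD6EXAMPLE",
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/public-api/0123456789abcdef",
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/internal/fedcba9876543210",
    "arn:aws:ec2:us-east-1:123456789012:eip-allocation/eipalloc-0example",
    "arn:aws:ec2:us-east-1:123456789012:instance/i-0example",
]
SAMPLE_PROTECTIONS = [  # "Protections" list as returned by `aws shield list-protections`
    {"Id": "prot-example", "Name": "My CloudFront Distribution",
     "ResourceArn": "arn:aws:cloudfront::123456789012:distribution/EDFDVBD6EXAMPLE"},
]
if __name__ == "__main__":
    for kind, arns in unprotected_resources(SAMPLE_INVENTORY, SAMPLE_PROTECTIONS).items():
        print(kind, *arns, sep="\n  ")
```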
Interview Focus Points
1. What is the difference between Shield Standard and Shield Advanced? When does the cost of Advanced make sense?
2. What types of DDoS attacks does Shield Standard NOT protect against, and what do you add to fill that gap?
3. Walk me through a DDoS-resilient architecture for a high-traffic public API.
4. What must you do before an attack to enable DRT engagement during a live attack?
5. How does putting CloudFront in front of your origin improve DDoS resilience?
6. What is Shield Advanced cost protection, and what does it actually cover?
7. How do you add a resource to Shield Advanced protection?