AWS Shield Standard and Advanced
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
AWS Shield: Protecting the Edge of Your Infrastructure
In the modern digital landscape, your infrastructure is only as strong as its perimeter. As soon as you expose an application to the public internet, you become a target for Distributed Denial of Service (DDoS) attacks. These attacks are designed to overwhelm your resources, making your services unavailable to legitimate users, which can lead to significant financial loss and reputational damage. AWS Shield is the managed service provided by Amazon Web Services to help mitigate these threats at the network and application layers. Understanding how to use Shield effectively is a foundational skill for any cloud engineer or security architect.
Understanding the DDoS Threat Landscape
Before diving into the mechanics of AWS Shield, we must define what we are actually fighting. A DDoS attack attempts to exhaust the resources of your application, network, or server. These attacks can originate from a single source or, more commonly, from a coordinated botnet of compromised devices across the globe.
The most common types of attacks include:
- Volumetric Attacks: These attacks aim to saturate the bandwidth of your site, often using techniques like UDP reflection or amplification to send massive amounts of traffic that consume your network capacity.
- Protocol Attacks: These focus on consuming server resources or intermediate infrastructure (like firewalls or load balancers) by exploiting weaknesses in protocols such as TCP or SSL/TLS handshakes.
- Application Layer Attacks: These are more sophisticated, targeting specific aspects of your application, such as expensive database queries or login endpoints, to exhaust server-side resources like CPU or memory.
AWS Shield is designed to handle these threats by integrating directly into the AWS global network, allowing it to inspect traffic before it even touches your specific resource instances.
AWS Shield Standard: The Baseline Defense
AWS Shield Standard is included automatically with every AWS account at no additional cost. It provides a baseline level of protection for all customers against the most common, frequently occurring network and transport layer DDoS attacks.
When you launch an Elastic Load Balancer (ELB), a CloudFront distribution, or a Route 53 hosted zone, Shield Standard is already working in the background. It monitors traffic patterns to identify malicious activity and automatically applies mitigations to keep your services available.
How Standard Operates
The "Standard" version is an always-on service. You do not need to configure anything to enable it. It uses traffic analysis, anomaly detection, and signature-based filtering to block traffic that matches known attack patterns. Because it operates at the AWS edge, it can discard malicious packets before they reach your Virtual Private Cloud (VPC) or your application logic.
Callout: Shield Standard vs. Shield Advanced Many engineers confuse the two. Shield Standard is a passive, automated, baseline protection included for free. Shield Advanced is an optional, paid, premium service that offers deeper visibility, cost protection, and human support. Think of Standard as a high-quality deadbolt on your front door, while Advanced is a full-time security team monitoring your entire property.
AWS Shield Advanced: Deep Visibility and Customization
For organizations that handle sensitive data, mission-critical applications, or those that are frequent targets of sophisticated attacks, AWS Shield Advanced is the standard recommendation. It goes far beyond the automated protections of the Standard tier by offering detailed diagnostics, custom mitigation rules, and financial protection.
Key Features of Shield Advanced
- Enhanced Detection: Advanced uses machine learning models that are specifically trained on your application’s unique traffic patterns. This leads to fewer false positives and faster detection of application-layer attacks.
- AWS WAF Integration: Shield Advanced includes AWS WAF (Web Application Firewall) at no extra cost for protected resources. This allows you to create complex rules to block specific IP addresses, geographical locations, or request patterns.
- Cost Protection: This is perhaps the most unique feature. If you experience a DDoS attack that causes your AWS bill to spike due to auto-scaling events, Shield Advanced provides cost protection to cover those specific scaling charges.
- DDoS Response Team (DRT): When you subscribe to Advanced, you gain 24/7 access to the AWS DDoS Response Team. These experts can help you write custom WAF rules during an ongoing attack to mitigate threats that automated systems might miss.
Configuring Shield Advanced: A Step-by-Step Guide
To start using Shield Advanced, you must first enable it for your AWS account. Once enabled, you must explicitly "protect" the specific resources you wish to monitor.
Step 1: Subscribing to Shield Advanced
- Navigate to the AWS Shield console.
- Select "Subscription" from the navigation pane.
- Click "Subscribe to Shield Advanced."
- Review the pricing and terms, then confirm. Note that this is a subscription service that typically requires a 1-year commitment.
Step 2: Protecting Resources
Once subscribed, you need to add your resources to the protection list.
- In the Shield console, go to "Protected resources."
- Click "Add protected resource."
- Choose the resource type (e.g., CloudFront distribution, Elastic Load Balancer, or Route 53 zone).
- Select the specific resource from the list and click "Protect."
Step 3: Setting Up Health Checks
To get the most out of the detection capabilities, you should associate a Route 53 health check with your protected resource. This allows Shield to distinguish between a genuine attack and a simple service failure.
- Go to the Route 53 console and create a health check for your application endpoint.
- In the Shield console, edit the protected resource.
- Associate the health check you just created.
Implementing WAF Rules for Layer 7 Protection
While Shield handles the network layer automatically, you will often need to create custom WAF rules to handle application-layer (Layer 7) threats. For example, if you notice a spike in traffic to a specific search endpoint, you can create a rate-limiting rule.
Practical Example: Rate Limiting
Suppose you have an API endpoint /api/v1/search that is being hammered by a bot. You want to limit requests to 100 per 5-minute window per IP address.
{
"Name": "SearchRateLimit",
"Priority": 1,
"Action": { "Block": {} },
"Statement": {
"RateBasedStatement": {
"Limit": 100,
"AggregateKeyType": "IP",
"ScopeDownStatement": {
"ByteMatchStatement": {
"SearchString": "/api/v1/search",
"FieldToMatch": { "UriPath": {} },
"TextTransformations": [{ "Priority": 0, "Type": "NONE" }]
}
}
}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "SearchRateLimit"
}
}
This JSON structure defines a rule that inspects the URI path. If the path matches /api/v1/search, it tracks the number of requests per IP. Once the threshold of 100 is met within the timeframe, the WAF will block further requests from that IP address.
Tip: Start in Count Mode Before you enable a "Block" action on a new WAF rule, always set the action to "Count" first. This allows you to monitor the rule's impact in CloudWatch metrics to ensure you aren't inadvertently blocking legitimate user traffic.
Best Practices for Edge Protection
Securing the edge is not a "set it and forget it" task. It requires a disciplined approach to architecture and monitoring.
1. Minimize Your Attack Surface
The most effective way to prevent a DDoS attack is to ensure that only the necessary services are exposed to the public internet. Use private subnets for your application servers and only expose your load balancers or CloudFront distributions. If you have internal-only services, ensure they are not accessible via public IP addresses.
2. Use CloudFront as a Shield
CloudFront is your first line of defense. By using CloudFront, you hide your origin server's IP address. Attackers must target the CloudFront edge locations, which are massively distributed and designed to handle enormous amounts of traffic. This prevents attackers from directly targeting your EC2 instances or your database.
3. Implement Robust Monitoring and Alarms
You cannot respond to what you cannot see. Configure CloudWatch Alarms to notify your security team when the DDoSDetected metric for a protected resource enters an "Alarm" state.
| Metric | Description | Recommended Action |
|---|---|---|
DDoSDetected |
Indicates if Shield detects an attack. | Set an alarm to alert the team. |
BlockedRequests |
Number of requests blocked by WAF rules. | Monitor for sudden spikes in blocks. |
RequestCount |
The total number of requests. | Set a baseline to detect abnormal traffic. |
4. Regularly Audit Your WAF Rules
Over time, WAF rules can become cluttered or outdated. Conduct quarterly reviews of your WAF web ACLs. Remove rules that are no longer relevant, such as those blocking IP ranges that are no longer problematic or rules for endpoints that have been deprecated.
Common Pitfalls and How to Avoid Them
Even with the best tools, misconfiguration is the leading cause of security gaps.
Pitfall 1: Relying Solely on Automated Protection
Many teams believe that enabling Shield Standard is enough. While it is excellent for volumetric attacks, it does not provide visibility into application-specific abuse. You must proactively define WAF rules to protect your specific business logic.
Pitfall 2: Neglecting Health Checks
If you do not associate health checks with your resources, Shield's automated detection may be less accurate. Without knowing the health state of your application, Shield might struggle to differentiate between a successful attack that has degraded your service and a simple outage caused by a bad code deployment.
Pitfall 3: Ignoring Regional Dependencies
Remember that Shield protections are tied to the specific resource. If you deploy a new region or a new load balancer, you must remember to add it to your protection group in the Shield console. Automating this via Infrastructure as Code (IaC) is the best way to prevent this oversight.
Warning: The "Open to the World" Trap A common mistake is allowing direct traffic to your EC2 instances on ports 80 and 443 while also having a load balancer. Ensure your Security Groups only allow traffic from the Load Balancer's security group, effectively forcing all traffic through the protective layers of your infrastructure.
Infrastructure as Code: Automating Shield Protection
Managing your security posture manually is prone to human error. You should define your WAF rules and Shield protections using tools like Terraform or AWS CloudFormation. This ensures that every time you deploy a new environment, the security protections are applied consistently.
Example: Terraform Snippet for Shield Protection
Using Terraform, you can ensure that your CloudFront distribution is automatically shielded.
resource "aws_shield_protection" "example" {
name = "my-app-protection"
resource_arn = aws_cloudfront_distribution.my_dist.arn
}
By including this resource in your Terraform configuration, you guarantee that every new distribution created in your CI/CD pipeline is protected by Shield Advanced from the moment it is deployed.
The Role of the DDoS Response Team (DRT)
One of the most valuable aspects of Shield Advanced is the ability to engage the AWS DDoS Response Team. When you are under a complex attack that your WAF rules are failing to stop, you can open a support case and request DRT involvement.
They will analyze your logs, identify the traffic patterns of the attacker, and help you draft specific WAF rules to mitigate the threat. This is a collaborative effort; your team provides the context of what "normal" traffic looks like, and the DRT provides the expertise to filter out the "abnormal" traffic.
Advanced Strategies: Geographic Filtering and Reputation Lists
Sometimes, you may notice that a high volume of malicious traffic originates from a specific country where you do not conduct business. You can use WAF Geo-blocking to drop all traffic from those regions.
Similarly, you can use AWS Managed Rulesets. AWS maintains lists of known bad actors, botnets, and malicious IP addresses. By enabling these managed rule groups in your WAF, you get the benefit of AWS's global intelligence on threat actors without having to maintain your own blocklists.
Checklist for Shield Advanced Deployment
- Subscribe to Shield Advanced in the AWS Console.
- Map out all your public-facing endpoints (ELBs, CloudFront, Route 53).
- Enable Shield Protection for all identified resources.
- Deploy a base set of WAF Managed Rules (e.g., Core Rule Set, Known Bad Inputs).
- Configure CloudWatch Alarms for the
DDoSDetectedmetric. - Create a runbook for your team on what to do when an alarm fires.
- Conduct a "Game Day" exercise to simulate a controlled attack.
Why "Game Days" are Essential
A Game Day is a simulated attack exercise where your team intentionally triggers your security controls to see how they respond. You can use traffic generation tools to simulate a volumetric attack against a staging environment protected by Shield.
This exercise serves three purposes:
- Validation: It confirms that your configurations are actually working as expected.
- Training: It teaches your operations team how to read the logs and identify when an attack is happening.
- Refinement: It highlights gaps in your monitoring or alerting that you wouldn't otherwise notice until a real attack occurred.
Integrating with Logging and Analytics
To truly understand what is happening at your edge, you should enable WAF logging and stream those logs to an S3 bucket or CloudWatch Logs. This allows you to perform deep forensics after an incident.
You can use Amazon Athena to query your WAF logs in S3. This is incredibly powerful for investigating an attack. For example, you could run a query to find the top 10 IP addresses that were blocked by your WAF over the last 24 hours:
SELECT httpRequest.clientIp, count(*) as count
FROM waf_logs
WHERE action = 'BLOCK'
GROUP BY httpRequest.clientIp
ORDER BY count DESC
LIMIT 10;
This level of visibility is what separates a reactive security posture from a proactive one. By analyzing these logs, you can identify trends, such as an attacker slowly rotating through IP addresses, and adjust your rules accordingly.
Frequently Asked Questions (FAQ)
Is Shield Standard enough for most websites?
For small, static websites, Shield Standard is often sufficient. However, if your business relies on uptime for revenue (e-commerce, SaaS, API services), the visibility and support provided by Shield Advanced are worth the investment.
Does Shield protect against all types of attacks?
No. Shield is focused on DDoS attacks. It does not replace the need for other security measures like application-level authentication, SQL injection protection, or secure coding practices. You still need to ensure your application code is secure.
How quickly does Shield detect an attack?
Shield detects most volumetric attacks within seconds. Application-layer attacks can take slightly longer to detect because they require more analysis of the request patterns to distinguish them from legitimate user behavior.
Can I use Shield with non-AWS resources?
AWS Shield is designed to protect resources hosted on AWS. While you can use CloudFront to front a non-AWS origin, the protection is primarily focused on the traffic hitting the AWS infrastructure.
Final Summary and Key Takeaways
Securing your infrastructure's edge is a critical responsibility. AWS Shield provides a scalable, managed way to handle the constant threat of DDoS attacks. Whether you are using the baseline protection of Shield Standard or the premium features of Shield Advanced, the goal remains the same: ensuring that your services remain available to your users regardless of external traffic conditions.
Key Takeaways:
- Always-On Protection: AWS Shield Standard provides immediate, automated protection for all AWS customers at no extra cost, covering the most common volumetric attacks.
- The Power of Advanced: Shield Advanced offers significant value through machine learning-based detection, cost protection, and 24/7 access to the DDoS Response Team.
- WAF Integration is Key: Shield works best when paired with AWS WAF, allowing you to create custom rules that protect your specific application logic from Layer 7 attacks.
- Infrastructure as Code: Use Terraform or CloudFormation to manage your Shield protections to ensure consistency and prevent configuration drift across your environments.
- Visibility Matters: Enable WAF logging and use tools like CloudWatch and Athena to gain deep insights into traffic patterns, allowing you to respond to threats with data-driven decisions.
- Proactive Testing: Conduct regular "Game Day" exercises to validate your defenses and ensure your team is prepared to respond to an active security incident.
- Defense in Depth: Remember that Shield is one piece of a larger security puzzle. Always combine it with secure architecture, robust monitoring, and regular audits of your security configurations.
By following these principles, you can build a resilient infrastructure that stands firm against the evolving threat of DDoS attacks, giving your users a reliable experience and protecting your business from unnecessary downtime. The edge of your network is the first line of defense; make sure it is configured with care and monitored with precision.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons