AWS Shield Overview: Tiers, features, pricing, and more

In this blog post, we’ll quickly go through the concept of AWS Shield, its options, features, and more.

What is AWS Shield?

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so you can continue to operate during attacks.

AWS Shield Standard

AWS Shield Standard is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield Standard protects against both known and emerging DDoS attacks, and provides always-on detection and automatic inline mitigations to help ensure that your applications are always available.

AWS Shield Advanced

AWS Shield Advanced is a paid subscription service that provides additional protection against DDoS attacks for your AWS resources. Advanced features include increased resources for attack mitigation, support from the AWS Professional Services team, and access to detailed attack reports.

How does AWS Shield work?

Applications running on Amazon Web Services (AWS) are protected by AWS Shield, the managed Distributed Denial of Service (DDoS) protection service. In the case of a DDoS attack, AWS Shield offers always-on monitoring and automatic inline mitigations to reduce application disruption and facilitate quick recovery.

AWS Shield defends against the most common, frequently occurring network and transport layer DDoS attacks, such as SYN/ACK floods, reflection attacks, and DNS and HTTP floods. AWS Shield provides comprehensive DDoS protection for AWS resources, such as Elastic Load Balancing, Amazon CloudFront, Amazon Route 53, and Amazon Elastic Compute Cloud (Amazon EC2).

Advanced protection is a paid service that provides enhanced protection against more extensive and sophisticated DDoS attacks. AWS Shield offers two tiers of protection, Standard and Advanced, to help you cost-effectively scale your DDoS protection as your AWS usage and traffic patterns change. Standard protection is always included with AWS Shield and is provided at no additional charge.

To start with AWS Shield, sign up for an AWS account and enable the AWS Shield service. AWS Shield is easy to set up and requires no additional hardware or software. There are no upfront costs or long-term contracts, and you pay only for the resources you use.

AWS Shield Features

Let’s have a look at the main features of both the standard and the advanced tiers.

AWS Shield Standard Features

  • AWS WAF (Web Application Firewall): AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect availability, compromise security, or consume excessive resources.
  • Managed Rules for AWS WAF: AWS WAF includes a set of managed rules that are maintained and updated by AWS. These rules cover many common web attack vectors and can be used to immediately start protecting your web applications.
  • 24/7 Monitoring and DDoS Protection: AWS Shield Standard provides 24/7 monitoring of your Amazon CloudFront distributions, Route 53 health checks, and Elastic Load Balancing resources. It also includes automatic detection and mitigation of DDoS attacks.

AWS Shield Advanced Features

  • AWS WAF: This feature allows you to create security rules that can help mitigate DDoS attacks by filtering out malicious traffic before it reaches your resources.
  • DDoS Event Notifications: This feature allows you to receive real-time notifications of DDoS events so you can take appropriate action.
  • DDoS Protection for Amazon CloudFront: This feature automatically applies DDoS protection rules to your Amazon CloudFront distributions, protecting your content from malicious traffic.
  • DDoS Protection for Amazon Route 53: This feature automatically applies DDoS protection rules to your Amazon Route 53 resources, protecting your DNS from malicious traffic.
  • Unlimited DDoS Protection: This feature provides unlimited DDoS protection for your AWS resources, without any additional charges.
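
Shield Advanced only covers resources that have a protection created for them, so a useful check is to compare what you expose to the internet with what is actually protected. The following is an added example, not code from the original post or from AWS: it takes the subscription state and protection list in the shape returned by the Shield API's GetSubscriptionState and ListProtections calls and reports coverage gaps. The function names, the service filter, and all ARNs are assumptions constructed for illustration.

```python
# Added example. All ARNs are constructed sample values, not from a real account.
# Inputs mirror two Shield API responses: GetSubscriptionState ("ACTIVE" or
# "INACTIVE") and the "Protections" list returned by ListProtections.

# Coarse filter on the ARN service field (a simplification made by this example).
PROTECTABLE_SERVICES = {"cloudfront", "route53", "elasticloadbalancing", "globalaccelerator"}


def is_protectable(arn):
    """True if the ARN names a resource type Shield Advanced can protect."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    service, resource = parts[2], parts[5]
    if service == "ec2":
        # EC2 is covered through Elastic IP allocations, not instance ARNs.
        return resource.startswith("eip-allocation/")
    return service in PROTECTABLE_SERVICES


def audit_coverage(subscription_state, protections, inventory_arns):
    """Compare internet-facing resources with existing Shield Advanced protections."""
    subscribed = subscription_state == "ACTIVE"
    protected = {p["ResourceArn"] for p in protections} if subscribed else set()
    inventory = set(inventory_arns)
    eligible = {arn for arn in inventory if is_protectable(arn)}
    return {
        "subscribed": subscribed,
        "unprotected": sorted(eligible - protected),      # exposed, no protection
        "not_protectable": sorted(inventory - eligible),  # needs another control
        "stale": sorted(protected - inventory),           # protection with no known resource
    }


ACCOUNT = "111122223333"
CF = f"arn:aws:cloudfront::{ACCOUNT}:distribution/E1EXAMPLE"
ZONE = "arn:aws:route53:::hostedzone/Z1EXAMPLE"
ALB = f"arn:aws:elasticloadbalancing:us-east-1:{ACCOUNT}:loadbalancer/app/web/0123456789abcdef"
INSTANCE = f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-0123456789abcdef0"
OLD_EIP = f"arn:aws:ec2:us-east-1:{ACCOUNT}:eip-allocation/eipalloc-0example"

SAMPLE_INVENTORY = [CF, ZONE, ALB, INSTANCE]
SAMPLE_PROTECTIONS = [{"Name": "cdn", "ResourceArn": CF}, {"Name": "old-eip", "ResourceArn": OLD_EIP}]

if __name__ == "__main__":
    for key, value in audit_coverage("ACTIVE", SAMPLE_PROTECTIONS, SAMPLE_INVENTORY).items():
        print(key, value)
```

With an inactive subscription every eligible resource is reported as unprotected, which makes the report usable as a pre-subscription inventory as well.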

Benefits of AWS Shield

Let’s have a look at the main benefits and advantages of both the standard and the advanced tiers.

Benefits of AWS Shield Standard

  • It is a managed service, so you don’t have to worry about configuring and managing your own DDoS protection infrastructure.
  • It integrates with other AWS services to provide protection at multiple layers (e.g. from network attacks and application-layer attacks).
  • It provides always-on protection against common DDoS attacks, with no need to manually enable protection or configure rules.
  • It automatically scales up to meet sudden and large increases in traffic volume, without any action required from you.
  • It provides detailed visibility into attack trends and patterns, so you can better understand the types of attacks you are facing and take steps to mitigate them.

Benefits of AWS Shield Advanced

The benefits of using AWS Shield Advanced include all of the features of AWS Shield Standard, plus additional features that can help protect your applications from more sophisticated attacks. Advanced features include:

  • AWS WAF: This allows you to create custom rules to block or allow specific traffic based on conditions that you define.
  • DDoS Protection by Amazon CloudFront: This provides automatic DDoS protection for your Amazon CloudFront distributions.
  • Real-time monitoring and reporting: This provides you with data and reports on the status of your AWS Shield protection, including information on attacks that have been blocked.

Do I need AWS Shield Standard or Advanced?

This depends on your needs. If you require protection from large-scale attacks, such as distributed denial of service (DDoS) attacks, then you will need AWS Shield Advanced. If you only require protection from more common attacks, then AWS Shield Standard will likely suffice.

There is no “one size fits all” answer to this question, as the appropriate level of protection will vary depending on the specific needs of your business. However, in general, AWS Shield Standard is recommended for most users, as it provides protection against common attacks such as DDoS attacks. AWS Shield Advanced offers additional protection against more sophisticated attacks and is recommended for businesses that require the highest level of security.

AWS Shield Pricing

Let’s distinguish the 2 tiers.

AWS Shield Standard Pricing

There is no additional charge for AWS Shield Standard. You pay only for the resources that you use.

AWS Shield Advanced Pricing

Using AWS Shield Advanced will require a 1-year minimum commitment, with a monthly fee of 3000 USD.

AWS Shield vs WAF: what’s the difference?

AWS Shield is a managed DDoS protection service that protects your web applications and resources from DDoS attacks. AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources.

I hope this blog post helped you understand AWS Shield’s aspects and features. If you have thoughts or questions, feel free to leave a comment or contact Cloud Academy.

Thanks and Happy Learning!

Cloud Academy