What is AWS Shield?
AWS Shield is a managed DDoS protection service that protects web applications on AWS from Distributed Denial of Service attacks. The service provides automatic detection and mitigation of network and transport layer attacks targeting your AWS resources.
Shield exists in two variants: Shield Standard is free and enabled in all AWS accounts, providing basic protection against common DDoS attacks. Shield Advanced offers enhanced protection for larger and more complex attacks, access to the AWS DDoS Response Team, and cost protection during attacks.
Core Features
- Automatic detection and mitigation of DDoS attacks at Layers 3, 4, and 7
- Always-on detection without latency impact during normal operation
- Integration with CloudFront, Route 53, ALB, and Global Accelerator
- Real-time metrics and attack diagnostics in the AWS Console
- DDoS Response Team (DRT) access with Shield Advanced
Typical Use Cases
Web Application Protection: E-commerce platforms, SaaS applications, and enterprise websites benefit from automatic protection against volumetric attacks that could make websites unreachable.
API Security: APIs served through API Gateway or Application Load Balancer receive protection against overload attacks that could crash backend systems.
DNS Protection: Route 53 Hosted Zones are automatically protected by Shield Standard, ensuring availability of your DNS infrastructure even during attacks.
Benefits
- Shield Standard is free and automatically enabled
- No configuration required for basic protection
- Scales automatically with attack size
- Cost protection with Shield Advanced prevents unexpected bills
Integration with innFactory
As an AWS Reseller, innFactory supports you with AWS Shield: DDoS risk assessment, Shield Advanced configuration, integration with WAF for Layer 7 protection, and optimization of your security architecture.
Frequently Asked Questions
What is the difference between Shield Standard and Shield Advanced?
Shield Standard is free and automatically protects against the most common DDoS attacks at Layers 3 and 4. Shield Advanced provides enhanced protection for Layer 7, 24/7 access to the DDoS Response Team, cost protection for scaling caused by attacks, and detailed attack diagnostics.
Which AWS services does Shield protect?
Shield Standard automatically protects CloudFront, Route 53, Global Accelerator, and Elastic Load Balancing. Shield Advanced extends protection to EC2, Elastic IP addresses, and additional resources with enhanced detection capabilities.
What does AWS Shield Advanced cost?
Shield Advanced costs 3,000 USD per month plus data transfer fees. The service includes cost protection: AWS refunds additional costs for CloudFront, Route 53, and Elastic Load Balancing during DDoS-related scaling.
How quickly does Shield respond to attacks?
Shield Standard detects and blocks most attacks within seconds. Shield Advanced additionally provides proactive detection, and the DDoS Response Team can intervene manually in complex attacks.