AWS Shield
Managed DDoS protection service for applications
Shield is like having a security team that protects your website from DDoS attacks, where bad actors flood your site with junk traffic to take it down. Imagine a restaurant where someone sends 10,000 fake customers to overwhelm the staff so real customers can't get in. Shield detects and blocks this fake traffic automatically. AWS Shield Standard is free and protects against common attacks. Shield Advanced (paid) provides enhanced protection, 24/7 DDoS Response Team support, and cost protection (AWS credits if you scale up due to DDoS). It's like having bodyguards who not only protect you but also reimburse you if you had to hire extra security during an attack.
Shield Standard provides automatic protection against common Layer 3/4 (network and transport layer) DDoS attacks such as SYN floods and UDP reflection for all AWS customers at no cost. Shield Advanced adds enhanced protection for Layer 3/4/7 attacks, real-time attack visibility, DDoS Response Team (DRT) support, and cost protection. Shield Advanced integrates with CloudFront, Route 53, ALB, NLB, Elastic IP addresses, and Global Accelerator.
Key Capabilities
Key features: attack diagnostics (detailed metrics and reports), health-based detection (detect attacks based on application health), and proactive engagement (DRT can proactively contact you during attacks).
Gotchas & Constraints
Gotcha #1: Shield Standard is automatic and free, but Shield Advanced costs $3,000/month plus data transfer fees. Gotcha #2: Shield Advanced cost protection only covers the scaling charges caused by an attack, not your baseline costs. Constraints: Shield Advanced requires a 1-year commitment, and for Layer 7 protection DRT support requires AWS WAF on the protected resource together with CloudFront/Route 53 integration.
A gaming company launches a new multiplayer game and immediately faces DDoS attacks from competitors trying to take the game offline. Shield Standard provides basic protection, but attacks are sophisticated (Layer 7 application attacks). They upgrade to Shield Advanced, integrating with CloudFront (game assets), Route 53 (DNS), and ALB (game servers). During a 300Gbps DDoS attack, Shield detects and mitigates it automatically, so players experience no downtime. Shield Advanced provides real-time metrics showing attack vectors and mitigation actions. The DDoS Response Team proactively contacts them, analyzing attack patterns and recommending WAF rules to block application-layer attacks. During the attack, they scale ALB capacity 10x, and Shield Advanced cost protection provides AWS credits for the additional charges.
The Result
Zero downtime during attacks, expert support, and financial protection from DDoS-related scaling costs.
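The Shield Advanced setup from the gaming scenario above, written here as an added Terraform example that is not from the original page or from AWS: it subscribes the account, protects the ALB, attaches a Route 53 health check for health-based detection, enables proactive engagement, and turns on WAF-backed automatic Layer 7 mitigation in COUNT mode. Every ARN, hostname, account ID and contact value is a placeholder to be replaced with your own.

```hcl
# Constructed example, not from the page. ARNs, hostnames and contacts are placeholders.
# Applying the subscription incurs the Shield Advanced fee and the one-year commitment.
resource "aws_shield_subscription" "this" {
  auto_renew = "ENABLED"
}

# Protect the game-server ALB (CloudFront and Route 53 resources are added the same way).
resource "aws_shield_protection" "alb" {
  name         = "game-servers-alb"
  resource_arn = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/game/abc123" # placeholder
  depends_on   = [aws_shield_subscription.this]
}

# Health-based detection: Shield Advanced uses the health check status as a detection
# signal, so mitigation can start sooner when an attack degrades the application.
resource "aws_route53_health_check" "alb" {
  fqdn              = "play.example.com" # placeholder
  port              = 443
  type              = "HTTPS"
  resource_path     = "/health"
  failure_threshold = 3
  request_interval  = 30
}

resource "aws_shield_protection_health_check_association" "alb" {
  shield_protection_id = aws_shield_protection.alb.id
  health_check_arn     = aws_route53_health_check.alb.arn
}

# Proactive engagement: the DRT contacts these people when health-based detection
# shows the protected application is unhealthy, so it depends on the association above.
resource "aws_shield_proactive_engagement" "this" {
  enabled = true
  emergency_contact {
    email_address = "security-oncall@example.com" # placeholder
    phone_number  = "+15555550100"                # placeholder
    contact_notes = "Primary on-call for DDoS events"
  }
  depends_on = [aws_shield_protection_health_check_association.alb]
}

# Layer 7: automatic application-layer mitigation requires an AWS WAF web ACL already
# associated with the ALB; COUNT mode lets you observe the rule before switching to BLOCK.
resource "aws_shield_application_layer_automatic_response" "alb" {
  resource_arn = aws_shield_protection.alb.resource_arn
  action       = "COUNT"
}
```

Review the counted requests in WAF logs during a test window before changing the action to BLOCK, since a mis-tuned rule can drop legitimate players.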