AWS Shield
Managed DDoS protection service for applications
Shield is like having a security team that protects your website from DDoS attacks, in which bad actors flood your site with fake traffic to take it down. Imagine a restaurant where someone sends 10,000 fake customers to overwhelm the staff so real customers can't get in. Shield detects and blocks this fake traffic automatically. AWS Shield Standard is free and protects against common attacks. Shield Advanced (paid) provides enhanced protection, 24/7 DDoS Response Team support, and cost protection (AWS credits if you scale up due to DDoS). It's like having bodyguards who not only protect you but also reimburse you if you had to hire extra security during an attack.
Shield Standard provides automatic protection against common Layer 3/4 DDoS attacks (SYN floods, UDP reflection) for all AWS customers at no cost. Shield Advanced provides enhanced protection for Layer 3/4/7 attacks, real-time attack visibility, DDoS Response Team (DRT) support, and cost protection. Shield Advanced integrates with CloudFront, Route 53, ALB, NLB, Elastic IP, and Global Accelerator.
Key Capabilities
- Shield Standard is included at no charge for all AWS customers and automatically protects against common L3/L4 DDoS attacks (SYN/UDP floods, reflection attacks) on CloudFront, Route 53, ELB, and EC2
- Shield Advanced (paid, $3,000/month per organization) adds L7 DDoS protection and automatic WAF rule application during application-layer attacks
- Shield Advanced includes 24/7 access to the AWS Shield Response Team (SRT) for assistance during active attacks
- Cost protection under Shield Advanced ensures DDoS-caused usage spikes (scale-out events triggered by an attack) do not appear on your bill
- Real-time attack visibility and detailed diagnostic reports are available under Shield Advanced; Standard provides no per-attack reporting
- Shield Advanced subscription via AWS Organizations consolidated billing covers all enrolled resources across the organization under a single fee
Gotchas & Constraints
- Gotcha #1: Shield Standard is automatic and free, but Shield Advanced costs $3,000/month plus data transfer fees.
- Gotcha #2: Shield Advanced cost protection only covers scaling charges, not baseline costs.
- Constraints: Shield Advanced requires a 1-year commitment, and DRT support requires WAF and CloudFront/Route 53 integration for Layer 7 protection.
A gaming company launches a new multiplayer game and immediately faces DDoS attacks from competitors trying to take the game offline. Shield Standard provides basic protection, but attacks are sophisticated (Layer 7 application attacks). They upgrade to Shield Advanced, integrating with CloudFront (game assets), Route 53 (DNS), and ALB (game servers). During a 300Gbps DDoS attack, Shield detects and mitigates it automatically, so players experience no downtime. Shield Advanced provides real-time metrics showing attack vectors and mitigation actions. The DDoS Response Team proactively contacts them, analyzing attack patterns and recommending WAF rules to block application-layer attacks. During the attack, they scale ALB capacity 10x, and Shield Advanced cost protection provides AWS credits for the additional charges.
The Result
Zero downtime during attacks, expert support, and financial protection from DDoS-related scaling costs.
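Enrolling the CloudFront, Route 53 and ALB resources from the scenario above is the part most teams get wrong: Shield Advanced only protects resources that have an explicit protection, and not every resource type can be enrolled directly. The following audit script is an added example, not AWS code or part of the original page; it takes a list of resource ARNs and a list shaped like the `Protections` returned by `shield.list_protections()` (both constructed here so it runs offline) and reports eligible resources that still lack a protection.

```python
"""Audit which Shield Advanced-eligible resources are not yet enrolled."""
import re

# ARN pattern -> Shield API ProtectedResourceType value for that resource.
ELIGIBLE = [
    (re.compile(r"^arn:aws:cloudfront::\d+:distribution/"), "CLOUDFRONT_DISTRIBUTION"),
    (re.compile(r"^arn:aws:route53:::hostedzone/"), "ROUTE_53_HOSTED_ZONE"),
    (re.compile(r"^arn:aws:ec2:[\w-]+:\d+:eip-allocation/"), "ELASTIC_IP_ALLOCATION"),
    (re.compile(r"^arn:aws:elasticloadbalancing:[\w-]+:\d+:loadbalancer/app/"), "APPLICATION_LOAD_BALANCER"),
    (re.compile(r"^arn:aws:elasticloadbalancing:[\w-]+:\d+:loadbalancer/(?!app/|net/)"), "CLASSIC_LOAD_BALANCER"),
    (re.compile(r"^arn:aws:globalaccelerator::\d+:accelerator/"), "GLOBAL_ACCELERATOR"),
]


def resource_type(arn):
    """Return the Shield resource type for an ARN, or None when Shield Advanced
    does not enroll it directly (NLBs and EC2 instances are covered by enrolling
    the Elastic IP allocations attached to them, so audit those ARNs instead)."""
    for pattern, kind in ELIGIBLE:
        if pattern.match(arn):
            return kind
    return None


def unprotected(candidate_arns, protections):
    """Return [(arn, type)] for eligible resources with no Shield Advanced protection."""
    covered = {p["ResourceArn"] for p in protections}
    return [(arn, resource_type(arn)) for arn in candidate_arns
            if resource_type(arn) and arn not in covered]


def create_protection_params(arn):
    """Build kwargs for shield.create_protection(); Name must be unique per account,
    here derived from the ARN's last path segment (a naming convention assumed for this example)."""
    return {"Name": "shield-" + arn.rsplit("/", 1)[-1], "ResourceArn": arn}


# Constructed inventory mirroring the scenario: CloudFront (assets), Route 53 (DNS),
# an ALB (game servers), plus an NLB and an EC2 instance that are not enrolled directly.
INVENTORY = [
    "arn:aws:cloudfront::123456789012:distribution/EXAMPLEDIST1",
    "arn:aws:route53:::hostedzone/Z0123456EXAMPLE",
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/game-alb/50dc6c495c0c9188",
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/game-nlb/abc123",
    "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc123def456",
]
# Constructed: shape of shield.list_protections()["Protections"]; only CloudFront is enrolled.
PROTECTIONS = [{"Id": "11111111-2222-3333-4444-555555555555",
                "Name": "shield-EXAMPLEDIST1", "ResourceArn": INVENTORY[0]}]

if __name__ == "__main__":
    for arn, kind in unprotected(INVENTORY, PROTECTIONS):
        print(kind, create_protection_params(arn))
```

In a real account, feed `INVENTORY` from your asset inventory and `PROTECTIONS` from a paginated `list_protections()` call; the flagged ALB and CloudFront entries should then also get the WAF web ACL association the gotchas section describes, since Layer 7 mitigation depends on it.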