AWS Shield

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service. It detects and automatically mitigates attacks that could cause downtime for your application or increase latency for applications running on EC2 instances.

A DDoS attack results in a surge of traffic to your EC2 instances, Elastic Load Balancer, Route 53, or CloudFront, so these services would need to scale up resources to cope with it. A DDoS attack usually originates from multiple systems that have been compromised or infected with a Trojan; they flood a target system with traffic in order to exhaust its resources so that it can no longer serve requests from its intended users.

AWS Shield has two tiers: Standard and Advanced. All protection under the AWS Shield Standard option is available to all AWS customers by default, without any additional charge. The AWS Shield Advanced option is available to customers with business and enterprise support at an additional charge. The advanced option provides protection against more sophisticated attacks on your AWS resources, such as an EC2 instance, ELB, and so on. The following figure shows AWS Shield tiers:

Figure 12: AWS Shield tiers

AWS Shield Benefits

AWS Shield is covered under the AWS suite of services that are eligible for Health Insurance Portability and Accountability Act (HIPAA) compliance. Because it is integrated with AWS CloudFront, it can also be used to protect websites hosted outside of AWS. Let's look at other benefits of AWS Shield:

  • Seamless integration and deployment: AWS Shield Standard automatically protects your AWS resources against the most common and frequent DDoS attacks at the network and transport layers. If you require enhanced protection against more sophisticated attacks, you can opt for AWS Shield Advanced for resources such as EC2 instances, Route 53, AWS CloudFront, and so on, by enabling it from the AWS Management Console or through the APIs.
  • Customizable protection: With the AWS Shield Advanced tier, you can write your own customized rules to address sophisticated attacks on your AWS resources. You can deploy these rules immediately to counter an imminent threat, for example to block bad traffic or to automate the response to a security incident. You can also ask the AWS DDoS Response Team (DRT), which is available to support you 24/7, to write the rules for you.
  • Cost efficient: AWS provides free protection against network layer attacks to all its customers through AWS Shield Standard. With AWS Shield Advanced, you also get protection against DDoS cost escalation, which prevents your bill from rising because of a DDoS attack. If you are nevertheless billed for AWS resource usage caused by a DDoS attack, you can request credits from AWS through the AWS support channel.

    The AWS Shield Advanced billing plan starts at USD $3000 per month. Charges for data transfer are calculated separately for all AWS resources selected for AWS Shield Advanced protection.

AWS Shield Features

Let's look at AWS Shield features for Standard and Advanced tiers:

  • AWS Shield Standard:
    • Quick detection: AWS Shield Standard automatically inspects all traffic to your AWS resources through continuous network flow monitoring. It detects malicious traffic in real time through a combination of advanced algorithms, specific analysis, traffic signatures, and so on, to protect you against the most common and frequent attacks.
    • Inline attack mitigation: AWS Shield Standard protects you against Layer 3 and Layer 4 attacks at the infrastructure layer through its automated mitigation processes. Because these mitigations are applied inline, they have no impact on the performance (for example, the latency) of your AWS resources. Inline mitigation helps you avoid downtime for your AWS resources and the applications running on them.
  • AWS Shield Advanced:
    • Enhanced detection: This feature helps with detecting DDoS attacks on the application layer, such as HTTP floods, as well as with monitoring and verifying network traffic flow.
    • Advanced attack mitigation: For protection against large DDoS attacks, AWS Shield Advanced automatically applies advanced routing processes. You also have access to the AWS DDoS Response Team (DRT), which can help you mitigate more sophisticated DDoS attacks manually; the DRT can work with you to diagnose attacks and mitigate them on your behalf.

You can also enable AWS Shield Advanced on multiple AWS accounts, as long as all of these accounts are under one single billing account, are owned by you, and all AWS resources in these accounts are owned by you.

With AWS Shield Advanced, you get a history of all incidents in your AWS account for the past 13 months. As it is integrated with AWS CloudWatch, you get a notification through AWS CloudWatch metrics as soon as an attack happens; this notification is sent within a few minutes.
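The two integration points mentioned above (enabling Shield Advanced through the API, and being notified through CloudWatch metrics) can be wired together as follows. This is an added example, not code from the book: it assumes boto3 is installed with credentials configured, an active Shield Advanced subscription, and that the resource ARN and SNS topic ARN are placeholders you replace.

```python
"""Protect a resource with AWS Shield Advanced, alarm on the DDoSDetected
metric, and pull the retained attack history. Added example, not from the book;
ARNs are placeholders."""
from datetime import datetime, timedelta, timezone

# Shield Advanced publishes per-resource metrics to this CloudWatch namespace;
# DDoSDetected is reported as 1 for each minute an attack is in progress.
DDOS_NAMESPACE = "AWS/DDoSProtection"
DDOS_METRIC = "DDoSDetected"


def protection_request(name: str, resource_arn: str) -> dict:
    """Parameters for shield.create_protection on one resource."""
    return {"Name": name, "ResourceArn": resource_arn}


def ddos_alarm_request(alarm_name: str, resource_arn: str, sns_topic_arn: str) -> dict:
    """Parameters for cloudwatch.put_metric_alarm: notify on the first minute of an attack."""
    return {
        "AlarmName": alarm_name,
        "Namespace": DDOS_NAMESPACE,
        "MetricName": DDOS_METRIC,
        "Dimensions": [{"Name": "ResourceArn", "Value": resource_arn}],
        "Statistic": "Sum",
        "Period": 60,
        "EvaluationPeriods": 1,
        "Threshold": 0,
        "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "notBreaching",  # no datapoints means no attack, not an alarm
        "AlarmActions": [sns_topic_arn],
    }


def attack_history_window(now: datetime, months: int = 13) -> dict:
    """StartTime/EndTime for shield.list_attacks covering the 13-month retained history."""
    start = now - timedelta(days=months * 30)
    return {"StartTime": {"FromInclusive": start}, "EndTime": {"ToExclusive": now}}


def protect_and_alarm(name: str, resource_arn: str, sns_topic_arn: str, region: str = "us-east-1"):
    """Create the protection, the alarm, and return (protection id, past attack summaries)."""
    import boto3  # imported here so the pure helpers above run without boto3 installed

    shield = boto3.client("shield", region_name="us-east-1")  # Shield API endpoint is global
    cloudwatch = boto3.client("cloudwatch", region_name=region)
    protection_id = shield.create_protection(**protection_request(name, resource_arn))["ProtectionId"]
    cloudwatch.put_metric_alarm(**ddos_alarm_request(f"{name}-ddos-detected", resource_arn, sns_topic_arn))
    attacks = shield.list_attacks(**attack_history_window(datetime.now(timezone.utc)))["AttackSummaries"]
    return protection_id, attacks
```

Subscribe your on-call channel to the SNS topic so the DDoSDetected alarm reaches someone within the few minutes the text describes.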
