Use Amazon Shield Advanced to protect your AWS-powered web applications from Distributed Denial of Service (DDoS) attacks that can affect the application's availability and response time by overwhelming (flooding) them with traffic from multiple sources.
Shield works in conjunction with Elastic Load Balancing (ELB), CloudFront and AWS Route 53 to protect your applications from different types of DDoS attacks such as TCP connection attacks, volumetric attacks, fragmentation and application attacks using amplification methods like DNS Reflection and Chargen Reflection. Shield service is implemented by default on all AWS edge locations to mitigate DDoS attacks and provides two tiers of service - Standard and Advanced:
AWS Shield Standard is automatically available to all AWS customers at no extra cost. The Standard tier protects your applications from 96% of the most common DDOS attacks, including SYN/ACK floods, Reflection attacks and HTTP slow reads. This layer of protection is applied transparently to your Elastic Load Balancers, CloudFront CDN distributions and Route 53 DNS resources.
AWS Shield Advanced provides intelligent attack detection, mitigation for DDoS attacks initiated at application/network layer and additional mitigation capability for volumetric attacks. Once the Advanced tier is activated, you will get 24/7 access to Amazon DDoS Response Team (DRT) for custom mitigation during attacks, detailed visibility into DDoS events with advanced real time metrics and reports, and cost protection to guard against bill spikes in the aftermath of a Distributed Denial of Service (DDoS) attack. AWS Web Application Firewall (WAF) service is also included at no additional cost within the AWS Shield Advanced plan.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
The main benefits of using the AWS Shield Advanced plan are: enhanced DDoS attack detection
provides granular detection of Distributed Denial of Service (DDoS) attacks by monitoring the application layer traffic to your AWS ELBs, CloudFront distributions or AWS Route 53 resources, advanced Layer 3 (L3), L4 and L7 DDoS attack protection and mitigation - in addition to the protection level guaranteed by AWS Shield Standard, the AWS Shield Advanced tier provides you with more sophisticated automatic mitigations and full support from the Amazon DDoS Response Team (a support team enabled to respond to complex DDoS attacks), detailed visibility (advanced reporting and attack notification) - provides comprehensive visibility into DDoS events with Layer 3/4/7 attack forensic reports and Layer 3/4 real-time attack notifications via AWS CloudWatch, 24/7 specialized support - engage with the DDoS Response Team (DRT) that will help prioritize the ongoing incidents, identify the root causes and apply DDoS attack mitigations on your behalf, and AWS bill protection - supply AWS service credits for charges due to usage spikes when services such as ELB, Cloudfront and Route 53 scale up their resources in response to the attack.
- AWS Shield Standard tier, which provides basic DDoS protection, is automatically enabled for all AWS customers at no additional charge, however, the AWS Shield Advanced, the service that provides advanced DDoS protection, is a paid solution. To determine if AWS Shield Advanced plan is enabled within your AWS account, perform the following:
- To enable AWS Shield Advanced tier for your AWS account in order to benefit from advanced DDoS detection and mitigation protection for network layer, transport layer, and application layer attacks, you need to perform the following actions: