AWS Shield

Learn how to mitigate Distributed Denial of Service (DDoS) attacks using AWS Shield and AWS Shield Advanced.

We'll cover the following

AWS Shield
AWS Shield Advanced
- When to use AWS Shield Advanced
Types of DDoS attacks prevented
Event detection in AWS Shield

A Distributed Denial of Service (DDoS) attack decreases the availability of an application or service by disrupting its normal traffic flow by flooding it with traffic from multiple compromised systems. Due to this, legitimate users of the service cannot access it. Applications that are publicly accessible are particularly vulnerable to DDoS attacks.

AWS Shield

AWS Shield protects applications hosted in the AWS cloud from DDoS attacks. AWS Shield protects our application's perimeter, which is our first entry point. For example, the first entry point for region-specific applications is the VPC, where the application is hosted. AWS provides us with AWS Shield (standard) and AWS Shield Advanced.

AWS Shield or AWS Shield standard is automatically enabled for all AWS users without additional charges and protects our services and applications from commonly occurring network and transport layer attacks.

Press + to interact

Integration with WAF: AWS Shield Advanced uses AWS WAF web ACLs, rules, and rule groups to provide protection in the application layer.
DDoS mitigation: In case of a DDoS attack, AWS Shield Advanced can be configured to mitigate attacks on the application layer.
Health checks: AWS Shield Advanced can be integrated with Amazon Route 53 health checks to monitor our applications. This allows it to reduce the number of false positives generated.
Real-time metrics: AWS Shield Advanced provides us with real-time metrics and reports that allow us to look into the details of the attacks on our AWS resources.

When to use AWS Shield Advanced

AWS Shield Advanced provides expanded protection against DDoS attacks on our applications and resources. In the case of web applications hosted on the AWS cloud, we should consider using AWS Shield Advanced if the following is our applications’ requirement:

If we want to guarantee availability for our application users at all times.
If we require access to DDoS mitigation experts in case our application is compromised by a DDoS attack.
If the cost for the cloud resources used by our application is predictable, and we’ll face drastic effects in case of a DDoS attack.

Following are some of the scenarios where we should opt for AWS Shield Advanced to protect our AWS resources:

In case external users are accessing our AWS resource over the internet.
The AWS resource is being protected using an AWS WAF web ACL.
The resource can be accessed through the internet and is a major component of our application.

Types of DDoS attacks prevented

Following are the main types of attacks AWS Shield and AWS Shield Advanced can detect:

Network volumetric attacks: These are the attacks that deny legitimate users access to a service by flooding it with traffic and saturating the resource’s capacity. This corresponds to a layer 3 attack.
Network protocol attacks: In these attacks, a specific protocol to access the service is compromised to deny service to the resource. This corresponds to a layer 4 attack.
Application layer attacks (AWS Shield Advanced only): This is a layer 7 attack that floods an application with valid queries to deny access to legitimate users.

Press + to interact

Event detection in AWS Shield

In the case of web applications, AWS Shield detects attacks by inspecting every traffic packet that tries to access our application. However, to protect our AWS resources from various attacks, AWS Shield monitors the traffic for these resources every minute, and if it detects an increase in the normal traffic for the resource, it performs additional checks to ensure the AWS resource is not facing a DDoS attack.

AWS Shield Advanced provides additional protection on the application layer by integrating with AWS WAF and using its web ACLs. Here, AWS Shield monitors the incoming traffic with the traffic received in the past to detect any unusual traffic.

Get hands-on with 1300+ tech skills courses.

Introduction

AWS Fundamentals

Understanding Cloud Computing Essentials— From Zero to Hero

Identity and Access Management

Securing AWS Resources: Managing Access with IAM

AWS IAM Permission Boundaries

Using AWS IAM Access Analyzer

Compute Services

Understanding AWS Compute Services — From Zero to Hero

Amazon EC2: Elastic Compute Cloud

Working with Instances: An Amazon EC2 Walkthrough

Managing Instance Volumes Using EBS

Networking

Understanding Networking Services in AWS—From Zero to Hero

Controlling VPC Traffic Using Network ACLs

Managing Peer Connections between Amazon Virtual Private Clouds

Accessing AWS Services over AWS PrivateLink Using VPC Endpoints

Monitoring IP Traffic Using VPC Flow Logs

Route 53

Serverless Computing

Getting to Know AWS Lambda

Building and Deploying Serverless Applications with AWS SAM

Developing RESTful Microservices with API Gateway and DynamoDB

Building a WebSocket-Based Chat Application Using API Gateway

Mastering AWS AppSync Lambda Resolvers

Application Integration

Getting Started with Amazon Simple Queue Service (SQS)

Handling Amazon SNS Notifications with AWS Lambda

Build a Fanout Serverless Architecture using SNS, SQS, and Lambda

Decoupling Serverless Applications with Amazon EventBridge

Getting Started with AWS Step Functions

Containers

Getting Started with Amazon ECS

Create an EKS Cluster and Deploy an Application

High Availability and Scalability

Managing Application Traffic Using Elastic Load Balancers

Understanding Auto Scaling Group (ASG) in AWS

Mastering Amazon EC2 Dynamic Scaling Policies

Storage

Understanding AWS Storage Options—From Zero to Hero

Simple Storage Service (S3)

Working with AWS S3 Cross-Region Replication

Resizing Images with S3 Batch Operations and AWS Lambda

Managing Data Access with Amazon S3 Access Points

File Storage and Transfer

Getting Started with Amazon FSx for Windows File Server

Databases

Working with Relational Databases: A Beginner's Guide to AWS RDS

Getting Started with Amazon Aurora Database Engine

Working with NoSQL Databases: A Beginner's Guide to AWS DynamoDB

Exploring Graphs with Amazon Neptune

Getting Started with Amazon Keyspaces

Achieving Ultra-Fast Performance Using Amazon MemoryDB for Redis

Improving Database Performance with Amazon ElastiCache for Redis

Migration and Transfer

Use of AWS Database Migration Service from Aurora MySQL to S3

Security and Compliance

Getting Started with AWS Key Management Service (KMS)

Encrypting S3 Buckets and EBS Volumes Using KMS

Protecting Web Applications Using AWS WAF

Managing Aurora DB Credentials and API Keys Using Secrets Manager

Finding Vulnerabilities on EC2 Instances Using AWS Inspector

Deployment Services

Mastering AWS Deployment Services—From Zero to Hero

CloudFormation

Getting to Know AWS CloudFormation

AWS CloudFormation Updates: Change Sets and Stack Policies

Mastering AWS CloudFormation Helper Scripts

Machine Learning

Understanding Machine Learning Services on AWS—From Zero to Hero

Deploying a Machine Learning Model with Amazon SageMaker

Getting Started with Amazon Fraud Detector

Build an Educative Chatbot with Conversational AI Using AWS Lex

Content Delivery and Optimization

Analytics

Analyzing S3 Data and CloudTrail Logs Using Amazon Athena

Getting Started with Amazon EMR

Getting Started with Amazon Redshift

Building ETL Pipelines on AWS

Create a Data Lake with Lake Formation and Analyze It with Athena