Skip to main content

Why AWS Shield?

AWS Shield protects networks and applications by identifying network security configuration issues and defending applications against active web exploitation and distributed denial of service (DDoS) events. AWS Shield network security director (in preview) performs an analysis of your resources to help you visualize your network topology, identify configuration issues, and receive actionable remediation recommendations.

For managed DDoS protection, the AWS Shield Advanced tier offers continuous automatic mitigation of sophisticated DDoS events to minimize application downtime and latency. You can customize your DDoS protection strategy using application-specific security controls and expert guidance from the Shield Response Team during active DDoS incidents.

Page topics

AWS Shield network security director (preview)

Open all

Get a comprehensive view of your AWS environment through a network topology that shows resource connections, security configurations, and potential security issues at a glance. This view groups resources by tags and connectivity patterns, helping you understand relationships between resources and their internet exposure. This allows you to quickly identify critical security issues, from overly permissive access to protecting applications against threats like SQL injection.

Resources are given a severity level based on their most severe network security findings to help you understand which resources in your environment are configured correctly according to their network context and AWS best practices and threat intelligence. Findings are prioritized by severity level in a dashboard to help you easily determine which configuration issues require your immediate attention.

Quickly remediate network security misconfigurations using recommended services and rule sets to mitigate each finding. Recommendations are provided as step-by-step instructions.

Analyze your network security issues in natural language with AWS Shield network security director from within Amazon Q Developer. With Amazon Q, you can ask about network security findings, explore issues, and receive remediation recommendations from the AWS Management Console and chat applications.

AWS Shield Standard

Open all

All AWS customers benefit from the automatic protections of AWS Shield Standard at no additional charge. AWS Shield Standard defends against most common, frequently occurring network and transport layer DDoS events that target your website or applications. When you use AWS Shield Standard with Amazon CloudFront and Amazon Route 53, you receive comprehensive availability protection against all known infrastructure (Layer 3 and 4) events.

AWS Shield Standard provides always-on network flow monitoring, which inspects incoming traffic to AWS services and applies a combination of traffic signatures, anomaly algorithms, and other analysis techniques to detect malicious traffic in real time. Shield Standard sets static thresholds for each AWS resource type but doesn’t provide custom protections to your applications.

Automated mitigation techniques are built into AWS Shield Standard, giving underlying AWS services protection against common, frequently occurring infrastructure attacks. Automatic mitigations are applied inline to protect AWS services, so there is no latency impact. Shield Standard uses techniques such as deterministic packet filtering and priority-based traffic shaping to automatically mitigate basic network layer attacks.

AWS Shield Advanced

Open all

For higher levels of protection against attacks targeting your applications running on Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53 resources, you can subscribe to AWS Shield Advanced. In addition to the network and transport layer protections that come with Standard, Shield Advanced provides additional detection and mitigation against large and sophisticated DDoS attacks, near real-time visibility into attacks, and integration with AWS WAF, a web application firewall. Shield Advanced also gives you 24/7 access to the AWS Shield Response Team (SRT) and protection against DDoS-related spikes in your EC2, ELB, CloudFront, Global Accelerator, and Route 53 charges.

AWS Shield Advanced provides customized detection based on traffic patterns to your protected Elastic IP address, ELB, CloudFront, Global Accelerator, and Route 53 resources. Using additional region- and resource-specific monitoring techniques, Shield Advanced detects and alerts you of smaller DDoS attacks. Shield Advanced also detects application layer attacks such as HTTP floods or DNS query floods by baselining traffic on your application and identifying anomalies.

AWS Shield Advanced uses the health of your applications to improve responsiveness and accuracy in attack detection and mitigation. You can define a health check in Route 53 and associate it with a resource that is protected by Shield Advanced through the console or API. This allows Shield Advanced to detect attacks impacting the health of your application more quickly and at lower traffic thresholds, improving the DDoS resiliency of your application and preventing false positive notifications. Resource health status is also available to the SRT so they can appropriately prioritize response to unhealthy applications. You can apply health-based detection to all resource types that Shield Advanced supports: Elastic IP, ELB, CloudFront, Global Accelerator, and Route 53.

 

AWS Shield Advanced provides more sophisticated automatic mitigations for events targeting your applications running on protected EC2, ELB, CloudFront, Global Accelerator, and Route 53 resources. Using advanced routing techniques, Shield Advanced automatically deploys additional mitigation capacity to protect your application against DDoS events. For customers with Business or Enterprise support, the SRT also applies manual mitigations for more complex and sophisticated DDoS events that might be unique to your application. For application layer events, you can use the AWS WAF application layer (L7) DDoS protection AWS Managed Rule group included in the AWS Shield Advanced subscription. This rule group is designed to automatically detect and mitigate application layer DDoS events within seconds. As part of your subscription, you will get up to 50 billion AWS WAF requests in a calendar month per subscribed payer account to resources protected by WAF. Traffic detected by this AMR as DDoS do not count towards the 50 billion as long as they are not in count mode. Requests beyond 50 billion will be billed as per the AWS Shield Advanced pricing page. You can also engage directly with the SRT to place custom AWS WAF rules on your behalf in response to an application layer DDoS attack. The SRT will diagnose the event and, with your permission, apply mitigations on your behalf, reducing the amount of time your applications might be impacted by an ongoing DDoS events.

 

 

AWS Shield Advanced can automatically protect web applications by mitigating application layer (L7) DDoS events with no manual intervention needed by you or the AWS SRT. AWS WAF rules are created in your WebACLs to automatically mitigate events, or you can activate them in count-only mode. This lets you quickly respond to DDoS events to prevent application downtime due to an application layer DDoS events.

 

AWS Shield Advanced offers proactive engagement from the SRT when a DDoS event is detected. When you activate proactive engagement, the SRT will directly contact you if a Route 53 health check associated with your protected resource becomes unhealthy during a DDoS event. This allows you to engage with experts more quickly when the availability of your application is affected by a suspected attack. You can receive proactive engagement for network layer and transport layer events on Elastic IP addresses and Global Accelerator accelerators, and for application layer attacks on CloudFront distributions and Application Load Balancers.

AWS Shield Advanced allows you to bundle resources into protection groups, giving you a self-service way to customize the scope of detection and mitigation for your application by treating multiple resources as a single unit. Resource grouping improves the accuracy of detection, reduces false positives, eases automatic protection of newly created resources, and accelerates the time to mitigate attacks against multiple resources. For example, if an application consists of four CloudFront distributions, you can add them to one protection group to receive detection and protection for the collection of resources as a whole. Reporting can also be consumed at the protection group level, giving a more holistic view of overall application health.

AWS Shield Advanced gives you complete visibility into DDoS attacks with near real-time notification through Amazon CloudWatch and detailed diagnostics on the AWS WAF and AWS Shield console or APIs. You can also view a summary of prior attacks from the console.

AWS Shield Advanced comes with DDoS cost protection to safeguard against scaling charges resulting from DDoS-related usage spikes on protected EC2, ELB, CloudFront, Global Accelerator, and Route 53 resources. If any of these protected resources scale up in response to a DDoS attack, you can request Shield Advanced service credits through your regular AWS Support channel.

For customers on Business or Enterprise support plans, AWS Shield Advanced gives you 24/7 access to the SRT, which can be engaged before, during, or after a DDoS attack. The SRT will help triage the incidents, identify root causes, and apply mitigations on your behalf. The SRT has deep expertise in rapidly responding to and mitigating DDoS attacks across AWS customers.

AWS Shield Advanced is available globally on all CloudFront, Global Accelerator, and Route 53 edge locations. You can protect your web applications hosted anywhere in the world by deploying CloudFront in front of your application. Your origin servers can be Amazon Simple Storage Service (S3), EC2, ELB, or a custom server outside of AWS. You can also activate protections directly on Elastic IP or ELB instances in all AWS Regions where Shield Advanced is available.

AWS Shield Advanced customers can use AWS Firewall Manager to apply Shield Advanced and AWS WAF protections across their entire organization. The cost of Firewall Manager is included in the Shield Advanced subscription fee. Using Firewall Manager, you can automatically configure policies covering multiple accounts and resources. Firewall Manager automatically audits accounts to find new or unprotected resources, and it ensures that Shield Advanced and AWS WAF protections are universally applied. This lets developers move quickly and deploy new applications with the confidence that the appropriate protections will be automatically applied. To learn more about this security management service, see AWS Firewall Manager.

Application layer (L7) DDoS protection

Open all

Application layer (L7) DDoS protection is an AWS Managed Rule group that is designed to automatically defend applications against distributed denial of service (DDoS) events within seconds. This feature monitors traffic data to establish a baseline within minutes of activation, then leverages machine learning models to detect anomalies from normal traffic patterns. When traffic exceeds or deviates from the established baseline, the system automatically applies rules designed to help block malicious requests. This feature is designed to ensure your applications on Amazon CloudFront, Application Load Balancer, and API Gateway remain available against emerging DDoS events.

Application layer (L7) DDoS protection allows you to protect your applications without the complexity of manually configuring and managing rules. This feature has customizable options to fit the needs of your applications such as configuring rule sensitivity settings and inspection of specific application URI paths.

Learn more about application layer (L7) DDoS protection.

Designed to mitigate emerging application layer DDoS events within seconds

AWS Managed Rules for AWS WAF are already configured to save you time

Tailor your layer 7 DDoS defense to suit your application with sensitivity controls