Getting started with AWS Shield

Whether you are looking for ways to implement best practice network protection or protect against common distributed denial of service (DDoS) events, AWS Shield provides built-in protection and access to tools, services, and expertise to help you protect your applications on AWS.

Getting started with AWS Shield network security director

Visit the console

Visit the AWS Management Console and navigate to the network security director console.

Initiate a network security analysis

Select Start Network Analysis. Once analysis is complete, you can use the network security director dashboard to view network security findings.

Strengthen your security posture

Get clear and actionable remediation recommendations in the form of step-by-step instructions.

Compare Tiers

AWS Shield provides two levels of DDoS protection. See how the built-in protection with AWS Shield Standard compares to the enhanced capabilities provided by AWS Shield Advanced to help you choose the right level of protection for your applications. AWS Shield Standard provides essential DDoS defense at no additional cost, while AWS Shield Advanced offers comprehensive protection with expert support.

AWS Shield Standard

For protection against most common DDoS events and access to tools and best practices to build a DDoS resilient architecture.
Automatically available on all AWS services.

To detect and automatically mitigate layer 7 DDoS events, enable the application layer (L7) DDoS protection AWS Managed Rule group.

AWS Shield Advanced

For additional protection against larger and more sophisticated events, visibility into events, and 24x7 access to DDoS experts for complex cases. See the AWS Shield Advanced Service Level Agreement.

Available on:
Amazon Route 53
Amazon CloudFront
Elastic Load Balancing
AWS Global Accelerator
Elastic IP (Amazon Elastic Compute Cloud and Network Load Balancer)

To detect and automatically mitigate layer 7 DDoS events, enable the application layer (L7) DDoS protection AWS Managed Rule group.

FEATURE	AWS SHIELD STANDARD	AWS SHIELD ADVANCED*
*Active Traffic Monitoring*
Network flow monitoring	Yes	Yes
Automatic always-on detection	Yes	Yes
Application traffic monitoring	x	Yes
*Attack Mitigations*
Protection from common DDoS attacks (e.g. SYN floods, ACK floods, UDP floods, Reflection attacks)	Yes	Yes
Automatic inline mitigation	Yes	Yes
Additional DDoS mitigation capacity for large attacks	x	Yes
Automatic application layer (L7) DDoS mitigations	x	Yes
Self-service application layer (Layer 7) mitigations	Yes, using AWS WAF	Yes, using AWS WAF
SRT-driven application layer (Layer 7) mitigations	x	Yes, with Shield Response Team
Instant rule updates	Yes, using AWS WAF	Yes, using AWS WAF
AWS WAF for app vulnerability protection	Yes, using AWS WAF	Yes, using AWS WAF
*Visibility and Reporting*
Layer 3/Layer 4 attack notification	x	Yes
Layer 7 attack notification	x	Yes
Layer 3/Layer 4/ Layer 7 attack historical report	x	Yes
*Shield Response Team and Support*
DDoS protection best practices/architecture review	Yes, self-service	Yes
Custom mitigations during attacks	x	Yes, with Enterprise or Business support
Post attack analysis	x	Yes, with Enterprise or Business support
DDoS Cost Protection (Service credits for DDoS scaling charges)
Amazon Route 53	x	Yes
Amazon CloudFront	x	Yes
Elastic Load Balancing (ELB)	x	Yes
Amazon Elastic Compute Cloud (EC2)	x	Yes
Note: AWS Shield Advanced benefits, including DDoS cost protection, are subject to your fulfillment of the 1-year subscription commitment.
Web Application Firewall (WAF)
Self-service	Yes	Yes
API access/integration	Yes	Yes
Flexible rules engine	Yes	Yes
Fast rule propagation	Yes	Yes
Pricing	See Pricing	Included at no additional charge with AWS Shield Advanced for resources protected up to 50 billion WAF requests per calendar month per subscribed payer account.
*Cost*
Monthly	x	Yes, see Pricing (Subject to 1-year subscription)
Usage based	x	Yes, see Pricing
SLA	x	Yes