AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. There are two tiers of AWS Shield – Standard and Advanced.
All AWS customers benefit from the automatic protections of AWS Shield Standard, at no additional charge. AWS Shield Standard defends against most common, frequently occurring network and transport layer DDoS attacks that target your web site or applications. When you use AWS Shield Standard with Amazon CloudFront and Amazon Route 53, you receive comprehensive availability protection against all known infrastructure (Layer 3 and 4) attacks.
For higher levels of protection against attacks targeting your applications running on Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator and Amazon Route 53 resources, you can subscribe to AWS Shield Advanced. In addition to the network and transport layer protections that come with Standard, AWS Shield Advanced provides additional detection and mitigation against large and sophisticated DDoS attacks, near real-time visibility into attacks, and integration with AWS WAF, a web application firewall. AWS Shield Advanced also gives you 24×7 access to the AWS DDoS Response Team (DRT) and protection against DDoS related spikes in your Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator and Amazon Route 53 charges.
AWS Shield Advanced is available globally on all Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53 edge locations. You can protect your web applications hosted anywhere in the world by deploying Amazon CloudFront in front of your application. Your origin servers can be Amazon S3, Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), or a custom server outside of AWS. You can also enable AWS Shield Advanced directly on an Elastic IP or Elastic Load Balancing (ELB) in the following AWS Regions – Northern Virginia, Ohio, Oregon, Northern California, Montreal, São Paulo, Ireland, Frankfurt, London, Paris, Stockholm, Singapore, Tokyo, Sydney, Seoul, and Mumbai.
Difference between Standard & Advanced in AWS Shield:
There are two types of AWS Shield: Standard and Advanced. Standard is automatically free for all AWS users, but if you want to use Advanced, you’ll have to pay extra. The differences between the two tiers are listed below.
■ Standard (free)
・Automatically available to all AWS users at no additional cost.
・Protects against DDoS attacks targeting the infrastructure (L3 and L4 layers).
・Monitors incoming traffic to AWS and detects any malicious activity.
・Automatically mitigates attacks.
Although the Standard version is free for all AWS users, it doesn’t let you see your DDoS attack history, generate reports, or receive notifications. However, if you use it together with AWS WAF, it is possible to detect and be notified about DDoS activity at the L7 layer.
■ Advanced (paid)
・DDoS attacks at the application layer (L7) are also detected.
・Additional mitigation against larger DDoS attacks using advanced routing technology.
・Provides more visibility into the state of attacks, and notifications, by integrating with other AWS services.
・Refund in the event of a significant increase in the amount billed due to a DDoS attack.
・24/7 professional support.
Benefits of deploying AWS Shield:
The benefits of deploying AWS Shield are as follows:
・If you use AWS, you can use the Standard type for free without any special settings.
・Anyone using the Standard type is protected against L3 and L4 level attacks.
・Upgrading to the Advanced type gives you L7 level attack protection.
・Upgrading to Advanced also gives you 24/7 support and handling of abnormal billing caused by DDoS.
How to use AWS Shield?
If it is the Standard type, there is no need for any setup.
To use the Advanced type, the following steps are required.
(i) Activating AWS Shield Advanced
After signing in to AWS, if you are opening the AWS WAF console for the first time, select Go to Shield > Activate AWS Shield Advanced. Otherwise, select AWS Shield > Protected resources.
Next, select ‘Activate service’.
(ii) Specify the resources to be protected
Next, select the resources that you want to protect and click “Protect selected resources”.
(iii) Add a rate-based rule
By adding a rate-based rule, you will be alerted to sudden increases in traffic that may be DDoS events. To create a rule, create a web ACL for the resource and then create a rate-based rule within that web ACL.
(iv) Granting permission to DDoS Response Team
If you want to enable support from the DDoS Response Team (DRT), you can pre-authorize the DRT to respond to an actual attack on your behalf by granting it the necessary permissions.
(v) Configuring an Amazon CloudWatch alarm
Used together with Amazon CloudWatch, AWS Shield can send notifications about protected resources that may be under DDoS attack. To create an alarm, configure the Amazon CloudWatch notification settings for the resource.
(vi) Deploying AWS WAF rules
It’s also important to take advantage of the security automation templates and set up rules in your AWS WAF. Used together with AWS WAF, Shield can address not only DDoS attacks but also other L7 attacks such as SQL injection.
(vii) Monitoring the global threat environment dashboard
For AWS Shield, monitoring is also important. The Global Threat Environment Dashboard provides a near real-time overview of the threat landscape, including the largest attacks, the top attack vectors, and the relative number of critical attacks.
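The console steps (i) to (v) above can also be scripted. The following is an added example written for this article (not AWS sample code) using boto3; the resource ARN, web ACL name, DRT role ARN, SNS topic ARN and the 2000 requests per 5 minutes limit are placeholders you would replace with your own values.

```python
"""Scripted AWS Shield Advanced onboarding: subscription, protection, DRT role,
rate-based WAF rule and a CloudWatch alarm on Shield's DDoSDetected metric.
ARNs, names and the rate limit are assumed placeholder values."""


def rate_based_rule(name: str, limit: int = 2000, priority: int = 0) -> dict:
    """WAFv2 rule that blocks any source IP exceeding `limit` requests per 5 minutes."""
    if limit <= 0:
        raise ValueError("rate limit must be positive")
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
        "Action": {"Block": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True, "MetricName": name},
    }


def ddos_detected_alarm(resource_arn: str, sns_topic_arn: str) -> dict:
    """put_metric_alarm parameters: Shield sets DDoSDetected to 1 while an attack is ongoing."""
    return {
        "AlarmName": "shield-ddos-" + resource_arn.rsplit("/", 1)[-1],
        "Namespace": "AWS/DDoSProtection",
        "MetricName": "DDoSDetected",
        "Dimensions": [{"Name": "ResourceArn", "Value": resource_arn}],
        "Statistic": "Sum", "Period": 60, "EvaluationPeriods": 1,
        "Threshold": 0, "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "notBreaching",  # no datapoints means no attack, not an alarm
        "AlarmActions": [sns_topic_arn],
    }


def protect(resource_arn, acl_name, drt_role_arn, sns_topic_arn, scope="REGIONAL"):
    import boto3  # imported here so the builders above run without boto3 installed
    shield = boto3.client("shield", region_name="us-east-1")  # Shield API endpoint
    wafv2, cw = boto3.client("wafv2"), boto3.client("cloudwatch")
    try:
        shield.create_subscription()  # (i) activate Shield Advanced (1-year subscription)
    except shield.exceptions.ResourceAlreadyExistsException:
        pass
    shield.create_protection(Name=acl_name, ResourceArn=resource_arn)  # (ii)
    shield.associate_drt_role(RoleArn=drt_role_arn)  # (iv) let the DRT act on your behalf
    acl = wafv2.create_web_acl(  # (iii) web ACL carrying the rate-based rule
        Name=acl_name, Scope=scope, DefaultAction={"Allow": {}},
        Rules=[rate_based_rule(acl_name + "-rate")],
        VisibilityConfig={"SampledRequestsEnabled": True,
                          "CloudWatchMetricsEnabled": True, "MetricName": acl_name})
    wafv2.associate_web_acl(WebACLArn=acl["Summary"]["ARN"], ResourceArn=resource_arn)
    cw.put_metric_alarm(**ddos_detected_alarm(resource_arn, sns_topic_arn))  # (v)
```

For CloudFront distributions use `scope="CLOUDFRONT"` and call the WAFv2 client in us-east-1; for an ALB or Elastic IP use the regional scope in the resource's own Region.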
Happy Learning!!