AWS Shield
A managed DDoS protection service that safeguards applications from DDoS attacks.
Category | Threat Detection & Response |
---|---|
Last page update | 19 days ago |
Pricing Details | Pricing varies based on the level of protection and resources used. Shield Standard is included at no additional cost, while Shield Advanced incurs a monthly fee plus usage charges. |
Target Audience | Businesses and organizations looking to protect their applications from DDoS attacks. |
AWS Shield is designed to protect applications against Distributed Denial of Service (DDoS) attacks, which can overwhelm and disable internet-facing resources. The service automatically detects and mitigates sophisticated network-level DDoS events that target layers 3, 4, 6, and 7 of the OSI model.
Technically, AWS Shield integrates deeply with AWS infrastructure, allowing it to scrub bad traffic at specific layers, for example by mitigating SYN floods, UDP floods, and other reflection attacks through deterministic packet filtering and priority-based traffic shaping. This integration enables real-time monitoring and mitigation, with the capability to protect up to 1,000 resource types per AWS account, including Amazon EC2 instances, Elastic Load Balancers, Amazon CloudFront distributions, and Amazon Route 53 hosted zones.
Operationally, Shield Advanced, the enhanced version of AWS Shield, offers additional capabilities such as health-based detection using Amazon Route 53 health checks, protection groups for logical resource grouping, and enhanced visibility into DDoS events through real-time metrics and reports accessible via the Shield Advanced API, console, and Amazon CloudWatch metrics. However, this advanced protection comes with specific limitations, such as the need for explicit resource specification and potential additional costs for non-standard AWS WAF usage beyond the covered capacities (e.g., more than 1,500 web ACL capacity units or larger request body sizes).
The service also leverages the AWS Shield Response Team (SRT) for expert assistance during DDoS events, but this requires a subscription to the Business Support or Enterprise Support plan. Centralized management through AWS Firewall Manager simplifies the application of Shield Advanced protections across multiple accounts and resources, further streamlining DDoS defense strategies.