
A Distributed Denial of Service (DDoS) attack is an attack where multiple compromised systems attempt to "flood" a target (such as a network or web application) with traffic. DDoS attacks prevent legitimate users from accessing services and can cause systems to crash due to excessive traffic. AWS provides two tiers of DDoS attack protection: AWS Shield Standard and AWS Shield Advanced.
Overview
AWS Shield Standard
All AWS customers benefit from the automatic protection of AWS Shield Standard at no additional charge. AWS Shield Standard defends against the most common, frequently occurring network and transport layer DDoS attacks targeting your websites or applications. While AWS Shield Standard helps protect all AWS customers, you can gain special advantages if you use Amazon CloudFront and Amazon Route 53. These services receive comprehensive availability protection against all known infrastructure (Layer 3 and Layer 4) attacks, as shown in the diagram below.

AWS Shield Advanced
For higher levels of attack protection, you can subscribe to AWS Shield Advanced. When you subscribe to AWS Shield Advanced and add specific resources to protect, AWS Shield Advanced provides extended DDoS attack protection for web applications running on those resources.
Which AWS Resources Can Be Protected
You can add protection for any of the following resource types:
Amazon CloudFront distributions
Amazon Route 53 hosted zones
AWS Global Accelerator accelerators
Application Load Balancers
Elastic Load Balancing (ELB) load balancers
Amazon Elastic Compute Cloud (Amazon EC2) Elastic IP addresses
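The resource-type list above can be turned into a coverage check. This is an added example, not code from the original article or from AWS: it classifies ARNs against the listed types and reports which inventory items have no Shield Advanced protection. The ARNs are constructed samples, the function names are hypothetical, and it assumes the protected ARNs were already exported from Shield (for instance the `ResourceArn` values returned by `ListProtections`).

```python
import re

# ARN layouts for the resource types the page lists (standard AWS ARN formats).
# Mapping "ELB load balancers" to the Classic Load Balancer ARN is an assumption.
_LB = r"^arn:aws:elasticloadbalancing:[a-z0-9-]+:\d{12}:loadbalancer/"
ELIGIBLE = [
    ("CloudFront distribution", re.compile(r"^arn:aws:cloudfront::\d{12}:distribution/[A-Z0-9]+$")),
    ("Route 53 hosted zone", re.compile(r"^arn:aws:route53:::hostedzone/[A-Z0-9]+$")),
    ("Global Accelerator accelerator", re.compile(r"^arn:aws:globalaccelerator::\d{12}:accelerator/[0-9a-f-]+$")),
    ("Application Load Balancer", re.compile(_LB + r"app/[^/]+/[0-9a-f]+$")),
    ("Classic Load Balancer", re.compile(_LB + r"(?!app/|net/|gwy/)[^/]+$")),
    ("EC2 Elastic IP", re.compile(r"^arn:aws:ec2:[a-z0-9-]+:\d{12}:eip-allocation/eipalloc-[0-9a-f]+$")),
]

def classify(arn):
    """Return the listed resource type an ARN belongs to, or None if it is not on the list."""
    for name, pattern in ELIGIBLE:
        if pattern.match(arn):
            return name
    return None

def coverage_report(inventory, protected):
    """Compare an ARN inventory with the ARNs that already have a Shield Advanced protection."""
    protected = set(protected)
    report = {"protected": [], "unprotected": [], "not_eligible": [],
              # Protections whose resource is no longer in the inventory.
              "stale": sorted(protected - set(inventory))}
    for arn in inventory:
        kind = classify(arn)
        if kind is None:
            report["not_eligible"].append(arn)
        else:
            report["protected" if arn in protected else "unprotected"].append((kind, arn))
    return report

# Constructed sample data (placeholder account ID and resource names).
ACCT = "123456789012"
SAMPLE_INVENTORY = [
    f"arn:aws:cloudfront::{ACCT}:distribution/E2EXAMPLE1ABCD",
    "arn:aws:route53:::hostedzone/Z0EXAMPLE12345",
    f"arn:aws:elasticloadbalancing:eu-west-1:{ACCT}:loadbalancer/app/web/50dc6c495c0c9188",
    f"arn:aws:elasticloadbalancing:eu-west-1:{ACCT}:loadbalancer/net/edge/1a2b3c4d5e6f7a8b",
    f"arn:aws:ec2:eu-west-1:{ACCT}:eip-allocation/eipalloc-0abc1234def567890",
    "arn:aws:s3:::example-bucket",
]
STALE_ARN = f"arn:aws:globalaccelerator::{ACCT}:accelerator/0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0"
SAMPLE_PROTECTED = [SAMPLE_INVENTORY[0], SAMPLE_INVENTORY[2], STALE_ARN]

if __name__ == "__main__":
    for section, rows in coverage_report(SAMPLE_INVENTORY, SAMPLE_PROTECTED).items():
        print(section, rows)
```

The `unprotected` entries are the internet-facing resources still covered only by Shield Standard; the Network Load Balancer and S3 ARNs fall under `not_eligible` because those types are not on the list above.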
Comparison Between Shield and Shield Advanced

How to Choose
You can use AWS WAF, AWS Firewall Manager, and AWS Shield together to create a comprehensive security solution.
Start with AWS WAF. You can then automate and simplify AWS WAF management using AWS Firewall Manager. Shield Advanced adds capabilities on top of AWS WAF, such as support from the DDoS Response Team (DRT) and advanced reporting.
If you want fine-grained control over the protection added to your resources, using AWS WAF alone is the right choice. If you want to use AWS WAF across accounts, speed up your AWS WAF configuration, or automate protection for new resources, use Firewall Manager with AWS WAF.
Finally, if you have high-visibility websites or are prone to frequent DDoS attacks, you should consider purchasing Shield Advanced.
Pricing
AWS Shield Standard protects all AWS customers, at no additional cost, against the most common, frequently occurring network and transport layer DDoS attacks targeting websites or applications.
AWS Shield Advanced is a paid service that provides additional protection for internet-facing applications running on Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53. AWS Shield Advanced is available to all customers, but only AWS Premium Support Business or Enterprise support plan customers can contact the DDoS Response Team. It requires a 1-year subscription commitment, with a monthly fee of $3,000. Data transfer pricing is shown in the table below:

For further assistance or services, please leave a message. UltraPower Cloud Business will provide automation tools and professional services.
