An Overview of AWS Shield.
- The Concept of AWS Shield
- Table of AWS Shield's two tiers (Features & Pricing)
- How Shield Works (Layer by Layer)
- Layer 3/4 (Network & Transport Layers)
- Layer 7 (Application Layer)
- Architecture & Data Flow (typical setup, Shield in context)
- Data Flow Summary
- AWS Shield Components, Description & Integrations Table
- AWS Shield Advanced for Detection & Mitigation
- AWS Shield Advanced for Visibility
- AWS Shield Advanced for DDoS Response Team (DRT)
- AWS Shield Advanced for Cost Protection
- AWS Shield Advanced for Resource Coverage
- Sample of AWS Shield + WAF + Global Accelerator Architecture
- Benefits of this Architecture (AWS Shield + WAF + Global Accelerator)
- Steps in Detection & Mitigation Pipeline (Description & Tools)
- Best Practices
- Visualization Diagram (AWS Shield Protection Layers)
- Comparison table for Shield Standard vs. Shield Advanced
1. The Concept of AWS Shield
- AWS Shield is a managed Distributed Denial of Service (DDoS) protection service for applications running on AWS.
- AWS Shield safeguards those applications against the three common classes of DDoS attack:
- volumetric attacks (flooding the link with traffic, e.g. UDP reflection),
- protocol attacks (exhausting connection state, e.g. SYN floods),
- application layer attacks (exhausting the application itself, e.g. HTTP floods).
Table of AWS Shield's two tiers (Features & Pricing):

| Tier | Key Features | Pricing |
|---|---|---|
| Shield Standard | Always-on protection against the most common network and transport layer DDoS attacks (e.g., SYN floods, UDP reflection, DNS query floods). Applied automatically to every AWS customer; nothing to enable. | Free |
| Shield Advanced | Enhanced, always-on detection and mitigation, attack visibility, cost protection, and 24x7 access to the DDoS Response Team (DRT, now called the Shield Response Team, SRT). | Paid: about $3,000/month per organization with a 1-year commitment, plus usage-based data transfer out charges for protected resources |
2. How Shield Works (Layer by Layer)
Layer 3/4 (Network and Transport Layers)
- Protects against:
- Synchronize (SYN) / Acknowledgment (ACK) floods,
- User Datagram Protocol (UDP) reflection attacks (DNS, NTP, SSDP and similar amplifiers),
- Internet Control Message Protocol (ICMP) floods,
- Connection exhaustion attacks.
- Shield detects anomalies automatically by comparing sampled live traffic (packets and bits per second, broken down by protocol and port) against AWS-wide baselines; Shield Advanced additionally learns a baseline for each protected resource.
Layer 7 (Application Layer)
- Shield Advanced (not Shield Standard) integrates with AWS WAF to detect and mitigate attacks such as:
- Hyper Text Transfer Protocol (HTTP) floods,
- Slow POST/GET attacks,
- Excessive Application Programming Interface (API) calls.
- Attack patterns are analyzed against a learned request baseline. With automatic application layer mitigation enabled, Shield Advanced places rate-based and custom rules into the resource's WAF web ACL to block the offending traffic; rate-based rules you configure yourself in WAF apply regardless.
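The two detection mechanisms this section describes, reduced to runnable form on constructed data: a per-second packet-rate check against a learned baseline with a vector classifier for Layer 3/4, and a sliding-window per-source-IP limit in the shape of a WAF rate-based rule for Layer 7. This is an added illustration, not Shield's or WAF's own code; the flow record format, the reflector port table, the sample traffic and the IP addresses are all constructed for the example.

```python
"""Toy L3/4 baseline detector + L7 rate-based rule (added example, constructed data)."""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    """One sampled L3/L4 flow record (constructed format, not Shield's)."""
    second: int       # arrival time bucket
    proto: str        # "tcp", "udp" or "icmp"
    src_port: int     # 0 for icmp
    tcp_flags: str    # "S" = SYN only, "PA" = PSH/ACK, "" for non-TCP
    packets: int      # packets sampled in this bucket for this traffic class


# Source ports of services commonly abused as amplifiers (constructed subset).
REFLECTORS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}


def classify_vector(flows):
    """Name the dominant vector: weight (proto, src_port, flags) by packet count."""
    weights = Counter()
    for f in flows:
        weights[(f.proto, f.src_port, f.tcp_flags)] += f.packets
    (proto, src_port, flags), _ = weights.most_common(1)[0]
    if proto == "tcp" and flags == "S":
        return "SYN flood"
    if proto == "udp" and src_port in REFLECTORS:
        return f"{REFLECTORS[src_port]} reflection"
    if proto == "icmp":
        return "ICMP flood"
    return f"{proto.upper()} flood"


def detect_l34(flows, warmup_seconds=10, factor=5.0, min_pps=1000):
    """Flag seconds whose packet rate exceeds factor x the warm-up median.
    Returns [(second, pps, vector)] for every flagged second."""
    per_second = defaultdict(list)
    for f in flows:
        per_second[f.second].append(f)
    pps = {s: sum(f.packets for f in fl) for s, fl in per_second.items()}
    baseline = median(v for s, v in pps.items() if s < warmup_seconds)
    # absolute floor so a tiny baseline cannot make normal jitter look like an attack
    threshold = max(baseline * factor, min_pps)
    return [(s, pps[s], classify_vector(per_second[s]))
            for s in sorted(pps) if s >= warmup_seconds and pps[s] > threshold]


class RateBasedRule:
    """Sliding-window per-source-IP request limit, the shape of a WAF rate-based
    rule. WAF's default window is 300 s and it applies the block with some lag;
    this toy is exact and immediate."""

    def __init__(self, limit, window_seconds=300):
        self.limit, self.window = limit, window_seconds
        self.hits = defaultdict(deque)   # ip -> request timestamps inside the window

    def evaluate(self, ip, ts):
        q = self.hits[ip]
        q.append(ts)
        while q[0] <= ts - self.window:   # drop timestamps that fell out of the window
            q.popleft()
        return "block" if len(q) > self.limit else "allow"


def sample_flows():
    """Constructed: 10 s of normal traffic, then 5 s of amplified DNS answers."""
    flows = []
    for s in range(15):
        flows.append(Flow(s, "tcp", 443, "PA", 400))       # normal HTTPS
        flows.append(Flow(s, "udp", 53, "", 20))           # normal DNS answers
        if s >= 10:
            flows.append(Flow(s, "udp", 53, "", 50_000))   # reflected DNS responses
    return flows


def run_l7(limit=100):
    """Constructed: one client at 30 req/s for 60 s, ten clients at 1 req/s.
    Returns (set of blocked IPs, number of blocked requests)."""
    rule = RateBasedRule(limit)
    blocked, blocked_ips = 0, set()
    for s in range(60):
        for i in range(1, 11):
            rule.evaluate(f"198.51.100.{i}", s)            # legitimate clients
        for _ in range(30):
            if rule.evaluate("203.0.113.10", s) == "block":  # flooding client
                blocked += 1
                blocked_ips.add("203.0.113.10")
    return blocked_ips, blocked


if __name__ == "__main__":
    for second, pps, vector in detect_l34(sample_flows()):
        print(f"t={second}s pps={pps} vector={vector}")
    print(run_l7())
```

The absolute floor in `detect_l34` matters in practice: a resource that normally sees almost no traffic would otherwise alarm on any small burst, which is why per-resource baselines need a minimum rate below which nothing is treated as an attack.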
3. Architecture & Data Flow (typical setup Shield in context):
Data Flow Summary:
1. Traffic enters AWS Edge locations (CloudFront, Route 53, or Global Accelerator).
2. Shield detects & mitigates DDoS traffic (volumetric filtering, SYN proxying, etc.).
3. WAF applies rules (e.g., SQLi/XSS filters, rate limiting, IP blocks).
4. Clean traffic is forwarded to your application endpoints.
4. AWS Shield Components, Description & Integrations Table

| Component | Description | Integration |
|---|---|---|
| Shield Standard | Always-on L3/4 protection for every AWS customer at no charge | Automatic, nothing to enable |
| Shield Advanced | Enhanced detection, visibility, cost protection and 24/7 DRT (SRT) access | Subscription, then protection is enabled per resource |
| AWS WAF | Layer 7 filtering with managed and custom rules | Required for Shield Advanced application layer protection |
| AWS Firewall Manager | Central management of Shield Advanced and WAF policies across accounts | Multi-account (AWS Organizations) use |
| Amazon CloudWatch | Attack metrics (AWS/DDoSProtection namespace) and alarms | Dashboards and SNS notifications |
| Global Accelerator | Fixed anycast IPs and a DDoS-resilient entry point | Protectable by Shield Advanced |
5. AWS Shield Advanced
A. AWS Shield Advanced for Detection & Mitigation
- Learns traffic baselines per protected resource and flags deviations from them.
- Applies automated mitigations at the AWS edge locations that receive the traffic.
- Mitigation time: infrastructure (L3/4) mitigations typically start within seconds; application layer (L7) mitigation can take a few minutes because WAF rules must be generated and deployed.
B. AWS Shield Advanced for Visibility
- Attack diagnostics in CloudWatch metrics (AWS/DDoSProtection namespace) and the Shield console:
- Attack vector type
- Volume (pps, bps, rps)
- Duration
- Target resource
- Near-real-time notifications by setting a CloudWatch alarm on the DDoSDetected metric that publishes to Amazon SNS.
C. AWS Shield Advanced for DDoS Response Team (DRT)
- The DRT, now called the Shield Response Team (SRT), is available 24x7 for incident response and post-attack analysis.
- Helps create tailored WAF rules or reroute traffic during an attack; this requires a Business or Enterprise Support plan and an IAM role you grant the team in advance.
D. AWS Shield Advanced for Cost Protection
- Protects against scaling or bandwidth overage costs caused by a DDoS attack on protected resources.
- AWS issues service credits for usage spikes it verifies were caused by a DDoS incident; you request them through AWS Support after the event.
E. AWS Shield Advanced for Resource Coverage
twtech can attach Shield Advanced protection to:
- Application Load Balancers (Network Load Balancers are protected via their Elastic IPs)
- Amazon CloudFront distributions
- Global Accelerator accelerators
- Route 53 hosted zones
- EC2 instances (via Elastic IPs)
6. Sample of AWS Shield + WAF + Global Accelerator (Architecture Overview):
Data Flow:
1. Traffic hits Global Accelerator’s Anycast IPs (protected by Shield Advanced).
2. Shield blocks volumetric DDoS traffic at the edge.
3. WAF filters malicious Layer 7 patterns.
4. ALB routes legitimate requests to backend.
Benefits of this Architecture (AWS Shield + WAF + Global Accelerator):
- Fixed anycast entry IPs (the ALB's changing public IPs are never exposed to clients).
- Multi-layer protection (L3–L7).
- Low latency via AWS edge routing.
- Centralized logging and metrics.
7. Steps in Detection & Mitigation Pipeline (Description & Tools)

| Step | Description | Tool |
|---|---|---|
| 1 | Traffic baselined & monitored | Shield detection systems at AWS edge locations |
| 2 | Anomalous spikes trigger detection | Shield detection; CloudWatch alarms for notification |
| 3 | Automated mitigation applied | AWS edge mitigation systems |
| 4 | Optional manual DRT (SRT) involvement | Shield Advanced |
| 5 | Metrics & reports generated | CloudWatch + Shield Console |
8. Best Practices
- Use Shield Advanced for public-facing, business-critical applications.
- Pair Shield Advanced with AWS WAF; Shield on its own covers L3/4, WAF supplies the L7 half of L3–L7 coverage.
- Front origins with Global Accelerator or CloudFront so attacks are absorbed at the edge, and keep origins private (security groups that admit only the edge or ALB) so the edge cannot be bypassed.
- Monitor Shield metrics in CloudWatch so you know what normal baselines look like before an attack.
- Configure automatic incident notifications: a CloudWatch alarm on the DDoSDetected metric publishing to SNS, with Lambda for paging or ticketing.
- Use AWS Firewall Manager for centralized policy enforcement across accounts.
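The notification best practice above, written out as an added example (not AWS sample code): a function that builds the CloudWatch `put_metric_alarm` parameters for the Shield Advanced `DDoSDetected` metric, and the Lambda-side parser that turns the SNS delivery of the alarm state change into the fields an on-call engineer needs. The resource ARN, topic ARN, alarm name and the sample SNS event are constructed placeholders; the metric namespace, metric name and `ResourceArn` dimension are the real ones Shield Advanced publishes.

```python
"""CloudWatch alarm on AWS/DDoSProtection DDoSDetected -> SNS -> Lambda (added example)."""
import json


def ddos_detected_alarm(resource_arn, sns_topic_arn, alarm_name="ShieldAdvanced-DDoSDetected"):
    """Keyword arguments for cloudwatch.put_metric_alarm(**...).
    DDoSDetected is 1 for each minute Shield Advanced reports an event on the
    protected resource and is absent otherwise, hence TreatMissingData=notBreaching."""
    return {
        "AlarmName": alarm_name,
        "Namespace": "AWS/DDoSProtection",
        "MetricName": "DDoSDetected",
        "Dimensions": [{"Name": "ResourceArn", "Value": resource_arn}],
        "Statistic": "Sum",
        "Period": 60,
        "EvaluationPeriods": 1,
        "Threshold": 1,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "TreatMissingData": "notBreaching",
        "AlarmActions": [sns_topic_arn],
        "OKActions": [sns_topic_arn],   # also notify when the event ends
    }


def create_alarm(resource_arn, sns_topic_arn, region="us-east-1"):
    """Create the alarm. Metrics for global resources (CloudFront, Route 53,
    Global Accelerator) are published in us-east-1, so the alarm goes there."""
    import boto3  # imported here so the module loads without boto3 installed
    cw = boto3.client("cloudwatch", region_name=region)
    cw.put_metric_alarm(**ddos_detected_alarm(resource_arn, sns_topic_arn))


def parse_alarm_notification(sns_event):
    """Lambda side: extract alarm name, state, affected resource and reason from
    each SNS record carrying a CloudWatch alarm state-change message."""
    findings = []
    for rec in sns_event["Records"]:
        msg = json.loads(rec["Sns"]["Message"])
        # CloudWatch serialises dimensions with lowercase "name"/"value" keys here
        dims = {d["name"]: d["value"] for d in msg["Trigger"]["Dimensions"]}
        findings.append({
            "alarm": msg["AlarmName"],
            "state": msg["NewStateValue"],
            "resource": dims.get("ResourceArn"),
            "reason": msg["NewStateReason"],
            "time": msg["StateChangeTime"],
        })
    return findings


def lambda_handler(event, context):
    """Entry point for the Lambda subscribed to the SNS topic."""
    findings = parse_alarm_notification(event)
    for f in findings:
        # Real deployments page on-call or open a ticket here; this example logs.
        print(json.dumps(f))
    return {"processed": len(findings)}


# Constructed SNS delivery of an alarm state change (placeholder ARNs and times).
SAMPLE_SNS_EVENT = {
    "Records": [{"Sns": {"Message": json.dumps({
        "AlarmName": "ShieldAdvanced-DDoSDetected",
        "NewStateValue": "ALARM",
        "NewStateReason": "Threshold Crossed: 1 datapoint [1.0] was greater than or equal to the threshold (1.0).",
        "StateChangeTime": "2024-01-01T00:00:00.000+0000",
        "Trigger": {
            "MetricName": "DDoSDetected",
            "Namespace": "AWS/DDoSProtection",
            "Dimensions": [{"name": "ResourceArn",
                            "value": "arn:aws:globalaccelerator::123456789012:accelerator/example"}],
        },
    })}}]
}


if __name__ == "__main__":
    print(lambda_handler(SAMPLE_SNS_EVENT, None))
```

Subscribing OK actions to the same topic is deliberate: the end of an event is what tells the responder that mitigation is holding, and it is what cost-protection requests later need a timeline for.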
9. Visualization Diagram (AWS Shield Protection Layers):
10. Comparison table for Shield Standard vs. Shield Advanced

| Feature | Shield Standard | Shield Advanced |
|---|---|---|
| Network-level protection | ✅ | ✅ |
| Application-layer integration | 🚫 | ✅ (with WAF) |
| DDoS cost protection | 🚫 | ✅ |
| CloudWatch metrics | Limited | Detailed |
| 24/7 DRT (SRT) access | 🚫 | ✅ |
| Attack diagnostics | Basic | Full |
| Resource coverage | Automatic | Manual per-resource |