AWS Shield (Protection Against Distributed Denial of Service (DDoS attacks)) | Overview.

An Overview of AWS Shield.

•       The Concept: AWS Shield,
•       How Shield Works (Layer by Layer),
•       Architecture and Data Flow,
•       AWS Shield Components and Integrations,
•       AWS Shield Advanced,
•       Sample of AWS Shield + WAF + Global Accelerator Architecture,
•       Detection and Mitigation Pipeline,
•       Best Practices,
•       Visualization (Concept Diagram),
•       Comparison table for Shield Standard vs. Advanced.

1. The Concept: AWS Shield

• AWS Shield is a managed Distributed Denial of Service (DDoS) protection service.
• AWS Shield safeguards AWS applications against volumetric, protocol, and application layer attacks.

AWS offers it in two tiers:

Tier	Key Features		Pricing
Shield Standard		Always-on protection against common network & transport layer DDoS attacks (e.g., SYN floods, UDP reflection, DNS query floods). Automatically included with all AWS resources.	Free
Shield Advanced		Enhanced, always-on detection and mitigation, visibility, cost protection, and 24x7 DDoS Response Team (DRT) support.	Paid (~$3,000/month per account + data transfer charges)

2. How Shield Works (Layer by Layer)

 Layer 3/4 (Network and Transport Layers)

•         Protects against:
•    Synchronize (SYN) /Acknowledgment (ACK) floods
•    User Datagram Protocol (UDP) reflection attacks
•    Internet Control Message Protocol (ICMP) floods
•    Connection exhaustion attacks
•         Shield automatically detects traffic anomalies by comparing live traffic against AWS baselines using flow sampling and anomaly detection algorithms.

 Layer 7 (Application Layer)

•         Shield integrates with AWS WAF to detect and mitigate attacks like:
•    Hyper Text Transfer Protocol (HTTP) floods
•    Slow POST/GET attacks
•    Excessive Application Programming Interface (API) calls
•         Attack patterns are analyzed using machine learning and rate-based rules.

3. Architecture and Data Flow

Here’s a typical setup (Shield in context):

Data Flow Summary:

1.     Traffic enters AWS Edge locations (CloudFront, Route 53, or Global Accelerator).
2.     Shield detects & mitigates DDoS traffic (volumetric filtering, SYN proxying, etc.).
3.     WAF applies rules (e.g., SQLi/XSS filters, rate limiting, IP blocks).
4.     Clean traffic is forwarded to your application endpoints.

4. AWS Shield Components and Integrations

Component	Description	Integration
Shield Standard	Always-on for all AWS services	Automatic
Shield Advanced	Enhanced protection with 24/7 DRT access	Manual enablement per resource
AWS WAF	Layer 7 filtering (custom rules)	Tight integration with Shield Advanced
AWS Firewall Manager	Central management for Shield + WAF	Enterprise use
Amazon CloudWatch	Real-time attack metrics, alarms	Integrated dashboards
Global Accelerator	Helps get a fixed IP + DDoS-resilient entry point	Works with Shield Advanced

5. AWS Shield Advanced

 A. Detection & Mitigation

•         Uses traffic baselines to detect anomalies.
•         Employs automated mitigation systems for each AWS edge location.
•         Mitigation time: usually sub-seconds to a few minutes.

 B. Visibility

•         Attack diagnostics in CloudWatch metrics and Shield Console:
•    Attack vector type
•    Volume (pps, bps)
•    Duration
•    Target resource
•         Real-time notifications via Amazon SNS.

 C. DDoS Response Team (DRT)

•         Available 24x7 for incident response and post-attack analysis.
•         Helps create tailored WAF rules or reroute traffic during attack.

D. Cost Protection

•         Protects against scaling or bandwidth overage costs due to a DDoS.
•         AWS refunds the cost spikes caused by verified DDoS incidents.

 E. Resource Coverage

twtech can attach Shield Advanced protection to:

•         Elastic Load Balancers (ALB/NLB)
•         Amazon CloudFront distributions
•         Global Accelerator accelerators
•         Route 53 hosted zones
•         EC2 instances (via Elastic IPs)

6. Sample of AWS Shield + WAF + Global Accelerator

Architecture Overview:

Data Flow:

1.     Traffic hits Global Accelerator’s Anycast IPs (protected by Shield Advanced).

2.     Shield blocks volumetric DDoS traffic at the edge.

3.     WAF filters malicious Layer 7 patterns.

4.     ALB routes legitimate requests to backend.

Benefits:

•         Fixed entry IPs (no exposure of ALB IPs).
•         Multi-layer protection (L3–L7).
•         Low latency via AWS edge routing.
•         Centralized logging and metrics.

7. Detection and Mitigation Pipeline

Step	Description	Tool
1	Traffic baselined & monitored	Shield sensors
2	Anomalous spikes trigger detection	CloudWatch alarms
3	Automated mitigation applied	AWS edge routers
4	Optional manual DRT involvement	Shield Advanced
5	Metrics & reports generated	CloudWatch + Shield Console

8. Best Practices

•        Use Shield Advanced for public-facing, business-critical applications.
•        Always pair Shield with AWS WAF for complete L3–L7 coverage.
•        Deploy Global Accelerator or CloudFront to terminate attacks at the edge.
•         Monitor Shield metrics in CloudWatch for baselines.
•        Configure automatic incident notifications (SNS + Lambda).
•        Enable AWS Firewall Manager for centralized policy enforcement.

9. Visualization (Concept Diagram)

AWS Shield Protection Layers:

10. Comparison table for Shield Standard vs. Shield Advanced

Feature	Shield Standard	Shield Advanced
Network-level protection	✅	✅
Application-layer integration	🚫	✅ (with WAF)
DDoS cost protection	🚫	✅
CloudWatch metrics	Limited	Detailed
24/7 DRT access	🚫	✅
Attack diagnostics	Basic	Full
Resource coverage	Automatic	Manual per-resource