AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. There are two tiers of AWS Shield – Standard and Advanced.
Seamless integration and deployment
Your AWS resources automatically have AWS Shield Standard and are protected from common, most frequently occurring network and transport layer DDoS attacks. You can achieve a higher level of defense by simply enabling AWS Shield Advanced protection for Elastic IP, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, or Amazon Route 53 resources you want to protect using the management console or APIs. No routing changes are required for enabling these protections.
With AWS Shield Advanced, you have the flexibility to choose the resources to protect for infrastructure (Layer 3 and 4) protection. You can write customized rules with AWS WAF to mitigate sophisticated application layer attacks. These customizable rules can be deployed instantly, allowing you to quickly mitigate attacks. You can set up rules proactively to automatically block bad traffic, or respond to incidents as they occur. You also have 24×7 access to the AWS DDoS Response Team (DRT), who can write rules on your behalf to mitigate application layer DDoS attacks.
Managed Protection and Attack Visibility
With AWS Shield Standard you get always-on heuristics-based network flow monitoring and inline mitigation against common, most frequently occurring network and transport layer DDoS attacks. AWS Shield Advanced provides enhanced resource specific detection and employs advanced mitigation and routing techniques for sophisticated or larger attacks. You also get 24×7 access to the AWS DDoS Response Team (DRT) for manual mitigation of edge cases affecting your availability. AWS Shield Advanced also provides visibility and insights into all your DDoS incidents through AWS CloudWatch metrics and attack diagnostics. Finally, you can also see the DDoS threat environment on AWS with the Global threat environment dashboard.