Ref: https://learn.cantrill.io/courses/1820301/lectures/42566530

• Summary:
• Contents:

AWS Shield - Overview

• 🔧 DDoS protection service
  • 2 forms: Standard (free) & Advanced (extra costs)
• Protects against 3 different types of DDoS attacks:
  • NW volumetric attacks (L3) → saturate NW capacity/BW
  • NW protocol attacks (L4) → e.g. TCP-SYN flood
    • L4 can also have a volumetric component
  • Application Layer Attacks (L7) → e.g. web request floods
    • Search functions usually vulnerable: requesting a search is very cheap and fast, but performing search is slow and computationally expensive

AWS Shield Standard

• Automatic benefit for AWS customers
  • No configuration needed (works in the background)
  • Completely free
• Protection at NW perimeter
  • Region (as data flows into VPC) or AWS edge (if using CF or Global Accelerator)
• Protection against common NW (L3) or Transport (L4) attacks
• Best protection if using R53, CF, or Global Accelerator
• 💡 No explicit configurable protection nor proactive capability, unlike Advanced

AWS Shield Advanced

• Extra cost: $3000/month per AWS organization
  • All member accounts in an AWS organization will benefit
  • 1 year lock-in commitment
  • Additional monthly charge for data coming OUT
• Protects more resources than Standard:
  • R53, CF, Global Accelerator included (like standard)
  • Additionally: anything associated with EIPs (e.g. EC2) and ELBs (ALBs, NLBs, CLBs)
• ‼️ NOT automatic!!
  • Must be enabled explicitly in Shield Advanced or AWS Firewall Manager
• Many benefits:
  • Cost protection for unmitigated attacks
    • If attack is not mitigated when it should, and you spend more $$$, AWS covers it
    • e.g. EC2 scaling caused by excessive load
  • Proactive engagement with AWS Shield Response Team (SRT)
    • Customer gets contacted fast & directly if victim of an attack (with details)
    • Also 24/7 ticket support & contact support for customers
  • WAF integration → WAF used to implement protection against DDoS L7 attacks
    • Shield Advanced includes basic WAF fees for WEBACLs, rules, and web requests
    • WAF configured automatically and frequently by Shield Advanced
  • Real-time visibility of DDoS events and attacks (real-time metrics & reports)
  • Health-based detection
    • R53 application-specific health checks
    • Reduces false positives
    • Can be used alone or with proactive engagement team
    • ‼️ Actually a requirement if using proactive engagement team!
  • Protection groups → groupings of resources for Shield Advanced to protect
    • Can define membership criteria → resources meeting criteria automatically added
    • Reduces admin overhead