AWS Shield

  • Provides protection against DDoS attacks
  • Provides a custom-designed set of protections against DDoS attacks
  • Offers protection against all known infrastructure Layer 3 and Layer 4 DDoS attacks: network volumetric attacks (L3) and network protocol attacks (L4), for example TCP SYN floods
  • Comes in 2 forms:
    • Shield Standard:
      • It is free of charge for all AWS customers
      • Protection is at the perimeter of the network (this can be either at the region/VPC or AWS edge in case of CloudFront usage)
      • Protects against common Network (L3) and Transport (L4) layer attacks
      • We get the best protection if we use Route 53, CloudFront or Global Accelerator
      • It does not provide any proactive capability or any form of explicit configuration
    • Shield Advanced:
      • Costs $3000 per month per organization, with a 1-year lock-in, plus a charge for data (OUT) per month. The cost is not per account; if we want protection for multiple accounts, we have to make sure they are in the same organization
      • Expands the range of products which can be protected: CloudFront, Global Accelerator, Route 53, anything associated with an EIP (for example EC2 instances), load balancers (ALB, CLB, NLB)
      • Protection offered by Shield Advanced is not automatic. We need to enable it in Shield Advanced or as part of an AWS Firewall Manager Shield Advanced policy
      • Shield Advanced provides access to a 24/7 advanced response team named AWS Shield Response Team (SRT)
      • Provides financial insurance against any increase in charges caused by DDoS attacks
      • Additional Shield Advanced features
        • Integration with WAF:
          • Shield Advanced integrates with WAF to protect against Application Layer (L7) attacks
          • Includes basic AWS WAF fees for web ACLs, rules and web requests
        • Real-time visibility of DDoS events and attacks
        • Health-based detection: application-specific health checks are used by the proactive engagement team to provide faster detection and mitigation of any issues
        • Protection groups:
          • We can create groupings of resources that Shield Advanced protects
          • We can define the membership criteria for groups; any new resource that matches will be added automatically
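
Because Shield Advanced protection is not automatic, it is worth auditing which eligible resources have no protection attached. The following is an added example, not part of the original notes: it classifies ARNs into the resource types listed above and compares them against a list of protections. The function names, the account id and all ARNs are constructed, and the protections list is assumed to have the shape of the `Protections` list returned by Shield's ListProtections API.

```python
# Added example: offline Shield Advanced coverage audit (not from the original notes).
# Every ARN below is constructed sample data.

# (service, resource type) pairs for the resource types listed in the notes.
ELIGIBLE = {
    ("cloudfront", "distribution"): "CloudFront distribution",
    ("globalaccelerator", "accelerator"): "Global Accelerator",
    ("route53", "hostedzone"): "Route 53 hosted zone",
    ("ec2", "eip-allocation"): "Elastic IP",
    ("elasticloadbalancing", "loadbalancer"): "Load balancer",
}

def classify(arn):
    """Return the protectable resource kind for an ARN, or None."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        return None
    service, resource = parts[2], parts[5]
    kind = ELIGIBLE.get((service, resource.split("/", 1)[0]))
    if kind != "Load balancer":
        return kind
    segs = resource.split("/")
    if len(segs) == 2:          # loadbalancer/<name> is a Classic Load Balancer
        return "CLB"
    if len(segs) == 4:          # loadbalancer/<app|net>/<name>/<id>
        return {"app": "ALB", "net": "NLB"}.get(segs[1])
    return None

def unprotected(inventory, protections):
    """List (kind, arn) for eligible resources with no matching protection."""
    protected = {p["ResourceArn"] for p in protections}
    return sorted((classify(a), a) for a in inventory
                  if classify(a) and a not in protected)

ACCT = "111122223333"  # constructed account id
INVENTORY = [
    f"arn:aws:cloudfront::{ACCT}:distribution/EXAMPLEDIST1",
    f"arn:aws:ec2:eu-west-1:{ACCT}:eip-allocation/eipalloc-0example",
    f"arn:aws:elasticloadbalancing:eu-west-1:{ACCT}:loadbalancer/app/web/0123456789abcdef",
    f"arn:aws:elasticloadbalancing:eu-west-1:{ACCT}:loadbalancer/legacy-clb",
    "arn:aws:route53:::hostedzone/ZEXAMPLE12345",
    "arn:aws:s3:::example-bucket",  # not a type Shield Advanced protects
]
# Same shape as the "Protections" list returned by Shield's ListProtections API.
PROTECTIONS = [{"ResourceArn": INVENTORY[0]}, {"ResourceArn": INVENTORY[2]}]

if __name__ == "__main__":
    for kind, arn in unprotected(INVENTORY, PROTECTIONS):
        print(f"UNPROTECTED {kind}: {arn}")
```

Load balancer types outside the ALB, CLB and NLB list in the notes are reported as not eligible rather than guessed at.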