A Five Minute Overview of AWS Shield

(If you would prefer to listen to this article, click this link to hear it using Amazon Polly. It will also be available in iTunes: search for LabR Learning Resources.)

If you are already an AWS customer, you are being protected by AWS Shield whether you know it or not. AWS Shield is an AWS-managed Distributed Denial of Service (DDoS) protection service that actively protects the “Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator and Amazon Route 53 resources” [1] you have deployed.

DDoS attacks are a favorite among malicious actors for bringing down a website or service, either by using many different machines to launch an attack or by making use of specific security deficiencies in available protocols and services. With AWS Shield Standard, you are automatically protected against the most common and frequently occurring network and transport layer attacks. And the best part is that you don’t need to do anything to turn it on or monitor it.

If you want additional protection, you can sign up for AWS Shield Advanced, which provides additional protection against other forms of DDoS attacks, near real-time visibility into attacks, integration with the AWS Web Application Firewall (WAF) service, 24x7 access to the AWS DDoS Response Team (DRT), and service credits if you experience a usage spike associated with a DDoS attack.

Setting up AWS Shield

If you don’t have a requirement for the advanced services in AWS Shield Advanced, then no action is needed on your part. AWS Shield Standard is included.

If you want the additional services, log in to the console and navigate to the AWS Shield and WAF service. Clicking on the “Go to AWS Shield” button takes you to a page with a comparison of the AWS Shield Standard and AWS Shield Advanced services.

If you want to activate the AWS Shield Advanced service, click on the “Activate AWS Shield Dashboard” button. You will be charged $3,000 for each month of service, and the AWS Web Application Firewall is included at no additional charge.

If you don’t need AWS Shield Advanced, but still want to have an AWS WAF [2] in your infrastructure, then select that option. The cost of an AWS Web Application Firewall is considerably less than AWS Shield Advanced per month, depending upon the configuration of your WAF.

What does AWS Shield cost?

As previously mentioned, AWS Shield Standard is included. AWS Shield Advanced includes the Web Application Firewall and other features for $3,000 a month. If you don’t need AWS Shield Advanced and still want to use AWS WAF, the pricing and some examples are available from the [AWS WAF Service Overview](https://aws.amazon.com/waf/pricing/).

Conclusion

AWS Shield provides some peace of mind for the organization’s security team. The infrastructure you deploy using Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator and Amazon Route 53 resources is protected by default, and AWS provides specific guidance on how you can add further protection from Denial of Service attacks using features like EC2 Autoscaling to deal with traffic spikes.

However, larger enterprises may want the additional control and support afforded by AWS Shield Advanced as part of their information security program. Having access to the AWS DDoS Response Team and service credits may be worth the additional expense and support.

References

[1] https://aws.amazon.com/shield/

[2] https://aws.amazon.com/waf/

AWS Shield Overview

Copyright 2019, Chris Hare

Written by

Chris is the co-author of seven books and author of more than 70 articles and book chapters in technical, management, and information security publications.
