AWS Shield Features
Why AWS Shield?
AWS Shield protects networks and applications by identifying network security configuration issues and defending applications against active web exploitation and distributed denial of service (DDoS) events. AWS Shield does this by offering two key capabilities:
AWS Shield network security director (in preview) performs an analysis of your resources to help you visualize your network topology, identify configuration issues, and receive actionable remediation recommendations.
AWS Shield Advanced offers managed DDoS protection for continuous automatic mitigation of sophisticated DDoS events to minimize application downtime and latency. You can customize your DDoS protection strategy using application-specific security controls and expert guidance from the Shield Response Team during active DDoS incidents. 
AWS Shield network security director (preview)
Network topology of resources and configuration issues (preview)
Get a comprehensive view of your AWS environment through a network topology that shows resource connections, security configurations, and potential security issues at a glance. The view groups resources by tags and connectivity patterns, helping you understand the relationships between resources and their internet exposure, so you can quickly identify critical issues ranging from overly permissive access to applications left unprotected against threats such as SQL injection.
Prioritized findings dashboard (preview)
Each resource is assigned a severity level based on its most severe network security finding, so you can see which resources are not configured correctly for their network context according to AWS best practices and threat intelligence. The dashboard orders findings by severity so you can quickly determine which configuration issues need your immediate attention.
Network security recommendations (preview)
Quickly remediate network security misconfigurations using recommended services and rule sets to mitigate each finding. Recommendations are provided as step-by-step instructions.
Simplify network security with Amazon Q Developer (preview)
Analyze your network security issues in natural language with AWS Shield network security director from within Amazon Q Developer. With Amazon Q, you can ask about network security findings, explore issues, and receive remediation recommendations from the AWS Management Console and chat applications.
AWS Shield Standard
Overview
All AWS customers benefit from the automatic protections of AWS Shield Standard at no additional charge. AWS Shield Standard defends against most common, frequently occurring network and transport layer DDoS events that target your website or applications. When you use AWS Shield Standard with Amazon CloudFront and Amazon Route 53, you receive comprehensive availability protection against all known infrastructure (Layer 3 and 4) events.
Static threshold DDoS protection for underlying AWS services
AWS Shield Standard provides always-on network flow monitoring, which inspects incoming traffic to AWS services and applies a combination of traffic signatures, anomaly algorithms, and other analysis techniques to detect malicious traffic in real time. Shield Standard sets static thresholds for each AWS resource type but doesn’t provide custom protections to your applications.
Inline attack mitigation
Automated mitigation techniques are built into AWS Shield Standard, giving underlying AWS services protection against common, frequently occurring infrastructure attacks. Automatic mitigations are applied inline to protect AWS services, so there is no latency impact. Shield Standard uses techniques such as deterministic packet filtering and priority-based traffic shaping to automatically mitigate basic network layer attacks.
AWS Shield Advanced
Overview
For higher levels of protection against attacks targeting your applications running on Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53 resources, you can subscribe to AWS Shield Advanced. In addition to the network and transport layer protections that come with Standard, Shield Advanced provides additional detection and mitigation against large and sophisticated DDoS attacks, near real-time visibility into attacks, and integration with AWS WAF, a web application firewall. Shield Advanced also gives you 24/7 access to the AWS Shield Response Team (SRT) and protection against DDoS-related spikes in your EC2, ELB, CloudFront, Global Accelerator, and Route 53 charges.
Tailored detection based on application traffic patterns
AWS Shield Advanced provides customized detection based on traffic patterns to your protected Elastic IP address, ELB, CloudFront, Global Accelerator, and Route 53 resources. Using additional region- and resource-specific monitoring techniques, Shield Advanced detects and alerts you of smaller DDoS attacks. Shield Advanced also detects application layer attacks such as HTTP floods or DNS query floods by baselining traffic on your application and identifying anomalies.
Health-based detection
AWS Shield Advanced uses the health of your applications to improve responsiveness and accuracy in attack detection and mitigation. You can define a health check in Route 53 and associate it with a resource that is protected by Shield Advanced through the console or API. This allows Shield Advanced to detect attacks impacting the health of your application more quickly and at lower traffic thresholds, improving the DDoS resiliency of your application and reducing false-positive notifications. Resource health status is also available to the SRT so they can appropriately prioritize response to unhealthy applications. You can apply health-based detection to all resource types that Shield Advanced supports: Elastic IP, ELB, CloudFront, Global Accelerator, and Route 53.
Advanced attack mitigation
AWS Shield Advanced provides more sophisticated automatic mitigations for events targeting your applications running on protected EC2, ELB, CloudFront, Global Accelerator, and Route 53 resources. Using advanced routing techniques, Shield Advanced automatically deploys additional mitigation capacity to protect your application against DDoS events. For customers with Business or Enterprise support, the SRT also applies manual mitigations for more complex and sophisticated DDoS events that might be unique to your application. For application layer events, you can use the AWS WAF application layer (L7) DDoS protection AWS Managed Rule group included in the AWS Shield Advanced subscription. This rule group is designed to automatically detect and mitigate application layer DDoS events within seconds. As part of your subscription, you get up to 50 billion AWS WAF requests per calendar month, per subscribed payer account, to resources protected by AWS WAF. Requests that this managed rule group identifies as DDoS traffic do not count toward the 50 billion, provided the rule group is not running in count mode. Requests beyond 50 billion are billed according to the AWS Shield Advanced pricing page. You can also engage the SRT directly to place custom AWS WAF rules on your behalf in response to an application layer DDoS attack. The SRT will diagnose the event and, with your permission, apply mitigations on your behalf, reducing the time your applications might be impacted by an ongoing DDoS event.
Automatic application layer DDoS mitigation
AWS Shield Advanced can automatically protect web applications by mitigating application layer (L7) DDoS events with no manual intervention needed by you or the AWS SRT. AWS WAF rules are created in your web ACLs to automatically mitigate events, or you can activate them in count-only mode to observe what would be blocked before enforcing. This lets you respond to application layer DDoS events quickly and prevent the application downtime they would otherwise cause.
Proactive event response
AWS Shield Advanced offers proactive engagement from the SRT when a DDoS event is detected. When you activate proactive engagement, the SRT will directly contact you if a Route 53 health check associated with your protected resource becomes unhealthy during a DDoS event. This allows you to engage with experts more quickly when the availability of your application is affected by a suspected attack. You can receive proactive engagement for network layer and transport layer events on Elastic IP addresses and Global Accelerator accelerators, and for application layer attacks on CloudFront distributions and Application Load Balancers.
Protection groups
AWS Shield Advanced allows you to bundle resources into protection groups, giving you a self-service way to customize the scope of detection and mitigation for your application by treating multiple resources as a single unit. Resource grouping improves the accuracy of detection, reduces false positives, eases automatic protection of newly created resources, and accelerates the time to mitigate attacks against multiple resources. For example, if an application consists of four CloudFront distributions, you can add them to one protection group to receive detection and protection for the collection of resources as a whole. Reporting can also be consumed at the protection group level, giving a more holistic view of overall application health.
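The health-based detection, automatic application layer mitigation, proactive engagement, and protection group features described above are all configured through the Shield Advanced API. The following script is an added example written for this page, not code from AWS; it onboards one two-distribution application with the AWS CLI. It assumes a Shield Advanced subscription already exists on the account, that an AWS WAF web ACL is already associated with each distribution (automatic L7 response writes its rules into that web ACL), and that the distribution ARNs, hostname, contact details and protection group name are placeholders. Set `AWS=echo` to print the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the AWS page): onboard one application to Shield Advanced.
# Assumes an existing Shield Advanced subscription, a configured AWS CLI v2, and
# placeholder ARNs/hostnames below that you replace with your own.
set -eu

# Set AWS=echo to preview every command without calling AWS.
AWS="${AWS:-aws}"

# Create a Shield Advanced protection for one resource; prints the protection ID.
shield_protect() {
  # $1 = protection name, $2 = resource ARN (CloudFront, ALB, EIP, accelerator, hosted zone)
  "$AWS" shield create-protection --name "$1" --resource-arn "$2" \
    --query ProtectionId --output text
}

# Create a Route 53 HTTPS health check against the application; prints the health check ID.
# Probe a path that reflects real application health, not a static page.
route53_health_check() {
  # $1 = FQDN to probe, $2 = health path
  "$AWS" route53 create-health-check \
    --caller-reference "shield-hc-$1-$(date +%s)" \
    --health-check-config "Type=HTTPS,FullyQualifiedDomainName=$1,ResourcePath=$2,Port=443,RequestInterval=10,FailureThreshold=3" \
    --query HealthCheck.Id --output text
}

# Attach the health check to the protection so Shield Advanced can use
# application health as a detection signal (health-based detection).
shield_attach_health_check() {
  # $1 = protection ID, $2 = Route 53 health check ID
  "$AWS" shield associate-health-check --protection-id "$1" \
    --health-check-arn "arn:aws:route53:::healthcheck/$2"
}

# Turn on automatic application layer (L7) DDoS mitigation for a CloudFront
# distribution or ALB that already has a web ACL. Start with Count to observe
# what would be blocked, then switch to Block once the baseline looks right.
shield_auto_l7() {
  # $1 = resource ARN, $2 = Count or Block
  "$AWS" shield enable-application-layer-automatic-response \
    --resource-arn "$1" --action "{\"$2\":{}}"
}

# Register an emergency contact and enable proactive engagement so the SRT
# contacts you when an associated health check goes unhealthy during an event.
shield_proactive_engagement() {
  # $1 = on-call email, $2 = on-call phone number in E.164 format
  "$AWS" shield associate-proactive-engagement-details \
    --emergency-contact-list "EmailAddress=$1,PhoneNumber=$2,ContactNotes=primary-on-call"
  "$AWS" shield enable-proactive-engagement
}

# Group the resources that make up one application so detection and mitigation
# treat them as a unit. SUM aggregation suits distributions serving one app.
shield_protection_group() {
  # $1 = protection group ID, remaining args = member resource ARNs
  group="$1"; shift
  "$AWS" shield create-protection-group --protection-group-id "$group" \
    --aggregation SUM --pattern ARBITRARY --members "$@"
}

onboard_app() {
  cf1="arn:aws:cloudfront::123456789012:distribution/EDFDVBD6EXAMPLE"  # placeholder
  cf2="arn:aws:cloudfront::123456789012:distribution/E2QWRUHAPOMQZL"  # placeholder
  p1=$(shield_protect "shop-web" "$cf1")
  p2=$(shield_protect "shop-api" "$cf2")
  hc=$(route53_health_check "www.example.com" "/health")
  shield_attach_health_check "$p1" "$hc"
  shield_attach_health_check "$p2" "$hc"
  shield_auto_l7 "$cf1" Count
  shield_auto_l7 "$cf2" Count
  # Health checks must be associated before proactive engagement is enabled.
  shield_proactive_engagement "oncall@example.com" "+15555550100"
  shield_protection_group "shop" "$cf1" "$cf2"
}

# Only act when explicitly asked, so the file can be sourced for its functions.
if [ "${1:-}" = "apply" ]; then onboard_app; fi
```

Run `AWS=echo sh shield-onboard.sh apply` to review the exact calls, then drop `AWS=echo` to apply them. Leave automatic L7 response in Count until you have compared the counted requests against known-good traffic; flipping to Block on a wrong baseline turns the mitigation itself into an availability problem.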
Visibility and attack notification
AWS Shield Advanced gives you visibility into DDoS events with near real-time notification through Amazon CloudWatch and detailed diagnostics in the AWS WAF and AWS Shield console or APIs. You can also view a summary of prior events from the console. When you use the application layer (L7) DDoS protection managed rule group for AWS WAF, the AWS WAF console shows the DDoS events that this rule group mitigated.
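The CloudWatch notification mentioned above only reaches anyone if you alarm on it. The script below is an added example for this page, not AWS code: it creates an alarm on the DDoSDetected metric that Shield Advanced publishes for a protected resource, and pulls the attack record and diagnostics for that resource from the Shield API. It assumes the resource is already protected by Shield Advanced and that the alarm name, resource ARN and SNS topic ARN are placeholders you supply. Set `AWS=echo` to preview the commands.

```shell
#!/bin/sh
# Added example (not from the AWS page): page on Shield Advanced detections and
# query the attack record. Assumes a protected resource and an existing SNS topic;
# all ARNs passed in are placeholders.
set -eu

AWS="${AWS:-aws}"   # set AWS=echo to preview the commands

# Alarm as soon as Shield Advanced reports an event on a protected resource.
# Shield Advanced publishes DDoSDetected in the AWS/DDoSProtection namespace
# with a ResourceArn dimension. The metric is absent when there is no event,
# so missing data must be treated as not breaching or the alarm flaps.
ddos_alarm() {
  # $1 = alarm name, $2 = protected resource ARN, $3 = SNS topic ARN for paging
  "$AWS" cloudwatch put-metric-alarm --alarm-name "$1" \
    --namespace AWS/DDoSProtection --metric-name DDoSDetected \
    --dimensions "Name=ResourceArn,Value=$2" \
    --statistic Sum --period 60 --evaluation-periods 1 \
    --threshold 0 --comparison-operator GreaterThanThreshold \
    --treat-missing-data notBreaching \
    --alarm-actions "$3" --ok-actions "$3"
}

# List attacks Shield Advanced recorded against a resource in the last N days.
# The start time is passed as Unix epoch seconds, which the CLI accepts as a
# timestamp, to avoid GNU/BSD differences in date arithmetic.
recent_attacks() {
  # $1 = protected resource ARN, $2 = look-back window in days
  start=$(( $(date +%s) - $2 * 86400 ))
  "$AWS" shield list-attacks --resource-arns "$1" \
    --start-time "FromInclusive=$start" \
    --query 'AttackSummaries[].[AttackId,StartTime,EndTime]' --output table
}

# Pull the diagnostics for one attack: timing, traffic counters, and which
# mitigations Shield applied. Useful for the post-incident timeline.
attack_detail() {
  # $1 = attack ID from recent_attacks
  "$AWS" shield describe-attack --attack-id "$1" \
    --query 'Attack.{start:StartTime,end:EndTime,counters:AttackCounters,mitigations:Mitigations[].MitigationName}' \
    --output json
}

# Usage (placeholders):
#   ddos_alarm shield-shop-web arn:aws:cloudfront::123456789012:distribution/EDFDVBD6EXAMPLE arn:aws:sns:us-east-1:123456789012:ddos-pager
#   recent_attacks arn:aws:cloudfront::123456789012:distribution/EDFDVBD6EXAMPLE 30
#   attack_detail <attack-id>
```

Route the SNS topic to the same on-call channel that receives SRT proactive engagement so that CloudWatch, the SRT and your own responders are looking at the same event.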
DDoS cost protection
AWS Shield Advanced comes with DDoS cost protection to safeguard against scaling charges resulting from DDoS-related usage spikes on protected EC2, ELB, CloudFront, Global Accelerator, and Route 53 resources. If any of these protected resources scale up in response to a DDoS attack, you can request Shield Advanced service credits through your regular AWS Support channel.
Specialized support
For customers on Business or Enterprise support plans, AWS Shield Advanced gives you 24/7 access to the SRT, which can be engaged before, during, or after a DDoS attack. The SRT will help triage the incidents, identify root causes, and apply mitigations on your behalf. The SRT has deep expertise in rapidly responding to and mitigating DDoS attacks across AWS customers.
Global availability
AWS Shield Advanced is available globally on all CloudFront, Global Accelerator, and Route 53 edge locations. You can protect web applications hosted anywhere in the world by deploying CloudFront in front of your application. Your origin servers can be Amazon Simple Storage Service (S3), EC2, ELB, or a custom server outside of AWS. You can also activate protections directly on Elastic IP addresses or ELB load balancers in all AWS Regions where Shield Advanced is available.
Centralized protection management
AWS Shield Advanced customers can use AWS Firewall Manager to apply Shield Advanced and AWS WAF protections across their entire organization. The cost of Firewall Manager is included in the Shield Advanced subscription fee. Using Firewall Manager, you can automatically configure policies covering multiple accounts and resources. Firewall Manager automatically audits accounts to find new or unprotected resources, and it ensures that Shield Advanced and AWS WAF protections are universally applied. This lets developers move quickly and deploy new applications with the confidence that the appropriate protections will be automatically applied. To learn more about this security management service, see AWS Firewall Manager.
Application layer (L7) DDoS protection
Overview
Application layer (L7) DDoS protection is an AWS Managed Rule group that is designed to automatically defend applications against distributed denial of service (DDoS) events within seconds. This feature monitors traffic data to establish a baseline within minutes of activation, then leverages machine learning models to detect anomalies from normal traffic patterns. When traffic exceeds or deviates from the established baseline, the system automatically applies rules designed to help block malicious requests. This feature is designed to ensure your applications on Amazon CloudFront, Application Load Balancer, and API Gateway remain available against emerging DDoS events.
Application layer (L7) DDoS protection allows you to protect your applications without the complexity of manually configuring and managing rules. This feature has customizable options to fit the needs of your applications, such as configuring rule sensitivity settings and inspection of specific application URI paths.
Gain rapid DDoS event response
Designed to mitigate emerging application layer DDoS events within seconds
Save time with AWS Managed Rules
AWS Managed Rules for AWS WAF are already configured to save you time
Customize protection for your applications
Tailor your layer 7 DDoS defense to suit your application with sensitivity controls