Written by Adithya Bodi, Demand Generation Manager

In a continually evolving arena of cybersecurity, Distributed Denial of Service (DDoS) attacks present an enduring and potent menace. These malicious onslaughts involve overwhelming a target system or network with a deluge of traffic, leading to service disruptions that can have severe consequences. Businesses of all sizes and industries face the risks of revenue loss, reputational damage, and customer dissatisfaction in the wake of such attacks. In response to these threats, Amazon Web Services (AWS) has developed AWS Shield to ensure the protection of AWS resources and applications against DDoS assaults.

The subsequent sections below explore the key features offered by the two tiers of AWS Shield (Standard and Advanced) and aim to assist readers in making an informed decision.

AWS Shield Standard: A Foundational Security Layer

Automatic Protection for All AWS Customers

AWS Shield Standard is a foundational security offering provided by AWS that delivers automatic protection to all AWS customers without any additional charges. The service is specifically engineered to defend against the most common and frequently encountered Distributed Denial of Service (DDoS) attacks that target websites and applications. It is an essential component of the AWS security ecosystem, ensuring that even the most casual AWS users receive robust protection against prevalent network and transport layer threats.

Comprehensive Defense with CloudFront and Route 53

When AWS Shield Standard is combined with Amazon CloudFront, Amazon Route 53, Elastic Load Balancer (ELB), and Application Load Balancer (ALB), customers receive comprehensive availability protection against all known infrastructure (Layer 3 and 4) attacks. This integrated approach enhances the security posture of AWS users by safeguarding their digital assets from a wide range of threats, thereby ensuring the uninterrupted availability of their services.

Static Threshold DDoS Protection

AWS Shield Standard continuously monitors network traffic, thoroughly examining incoming traffic to AWS services. It employs a blend of traffic signatures, anomaly detection algorithms, and advanced analysis techniques to detect malicious traffic in real time. However, it is essential to note that while it sets static thresholds for various AWS resource types, it does not offer customized protection tailored to specific applications.

Inline Attack Mitigation: Real-Time Defense

AWS Shield Standard incorporates automated mitigation techniques that are seamlessly integrated into AWS services, providing proactive protection against common infrastructure attacks. These mitigations are applied in real time and do not introduce any latency to the services. The service employs sophisticated methods such as deterministic packet filtering and priority-based traffic shaping to automatically counter basic network layer attacks. This ensures that AWS services remain resilient and available, even in the face of malicious threats.

AWS Shield Advanced: Enhanced Protection

Expanded Defense Coverage & Cost Protection

For organizations seeking heightened security against DDoS attacks targeting their AWS-hosted applications, AWS offers Shield Advanced. This premium offering goes beyond basic protections, deploying advanced automatic mitigations against attacks targeting EC2, ELB, CloudFront, Global Accelerator, and Route 53 resources. Shield Advanced not only safeguards against potential revenue loss due to service downtime but also provides clients with cost protection for scaling during a DDoS attack, mitigating the financial impact of increased traffic resulting from such attacks.

Tailored Detection Based on Traffic Patterns

Shield Advanced offers customized detection capabilities based on the unique traffic patterns of protected resources, such as Elastic IP addresses, ELB, CloudFront, Global Accelerator, and Route 53. This customization enables the identification of smaller-scale DDoS attacks and application layer threats such as HTTP floods or DNS query floods, in real time.

Access to the AWS Shield Response Team (SRT)

Customers on Business or Enterprise support plans gain 24/7 access to the Shield Response Team (SRT), benefiting from their expertise in incident triage, root cause identification, and mitigation application. This specialized team is available to provide immediate support and guidance during DDoS incidents. Leveraging the SRT helps ensure efficient and effective handling of attacks, reducing the impact on the applications and facilitating faster recovery.

Application Layer DDoS Mitigation & Integration with AWS WAF 

Shield Advanced offers automated protection against application layer (L7) DDoS events, eliminating the need for manual intervention. The premium offering also provides integration with AWS WAF (Web Application Firewall). This enhances protection by adding an extra layer of security to applications, complementing DDoS mitigation efforts. Shield Advanced can generate WAF rules within WebACLs to automatically mitigate attacks, ensuring quick responses and preventing downtime.

Historic and Real-Time Attack Log Availability for Incident Analysis

Access to both historic and real-time attack logs ensures comprehensive incident analysis. Logs offer valuable data on past attacks, enabling the identification of attack trends and patterns over time. Real-time attack logs assist in monitoring ongoing attacks, providing the necessary information to fine-tune security measures and develop a proactive defense against DDoS threats.

Centralized Protection Management

AWS Shield Advanced customers can utilize AWS Firewall Manager to implement Shield Advanced and AWS WAF protections organization-wide. This service, included in the Shield Advanced subscription, guarantees consistent protection of applications, simplifies account audits, and supports the confident deployment of new applications with assured security measures in place.

Conclusion – Making the Right Choice

The choice between AWS Shield Standard and Shield Advanced depends on the specific security needs and risk profiles of an organization’s AWS-hosted applications. AWS Shield Standard is a potent and cost-effective choice for most businesses, offering essential protection against common and frequently occurring DDoS attacks at no additional cost. It suits applications where basic network and transport layer protections are sufficient and customized security measures are not a critical priority.

On the other hand, AWS Shield Advanced is the superior choice when organizations require advanced, tailored, and real-time DDoS protection. It is well-suited for businesses hosting critical applications with a higher risk of large-scale or sophisticated DDoS attacks. Shield Advanced provides features such as tailored attack detection, health-based monitoring, advanced attack mitigation, automated application layer DDoS protection, and specialized support from the AWS Shield Response Team (DRT). While it comes with an additional cost, the investment is justified for organizations that cannot compromise on the availability, performance, and security of their applications.

Next Steps

For companies considering the implementation of AWS Shield Advanced, it is advisable to seek the assistance of an AWS partner like TrackIt with demonstrated expertise in Shield Advanced implementations. Leveraging the knowledge and expertise of a partner ensures the establishment of a robust security framework and facilitates the comprehensive customization of AWS Shield to suit organizational requirements.

About TrackIt

TrackIt is an international AWS cloud consulting, systems integration, and software development firm headquartered in Marina del Rey, CA.

We have built our reputation on helping media companies architect and implement cost-effective, reliable, and scalable Media & Entertainment workflows in the cloud. These include streaming and on-demand video solutions, media asset management, and archiving, incorporating the latest AI technology to build bespoke media solutions tailored to customer requirements.

Cloud-native software development is at the foundation of what we do. We specialize in Application Modernization, Containerization, Infrastructure as Code and event-driven serverless architectures by leveraging the latest AWS services. Along with our Managed Services offerings which provide 24/7 cloud infrastructure maintenance and support, we are able to provide complete solutions for the media industry.

About Adithya Bodi

Adithya Photo 1

Having spent over 6 years as a consultant working with companies spanning a broad variety of tech niches, Adithya has gained deep expertise in planning and executing content marketing and lead generation strategies. Adithya has been working with TrackIt since 2018 and has taken on a full-time position to assist the company in its growth while deepening his knowledge and expertise in AWS.

Adithya has a bachelor’s degree in Applied Physics and is an AWS Certified Solutions Architect Associate. He is also an avid calisthenics practitioner, a stock market enthusiast, and a recreational painter.