In the continually evolving arena of cybersecurity, Distributed Denial of Service (DDoS) attacks present an enduring and potent menace. These attacks overwhelm a target system or network with a deluge of traffic, causing service disruptions that can have severe consequences. Businesses of all sizes and industries face revenue loss, reputational damage, and customer dissatisfaction in the wake of such attacks. In response to these threats, Amazon Web Services (AWS) offers AWS Shield to protect AWS resources and applications against DDoS attacks.

The sections below explore the key features offered by the two tiers of AWS Shield (Standard and Advanced) and aim to help readers make an informed decision.

AWS Shield Standard: A Foundational Security Layer

Automatic Protection for All AWS Customers

AWS Shield Standard is a foundational security offering that delivers automatic protection to all AWS customers at no additional charge. The service is engineered to defend against the most common and frequently encountered DDoS attacks that target websites and applications. It is an essential component of the AWS security ecosystem, ensuring that even the most casual AWS users receive robust protection against prevalent network and transport layer threats.

Comprehensive Defense with CloudFront and Route 53

When AWS Shield Standard is combined with Amazon CloudFront, Amazon Route 53, Elastic Load Balancer (ELB), and Application Load Balancer (ALB), customers receive comprehensive availability protection against all known infrastructure (Layer 3 and 4) attacks. This integrated approach enhances the security posture of AWS users by safeguarding their digital assets from a wide range of threats, thereby ensuring the uninterrupted availability of their services.

Static Threshold DDoS Protection

AWS Shield Standard continuously monitors network traffic, thoroughly examining incoming traffic to AWS services. It employs a blend of traffic signatures, anomaly detection algorithms, and advanced analysis techniques to detect malicious traffic in real time. However, it is essential to note that while it sets static thresholds for various AWS resource types, it does not offer customized protection tailored to specific applications.

Inline Attack Mitigation: Real-Time Defense

AWS Shield Standard incorporates automated mitigation techniques that are seamlessly integrated into AWS services, providing proactive protection against common infrastructure attacks. These mitigations are applied in real time and do not introduce any latency to the services. The service employs sophisticated methods such as deterministic packet filtering and priority-based traffic shaping to automatically counter basic network layer attacks. This ensures that AWS services remain resilient and available, even in the face of malicious threats.

AWS Shield Advanced: Enhanced Protection

Expanded Defense Coverage & Cost Protection

For organizations seeking heightened security against DDoS attacks targeting their AWS-hosted applications, AWS offers Shield Advanced. This premium offering goes beyond basic protections, deploying advanced automatic mitigations against attacks targeting EC2, ELB, CloudFront, Global Accelerator, and Route 53 resources. Shield Advanced not only safeguards against potential revenue loss due to service downtime but also provides clients with cost protection for scaling during a DDoS attack, mitigating the financial impact of increased traffic resulting from such attacks.

Tailored Detection Based on Traffic Patterns

Shield Advanced offers customized detection capabilities based on the unique traffic patterns of protected resources, such as Elastic IP addresses, ELB, CloudFront, Global Accelerator, and Route 53. This customization enables the identification of smaller-scale DDoS attacks and application layer threats such as HTTP floods or DNS query floods, in real time.

Access to the AWS Shield Response Team (SRT)

Customers on Business or Enterprise support plans gain 24/7 access to the Shield Response Team (SRT), benefiting from their expertise in incident triage, root cause identification, and mitigation application. This specialized team is available to provide immediate support and guidance during DDoS incidents. Leveraging the SRT helps ensure efficient and effective handling of attacks, reducing the impact on the applications and facilitating faster recovery.

Application Layer DDoS Mitigation & Integration with AWS WAF

Shield Advanced offers automated protection against application layer (L7) DDoS events, eliminating the need for manual intervention. The premium offering also provides integration with AWS WAF (Web Application Firewall). This enhances protection by adding an extra layer of security to applications, complementing DDoS mitigation efforts. Shield Advanced can generate WAF rules within WebACLs to automatically mitigate attacks, ensuring quick responses and preventing downtime.
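As an added example (not from the original article and not TrackIt's template), the following CloudFormation template turns on the Shield Advanced capabilities described above for one Application Load Balancer: registration as a protected resource, health-based detection via a Route 53 health check, automatic application layer mitigation through the ALB's associated AWS WAF web ACL, and Shield Response Team access. The ALB ARN, health check ID and resource names are placeholders; it assumes the account already has an active Shield Advanced subscription and that the ALB already has a web ACL associated, which automatic L7 mitigation requires.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Shield Advanced protection for one ALB (added example, not TrackIt's).
  Assumes an active Shield Advanced subscription and an AWS WAF web ACL
  already associated with the ALB (required for automatic L7 mitigation).
Parameters:
  AlbArn:
    Type: String
    Description: Placeholder ARN of the Application Load Balancer to protect
  HealthCheckId:
    Type: String
    Description: Placeholder Route 53 health check ID for the application

Resources:
  # Registers the ALB as a Shield Advanced protected resource.
  AlbProtection:
    Type: AWS::Shield::Protection
    Properties:
      Name: example-alb-protection
      ResourceArn: !Ref AlbArn
      # Health-based detection: health check status is combined with traffic
      # telemetry so smaller attacks that degrade the app are still detected.
      HealthCheckArns:
        - !Sub arn:aws:route53:::healthcheck/${HealthCheckId}
      # Automatic L7 mitigation: Shield places rules in the ALB's web ACL.
      # Use "Count: {}" instead of "Block: {}" to observe before enforcing.
      ApplicationLayerAutomaticResponseConfiguration:
        Status: ENABLED
        Action:
          Block: {}

  # Role the Shield Response Team assumes to apply mitigations on your behalf.
  SrtRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: drt.shield.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy

  # Grants the SRT access through the role above (Business/Enterprise support).
  SrtAccess:
    Type: AWS::Shield::DRTAccess
    Properties:
      RoleArn: !GetAtt SrtRole.Arn
```

Because the template creates an IAM role, deploy it with `aws cloudformation deploy --template-file shield.yaml --stack-name shield-alb --capabilities CAPABILITY_IAM`, passing the two parameters for your environment.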

Historic and Real-Time Attack Log Availability for Incident Analysis

Access to both historic and real-time attack logs ensures comprehensive incident analysis. Logs offer valuable data on past attacks, enabling the identification of attack trends and patterns over time. Real-time attack logs assist in monitoring ongoing attacks, providing the necessary information to fine-tune security measures and develop a proactive defense against DDoS threats.

Centralized Protection Management

AWS Shield Advanced customers can utilize AWS Firewall Manager to implement Shield Advanced and AWS WAF protections organization-wide. This service, included in the Shield Advanced subscription, guarantees consistent protection of applications, simplifies account audits, and supports the confident deployment of new applications with assured security measures in place.

Conclusion – Making the Right Choice

The choice between AWS Shield Standard and Shield Advanced depends on the specific security needs and risk profiles of an organization’s AWS-hosted applications. AWS Shield Standard is a potent and cost-effective choice for most businesses, offering essential protection against common and frequently occurring DDoS attacks at no additional cost. It suits applications where basic network and transport layer protections are sufficient and customized security measures are not a critical priority.

On the other hand, AWS Shield Advanced is the superior choice when organizations require advanced, tailored, and real-time DDoS protection. It is well suited for businesses hosting critical applications with a higher risk of large-scale or sophisticated DDoS attacks. Shield Advanced provides features such as tailored attack detection, health-based monitoring, advanced attack mitigation, automated application layer DDoS protection, and specialized support from the AWS Shield Response Team (SRT). While it comes with an additional cost, the investment is justified for organizations that cannot compromise on the availability, performance, and security of their applications.

Next Steps

For companies considering the implementation of AWS Shield Advanced, it is advisable to seek the assistance of an AWS partner like TrackIt with demonstrated expertise in Shield Advanced implementations. Leveraging the knowledge and expertise of a partner ensures the establishment of a robust security framework and facilitates the comprehensive customization of AWS Shield to suit organizational requirements.

About TrackIt

TrackIt, based in Marina del Rey, CA, is an Amazon Web Services Advanced Tier Services Partner specializing in cloud management, consulting, and software development solutions.

TrackIt specializes in Modern Software Development, DevOps, Infrastructure-As-Code, Serverless, CI/CD, and Containerization with specialized expertise in Media & Entertainment workflows, High-Performance Computing environments, and data storage.

In addition to providing cloud management, consulting, and modern software development services, TrackIt also provides an open-source AWS cost management tool that allows users to optimize their costs and resources on AWS.
