AWS Shield FAQs

Tags: AWS Services

16 Terms

1

What is AWS Shield?

AWS Shield is a managed service that provides protection against Distributed Denial of Service (DDoS) attacks for applications running on AWS. AWS Shield Standard is automatically enabled for all AWS customers at no additional cost. AWS Shield Advanced is an optional paid service. AWS Shield Advanced provides additional protections against more sophisticated and larger attacks for your applications running on Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Route 53.

2

What is AWS Shield Standard?

AWS Shield Standard provides protection for all AWS customers against common and most frequently occurring infrastructure (layer 3 and 4) attacks like SYN/UDP floods, reflection attacks, and others to support high availability of your applications on AWS.

3

What is AWS Shield Advanced?

AWS Shield Advanced provides enhanced protections for your applications running on protected Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Route 53 resources against more sophisticated and larger attacks. AWS Shield Advanced protection provides always-on, flow-based monitoring of network traffic and active application monitoring to provide near real-time notifications of suspected DDoS incidents. AWS Shield Advanced also employs advanced attack mitigation and routing techniques for automatically mitigating attacks. Customers with Business or Enterprise support can also engage the Shield Response Team (SRT) 24x7 to manage and mitigate their application layer DDoS attacks. The DDoS cost protection for scaling protects your AWS bill against higher fees due to usage spikes from protected Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53 during a DDoS attack.

4

What is DDoS cost protection for scaling?

AWS Shield Advanced includes DDoS cost protection, a safeguard from scaling charges as a result of a DDoS attack that causes usage spikes on protected Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, or Amazon Route 53. If any of the AWS Shield Advanced protected resources scale up in response to a DDoS attack, you can request credits via the regular AWS Support channel.

5

Can I use AWS Shield to protect web sites not hosted in AWS?

Yes, AWS Shield is integrated with Amazon CloudFront, which supports custom origins outside of AWS.

6

Can I use IPv6 with all AWS Shield features?

Yes. All of AWS Shield’s detection and mitigations work with IPv6 and IPv4 without any discernible changes to performance, scalability, or availability of the service.

7

How can I test AWS Shield?

AWS Acceptable Use Policy describes permitted and prohibited behavior on AWS, and it includes descriptions of prohibited security violations and network abuse. However, because DDoS simulation testing, penetration testing, and other simulated events are frequently indistinguishable from these activities, we have established policies for customers to request permission to conduct DDoS tests, penetration tests and vulnerability scans. Visit our Penetration testing page and DDoS Simulation Testing policy for more details.

8

In which AWS regions is AWS Shield Standard available?

AWS Shield Standard is available on all AWS services in every AWS Region and AWS edge location worldwide.

Please refer to Regional Products and Services for details of AWS Shield Standard availability by region.

9

In which AWS regions is AWS Shield Advanced available?

AWS Shield Advanced is available globally on all Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53 edge locations worldwide. You can protect your web applications hosted anywhere in the world by deploying Amazon CloudFront in front of your application. Your origin servers can be Amazon Simple Storage Service (S3), Amazon EC2, Elastic Load Balancing, or a custom server outside of AWS. You can also enable AWS Shield Advanced directly on Elastic Load Balancing or Amazon EC2 in the following AWS Regions: Northern Virginia, Ohio, Oregon, Northern California, Montreal, São Paulo, Ireland, Frankfurt, London, Paris, Stockholm, Singapore, Tokyo, Sydney, Seoul, Mumbai, Milan, Cape Town, Hong Kong, Bahrain, Malaysia, and UAE.

Please refer to Regional Products and Services for up-to-date details of AWS Shield Advanced availability by region.

10

Is AWS Shield HIPAA eligible?

Yes, AWS has expanded its HIPAA compliance program to include AWS Shield as a HIPAA eligible service. If you have an executed Business Associate Agreement (BAA) with AWS, you can use AWS Shield to safeguard your web applications running on AWS from Distributed Denial of Service (DDoS) attacks. For more information, see HIPAA Compliance.

11

What types of attacks can AWS Shield Standard help protect me from?

AWS Shield Standard automatically provides protection for web applications running on AWS against the most common, frequently occurring infrastructure layer attacks like UDP floods, and state exhaustion attacks like TCP SYN floods. Customers can also use AWS WAF to protect against application layer attacks like HTTP POST or GET floods. Find more details on how to deploy application layer protections in the AWS WAF and AWS Shield Advanced Developer Guide.

12

How many resources can I enable for AWS Shield Standard protection?

There is no limit on the number of resources subject to AWS Shield Standard protection. You can get the full benefits of AWS Shield Standard protections by following the best practices of DDoS resiliency on AWS.

13

How many resources can I enable for AWS Shield Advanced protection?

You can enable up to 1000 AWS resources of each supported resource type (Classic / Application Load Balancers, Amazon CloudFront distributions, Amazon Route 53 hosted zones, Elastic IPs, AWS Global Accelerator accelerators) for AWS Shield Advanced protection. If you want to enable more than 1000, you can request a limit increase by creating an AWS Support case.

14

Can I activate AWS Shield Advanced protection via API?

Yes. AWS Shield Advanced can be activated via APIs. You can also add or remove AWS resources from AWS Shield Advanced protection via APIs.

15

How quickly are events mitigated?

Typically, 99% of infrastructure layer attacks detected by AWS Shield are mitigated in less than 1 second for attacks on Amazon CloudFront and Amazon Route 53, and less than 5 minutes for attacks on Elastic Load Balancing. The remaining 1% of infrastructure events are typically mitigated in under 20 minutes. Application layer attacks are mitigated by writing rules on AWS WAF, which are inspected and mitigated inline with incoming traffic.

Application layer (Layer 7) DDoS events can be mitigated within seconds when the AWS WAF managed rule group for application layer (L7) DDoS protection is enabled. This rule group is available at an additional cost.

16

Can I protect resources outside of AWS?

Yes, a number of our customers choose to use AWS endpoints in front of their backend instances. Most commonly, these endpoints are our globally distributed services, CloudFront and Route 53. These services are also our best practice suggestions for DDoS resiliency. Customers can then protect these CloudFront distributions and Route 53 hosted zones with Shield Advanced. Please note that you need to lock down your backend resources to accept traffic only from these AWS endpoints.