Provides a custom-designed set of protections against DDoS attacks
Offers protection against all known infrastructure-layer (Layer 3 and Layer 4) DDoS attacks: network volumetric attacks (L3) and network protocol attacks (L4), for example TCP SYN floods
Comes in 2 forms:
Shield Standard:
It is free of charge for all AWS customers
Protection is applied at the perimeter of the network (either at the region/VPC level, or at the AWS edge when CloudFront is used)
Protects against common Network (L3) and Transport (L4) layer attacks
We get the best protection if we use Route 53, CloudFront or Global Accelerator
It provides no proactive capabilities and no explicit, configurable protections of any kind
Shield Advanced:
Costs $3000 per month per organization, with a 1-year lock-in, plus a monthly charge for data transfer out. The cost is not per account: to protect multiple accounts, they must all be in the same organization
Expands the range of products which can be protected: CloudFront, Global Accelerator, Route 53, anything associated with an EIP (for example EC2 instances), load balancers (ALB, CLB, NLB)
Protection offered by Shield Advanced is not automatic. We need to enable it in Shield Advanced or as part of an AWS Firewall Manager Shield Advanced policy
Shield Advanced provides access to a 24/7 advanced response team named the AWS Shield Response Team (SRT)
Provides financial protection against increased charges caused by DDoS attacks
Additional Shield Advanced features:
Integration with WAF:
Shield Advanced integrates with WAF to protect against Application Layer (L7) attacks
Includes basic AWS WAF fees for web ACLs, rules and web requests
Real-time visibility of DDoS events and attacks
Health-based detection: application-specific health checks used by the proactive engagement team to detect and mitigate issues faster
Protection groups:
We can create groupings of the resources that Shield Advanced protects
We can define the membership criteria for a group; any new resource matching the criteria is added automatically
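The opt-in nature of Shield Advanced protection, the health-based detection hook and auto-membership protection groups described above, as an added example (not from these notes and not AWS's own code). It uses the real AWS CLI subcommands `aws shield create-protection`, `aws shield associate-health-check` and `aws shield create-protection-group`; every ARN, account number and health check ID is a constructed placeholder, and the labels USE_ELASTIC_IP and UNSUPPORTED are the script's own, not Shield values:

```shell
#!/bin/sh
# Added example, not from the original notes: opt a set of resources in to
# Shield Advanced protection, attach a health check, and create a protection
# group that admits new members automatically.
# Assumptions: the AWS CLI is installed and configured for an account that is
# subscribed to Shield Advanced; every ARN and ID below is a constructed
# placeholder, not a real resource.

# Map a resource ARN to the ResourceType name Shield uses for protection
# groups (CLOUDFRONT_DISTRIBUTION, ROUTE_53_HOSTED_ZONE, ELASTIC_IP_ALLOCATION,
# GLOBAL_ACCELERATOR, APPLICATION_LOAD_BALANCER, CLASSIC_LOAD_BALANCER).
# USE_ELASTIC_IP and UNSUPPORTED are this script's own labels: an NLB (like an
# EC2 instance) is protected through the Elastic IP attached to it, and
# anything else cannot be protected by Shield Advanced at all.
shield_resource_type() {
  case "$1" in
    arn:aws:cloudfront::*:distribution/*)                echo CLOUDFRONT_DISTRIBUTION ;;
    arn:aws:route53:::hostedzone/*)                      echo ROUTE_53_HOSTED_ZONE ;;
    arn:aws:ec2:*:*:eip-allocation/*)                    echo ELASTIC_IP_ALLOCATION ;;
    arn:aws:globalaccelerator::*:accelerator/*)          echo GLOBAL_ACCELERATOR ;;
    arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*) echo APPLICATION_LOAD_BALANCER ;;
    arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*) echo USE_ELASTIC_IP ;;
    arn:aws:elasticloadbalancing:*:*:loadbalancer/*)     echo CLASSIC_LOAD_BALANCER ;;
    *)                                                   echo UNSUPPORTED ;;
  esac
}

# Enable protection for one resource (Shield Advanced protection is opt-in).
# Prints the ProtectionId on success; refuses ARNs Shield cannot protect.
protect_resource() {
  arn="$1"; name="$2"
  rtype="$(shield_resource_type "$arn")"
  case "$rtype" in
    UNSUPPORTED)
      echo "skip $arn: not protectable by Shield Advanced" >&2; return 1 ;;
    USE_ELASTIC_IP)
      echo "skip $arn: protect the Elastic IP attached to this NLB instead" >&2; return 1 ;;
  esac
  aws shield create-protection --name "$name" --resource-arn "$arn" \
    --query ProtectionId --output text
}

# Health-based detection: tie a Route 53 health check to a protection so
# application health is available as a detection signal alongside traffic.
attach_health_check() {
  aws shield associate-health-check \
    --protection-id "$1" \
    --health-check-arn "arn:aws:route53:::healthcheck/$2"
}

# Protection group keyed on resource type: any newly protected resource of
# that type becomes a member without further configuration.
create_type_group() {
  aws shield create-protection-group \
    --protection-group-id "$1" \
    --aggregation SUM \
    --pattern BY_RESOURCE_TYPE \
    --resource-type "$2"
}

main() {
  # Constructed placeholder ARNs; the S3 bucket is there to show the refusal path.
  resources="arn:aws:cloudfront::111122223333:distribution/EXAMPLEDIST
arn:aws:ec2:us-east-1:111122223333:eip-allocation/eipalloc-0123456789abcdef0
arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/web/0123456789abcdef
arn:aws:s3:::not-protectable-bucket"
  first_pid=""
  for arn in $resources; do
    pid="$(protect_resource "$arn" "prot-${arn##*/}")" || continue
    echo "protected $arn as $pid"
    [ -n "$first_pid" ] || first_pid="$pid"
  done
  # Attach an application health check to the first protection created.
  [ -n "$first_pid" ] && attach_health_check "$first_pid" PLACEHOLDER-HEALTH-CHECK-ID
  create_type_group all-eips ELASTIC_IP_ALLOCATION
}

# Only talk to AWS when explicitly asked; sourcing the file just defines the functions.
if [ "${RUN_SHIELD_DEMO:-0}" = 1 ]; then main; fi
```

Run it with `RUN_SHIELD_DEMO=1 sh shield-advanced.sh` against a subscribed account. The ARN mapping is the part worth keeping: it stops the script from calling `create-protection` on resources Shield Advanced cannot protect, and it makes the NLB/EC2 case explicit, since those are protected through their Elastic IP rather than directly.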