What is AWS Shield?
AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS.
Tiers
1. AWS Shield Standard
- Cost: Free, automatically included for every AWS account.
- Protection: Protects against the most common, frequently occurring network and transport layer (Layer 3 & 4) DDoS attacks (e.g., SYN/UDP floods, reflection attacks). Coverage is broadest on CloudFront and Route 53, where attacks are absorbed at the edge.
- Automatic: Always on, no configuration needed.
2. AWS Shield Advanced
- Cost: $3,000 / month with a one-year commitment (one subscription covers all accounts in an AWS Organization), plus usage fees for data transfer out on protected resources.
- Protection: Sophisticated protection against large and complex DDoS attacks for resources you explicitly enroll (EC2 Elastic IPs, ELB, CloudFront, Route 53 hosted zones, Global Accelerator), with near real-time attack visibility and diagnostics.
- Support: 24/7 access to the AWS Shield Response Team (SRT). Caveat: contacting the SRT requires a Business or Enterprise Support plan on the account.
- Cost Protection: Service credits for scaling charges caused by an attack on a protected resource (e.g., if an attack causes your autoscaling group to launch 50 instances, you can request a credit for that cost). The credit is requested through AWS Support, not applied automatically.
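Shield Advanced exposes the diagnostics for each detected attack through the `DescribeAttack` API. The following Python script (an added example, not code from the page or from AWS) parses such a response and tells an on-call engineer what the exam tips above only state abstractly: whether the attack was Layer 3/4, Layer 7, or both, how large it peaked, which sources dominated, and which Shield mitigations fired. The attack payload below is constructed to mirror the field names of the CLI's `aws shield describe-attack` output; the ARN, attack ID, addresses and numbers are made up.

```python
"""Summarise a Shield Advanced DescribeAttack response for an incident channel."""
import json
from datetime import datetime

# Constructed sample shaped like `aws shield describe-attack` JSON output.
# All identifiers, IPs and volumes are invented for this example.
SAMPLE_ATTACK = json.dumps({
    "Attack": {
        "AttackId": "11111111-2222-3333-4444-555555555555",
        "ResourceArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:"
                       "loadbalancer/app/web/abc123",
        "StartTime": "2024-05-01T10:00:00+00:00",
        "EndTime": "2024-05-01T10:42:00+00:00",
        "AttackCounters": [
            {"Name": "SYN_FLOOD", "Max": 2.4e9, "Average": 1.1e9,
             "Sum": 2.7e12, "N": 42, "Unit": "BITS"},
            {"Name": "HTTP_FLOOD", "Max": 180000, "Average": 95000,
             "Sum": 4.0e6, "N": 42, "Unit": "REQUESTS"},
        ],
        "AttackProperties": [
            {"AttackLayer": "NETWORK",
             "AttackPropertyIdentifier": "SOURCE_IP_ADDRESS",
             "TopContributors": [
                 {"Name": "198.51.100.7", "Value": 900000000},
                 {"Name": "203.0.113.9", "Value": 600000000}],
             "Unit": "BITS", "Total": 2400000000},
            {"AttackLayer": "APPLICATION",
             "AttackPropertyIdentifier": "DESTINATION_URL",
             "TopContributors": [{"Name": "/login", "Value": 150000}],
             "Unit": "REQUESTS", "Total": 180000},
        ],
        "Mitigations": [{"MitigationName": "SYN flood mitigation"}],
    }
})

# Maps the API's layer names onto the Standard/Advanced distinction from the page.
LAYER_LABEL = {
    "NETWORK": "L3/4 (mitigated by Shield Standard and Advanced)",
    "APPLICATION": "L7 (needs AWS WAF rules, included with Shield Advanced)",
}


def summarize_attack(payload):
    """Return a dict with layer, duration, peak volumes, top sources and mitigations."""
    attack = (json.loads(payload) if isinstance(payload, str) else payload)["Attack"]
    start = datetime.fromisoformat(attack["StartTime"])
    end = datetime.fromisoformat(attack["EndTime"])
    layers = sorted({p["AttackLayer"] for p in attack.get("AttackProperties", [])})

    # Peak observed volume per unit (bits, packets, requests) across all counters.
    peak = {}
    for counter in attack.get("AttackCounters", []):
        unit = counter["Unit"]
        peak[unit] = max(peak.get(unit, 0), counter["Max"])

    # Share of attack traffic per top source IP; guards against a zero Total.
    top_sources = []
    for prop in attack.get("AttackProperties", []):
        if prop["AttackPropertyIdentifier"] != "SOURCE_IP_ADDRESS":
            continue
        total = prop.get("Total") or 0
        for contrib in prop["TopContributors"]:
            share = contrib["Value"] / total if total else 0.0
            top_sources.append((contrib["Name"], round(share, 3)))
    top_sources.sort(key=lambda item: item[1], reverse=True)

    return {
        "attack_id": attack["AttackId"],
        "resource": attack["ResourceArn"],
        "duration_min": int((end - start).total_seconds() // 60),
        "layers": [LAYER_LABEL.get(layer, layer) for layer in layers],
        "needs_waf": "APPLICATION" in layers,
        "peak": peak,
        "top_sources": top_sources,
        "mitigations": [m["MitigationName"] for m in attack.get("Mitigations", [])],
    }


def format_report(summary):
    """Render the summary as plain text suitable for pasting into an incident ticket."""
    lines = [
        f"Attack {summary['attack_id']} on {summary['resource']}",
        f"Duration: {summary['duration_min']} min",
        "Layers: " + "; ".join(summary["layers"]),
        "Peak: " + ", ".join(f"{v:,.0f} {u.lower()}" for u, v in summary["peak"].items()),
        "Top sources: " + ", ".join(f"{ip} ({share:.1%})" for ip, share in summary["top_sources"]),
        "Shield mitigations: " + (", ".join(summary["mitigations"]) or "none recorded"),
    ]
    if summary["needs_waf"]:
        lines.append("Action: review the WAF web ACL on this resource; L7 traffic was part of the attack.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarize_attack(SAMPLE_ATTACK)))
```

The `needs_waf` flag is the practical takeaway: Shield's network-layer mitigations handle the SYN flood on their own, but a concurrent HTTP flood against `/login` only gets blocked by WAF rules (rate-based or automatic application-layer mitigation), which is exactly why the WAF integration matters for Shield Advanced.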
Exam Tips
[!IMPORTANT] DDoS = Shield: If you see "DDoS Protection" on the exam, the answer is AWS Shield.
- If the question mentions "Free", "Standard", or protection for every account with no setup -> Shield Standard.
- If it mentions "Enterprise", "24/7 Support" / "Shield Response Team", or "Reimbursement" / "cost protection" for attack-driven scaling -> Shield Advanced.
[!NOTE] Integration: Shield Advanced integrates with AWS WAF to protect against Layer 7 (Application) attacks as well. WAF web ACL and rule charges are waived for resources protected by Shield Advanced, and Shield Advanced can automatically create WAF rules to mitigate application-layer floods (automatic application layer DDoS mitigation).
[!WARNING] Shield Advanced is expensive ($3k/mo). It is typically used by large enterprises.
Common Use Cases
- Standard: Every AWS account gets this automatically for all of its resources; websites fronted by CloudFront and Route 53 get the most comprehensive coverage because attacks are absorbed at the edge.
- Advanced: Banking applications, major e-commerce sites, or critical government services that cannot afford any downtime and need expert support during an attack.