Shield Advanced: Advanced DDoS Mitigation
AWS offers a free Denial of Service Attack Protection service called AWS Shield Standard, which is enabled on all accounts (even those that only use the Free tier). The service protects you against layer 3-4 volumetric attacks such as SYN floods and UDP reflection.
Optionally, customers can choose to enable AWS Shield Advanced for greater protection of their cloud loads.
AWS Shield Standard vs AWS Shield Advanced
AWS Shield Advanced complements the standard service by adding multiple capabilities:
Benefits of using AWS Shield Advanced
- Protection against attacks in the application layer (Layer 7) such as HTTP Floods, DNS Query Floods, and in the presentation layer (Layer 6) as TLS Abuse.
- Access to an incident response team (24x7) that helps them filter malicious traffic and add appropriate protections, including manual traffic analysis. The team also provides preventive support by analyzing their architectures to assess its resilience to denial-of-service attacks and propose improvements for them.
- If your infrastructure (load balancers, instances, etc.) scale as a result of a denial of service attack, AWS Shield Advanced allows you to recover that cost.
- It provides metrics that can be analyzed with Amazon CloudWatch, and visualization of the current global status of DDoS attacks.
- Includes unlimited use of AWS WAF and AWS Firewall manager (see more details here