AWS Shield Cheat Sheet

• A managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS.

Shield Tiers and Features

Standard

• All AWS customers benefit from the automatic protections of Shield Standard.

• Provides always-on network flow monitoring that inspects incoming traffic to AWS and detects malicious traffic in real time.

• Uses techniques such as deterministic packet filtering and priority-based traffic shaping to automatically mitigate attacks without impacting your applications.

• When used with CloudFront and Route 53, Shield Standard provides comprehensive availability protection against known infrastructure-layer attacks.



• You can view detected and mitigated events in your account’s AWS Shield console.

Advanced

• Provides enhanced detection by inspecting network flows and monitoring application-layer traffic to resources such as Elastic IPs, Elastic Load Balancing, CloudFront, and Route 53.

• Handles most DDoS protection and mitigation for Layer 3, Layer 4, and Layer 7 attacks.

• Includes 24×7 access to the AWS DDoS Response Team (requires Enterprise or Business Support).

• Automatically provides additional mitigation capacity to protect against large-scale or sophisticated attacks; the DRT can also apply manual mitigations.

• Offers visibility into DDoS attacks through near real-time CloudWatch notifications and detailed diagnostics in the AWS WAF & Shield console.

• Includes DDoS cost protection, which provides service credits for scaling charges caused by a DDoS attack.

• Available globally on all supported CloudFront and Route 53 edge locations.

• Provides access to historical attack data for the trailing 13 months.

Other Additional Features

• Supports integration with AWS WAF for advanced application-layer protections.

• Provides detailed event logs and diagnostics for investigation and analysis

AWS Shield Pricing

• Shield Standard

  • Included automatically at no additional charge for all AWS customers.

• Shield Advanced

  • Paid service requiring a 1-year subscription commitment.

  • Charges a monthly subscription fee per organization or per account (depending on setup).

  • Additional usage-based fees apply for Data Transfer Out from CloudFront, ELB, EC2, and AWS Global Accelerator.

Note: If you are studying for the AWS Certified Security Specialty exam, we highly recommend that you take our AWS Certified Security – Specialty Practice Exams and read our Security Specialty exam study guide.

AWS Shield Cheat Sheet References:

https://aws.amazon.com/shield/features/
https://aws.amazon.com/shield/pricing/
https://aws.amazon.com/shield/faqs/