
AWS Shield

What Is This Service?

Managed AWS DDoS protection service.

Mental model:

  • Shield Standard → automatic infrastructure DDoS protection
  • Shield Advanced → managed DDoS defense + intelligence + response + recovery economics

Primary purpose:

Maintain Availability under attack.

AWS Shield is not an application firewall and not a threat detection platform.


Why It Matters for Security

DDoS attacks target:

  • Availability
  • Business continuity
  • User experience
  • Cost exhaustion
  • Operational disruption

Shield exists to:

  • absorb volumetric attacks at AWS edge
  • minimize blast radius
  • maintain application uptime
  • automate mitigation
  • reduce operational response burden
  • protect against cost amplification

Security outcomes:

  • preserve availability
  • improve resilience
  • centralize protection
  • reduce manual intervention

MOST TESTED:

Shield protects availability, not confidentiality or integrity.


Architecture Example

Standard Internet-Facing Protection Pattern

flowchart LR

Users --> Edge

subgraph AWS Edge
CF[CloudFront]
GA[Global Accelerator]
Shield[Shield]
WAF[AWS WAF]
end

Edge --> CF
Edge --> GA

Shield --> CF
Shield --> GA

WAF --> CF

CF --> ALB
GA --> ALB

ALB --> EC2
ALB --> EKS

Shield --> CloudWatch
Shield --> SecurityHub
Shield --> EventBridge

Architecture goals:

  • absorb attacks at edge
  • reduce regional exhaustion
  • apply application filtering
  • automate security response

Workflow(s)

Infrastructure DDoS Mitigation

sequenceDiagram

participant Client
participant Edge
participant Shield
participant Resource

Client->>Edge: Traffic

Edge->>Shield: Continuous inspection

alt Normal
Shield->>Resource: Forward traffic
end

alt DDoS Detected
Shield->>Shield: Infrastructure mitigation
Shield->>Resource: Deliver cleaned traffic
end

Application Layer DDoS Protection

sequenceDiagram

participant Client
participant Shield
participant WAF
participant CloudFront
participant Origin

Client->>CloudFront: HTTP Flood

CloudFront->>Shield: Analyze traffic

Shield->>WAF: Mitigation signal

WAF->>CloudFront: Apply rules

CloudFront->>Origin: Legitimate requests only

Proactive Engagement Flow

sequenceDiagram

participant Shield
participant Health as Route53 Health Check
participant SRT
participant Customer

Shield->>Health: Validate application health

alt Attack + Health degradation
Shield->>SRT: Escalate
SRT->>Customer: Proactive outreach
end

alt Attack but app healthy
Shield->>Shield: Continue automated mitigation
end

Core Concepts

Shield Standard

Default DDoS protection.

Included automatically.

Protected services:

  • CloudFront
  • Route 53
  • Global Accelerator
  • ELB
  • Elastic IP

Protection scope:

  • Layer 3
  • Layer 4

Examples:

  • SYN flood
  • UDP flood
  • reflection attacks
  • volumetric attacks

Characteristics:

  • automatic
  • always enabled
  • infrastructure mitigation
  • no configuration

Limitations:

  • no access to the Shield Response Team (SRT, formerly DRT)
  • limited visibility (no per-attack diagnostics)
  • no cost protection
  • no application-layer (L7) mitigation

MOST TESTED:

Shield Standard is already active on every AWS account at no charge.

There is nothing to deploy, enable or configure; an answer that describes "turning on" Shield Standard is wrong.


Shield Advanced

Paid managed DDoS protection.

Adds:

  • attack diagnostics
  • attack visibility (per-attack reports and CloudWatch metrics)
  • Shield Response Team (SRT, formerly DRT) access
  • proactive engagement
  • cost protection
  • application-layer mitigation (with AWS WAF)
  • health-based detection

Protected resources:

  • CloudFront distributions
  • Global Accelerator standard accelerators
  • Route 53 hosted zones
  • ALB
  • Classic Load Balancer
  • Elastic IP
  • EC2 instances and NLBs via their Elastic IPs

Health-Based Detection

HIGH VALUE

Shield Advanced can consume:

  • Route 53 health checks associated with the protected resource
  • CloudWatch metrics and alarms (by driving a Route 53 health check from them)
  • application health indicators exposed through those checks

Purpose:

Differentiate:

  • traffic spikes
  • actual service degradation

Benefits:

  • better mitigation decisions
  • lower false positives

Proactive Engagement

Shield Advanced feature.

Allows:

AWS Shield Response Team (SRT) to contact your team automatically.

Requirements:

  • Shield Advanced subscription
  • proactive engagement enabled (it is opt-in, off by default)
  • emergency contacts configured
  • Route 53 health checks associated with the protected resources

Typical implementation:

Route 53 health checks.

Trigger:

  1. Attack detected
  2. Health deteriorates
  3. SRT engages

MASSIVE EXAM TRAP:

Attack detection alone does not trigger proactive engagement.


Application Layer DDoS Protection

MOST TESTED

Shield Advanced integrates with AWS WAF.

Requirements for automatic application-layer mitigation:

  • the protected resource (CloudFront distribution or ALB) has an associated WAF web ACL
  • that web ACL already contains a rate-based rule
  • a mitigation action is chosen: Count or Block

Detection:

  • request anomalies
  • flood patterns
  • behavioral baselines

Mitigation:

  • Shield-managed rules placed in your web ACL, acting as Count or Block
  • your own WAF rules alongside them: rate-based rules, managed rules, CAPTCHA and challenge actions

Shield handles:

  • attack identification

WAF handles:

  • request enforcement

Rate-Based Rule Exam Trap

HIGH VALUE

Scenario:

Immediate mitigation required for HTTP floods.

Best answer:

AWS WAF Rate-Based Rule

Why:

Rate-based rules react instantly to thresholds.

Example:

  • Limit = 100 requests (the smallest limit WAF accepts)
  • aggregated per source IP
  • per rolling evaluation window (5 minutes by default; 1, 2, 5 or 10 minutes selectable)

Shield Advanced:

  • learns patterns
  • builds behavioral baselines
  • not always fastest first response

Rule:

Immediate HTTP mitigation → WAF

Adaptive mitigation → Shield Advanced
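An added example (not part of these notes, and not AWS code) showing what the rate-based rule in this section actually does: `build_rate_based_rule()` emits the rule in the shape the WAFv2 API takes in the `Rules` list of `create-web-acl`/`update-web-acl`, enforcing the limits WAF accepts, and `simulate_rate_based_rule()` replays constructed request log lines through a trailing evaluation window to show at which second a flooding source would start to be blocked while a normal client is untouched. The rule name, metric name and log line format are assumptions made for the example.

```python
"""Added example: a WAF rate-based rule definition plus an offline replay
of the threshold logic over constructed request logs.
"""
from collections import defaultdict, deque

VALID_WINDOWS = (60, 120, 300, 600)  # EvaluationWindowSec values WAF accepts
MIN_LIMIT = 100                       # smallest Limit WAF accepts


def build_rate_based_rule(name, limit=100, window_sec=300, action="Block", priority=0):
    """Return a WAFv2 rule dict (shape used by create-web-acl/update-web-acl).

    `name` doubles as the CloudWatch metric name; both are illustrative.
    """
    if limit < MIN_LIMIT:
        raise ValueError(f"Limit must be >= {MIN_LIMIT}")
    if window_sec not in VALID_WINDOWS:
        raise ValueError(f"EvaluationWindowSec must be one of {VALID_WINDOWS}")
    if action not in ("Block", "Count"):
        raise ValueError("action must be Block or Count")
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {
            "RateBasedStatement": {
                "Limit": limit,
                "EvaluationWindowSec": window_sec,
                "AggregateKeyType": "IP",   # count per source IP
            }
        },
        "Action": {action: {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def parse_log_line(line):
    """Constructed log format for this example: '<epoch_seconds> <client_ip> <path>'."""
    ts, ip, _path = line.split(maxsplit=2)
    return int(ts), ip


def simulate_rate_based_rule(log_lines, limit=100, window_sec=300):
    """Replay requests in time order with a trailing window per source IP.

    Returns {ip: timestamp_of_first_blocked_request} for every IP whose
    request count inside any window_sec window exceeds `limit`.
    Requests at or below the limit pass.
    """
    windows = defaultdict(deque)   # ip -> timestamps still inside the window
    first_block = {}
    for ts, ip in sorted(parse_log_line(line) for line in log_lines):
        recent = windows[ip]
        recent.append(ts)
        while recent and recent[0] <= ts - window_sec:   # drop expired entries
            recent.popleft()
        if len(recent) > limit and ip not in first_block:
            first_block[ip] = ts
    return first_block


def constructed_sample():
    """Constructed traffic: one flooding IP (150 requests in 60 s) and one
    normal client (20 requests spread over 10 minutes)."""
    lines = []
    for i in range(150):
        lines.append(f"{1000 + (i * 60) // 150} 203.0.113.10 /login")
    for i in range(20):
        lines.append(f"{1000 + i * 30} 198.51.100.7 /")
    return lines


if __name__ == "__main__":
    rule = build_rate_based_rule("http-flood-rate-rule")
    print(rule["Statement"])
    print(simulate_rate_based_rule(constructed_sample()))  # {'203.0.113.10': 1040}
```

The flooding address crosses 100 requests at second 1040, forty seconds into the burst, and is blocked from its 101st request onward; that is the "reacts instantly to thresholds" behaviour the section describes, with no learning phase. Raising `limit` to 200 lets the same burst through untouched, which is why the threshold has to be sized from real per-client request rates rather than guessed.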


Shield Response Team (SRT, formerly DDoS Response Team / DRT)

Only with Shield Advanced. Exam questions still use both names for the same team.

Capabilities:

  • traffic analysis
  • mitigation guidance
  • architecture recommendations
  • incident assistance

Not responsible for:

  • application debugging
  • infrastructure deployment
  • code remediation

Cost Protection

Shield Advanced includes DDoS cost protection.

It covers scaling charges on protected resources that are attributable to a confirmed DDoS attack, for example:

  • CloudFront request and data transfer scaling
  • EC2 expansion behind a protected load balancer or Elastic IP
  • Route 53 query spikes
  • ELB expansion
  • Global Accelerator traffic spikes

Purpose:

Prevent financial exhaustion.

MASSIVE EXAM TRAP:

Not unlimited reimbursement. Credits are issued only for charges attributable to the attack, only on protected resources, and you must request them.


Protection Groups

Logical grouping of Shield Advanced protected resources.

Grouping patterns:

  • all protected resources
  • an arbitrary list of resources
  • all resources of one type (for example every ALB)

Group metrics are aggregated across members as sum, mean or max.

Benefits:

  • attack aggregation
  • unified visibility
  • detection on the group rather than on a single transient member, which reduces noise for autoscaled fleets

Important Integrations

Service             Purpose
AWS WAF             Layer 7 mitigation
CloudFront          Edge absorption
Route 53            DNS protection
Global Accelerator  Edge ingress
CloudWatch          Health signals
EventBridge         Automation
Security Hub        Findings
Firewall Manager    Governance
Organizations       Central control
Lambda              Auto-remediation

Security Features

Edge Mitigation

Traffic filtered before origin.

Benefits:

  • lower regional pressure
  • preserve capacity

Automatic Mitigation

Infrastructure defense occurs automatically.

No route changes required.


Centralized Governance

Firewall Manager enables:

  • deployment
  • compliance
  • automation

Multi-Account Protection

Delegated admin supported.

Central account manages:

  • policies
  • attacks
  • visibility

Advanced Security and Operational Concepts

Control Plane vs Data Plane

Control Plane:

  • create protections
  • manage policies
  • monitor attacks

Data Plane:

  • actual inspection
  • mitigation execution

Exam trap:

Mitigation does not happen inside your VPC.


Global Accelerator + Shield Advanced

HIGH VALUE

Architecture:

flowchart LR

Users --> Edge

Edge --> GA[Global Accelerator]

GA --> Shield[Shield Advanced]

Shield --> ALB1[Regional ALB]
Shield --> ALB2[Regional ALB]

ALB1 --> App
ALB2 --> App

Security benefits:

  • traffic enters AWS backbone earlier
  • reduced regional saturation
  • attack absorption closer to source
  • improved availability

Exam takeaway:

Global Accelerator + Shield Advanced is stronger than exposing ALBs directly.


Regional vs Global Protection

Global:

  • CloudFront
  • Route 53
  • Global Accelerator

Regional:

  • ALB
  • NLB
  • Elastic IP

Protection follows resource scope.


Firewall Manager + Shield

MOST TESTED

flowchart TB

Org[AWS Organizations]

Config[AWS Config]

FMS[Firewall Manager]

Config --> FMS

FMS --> ShieldPolicies

ShieldPolicies --> Account1
ShieldPolicies --> Account2
ShieldPolicies --> Account3

Requirements:

  • Organizations
  • delegated administrator
  • AWS Config enabled

Why Config matters:

Firewall Manager discovers resources through Config.

MASSIVE EXAM TRAP:

Without Config enabled in the member accounts and regions, Firewall Manager cannot discover in-scope resources, so a Shield Advanced policy is never applied to them.


Logging and Visibility

Shield provides:

  • attack reports
  • diagnostics
  • CloudWatch metrics

Not supported:

  • packet inspection
  • payload capture

Use alongside:

  • CloudFront logs
  • VPC Flow Logs
  • Security Lake
  • Security Hub
  • WAF logs

Incident Response Pattern

flowchart LR

Shield --> SecurityHub

SecurityHub --> EventBridge

EventBridge --> Lambda

Lambda --> WAF

Lambda --> SNS

Flow:

Detect → Alert → Mitigate → Notify
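The Detect, Alert, Mitigate, Notify chain above as a Lambda handler, added here as an example; it is not code from these notes or from AWS. It takes the CloudWatch route rather than the Security Hub one: the assumption is that an alarm on the Shield Advanced metric DDoSDetected (namespace AWS/DDoSProtection) is forwarded to the function by an EventBridge rule matching "CloudWatch Alarm State Change" events, and that the protected resource already has a web ACL containing a rate-based rule that normally runs in Count mode. On ALARM the handler flips that rule to Block, on OK back to Count. The WAFv2 calls (get_web_acl, update_web_acl with LockToken) are the real boto3 signatures; the client is injected so the handler runs offline against the small in-block stand-in. Environment variable names, the rule name, web ACL identifiers and the alarm name are assumptions.

```python
"""Added example: Lambda auto-remediation that escalates a WAF rate-based
rule from Count to Block when a Shield DDoSDetected alarm fires.
"""
import copy
import json
import os

# Illustrative names; in Lambda set these from environment variables.
RULE_NAME = os.environ.get("RATE_RULE_NAME", "http-flood-rate-rule")
WEB_ACL = {
    "Name": os.environ.get("WEB_ACL_NAME", "edge-acl"),
    "Scope": os.environ.get("WEB_ACL_SCOPE", "CLOUDFRONT"),   # or REGIONAL for an ALB
    "Id": os.environ.get("WEB_ACL_ID", "00000000-0000-0000-0000-000000000000"),
}


def alarm_state(event):
    """Return (alarm_name, state_value) from a CloudWatch alarm event, else (None, None)."""
    if event.get("source") != "aws.cloudwatch" or \
            event.get("detail-type") != "CloudWatch Alarm State Change":
        return None, None
    detail = event["detail"]
    return detail["alarmName"], detail["state"]["value"]


def set_rule_action(wafv2, action):
    """Set RULE_NAME's action to `action` and return (changed, previous_action).

    The LockToken from get_web_acl is passed back so a concurrent editor makes
    update_web_acl fail instead of silently overwriting their change.
    """
    resp = wafv2.get_web_acl(**WEB_ACL)
    acl, lock = resp["WebACL"], resp["LockToken"]
    rules = copy.deepcopy(acl["Rules"])
    target = next((r for r in rules if r["Name"] == RULE_NAME), None)
    if target is None:
        raise LookupError(f"rule {RULE_NAME} not found in web ACL")
    previous = next(iter(target["Action"]))          # "Count" or "Block"
    if previous == action:
        return False, previous                       # idempotent: nothing to do
    target["Action"] = {action: {}}
    wafv2.update_web_acl(**WEB_ACL, DefaultAction=acl["DefaultAction"], Rules=rules,
                         VisibilityConfig=acl["VisibilityConfig"], LockToken=lock)
    return True, previous


def handler(event, context=None, wafv2=None, notify=print):
    """Lambda entry point. `notify` stands in for the SNS publish in the diagram."""
    if wafv2 is None:
        import boto3  # only needed inside Lambda; CLOUDFRONT-scope ACLs live in us-east-1
        wafv2 = boto3.client("wafv2", region_name="us-east-1")
    name, state = alarm_state(event)
    if name is None:
        return {"action": "ignored", "reason": "not a CloudWatch alarm event"}
    action = "Block" if state == "ALARM" else "Count"   # OK / INSUFFICIENT_DATA revert to Count
    changed, previous = set_rule_action(wafv2, action)
    result = {"alarm": name, "state": state, "rule": RULE_NAME,
              "action": action, "changed": changed, "previous": previous}
    notify(json.dumps(result))
    return result


class FakeWafv2:
    """Offline stand-in for boto3's wafv2 client: one web ACL, one rule, LockToken check."""
    def __init__(self):
        self.lock = "tok-1"
        vis = {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True}
        self.acl = {"Name": WEB_ACL["Name"], "Id": WEB_ACL["Id"],
                    "DefaultAction": {"Allow": {}},
                    "VisibilityConfig": dict(vis, MetricName=WEB_ACL["Name"]),
                    "Rules": [{"Name": RULE_NAME, "Priority": 0,
                               "Statement": {"RateBasedStatement": {
                                   "Limit": 100, "EvaluationWindowSec": 300,
                                   "AggregateKeyType": "IP"}},
                               "Action": {"Count": {}},
                               "VisibilityConfig": dict(vis, MetricName=RULE_NAME)}]}

    def get_web_acl(self, Name, Scope, Id):
        return {"WebACL": copy.deepcopy(self.acl), "LockToken": self.lock}

    def update_web_acl(self, Name, Scope, Id, DefaultAction, Rules, VisibilityConfig, LockToken):
        if LockToken != self.lock:
            raise RuntimeError("WAFOptimisticLockException")
        self.acl["Rules"] = copy.deepcopy(Rules)
        self.lock = "tok-%d" % (int(self.lock.split("-")[1]) + 1)
        return {"NextLockToken": self.lock}


def constructed_alarm_event(state="ALARM"):
    """Constructed sample in the CloudWatch Alarm State Change event shape."""
    return {"source": "aws.cloudwatch", "detail-type": "CloudWatch Alarm State Change",
            "detail": {"alarmName": "shield-ddos-detected-edge", "state": {"value": state}}}


if __name__ == "__main__":
    fake = FakeWafv2()
    handler(constructed_alarm_event("ALARM"), wafv2=fake)   # Count -> Block
    handler(constructed_alarm_event("OK"), wafv2=fake)      # Block -> Count
```

Two points a practitioner would want from this: the handler is idempotent, so a re-delivered event does not issue a second update, and it never drops the rest of the web ACL, because update_web_acl replaces the whole rule list and a careless version would wipe the other rules. The function's execution role needs only wafv2:GetWebACL and wafv2:UpdateWebACL on that one web ACL plus sns:Publish on the notification topic.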


Comparisons

Service            Primary Goal          Scope
Shield Standard    Infrastructure DDoS   L3/L4
Shield Advanced    Managed DDoS          L3/L4, plus L7 coordination with WAF
AWS WAF            HTTP filtering        L7
Network Firewall   Network inspection    VPC
GuardDuty          Threat detection      Detection only, no mitigation
CloudFront         CDN                   Edge acceleration

Common Exam Traps

  1. Shield Standard is enabled automatically.

  2. Shield is not WAF.

  3. Shield does not inspect application code.

  4. Immediate HTTP mitigation → WAF Rate-Based Rule.

  5. Shield Advanced learns behavioral baselines.

  6. Cost protection is limited.

  7. Shield protects availability.

  8. SRT (formerly DRT) access requires Shield Advanced.

  9. Proactive engagement requires health checks.

  10. Firewall Manager requires AWS Config.

  11. Global Accelerator improves DDoS resilience.

  12. Shield mitigation occurs outside VPC.

  13. Shield does not replace DR.

  14. CloudFront + WAF + Shield is preferred architecture.

  15. Shield cannot protect private-only endpoints.


5-Second Recall

  • Shield = DDoS protection
  • Standard = free + automatic
  • Advanced = SRT (DRT) + visibility + cost protection
  • WAF = Layer 7 enforcement
  • Rate-based rules = fastest HTTP mitigation
  • Global Accelerator strengthens resilience
  • Firewall Manager requires Config

Quick Revision Notes

  • Shield protects Availability
  • Standard → L3/L4 automatic protection
  • Advanced → operational DDoS platform
  • WAF handles request filtering
  • Health-based detection powers proactive engagement
  • SRT (formerly DRT) supports active incidents
  • Global Accelerator improves attack absorption
  • Config required for Firewall Manager automation
  • Use EventBridge + Lambda for response automation
  • CloudFront + WAF + Shield = preferred internet-facing pattern