
Overview

AWS Shield is a managed DDoS (Distributed Denial of Service) protection service that safeguards applications running on AWS. Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency.

Shield Standard vs Advanced

    DDoS Attack Types

    Enabling Shield Advanced

    Via Console

    1. Subscribe to Shield Advanced
       • Navigate to the AWS Shield console
       • Click “Subscribe to Shield Advanced”
       • Review the pricing and terms
       • Confirm the subscription
    2. Add Resources
       • Select the resource types to protect
       • Choose the specific resources
       • Configure protection groups (optional)
       • Enable automatic application-layer mitigation
    3. Configure Notifications
       • Create an SNS topic for alerts
       • Subscribe email/SMS endpoints
       • Configure alert preferences
    4. Set Up DDoS Response Team (DRT) Access
       • Create an IAM role for the DRT
       • Grant the necessary permissions
       • Provide access to AWS WAF (optional)

    Terraform Configuration

    # Enable the Shield Advanced subscription for this account.
    # NOTE(review): the subscription is account-wide; every aws_shield_protection
    # below depends on it existing first.
    resource "aws_shield_subscription" "main" {
      auto_renew = "ENABLED"  # renew at the end of each term rather than lapsing silently

      # This creates a 1-year commitment
      # Cost: $3,000/month minimum
    }
    
    # Protect the CloudFront distribution.
    # NOTE(review): CloudFront is a global resource — its Shield protection is
    # managed out of us-east-1; confirm this provider is configured for that region.
    resource "aws_shield_protection" "cloudfront" {
      name         = "cloudfront-protection"
      resource_arn = aws_cloudfront_distribution.main.arn  # distribution declared elsewhere

      tags = {
        Environment = "production"
      }
    }
    
    # Protect the Application Load Balancer (regional resource, same region as the ALB).
    # Only resources registered here receive Shield Advanced mitigation, cost
    # protection and DRT coverage — unregistered public endpoints stay on Standard.
    resource "aws_shield_protection" "alb" {
      name         = "alb-protection"
      resource_arn = aws_lb.main.arn  # load balancer declared elsewhere

      tags = {
        Environment = "production"
      }
    }
    
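    # Protect an Elastic IP.
    # The EIP ARN is assembled from the caller's account and region instead of
    # being hard-coded, so the configuration is portable across accounts/regions
    # and does not commit an account ID to source control.
    # Assumes an aws_eip.main resource is declared alongside the other referenced
    # resources (aws_lb.main, aws_cloudfront_distribution.main, ...).
    data "aws_caller_identity" "current" {}
    data "aws_region" "current" {}

    resource "aws_shield_protection" "eip" {
      name         = "ec2-eip-protection"
      resource_arn = "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:eip-allocation/${aws_eip.main.id}"

      tags = {
        Environment = "production"
      }
    }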
    
    # Protect the Route 53 hosted zone.
    # NOTE(review): Route 53 is a global service — like CloudFront, its protection
    # is created via us-east-1; confirm the provider region.
    resource "aws_shield_protection" "route53" {
      name         = "route53-protection"
      resource_arn = aws_route53_zone.main.arn  # hosted zone declared elsewhere

      tags = {
        Environment = "production"
      }
    }
    
    # Protection group: a logical grouping of protections that Shield treats as one
    # unit for detection and mitigation.
    resource "aws_shield_protection_group" "web_tier" {
      protection_group_id = "web-tier-protection"
      # How member metrics are combined for detection: "MAX" (any single member's
      # volume), "SUM" (combined volume) or "MEAN" (average per member).
      aggregation         = "MAX"  # or "SUM", "MEAN"
      # "ARBITRARY" = explicit member list below (vs. grouping by resource type / all).
      pattern             = "ARBITRARY"

      members = [
        aws_shield_protection.cloudfront.id,
        aws_shield_protection.alb.id,
      ]

      tags = {
        Tier = "web"
      }
    }
    
    # Health-based detection: link a Route 53 health check to the ALB protection so
    # Shield uses application health (not just traffic volume) when judging an
    # attack — this is also the signal proactive engagement relies on.
    resource "aws_shield_protection_health_check_association" "alb" {
      health_check_arn     = aws_route53_health_check.alb.arn
      shield_protection_id = aws_shield_protection.alb.id
    }
    
    # Route 53 health check for the ALB: HTTPS GET of /health every 30 s, unhealthy
    # after 3 consecutive failures.
    # NOTE(review): the Route 53 health checkers must be able to reach this
    # endpoint — confirm the ALB security group / listener allows their source
    # ranges, otherwise the check is permanently unhealthy and the health-based
    # signal is useless.
    resource "aws_route53_health_check" "alb" {
      type              = "HTTPS"
      resource_path     = "/health"  # should reflect real application health, not just "listener up"
      fqdn              = aws_lb.main.dns_name
      port              = 443
      request_interval  = 30
      failure_threshold = 3

      tags = {
        Name = "alb-health-check"
      }
    }
    
    # IAM role the DDoS Response Team assumes to act in this account.
    # The trust policy admits only the Shield DRT service principal — no human or
    # cross-account principals — so this role cannot be assumed by anything else.
    resource "aws_iam_role" "drt" {
      name = "AWSShieldDRTRole"

      assume_role_policy = jsonencode({
        Version = "2012-10-17"
        Statement = [
          {
            Action = "sts:AssumeRole"
            Effect = "Allow"
            Principal = {
              Service = "drt.shield.amazonaws.com"
            }
          }
        ]
      })
    }
    
    # AWS-managed policy granting the DRT the permissions it needs on your behalf.
    # NOTE(review): review the current policy document before applying — it is the
    # full scope of what the DRT can do in this account (WAF/Shield, per L40).
    resource "aws_iam_role_policy_attachment" "drt_access" {
      role       = aws_iam_role.drt.name
      policy_arn = "arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy"
    }
    
    # Register the role with Shield so the DRT can assume it (one role per account).
    # Proactive engagement and the log-bucket association below both require this.
    resource "aws_shield_drt_access_role_arn_association" "main" {
      role_arn = aws_iam_role.drt.arn
    }
    
    # Give the DRT access to the S3 bucket holding the WAF logs (optional).
    # This is a log-bucket grant, not a WAF grant — WAF permissions come from the
    # AWSShieldDRTAccessPolicy attached to the role above. It references the role
    # association so the role is registered with Shield before the bucket is shared.
    resource "aws_shield_drt_access_log_bucket_association" "main" {
      log_bucket                = aws_s3_bucket.waf_logs.id  # bucket declared elsewhere
      role_arn_association_id   = aws_shield_drt_access_role_arn_association.main.id
    }
    
    # SNS topic that fans out Shield/CloudWatch DDoS alerts to on-call endpoints.
    resource "aws_sns_topic" "shield_alerts" {
      name = "shield-ddos-alerts"
    }
    
    # Email subscription to the alert topic.
    # The address is a placeholder; use a monitored on-call mailbox. Note the
    # subscription stays "pending" until the recipient confirms it, so verify
    # delivery end-to-end (checklist item "Test notification channels").
    resource "aws_sns_topic_subscription" "email" {
      topic_arn = aws_sns_topic.shield_alerts.arn
      protocol  = "email"
      endpoint  = "[email protected]"
    }
    
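    # CloudWatch alarm: page the alert topic as soon as Shield reports an attack
    # against the ALB (DDoSDetected > 0 in any single 60 s period).
    resource "aws_cloudwatch_metric_alarm" "ddos_detected" {
      alarm_name          = "shield-ddos-detected"
      alarm_description   = "DDoS attack detected by Shield"
      namespace           = "AWS/DDoSProtection"
      metric_name         = "DDoSDetected"
      statistic           = "Sum"
      # Numeric attributes are given as numbers rather than quoted strings.
      period              = 60
      evaluation_periods  = 1
      comparison_operator = "GreaterThanThreshold"
      threshold           = 0

      # If Shield publishes no datapoint between events, treat the gap as "no
      # attack" instead of leaving the alarm stuck in INSUFFICIENT_DATA.
      treat_missing_data = "notBreaching"

      alarm_actions = [aws_sns_topic.shield_alerts.arn]
      # Also notify when the metric drops back, so responders see the attack end.
      ok_actions    = [aws_sns_topic.shield_alerts.arn]

      dimensions = {
        ResourceArn = aws_lb.main.arn  # one alarm per protected resource
      }
    }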
    

    DDoS Response Team (DRT) Engagement

    Proactive Engagement

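    # Enable proactive engagement: the DRT reaches out to the contacts below when a
    # Route 53 health check tied to a protected resource fails during an attack.
    # Contact values are placeholders — use monitored, shared on-call channels
    # rather than an individual's mailbox/phone.
    resource "aws_shield_proactive_engagement" "main" {
      enabled = true

      emergency_contact {
        contact_notes = "Primary security contact"
        email_address = "[email protected]"
        phone_number  = "+1234567890"
      }

      emergency_contact {
        contact_notes = "Secondary security contact"
        email_address = "[email protected]"
        phone_number  = "+0987654321"
      }

      # Shield rejects proactive engagement until a DRT access role is associated
      # with the account, so sequence the apply explicitly.
      depends_on = [aws_shield_drt_access_role_arn_association.main]
    }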
    

    DRT Capabilities

    DDoS Response Team Services:
      Initial Response:
        - Attack detection confirmation
        - Impact assessment
        - Immediate mitigation recommendations
        
      During Attack:
        - Real-time monitoring
        - Custom mitigation deployment
        - WAF rule creation and updates
        - Traffic analysis
        
      Post-Attack:
        - Detailed attack analysis
        - Forensic investigation
        - Mitigation effectiveness review
        - Recommendations for future protection
        
      Proactive Engagement:
        - Automatic escalation
        - No need to contact AWS
        - Immediate DRT involvement
        - Based on Route 53 health checks
    

    Integration with AWS WAF

    Automatic DDoS Mitigation

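    # Regional Web ACL for the Shield-protected ALB.
    # NOTE: the two rules below are ordinary WAF rules (a managed IP reputation
    # list and a rate limit). Shield Advanced's automatic application-layer
    # mitigation is a separate feature, enabled by the
    # aws_shield_application_layer_automatic_response resource at the end of this
    # listing; it manages its own rules inside this ACL and requires the ACL to
    # be associated with the protected resource and to contain a rate-based rule.
    resource "aws_wafv2_web_acl" "shield_integrated" {
      name  = "shield-advanced-integrated"
      scope = "REGIONAL"  # ALB; a CloudFront distribution would need scope = "CLOUDFRONT"

      default_action {
        allow {}
      }

      # AWS-managed IP reputation list (known hostile sources), evaluated first.
      # The rule/metric names are kept as-is so existing dashboards keep working.
      rule {
        name     = "shield-advanced-auto-mitigation"
        priority = 0

        override_action {
          none {}  # keep the managed group's own block/allow actions
        }

        statement {
          managed_rule_group_statement {
            vendor_name = "AWS"
            name        = "AWSManagedRulesAmazonIpReputationList"
          }
        }

        visibility_config {
          cloudwatch_metrics_enabled = true
          metric_name                = "ShieldAutoMitigation"
          sampled_requests_enabled   = true
        }
      }

      # Rate-based rule: block any single source IP exceeding `limit` requests in
      # the 5-minute evaluation window. This is also the rate-based rule Shield's
      # automatic mitigation expects to find in the ACL.
      # NOTE(review): "IP" aggregates on the connection source address; if requests
      # arrive through a proxy/CDN, aggregate on "FORWARDED_IP" with a
      # forwarded_ip_config block instead, or every client shares the proxy's limit.
      rule {
        name     = "rate-limit-shield"
        priority = 1

        action {
          block {
            custom_response {
              response_code = 429  # "Too Many Requests" rather than a bare 403
            }
          }
        }

        statement {
          rate_based_statement {
            limit              = 2000
            aggregate_key_type = "IP"
          }
        }

        visibility_config {
          cloudwatch_metrics_enabled = true
          metric_name                = "RateLimitShield"
          sampled_requests_enabled   = true
        }
      }

      visibility_config {
        cloudwatch_metrics_enabled = true
        metric_name                = "ShieldIntegratedWebACL"
        sampled_requests_enabled   = true
      }
    }

    # Attach the ACL to the ALB. Without this association the rules above apply
    # to nothing, and Shield cannot enable automatic mitigation for the resource.
    resource "aws_wafv2_web_acl_association" "alb" {
      resource_arn = aws_lb.main.arn
      web_acl_arn  = aws_wafv2_web_acl.shield_integrated.arn
    }

    # Shield Advanced automatic application-layer DDoS mitigation for the ALB.
    # Start in COUNT to review what Shield would block in the WAF logs/metrics,
    # then switch to "BLOCK" once the traffic it flags is confirmed hostile.
    resource "aws_shield_application_layer_automatic_response" "alb" {
      resource_arn = aws_lb.main.arn
      action       = "COUNT"

      depends_on = [
        aws_shield_protection.alb,          # resource must already be Shield-protected
        aws_wafv2_web_acl_association.alb,  # and have the ACL (with a rate rule) attached
      ]
    }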
    

    Cost Protection

    How It Works

    Shield Advanced Cost Protection:
      Covered Services:
        - Amazon CloudFront
        - Amazon Route 53
        - Elastic Load Balancing (ALB, NLB, CLB)
        - Amazon EC2 (Elastic IPs)
        - AWS Global Accelerator
        
      Protected Costs:
        Data Transfer Charges:
          - Increased data transfer during DDoS
          - Outbound data transfer fees
          - Inter-region data transfer
          
        Scaling Charges:
          - Auto-scaling triggered by DDoS
          - Additional compute costs
          - Load balancer scaling
          
      How to Claim:
        1. DDoS attack must be confirmed
        2. Attack causes resource scaling
        3. Submit cost protection claim
        4. AWS reviews and approves
        5. Credits issued to account
        
      Limitations:
        - Must be Shield Advanced customer
        - Attack must be confirmed by AWS
        - Only covers the attack-driven scaling and data transfer charges listed above
        - Does not cover base infrastructure
        - Manual claim process required
    

    Monitoring and Metrics

    CloudWatch Metrics

    import boto3
    from datetime import datetime, timedelta
    
    # Module-level CloudWatch client. Region and credentials come from the ambient
    # boto3 configuration (environment, profile or instance role), not from this file.
    cloudwatch = boto3.client('cloudwatch')
    
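    def get_shield_metrics(resource_arn, lookback_hours=24, client=None):
        """Retrieve Shield Advanced CloudWatch metrics for one protected resource.

        Queries the ``AWS/DDoSProtection`` namespace at 5-minute resolution over a
        window ending now. The three requests share every parameter except the
        metric name and statistics, so they go through one private helper.

        Args:
            resource_arn: ARN of the Shield-protected resource; used as the
                ``ResourceArn`` dimension.
            lookback_hours: length of the window ending at the current time.
                Defaults to 24 (the original hard-coded value).
            client: CloudWatch client to query. Defaults to the module-level
                ``cloudwatch`` client; injectable so callers can supply a
                region-specific client or a stub in tests.

        Returns:
            dict with keys ``'ddos_detected'``, ``'attack_volume'`` and
            ``'attack_packets'``, each holding the raw ``get_metric_statistics``
            response for ``DDoSDetected`` (Sum), ``AttackVolume`` (Maximum,
            Average) and ``AttackPackets`` (Sum) respectively.

        Raises:
            ValueError: if ``lookback_hours`` is not positive (CloudWatch would
                reject an empty or inverted window).
            botocore exceptions from the client propagate unchanged.
        """
        # Local import so the module-level import line is untouched; an aware
        # datetime replaces datetime.utcnow(), which is deprecated in Python 3.12.
        from datetime import timezone

        if lookback_hours <= 0:
            raise ValueError("lookback_hours must be positive")

        cw = client if client is not None else cloudwatch

        end_time = datetime.now(timezone.utc)
        start_time = end_time - timedelta(hours=lookback_hours)

        def _fetch(metric_name, statistics):
            # One Shield metric for the resource over [start_time, end_time].
            return cw.get_metric_statistics(
                Namespace='AWS/DDoSProtection',
                MetricName=metric_name,
                Dimensions=[
                    {
                        'Name': 'ResourceArn',
                        'Value': resource_arn
                    }
                ],
                StartTime=start_time,
                EndTime=end_time,
                Period=300,  # 5 minutes
                Statistics=statistics
            )

        return {
            # DDoS detected events
            'ddos_detected': _fetch('DDoSDetected', ['Sum']),
            # Attack volume
            'attack_volume': _fetch('AttackVolume', ['Maximum', 'Average']),
            # Attack packets
            'attack_packets': _fetch('AttackPackets', ['Sum'])
        }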
    
    # Example usage: fetch the last 24 hours of Shield metrics for a sample ALB.
    # The ARN is a constructed example (account id and resource name are placeholders).
    metrics = get_shield_metrics(
        resource_arn='arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/1234567890abcdef',
    )
    

    Best Practices

    Security Checklist

    Shield Implementation Checklist:
      Standard (Free):
        ☐ Verify Shield Standard is active (automatic)
        ☐ Use CloudFront for web content
        ☐ Use Route 53 for DNS
        ☐ Monitor CloudWatch metrics
        
      Advanced Setup:
        ☐ Subscribe to Shield Advanced
        ☐ Protect all public-facing resources
        ☐ Create protection groups
        ☐ Configure health checks
        ☐ Set up DRT IAM role
        ☐ Grant DRT access to WAF
        ☐ Configure emergency contacts
        ☐ Enable proactive engagement
        ☐ Set up CloudWatch alarms
        ☐ Test notification channels
        
      Integration:
        ☐ Configure AWS WAF rules
        ☐ Enable automatic mitigation
        ☐ Set rate limiting rules
        ☐ Configure geo-blocking if needed
        
      Operations:
        ☐ Regular review of metrics
        ☐ Test DRT contact procedures
        ☐ Document incident response plan
        ☐ Review cost protection eligibility
        ☐ Maintain architecture diagrams
    

    Cost Analysis

    Shield Pricing:
      Shield Standard:
        Cost: FREE
        Included: Always-on detection and mitigation
        Coverage: CloudFront and Route 53
        
      Shield Advanced:
        Subscription: $3,000 per month
        Commitment: 1-year minimum
        
        Data Transfer (Outbound):
          First 1 TB: FREE (included in subscription)
          Over 1 TB: Standard data transfer rates
          
        Protected Resources:
          CloudFront: Included
          Route 53: Included
          ALB/NLB/CLB: Included
          EC2 Elastic IP: Included
          Global Accelerator: Included
          
        WAF Charges:
          Web ACL: FREE (normally $5/month)
          Rules: FREE (normally $1/rule/month)
          Requests: Standard WAF rates apply
          
        DRT Access: Included
        Cost Protection: Included
        
    Cost Optimization:
      - Start with Shield Standard
      - Upgrade to Advanced for critical workloads
      - Use protection groups for efficient management
      - Monitor attack trends before committing
      - Calculate potential scaling costs
      - Compare with manual mitigation costs
    

    Exam Tips