
# AWS Shield

> Managed DDoS protection service for AWS applications

## Overview

AWS Shield is a **managed DDoS (Distributed Denial of Service) protection** service that safeguards applications running on AWS. Think of Shield Standard as the fence around your property that comes free with the house -- it stops casual intruders (Layer 3/4 volumetric attacks) automatically. Shield Advanced is like hiring a 24/7 private security team (the DDoS Response Team) who will actively defend your property during a sophisticated attack, AND your insurance company (cost protection) reimburses you for any damage. Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency.

<svg viewBox="0 0 800 500" className="w-full h-auto my-8 rounded-lg">
  <defs>
    <linearGradient id="shieldGrad" x1="0%" y1="0%" x2="100%" y2="100%">
      <stop offset="0%" style={{stopColor:"#232F3E",stopOpacity:1}} />

      <stop offset="100%" style={{stopColor:"#1a2332",stopOpacity:1}} />
    </linearGradient>

    <linearGradient id="attackGrad" x1="0%" y1="0%" x2="100%" y2="0%">
      <stop offset="0%" style={{stopColor:"#DC2626",stopOpacity:1}} />

      <stop offset="100%" style={{stopColor:"#EF4444",stopOpacity:1}} />
    </linearGradient>
  </defs>

  <rect width="800" height="500" fill="url(#shieldGrad)" rx="8" />

  <text x="400" y="35" textAnchor="middle" fill="#FF9900" fontSize="20" fontWeight="bold">AWS Shield - DDoS Protection</text>

  <g transform="translate(50, 80)">
    <text x="80" y="0" textAnchor="middle" fill="#DC2626" fontSize="12" fontWeight="bold">DDoS ATTACK</text>

    {/* Botnet 1 */}

    <g transform="translate(0, 25)">
      <circle cx="20" cy="20" r="15" fill="#DC2626" opacity="0.3" />

      <circle cx="20" cy="20" r="15" fill="none" stroke="#DC2626" strokeWidth="2" />

      <text x="20" y="25" textAnchor="middle" fill="#DC2626" fontSize="10">🤖</text>
      <text x="60" y="25" fill="#E2E8F0" fontSize="8">Botnet 1</text>
    </g>

    {/* Botnet 2 */}

    <g transform="translate(0, 65)">
      <circle cx="20" cy="20" r="15" fill="#DC2626" opacity="0.3" />

      <circle cx="20" cy="20" r="15" fill="none" stroke="#DC2626" strokeWidth="2" />

      <text x="20" y="25" textAnchor="middle" fill="#DC2626" fontSize="10">🤖</text>
      <text x="60" y="25" fill="#E2E8F0" fontSize="8">Botnet 2</text>
    </g>

    {/* Botnet 3 */}

    <g transform="translate(0, 105)">
      <circle cx="20" cy="20" r="15" fill="#DC2626" opacity="0.3" />

      <circle cx="20" cy="20" r="15" fill="none" stroke="#DC2626" strokeWidth="2" />

      <text x="20" y="25" textAnchor="middle" fill="#DC2626" fontSize="10">🤖</text>
      <text x="60" y="25" fill="#E2E8F0" fontSize="8">Botnet 3</text>
    </g>

    {/* Attack Types */}

    <g transform="translate(0, 155)">
      <rect x="0" y="0" width="140" height="80" fill="#1a202c" rx="4" />

      <text x="70" y="20" textAnchor="middle" fill="#DC2626" fontSize="10" fontWeight="bold">Attack Types</text>
      <text x="10" y="40" fill="#E2E8F0" fontSize="8">• UDP Flood</text>
      <text x="10" y="55" fill="#E2E8F0" fontSize="8">• SYN Flood</text>
      <text x="10" y="70" fill="#E2E8F0" fontSize="8">• DNS Amplification</text>
    </g>
  </g>

  <path d="M200 125 L270 240" stroke="#DC2626" strokeWidth="3" strokeDasharray="5,5" />

  <path d="M200 165 L270 240" stroke="#DC2626" strokeWidth="3" strokeDasharray="5,5" />

  <path d="M200 205 L270 240" stroke="#DC2626" strokeWidth="3" strokeDasharray="5,5" />

  <g transform="translate(280, 150)">
    <rect x="0" y="0" width="240" height="180" fill="#FF9900" rx="8" opacity="0.3" />

    <rect x="0" y="0" width="240" height="180" fill="none" stroke="#FF9900" strokeWidth="3" rx="8" />

    <text x="120" y="25" textAnchor="middle" fill="#FF9900" fontSize="14" fontWeight="bold">AWS Shield</text>

    {/* Shield Standard */}

    <g transform="translate(15, 40)">
      <rect x="0" y="0" width="210" height="55" fill="#2D3748" rx="4" stroke="#63B3ED" strokeWidth="2" />

      <text x="105" y="18" textAnchor="middle" fill="#63B3ED" fontSize="11" fontWeight="bold">Shield Standard (FREE)</text>
      <text x="10" y="35" fill="#E2E8F0" fontSize="8">• Layer 3/4 protection</text>
      <text x="10" y="48" fill="#E2E8F0" fontSize="8">• Always-on detection</text>
    </g>

    {/* Shield Advanced */}

    <g transform="translate(15, 100)">
      <rect x="0" y="0" width="210" height="65" fill="#2D3748" rx="4" stroke="#FF9900" strokeWidth="2" />

      <text x="105" y="18" textAnchor="middle" fill="#FF9900" fontSize="11" fontWeight="bold">Shield Advanced (Paid)</text>
      <text x="10" y="35" fill="#E2E8F0" fontSize="8">• Enhanced protection</text>
      <text x="10" y="48" fill="#E2E8F0" fontSize="8">• DDoS Response Team</text>
      <text x="10" y="61" fill="#E2E8F0" fontSize="8">• Cost protection</text>
    </g>
  </g>

  <path d="M530 240 L590 150" stroke="#10B981" strokeWidth="3" markerEnd="url(#protectArrow)" />

  <path d="M530 240 L590 240" stroke="#10B981" strokeWidth="3" markerEnd="url(#protectArrow)" />

  <path d="M530 240 L590 330" stroke="#10B981" strokeWidth="3" markerEnd="url(#protectArrow)" />

  <defs>
    <marker id="protectArrow" markerWidth="10" markerHeight="7" refX="9" refY="3.5" orient="auto">
      <polygon points="0 0, 10 3.5, 0 7" fill="#10B981" />
    </marker>
  </defs>

  <g transform="translate(600, 100)">
    <text x="75" y="0" textAnchor="middle" fill="#1DB954" fontSize="12" fontWeight="bold">PROTECTED</text>

    {/* CloudFront */}

    <g transform="translate(0, 20)">
      <rect x="0" y="0" width="150" height="40" fill="#2D3748" rx="4" stroke="#1DB954" strokeWidth="2" />

      <text x="75" y="25" textAnchor="middle" fill="#1DB954" fontSize="10" fontWeight="bold">CloudFront</text>
    </g>

    {/* Route 53 */}

    <g transform="translate(0, 70)">
      <rect x="0" y="0" width="150" height="40" fill="#2D3748" rx="4" stroke="#1DB954" strokeWidth="2" />

      <text x="75" y="25" textAnchor="middle" fill="#1DB954" fontSize="10" fontWeight="bold">Route 53</text>
    </g>

    {/* ALB */}

    <g transform="translate(0, 120)">
      <rect x="0" y="0" width="150" height="40" fill="#2D3748" rx="4" stroke="#1DB954" strokeWidth="2" />

      <text x="75" y="25" textAnchor="middle" fill="#1DB954" fontSize="10" fontWeight="bold">Application Load Balancer</text>
    </g>

    {/* EC2 EIP */}

    <g transform="translate(0, 170)">
      <rect x="0" y="0" width="150" height="40" fill="#2D3748" rx="4" stroke="#1DB954" strokeWidth="2" />

      <text x="75" y="25" textAnchor="middle" fill="#1DB954" fontSize="10" fontWeight="bold">EC2 (Elastic IP)</text>
    </g>
  </g>

  <g transform="translate(50, 360)">
    <text x="350" y="0" textAnchor="middle" fill="#A0AEC0" fontSize="13" fontWeight="bold">Shield Advanced Benefits</text>

    <g transform="translate(0, 20)">
      <rect x="0" y="0" width="160" height="50" fill="#2D3748" rx="4" stroke="#FF9900" strokeWidth="1" />

      <text x="80" y="20" textAnchor="middle" fill="#FF9900" fontSize="9" fontWeight="bold">DRT Support</text>
      <text x="80" y="35" textAnchor="middle" fill="#E2E8F0" fontSize="7">24/7 DDoS Response Team</text>
    </g>

    <g transform="translate(175, 20)">
      <rect x="0" y="0" width="160" height="50" fill="#2D3748" rx="4" stroke="#63B3ED" strokeWidth="1" />

      <text x="80" y="20" textAnchor="middle" fill="#63B3ED" fontSize="9" fontWeight="bold">Cost Protection</text>
      <text x="80" y="35" textAnchor="middle" fill="#E2E8F0" fontSize="7">Credits for scaling costs</text>
    </g>

    <g transform="translate(350, 20)">
      <rect x="0" y="0" width="160" height="50" fill="#2D3748" rx="4" stroke="#1DB954" strokeWidth="1" />

      <text x="80" y="20" textAnchor="middle" fill="#1DB954" fontSize="9" fontWeight="bold">Advanced Metrics</text>
      <text x="80" y="35" textAnchor="middle" fill="#E2E8F0" fontSize="7">Near real-time visibility</text>
    </g>

    <g transform="translate(525, 20)">
      <rect x="0" y="0" width="160" height="50" fill="#2D3748" rx="4" stroke="#F6AD55" strokeWidth="1" />

      <text x="80" y="20" textAnchor="middle" fill="#F6AD55" fontSize="9" fontWeight="bold">Health-Based</text>
      <text x="80" y="35" textAnchor="middle" fill="#E2E8F0" fontSize="7">Detection & Mitigation</text>
    </g>
  </g>

  <g transform="translate(50, 470)">
    <circle cx="5" cy="5" r="4" fill="#10B981" />

    <text x="15" y="9" fill="#A0AEC0" fontSize="10">Standard: FREE with all AWS accounts</text>

    <circle cx="300" cy="5" r="4" fill="#FF9900" />

    <text x="310" y="9" fill="#A0AEC0" fontSize="10">Advanced: \$3,000/month + data transfer</text>
  </g>
</svg>

## Shield Standard vs Advanced

<Tabs items={['Shield Standard', 'Shield Advanced']}>
  <Tabs.Tab>
    **Shield Standard (FREE)**

    ```yaml theme={null}
    Automatic Protection:
      - Enabled by default for all AWS customers
      - No additional cost
      - Always-on detection
      - Automatic inline mitigation
      
    Protection Coverage:
      Layer 3/4 DDoS Attacks:
        - SYN/ACK floods
        - UDP reflection attacks
        - DNS query floods
        
      Protected Resources:
        - Amazon CloudFront
        - Amazon Route 53
        - All AWS regions
        
    Detection:
      - Network flow monitoring
      - Baseline traffic analysis
      - Anomaly detection
      - Automatic mitigation
      
    Limitations:
      - No DDoS cost protection
      - No DDoS Response Team access
      - Limited visibility
      - No custom mitigations
      
    Best For:
      - All AWS workloads (default)
      - Cost-sensitive applications
      - Basic DDoS protection needs
      - Standard web applications
    ```
  </Tabs.Tab>

  <Tabs.Tab>
    **Shield Advanced (\$3,000/month)**

    ```yaml theme={null}
    Enhanced Protection:
      - Advanced DDoS detection
      - Layer 7 attack mitigation
      - Near real-time attack visibility
      - Health-based detection
      
    Protected Resources:
      - CloudFront distributions
      - Route 53 hosted zones
      - Application Load Balancers (ALB)
      - Network Load Balancers (NLB)
      - Classic Load Balancers
      - EC2 Elastic IP addresses
      - AWS Global Accelerator
      
    DDoS Response Team (DRT):
      - 24/7 access to AWS experts
      - Attack analysis and mitigation
      - Post-event analysis
      - Proactive engagement during attacks
      - Custom mitigation strategies
      
    Cost Protection:
      - Protection against scaling costs
      - Credits for DDoS-related charges
      - Covers:
        * CloudFront
        * Route 53
        * ELB
        * EC2 data transfer
        * Global Accelerator
      
    Advanced Features:
      - Custom AWS WAF rules at no cost
      - Integration with WAF for L7 protection
      - Attack diagnostics and forensics
      - Historical attack data
      - Proactive health checks
      
    Visibility:
      - Real-time attack metrics
      - CloudWatch metrics
      - Attack notifications
      - Detailed attack reports
      
    Best For:
      - Mission-critical applications
      - High-traffic websites
      - Gaming platforms
      - Financial services
      - E-commerce sites
      - Applications requiring SLA
    ```
  </Tabs.Tab>
</Tabs>

## DDoS Attack Types

<svg viewBox="0 0 700 400" className="w-full h-auto my-6 rounded-lg">
  <defs>
    <linearGradient id="attackTypeGrad" x1="0%" y1="0%" x2="100%" y2="100%">
      <stop offset="0%" style={{stopColor:"#232F3E",stopOpacity:1}} />

      <stop offset="100%" style={{stopColor:"#1a2332",stopOpacity:1}} />
    </linearGradient>
  </defs>

  <rect width="700" height="400" fill="url(#attackTypeGrad)" rx="8" />

  <text x="350" y="30" textAnchor="middle" fill="#FF9900" fontSize="16" fontWeight="bold">Common DDoS Attack Types</text>

  <g transform="translate(30, 60)">
    <rect x="0" y="0" width="310" height="300" fill="#2D3748" rx="6" stroke="#63B3ED" strokeWidth="2" />

    <text x="155" y="25" textAnchor="middle" fill="#63B3ED" fontSize="13" fontWeight="bold">Layer 3/4 (Network/Transport)</text>
    <text x="155" y="42" textAnchor="middle" fill="#A0AEC0" fontSize="9">Shield Standard Protection</text>

    {/* SYN Flood */}

    <g transform="translate(15, 55)">
      <rect x="0" y="0" width="280" height="55" fill="#1a202c" rx="4" />

      <text x="10" y="18" fill="#DC2626" fontSize="10" fontWeight="bold">SYN Flood</text>
      <text x="10" y="33" fill="#E2E8F0" fontSize="8">Exploits TCP handshake</text>
      <text x="10" y="46" fill="#A0AEC0" fontSize="7">Exhausts connection table</text>
    </g>

    {/* UDP Flood */}

    <g transform="translate(15, 115)">
      <rect x="0" y="0" width="280" height="55" fill="#1a202c" rx="4" />

      <text x="10" y="18" fill="#DC2626" fontSize="10" fontWeight="bold">UDP Flood</text>
      <text x="10" y="33" fill="#E2E8F0" fontSize="8">Floods with UDP packets</text>
      <text x="10" y="46" fill="#A0AEC0" fontSize="7">Overwhelms bandwidth</text>
    </g>

    {/* DNS Amplification */}

    <g transform="translate(15, 175)">
      <rect x="0" y="0" width="280" height="55" fill="#1a202c" rx="4" />

      <text x="10" y="18" fill="#DC2626" fontSize="10" fontWeight="bold">DNS Amplification</text>
      <text x="10" y="33" fill="#E2E8F0" fontSize="8">Amplifies traffic via DNS</text>
      <text x="10" y="46" fill="#A0AEC0" fontSize="7">Small query → large response</text>
    </g>

    {/* NTP Amplification */}

    <g transform="translate(15, 235)">
      <rect x="0" y="0" width="280" height="55" fill="#1a202c" rx="4" />

      <text x="10" y="18" fill="#DC2626" fontSize="10" fontWeight="bold">NTP Amplification</text>
      <text x="10" y="33" fill="#E2E8F0" fontSize="8">Exploits NTP protocol</text>
      <text x="10" y="46" fill="#A0AEC0" fontSize="7">Monlist command abuse</text>
    </g>
  </g>

  <g transform="translate(360, 60)">
    <rect x="0" y="0" width="310" height="300" fill="#2D3748" rx="6" stroke="#F6AD55" strokeWidth="2" />

    <text x="155" y="25" textAnchor="middle" fill="#F6AD55" fontSize="13" fontWeight="bold">Layer 7 (Application)</text>
    <text x="155" y="42" textAnchor="middle" fill="#A0AEC0" fontSize="9">Shield Advanced + WAF</text>

    {/* HTTP Flood */}

    <g transform="translate(15, 55)">
      <rect x="0" y="0" width="280" height="55" fill="#1a202c" rx="4" />

      <text x="10" y="18" fill="#DC2626" fontSize="10" fontWeight="bold">HTTP Flood</text>
      <text x="10" y="33" fill="#E2E8F0" fontSize="8">Floods with HTTP requests</text>
      <text x="10" y="46" fill="#A0AEC0" fontSize="7">Appears legitimate</text>
    </g>

    {/* Slowloris */}

    <g transform="translate(15, 115)">
      <rect x="0" y="0" width="280" height="55" fill="#1a202c" rx="4" />

      <text x="10" y="18" fill="#DC2626" fontSize="10" fontWeight="bold">Slowloris</text>
      <text x="10" y="33" fill="#E2E8F0" fontSize="8">Slow, partial HTTP requests</text>
      <text x="10" y="46" fill="#A0AEC0" fontSize="7">Holds connections open</text>
    </g>

    {/* Cache-Busting */}

    <g transform="translate(15, 175)">
      <rect x="0" y="0" width="280" height="55" fill="#1a202c" rx="4" />

      <text x="10" y="18" fill="#DC2626" fontSize="10" fontWeight="bold">Cache-Busting</text>
      <text x="10" y="33" fill="#E2E8F0" fontSize="8">Random query strings</text>
      <text x="10" y="46" fill="#A0AEC0" fontSize="7">Bypasses CDN cache</text>
    </g>

    {/* Application-Specific */}

    <g transform="translate(15, 235)">
      <rect x="0" y="0" width="280" height="55" fill="#1a202c" rx="4" />

      <text x="10" y="18" fill="#DC2626" fontSize="10" fontWeight="bold">Application-Specific</text>
      <text x="10" y="33" fill="#E2E8F0" fontSize="8">Targets app vulnerabilities</text>
      <text x="10" y="46" fill="#A0AEC0" fontSize="7">Login pages, search, etc.</text>
    </g>
  </g>
</svg>

## Enabling Shield Advanced

### Via Console

<Steps>
  ### Subscribe to Shield Advanced

  1. Navigate to AWS Shield console
  2. Click "Subscribe to Shield Advanced"
  3. Review pricing and terms
  4. Confirm subscription

  ### Add Resources

  1. Select resource types to protect
  2. Choose specific resources
  3. Configure protection groups (optional)
  4. Enable automatic application layer mitigation

  ### Configure Notifications

  1. Create SNS topic for alerts
  2. Subscribe email/SMS endpoints
  3. Configure alert preferences

  ### Set Up DDoS Response Team (DRT) Access

  1. Create IAM role for DRT
  2. Grant necessary permissions
  3. Provide access to AWS WAF (optional)
</Steps>

### Terraform Configuration

```hcl theme={null}
# Enable Shield Advanced subscription
resource "aws_shield_subscription" "main" {
  auto_renew = "ENABLED"
  
  # This creates a 1-year commitment at $3,000/month ($36,000/year).
  # Cost tip: The $3,000/month covers ALL protected resources in your
  # organization -- it is a flat fee, not per-resource. So protecting
  # 5 ALBs costs the same as protecting 50. The real variable cost is
  # data transfer on protected resources (standard rates above 1 TB).
  #
  # Common mistake: Subscribing to Shield Advanced for a small website
  # that gets 1,000 visits/day. At $36K/year, you need to be protecting
  # revenue-critical workloads where a DDoS-related outage costs more
  # than $36K. For most small-medium workloads, Shield Standard + WAF
  # rate limiting is sufficient.
}

# Protect CloudFront distribution
resource "aws_shield_protection" "cloudfront" {
  name         = "cloudfront-protection"
  resource_arn = aws_cloudfront_distribution.main.arn

  tags = {
    Environment = "production"
  }
}

# Protect Application Load Balancer
resource "aws_shield_protection" "alb" {
  name         = "alb-protection"
  resource_arn = aws_lb.main.arn

  tags = {
    Environment = "production"
  }
}

# Protect Elastic IP
resource "aws_shield_protection" "eip" {
  name         = "ec2-eip-protection"
  resource_arn = "arn:aws:ec2:us-east-1:123456789012:eip-allocation/eipalloc-12345678"

  tags = {
    Environment = "production"
  }
}

# Protect Route 53 hosted zone
resource "aws_shield_protection" "route53" {
  name         = "route53-protection"
  resource_arn = aws_route53_zone.main.arn

  tags = {
    Environment = "production"
  }
}

# Protection Group (logical grouping).
# Groups let you treat related resources as a unit for detection.
# "MAX" aggregation uses the highest traffic of any member, so Shield triggers
# when ANY resource in the group is attacked. Use "SUM" when you want to detect
# distributed attacks that spread traffic across multiple resources to stay
# under individual thresholds. "MEAN" is the third option, for members that
# share traffic uniformly (load balancers, accelerators).
# With pattern = "ARBITRARY", members are the ARNs of the protected resources,
# not the IDs of the aws_shield_protection resources.
resource "aws_shield_protection_group" "web_tier" {
  protection_group_id = "web-tier-protection"
  aggregation         = "MAX"
  pattern             = "ARBITRARY"

  members = [
    aws_cloudfront_distribution.main.arn,
    aws_lb.main.arn,
  ]

  tags = {
    Tier = "web"
  }
}

# Health-based detection
resource "aws_shield_protection_health_check_association" "alb" {
  health_check_arn     = aws_route53_health_check.alb.arn
  shield_protection_id = aws_shield_protection.alb.id
}

# Route 53 health check for ALB
resource "aws_route53_health_check" "alb" {
  type              = "HTTPS"
  resource_path     = "/health"
  fqdn              = aws_lb.main.dns_name
  port              = 443
  request_interval  = 30
  failure_threshold = 3

  tags = {
    Name = "alb-health-check"
  }
}

# DRT IAM role
resource "aws_iam_role" "drt" {
  name = "AWSShieldDRTRole"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Principal = {
          Service = "drt.shield.amazonaws.com"
        }
      }
    ]
  })
}

resource "aws_iam_role_policy_attachment" "drt_access" {
  role       = aws_iam_role.drt.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy"
}

# Hand the role to Shield so DRT can assume it during an event
resource "aws_shield_drt_access_role_arn_association" "main" {
  role_arn = aws_iam_role.drt.arn
}

# Grant DRT read access to the AWS WAF log bucket (optional, but it lets DRT
# analyse Layer 7 traffic during an engagement)
resource "aws_shield_drt_access_log_bucket_association" "main" {
  log_bucket              = aws_s3_bucket.waf_logs.id
  role_arn_association_id = aws_shield_drt_access_role_arn_association.main.id
}

# SNS topic for Shield alerts
resource "aws_sns_topic" "shield_alerts" {
  name = "shield-ddos-alerts"
}

resource "aws_sns_topic_subscription" "email" {
  topic_arn = aws_sns_topic.shield_alerts.arn
  protocol  = "email"
  endpoint  = "security-team@example.com"
}

# CloudWatch alarm for DDoS detected.
# DDoSDetected is 1 for every minute an event is in progress and 0 otherwise,
# so any Sum above 0 in a 60-second period means Shield has declared an attack.
resource "aws_cloudwatch_metric_alarm" "ddos_detected" {
  alarm_name          = "shield-ddos-detected"
  comparison_operator = "GreaterThanThreshold"
  evaluation_periods  = 1
  metric_name         = "DDoSDetected"
  namespace           = "AWS/DDoSProtection"
  period              = 60
  statistic           = "Sum"
  threshold           = 0
  alarm_description   = "DDoS attack detected by Shield"
  alarm_actions       = [aws_sns_topic.shield_alerts.arn]
  treat_missing_data  = "notBreaching"

  dimensions = {
    ResourceArn = aws_lb.main.arn
  }
}
```
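The MAX-versus-SUM trade-off described in the protection group comment is easier to see with numbers. The following is an added illustrative model, not code from this page and not Shield's actual detection logic (which works from learned baselines): the baselines, the threshold and the traffic figures are constructed, and MEAN is included because Shield offers it as a third aggregation.

```python
# Constructed baseline traffic in Mbps for each member of the web-tier group.
BASELINE = {"cloudfront": 400.0, "alb": 120.0, "eip-a": 50.0, "eip-b": 50.0}

# Excess above baseline (Mbps) that this model treats as an event. The same
# number is applied per resource and to the aggregated group signal.
THRESHOLD_MBPS = 200.0


def excess(current, baseline=BASELINE):
    """Deviation of each member from its baseline; negative means a dip."""
    return {name: current[name] - baseline[name] for name in baseline}


def per_resource_events(current, threshold=THRESHOLD_MBPS):
    """Members that would trip detection on their own (no protection group)."""
    return sorted(name for name, e in excess(current).items() if e > threshold)


def group_signal(current, aggregation):
    """Aggregate member deviations the way the protection group is configured."""
    deviations = list(excess(current).values())
    if aggregation == "MAX":      # largest single member
        return max(deviations)
    if aggregation == "SUM":      # total across the group
        return sum(deviations)
    if aggregation == "MEAN":     # average across the group
        return sum(deviations) / len(deviations)
    raise ValueError(f"unknown aggregation {aggregation!r}")


def group_event(current, aggregation, threshold=THRESHOLD_MBPS):
    """(detected, signal) for the group under the given aggregation."""
    signal = group_signal(current, aggregation)
    return signal > threshold, signal


# Scenario 1: attack spread evenly, +90 Mbps on every member (+360 in total),
# each member staying under the per-resource threshold. Only SUM sees it.
DISTRIBUTED = {"cloudfront": 490.0, "alb": 210.0, "eip-a": 140.0, "eip-b": 140.0}

# Scenario 2: one Elastic IP hammered (+260 Mbps) while the other members
# happen to dip below baseline. MAX sees it; the dips mask it under SUM.
CONCENTRATED = {"cloudfront": 330.0, "alb": 100.0, "eip-a": 310.0, "eip-b": 45.0}


if __name__ == "__main__":
    for label, traffic in (("distributed", DISTRIBUTED), ("concentrated", CONCENTRATED)):
        print(f"{label}: per-resource events = {per_resource_events(traffic)}")
        for agg in ("MAX", "SUM", "MEAN"):
            detected, signal = group_event(traffic, agg)
            print(f"  {agg:4s} signal {signal:7.1f} Mbps -> {'EVENT' if detected else 'quiet'}")
```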

## DDoS Response Team (DRT) Engagement

### Proactive Engagement

```hcl theme={null}
# Enable proactive engagement
resource "aws_shield_proactive_engagement" "main" {
  enabled = true

  emergency_contact {
    contact_notes = "Primary security contact"
    email_address = "security-primary@example.com"
    phone_number  = "+1234567890"
  }

  emergency_contact {
    contact_notes = "Secondary security contact"
    email_address = "security-secondary@example.com"
    phone_number  = "+0987654321"
  }
}
```

### DRT Capabilities

```yaml theme={null}
DDoS Response Team Services:
  Initial Response:
    - Attack detection confirmation
    - Impact assessment
    - Immediate mitigation recommendations
    
  During Attack:
    - Real-time monitoring
    - Custom mitigation deployment
    - WAF rule creation and updates
    - Traffic analysis
    
  Post-Attack:
    - Detailed attack analysis
    - Forensic investigation
    - Mitigation effectiveness review
    - Recommendations for future protection
    
  Proactive Engagement:
    - Automatic escalation
    - No need to contact AWS
    - Immediate DRT involvement
    - Based on Route 53 health checks
```

## Integration with AWS WAF

### Automatic DDoS Mitigation

```hcl theme={null}
# WAF Web ACL for Shield Advanced
resource "aws_wafv2_web_acl" "shield_integrated" {
  name  = "shield-advanced-integrated"
  scope = "REGIONAL"

  default_action {
    allow {}
  }

  # AWS-managed IP reputation rule group. Shield Advanced's automatic
  # application layer mitigation is enabled separately (the console step
  # above, or the provider's aws_shield_application_layer_automatic_response
  # resource) and inserts its own rule group into this web ACL.
  rule {
    name     = "shield-advanced-auto-mitigation"
    priority = 0

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        vendor_name = "AWS"
        name        = "AWSManagedRulesAmazonIpReputationList"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "ShieldAutoMitigation"
      sampled_requests_enabled   = true
    }
  }

  # Rate-based rule for Layer 7 DDoS protection.
  # This is your first line of Layer 7 defense -- it blocks any single IP
  # that exceeds 2,000 requests in a 5-minute window. During a DDoS attack,
  # this catches the most aggressive bot IPs before they hit your origin.
  # Tune the limit to your real per-client peak (NAT gateways and corporate
  # proxies put many users behind one IP) and watch the RateLimitShield
  # metric before relying on the block.
  #
  # Cost tip: WAF web ACL and rule charges are waived with Shield Advanced
  # (normally $1/rule/month); the $0.60/M request charge still applies.
  # The waiver alone can save $50-100/month on WAF costs.
  rule {
    name     = "rate-limit-shield"
    priority = 1

    action {
      block {
        custom_response {
          response_code = 429
        }
      }
    }

    statement {
      rate_based_statement {
        limit              = 2000
        aggregate_key_type = "IP"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "RateLimitShield"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "ShieldIntegratedWebACL"
    sampled_requests_enabled   = true
  }
}
```

## Cost Protection

### How It Works

```yaml theme={null}
Shield Advanced Cost Protection:
  Covered Services:
    - Amazon CloudFront
    - Amazon Route 53
    - Elastic Load Balancing (ALB, NLB, CLB)
    - Amazon EC2 (Elastic IPs)
    - AWS Global Accelerator
    
  Protected Costs:
    Data Transfer Charges:
      - Increased data transfer during DDoS
      - Outbound data transfer fees
      - Inter-region data transfer
      
    Scaling Charges:
      - Auto-scaling triggered by DDoS
      - Additional compute costs
      - Load balancer scaling
      
  How to Claim:
    1. DDoS attack must be confirmed
    2. Attack causes resource scaling
    3. Submit cost protection claim
    4. AWS reviews and approves
    5. Credits issued to account
    
  Limitations:
    - Must be Shield Advanced customer
    - Attack must be confirmed by AWS
    - Only covers scaling costs
    - Does not cover base infrastructure
    - Manual claim process required
```

## Monitoring and Metrics

### CloudWatch Metrics

```python theme={null}
import boto3
from datetime import datetime, timedelta, timezone

cloudwatch = boto3.client('cloudwatch')

# Shield Advanced publishes per-resource metrics in this namespace, keyed by
# the ResourceArn dimension. DDoSDetected is 1 while an event is in progress
# and 0 otherwise; the DDoSAttack* metrics carry the attack traffic volume.
NAMESPACE = 'AWS/DDoSProtection'


def _get_statistics(resource_arn, metric_name, statistics, start_time, end_time, period=300):
    """Fetch one Shield metric for one protected resource."""
    return cloudwatch.get_metric_statistics(
        Namespace=NAMESPACE,
        MetricName=metric_name,
        Dimensions=[{'Name': 'ResourceArn', 'Value': resource_arn}],
        StartTime=start_time,
        EndTime=end_time,
        Period=period,  # seconds; 300 = 5-minute datapoints
        Statistics=statistics,
    )


def get_shield_metrics(resource_arn, hours=24):
    """
    Retrieve Shield Advanced metrics for the last `hours` hours.
    The Datapoints list in each response is not sorted by Timestamp.
    """
    end_time = datetime.now(timezone.utc)
    start_time = end_time - timedelta(hours=hours)

    return {
        # DDoS detected events (Sum > 0 in a period means an event was active)
        'ddos_detected': _get_statistics(
            resource_arn, 'DDoSDetected', ['Sum'], start_time, end_time),
        # Attack volume in bits per second
        'attack_volume': _get_statistics(
            resource_arn, 'DDoSAttackBitsPerSecond', ['Maximum', 'Average'], start_time, end_time),
        # Attack volume in packets per second
        'attack_packets': _get_statistics(
            resource_arn, 'DDoSAttackPacketsPerSecond', ['Maximum'], start_time, end_time),
    }


if __name__ == '__main__':
    # Example usage
    metrics = get_shield_metrics(
        'arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/1234567890abcdef'
    )
    for name, response in metrics.items():
        print(f"{name}: {len(response['Datapoints'])} datapoints in the last 24 hours")
```
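Fetching the metrics is only half the job; an operator wants attack windows, not raw datapoints. The following is an added example, not code from this page: it consumes Datapoints lists shaped like what `get_metric_statistics` returns for DDoSDetected and for the attack bits-per-second metric, with constructed values, and it handles the two things that trip people up, namely that datapoints arrive unsorted and that a quiet or missing period must split a window rather than be bridged. The 1 Gbps escalation threshold is a constructed example value.

```python
from datetime import datetime, timedelta, timezone

# Constructed 5-minute datapoints in the shape get_metric_statistics returns
# (a "Datapoints" list whose order is NOT guaranteed). T0 is an arbitrary
# anchor time; every value below is invented for this example.
T0 = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)
PERIOD = timedelta(seconds=300)


def _dp(minutes, **stats):
    return {"Timestamp": T0 + timedelta(minutes=minutes), **stats}


# DDoSDetected, Statistics=['Sum']: 0 when quiet, >0 while an event is active.
DETECTED_DATAPOINTS = [
    _dp(30, Sum=5.0), _dp(0, Sum=0.0), _dp(25, Sum=5.0), _dp(5, Sum=0.0),
    _dp(35, Sum=0.0), _dp(10, Sum=0.0), _dp(20, Sum=3.0), _dp(15, Sum=0.0),
    _dp(50, Sum=2.0), _dp(40, Sum=0.0), _dp(45, Sum=0.0),
]

# Attack bits per second, Statistics=['Maximum']: only present during events.
ATTACK_BPS_DATAPOINTS = [
    _dp(25, Maximum=2.1e9), _dp(20, Maximum=1.2e9),
    _dp(30, Maximum=0.9e9), _dp(50, Maximum=0.4e9),
]


def attack_windows(detected, attack_bps, period=PERIOD):
    """Collapse per-period datapoints into contiguous attack windows.

    Returns a list of (start, end, peak_bps) tuples. A window continues only
    while consecutive periods are attacked; a quiet period or a missing
    datapoint closes it, so a gap is never silently bridged.
    """
    peak_by_ts = {d["Timestamp"]: d["Maximum"] for d in attack_bps}
    windows = []
    current = None  # [start, end, peak]
    for dp in sorted(detected, key=lambda d: d["Timestamp"]):
        ts = dp["Timestamp"]
        if dp["Sum"] <= 0:
            continue
        peak = peak_by_ts.get(ts, 0.0)
        if current is not None and ts == current[1]:
            current[1] = ts + period
            current[2] = max(current[2], peak)
        else:
            if current is not None:
                windows.append(tuple(current))
            current = [ts, ts + period, peak]
    if current is not None:
        windows.append(tuple(current))
    return windows


def alert_lines(windows, engage_above_bps=1e9):
    """One operator-facing line per window, flagging those large enough to
    justify engaging the DRT (threshold is a constructed example value)."""
    lines = []
    for start, end, peak in windows:
        minutes = int((end - start).total_seconds() // 60)
        severity = "ENGAGE DRT" if peak >= engage_above_bps else "monitor"
        lines.append(f"{start:%Y-%m-%d %H:%M}Z  {minutes:3d} min  "
                     f"peak {peak / 1e9:.2f} Gbps  {severity}")
    return lines


if __name__ == "__main__":
    for line in alert_lines(attack_windows(DETECTED_DATAPOINTS, ATTACK_BPS_DATAPOINTS)):
        print(line)
```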

## Best Practices

<Cards>
  <Card title="Use CloudFront + Shield" icon="cloud">
    Distribute content globally with CloudFront for best Shield protection
  </Card>

  <Card title="Health-Based Detection" icon="heart-pulse">
    Configure Route 53 health checks for proactive DDoS detection
  </Card>

  <Card title="Layer Defense" icon="layer-group">
    Combine Shield Advanced with WAF for comprehensive protection
  </Card>

  <Card title="DRT Access" icon="headset">
    Grant DRT necessary permissions before an attack occurs
  </Card>
</Cards>

### Security Checklist

```yaml theme={null}
Shield Implementation Checklist:
  Standard (Free):
    ☐ Verify Shield Standard is active (automatic)
    ☐ Use CloudFront for web content
    ☐ Use Route 53 for DNS
    ☐ Monitor CloudWatch metrics
    
  Advanced Setup:
    ☐ Subscribe to Shield Advanced
    ☐ Protect all public-facing resources
    ☐ Create protection groups
    ☐ Configure health checks
    ☐ Set up DRT IAM role
    ☐ Grant DRT access to WAF
    ☐ Configure emergency contacts
    ☐ Enable proactive engagement
    ☐ Set up CloudWatch alarms
    ☐ Test notification channels
    
  Integration:
    ☐ Configure AWS WAF rules
    ☐ Enable automatic mitigation
    ☐ Set rate limiting rules
    ☐ Configure geo-blocking if needed
    
  Operations:
    ☐ Regular review of metrics
    ☐ Test DRT contact procedures
    ☐ Document incident response plan
    ☐ Review cost protection eligibility
    ☐ Maintain architecture diagrams
```

## Cost Analysis

```yaml theme={null}
Shield Pricing:
  Shield Standard:
    Cost: FREE
    Included: Always-on detection and mitigation
    Coverage: CloudFront and Route 53
    
  Shield Advanced:
    Subscription: $3,000 per month
    Commitment: 1-year minimum
    
    Data Transfer (Outbound):
      First 1 TB: FREE (included in subscription)
      Over 1 TB: Standard data transfer rates
      
    Protected Resources:
      CloudFront: Included
      Route 53: Included
      ALB/NLB/CLB: Included
      EC2 Elastic IP: Included
      Global Accelerator: Included
      
    WAF Charges:
      Web ACL: FREE (normally $5/month)
      Rules: FREE (normally $1/rule/month)
      Requests: Standard WAF rates apply
      
    DRT Access: Included
    Cost Protection: Included
    
Cost Optimization:
  - Start with Shield Standard
  - Upgrade to Advanced for critical workloads
  - Use protection groups for efficient management
  - Monitor attack trends before committing
  - Calculate potential scaling costs
  - Compare with manual mitigation costs
```

## Exam Tips

<Accordions>
  <Accordion title="Key Concepts for AWS Exams">
    * **Shield Standard** is FREE and automatic for all AWS customers
    * **Shield Advanced** costs \$3,000/month with 1-year commitment
    * Shield Standard protects **Layer 3/4** (network/transport)
    * Shield Advanced adds **Layer 7** protection with WAF integration
    * **DRT (DDoS Response Team)** available only with Shield Advanced
    * **Cost protection** credits for DDoS-related scaling costs
    * Shield Advanced required for **proactive engagement**
    * **Health-based detection** uses Route 53 health checks
  </Accordion>

  <Accordion title="Common Exam Scenarios">
    **Q: How to protect against SYN flood attacks?**
    A: Shield Standard (FREE) provides automatic protection

    **Q: Need 24/7 DDoS support during attacks?**
    A: Use Shield Advanced to access DDoS Response Team (DRT)

    **Q: How to protect against Layer 7 DDoS?**
    A: Shield Advanced + AWS WAF integration

    **Q: Want credits for DDoS-related scaling costs?**
    A: Shield Advanced provides cost protection

    **Q: How to get automatic DDoS notifications?**
    A: Shield Advanced with CloudWatch alarms and SNS
  </Accordion>
</Accordions>
