Shield

Priority Tier 4 Domain 1: Design Secure Architectures

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that offers always-on detection and protection against various types of DDoS attacks, with both a free standard tier and a paid advanced tier.

Introduction to AWS Shield

AWS Shield provides managed DDoS protection for applications on AWS.

Shield is a managed Distributed Denial of Service (DDoS) protection service. It provides always-on detection and protection against common and frequently occurring attacks.
A Denial of Service (DoS) attack aims to damage the availability of a site by flooding it with requests that consume all available resources. A Distributed Denial of Service (DDoS) is a DoS attack originating from multiple sources, often using compromised or controlled systems, which makes manual intervention difficult.
DDoS attack classification:
  • Infrastructure layer attacks
  • Application layer attacks
General techniques for protecting applications against DDoS attacks include reducing the attack surface area, planning for scale, understanding normal vs. abnormal traffic patterns, and deploying Web Application Firewalls (WAF) for sophisticated application attacks.
Technical Specs:
  • Reduce attack surface area
  • Plan for scale
  • Know what is normal and abnormal traffic
  • Deploy WAF for sophisticated application attacks

AWS Shield Offerings

AWS Shield is available in two tiers, Standard (free) and Advanced (paid service), each offering a different level of DDoS protection.

AWS Shield Standard

AWS Shield Standard is a free service automatically enabled for all AWS customers. It provides active network monitoring and DDoS protection against common and frequently occurring attacks.
Cost: Free
Protection scope: Common and frequently occurring attacks
Features: Active network monitoring, DDoS protection
Availability protection for services: CloudFront and Route 53
Use Cases:
  • Basic DDoS protection for all AWS customers

AWS Shield Advanced

AWS Shield Advanced is a paid service offering enhanced protections against larger and more sophisticated DDoS attacks. It includes a dedicated DDoS Response Team (DRT) and cost protection for DDoS scaling charges.
Cost: Paid service
Protection scope: Expanded protection (UDP reflection, SYN flood, DNS query flood, HTTP flood)
Support: AWS DDoS Response Team (DRT), 24/7 access to AWS experts
Cost protection: For DDoS scaling charges
Notifications: Real-time notifications of suspected DDoS incidents via CloudWatch metrics
Use Cases:
  • High-visibility websites
  • Mission-critical applications
  • Protection against large and sophisticated attacks
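
The CloudWatch notifications listed above only reach anyone if an alarm watches the metric. The following added example (not code from this page or from AWS) builds one alarm definition per protected resource on the `DDoSDetected` metric in the `AWS/DDoSProtection` namespace. The function names, the sample ARNs and the `us-east-1` fallback for region-less ARNs are assumptions made for illustration.

```python
# Added example (not AWS or page code): alarms on Shield Advanced's DDoSDetected metric.
GLOBAL_METRICS_REGION = "us-east-1"  # assumption: region-less (global) ARNs report here
# Constructed sample inventory; account ID and resource IDs are placeholders.
SAMPLE_ARNS = [
    "arn:aws:elasticloadbalancing:eu-west-1:111122223333:loadbalancer/app/web/0123456789abcdef",
    "arn:aws:cloudfront::111122223333:distribution/EXAMPLE12345",
    "arn:aws:route53:::hostedzone/ZEXAMPLE",
]

def alarm_region(resource_arn):
    """Region to create the alarm in: the ARN's own region, or the global fallback."""
    parts = resource_arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {resource_arn!r}")
    return parts[3] or GLOBAL_METRICS_REGION

def ddos_alarm(resource_arn, sns_topic_arn):
    """Keyword arguments for CloudWatch put_metric_alarm on one protected resource."""
    suffix = resource_arn.split(":", 5)[5].replace("/", "-")
    return {
        "AlarmName": f"shield-ddos-detected-{suffix}",
        "Namespace": "AWS/DDoSProtection",
        "MetricName": "DDoSDetected",  # non-zero value indicates a DDoS event
        "Dimensions": [{"Name": "ResourceArn", "Value": resource_arn}],
        "Statistic": "Maximum", "Period": 60, "EvaluationPeriods": 1,
        "Threshold": 1.0, "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "TreatMissingData": "notBreaching",  # missing data is treated as no event
        "AlarmActions": [sns_topic_arn],
    }

def plan_alarms(resource_arns, sns_topic_by_region):
    """Group alarm definitions by region; an alarm can only notify a topic in its own region."""
    plan, unroutable = {}, []
    for arn in resource_arns:
        region = alarm_region(arn)
        topic = sns_topic_by_region.get(region)
        if topic is None:
            unroutable.append(arn)  # no topic in that region, so nobody would be paged
        else:
            plan.setdefault(region, []).append(ddos_alarm(arn, topic))
    return plan, unroutable

def apply_plan(plan):
    """Create the alarms; needs boto3 and AWS credentials, so it is not run on import."""
    import boto3
    for region, alarms in plan.items():
        cloudwatch = boto3.client("cloudwatch", region_name=region)
        for kwargs in alarms:
            cloudwatch.put_metric_alarm(**kwargs)
```

Review the `unroutable` list before calling `apply_plan`: each entry is a protected resource whose DDoS events would raise no notification.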

Supported AWS Services for Shield Advanced

AWS Shield Advanced provides DDoS protection across several key AWS services.

DDoS protection via Shield Advanced is supported on the following AWS services:
  • CloudFront
  • Route 53
  • Elastic Load Balancing
  • AWS Global Accelerator

Glossary

DDoS (Distributed Denial of Service)
A DoS attack from multiple sources, often using compromised or controlled systems, designed to flood a site with requests and consume all available resources, making manual intervention difficult.
AWS DDoS Response Team (DRT)
A team of AWS experts available 24/7 to assist during a DDoS attack for AWS Shield Advanced customers.
