【Table of contents】
-
1. What is AWS Shield?
AWS Shield is a service that provides protection against DDoS attacks for web applications on AWS. There are two types of AWS Shield, Standard and Advanced, with Standard being free and Advanced being paid version.
AWS Shield Standard provides protection for all AWS customers from common, most frequently occurring network and transport layer DDoS attacks that target your web site or application at no additional charge.
AWS Shield Advanced is a paid service that provides additional protections for internet-facing applications running on Amazon Elastic Compute (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53.
Note that the AWS Shield Standard is automatically applied when you start using AWS.
-
a) What is DDoS?
DDoS (Distributed Denial of Service) is one of the DoS attacks which aims to take the service down and is also called a distributed DoS attack. The method of attacking with a single computer and bringing down services is called a denial of service (DoS) attack. Among them, DDoS is an attack that uses a large number of computers that have been turned into bots through virus infection, etc., to bring down a service. Both are common in that they both send malicious packets to stop a service, but when a very large number of computers are the source of the attack, it is known as a DDoS attack.
In general, when a DDoS attack occurs, even if the gateway side tries to restrict the IP address of the attacker, there are too many of them, making it difficult to take measures. For this, WAF (Web Application Firewall) is an effective measure because it can analyze the contents of packets and control it. (※WAF is only able to mitigate DDoS attacks). However, since AWS is a cloud environment, gateway measures cannot be freely implemented (AWS WAF can take such measures). In this case, AWS Shield is an effective solution.
-
b) Difference between Standard & Advanced in AWS Shield
There are two types of AWS Shield: Standard and Advanced. Standard is automatically free for all AWS users, but if you want to use Advanced, you'll have to pay extra. Check out the rates mentioned below.
■ Standard (free)
・Automatically available to all AWS users at no additional cost.
・Protects against DDoS attacks targeting the infrastructure (L3 and L4 layer)
・Monitor incoming traffic to AWS and detects any malicious activity.
・Automatically mitigate attacksAlthough the Standard version is free for all AWS users, it doesn't allow you to see your DDoS attack history, make reports, or send notifications. However, if you use it with AWS WAF, it is possible to detect and notify DDoS at the L7 layer.
■ Advanced (paid)
・DDoS attacks at the application layer (L7 layer) are also detected.
・Additional mitigation against larger DDoS attacks using advanced routing technology.
・Provides more visibility into the state and notifications of attacks by linking with other AWS services
・Refund in the event of a significant increase in the amount billed due to a DDoS attack
・24/7 Professional supportFor users who are worried about DDoS attacks, we recommend using the Advanced version, which can detect up to the application layer and supports the fee guarantee in case of emergency. Especially if you're also thinking about protecting against targeted attacks on applications from services such as Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Route 53, you might want to consider using the advanced version.
-
c) Benefits of deploying AWS Shield
The benefits of deploying AWS Shield are as follows:
・If you use AWS, you can use the standard type for free without any special settings.
・Anyone using the Standard type will be able to protect against L3 and L4 level attacks.
・Upgrading to Advanced type gives you L7 level attack protection.
・Upgrading to Advanced will allow for 24/7 support and dealing with abnormal billing due to DDoS.As mentioned above, AWS Shield can protect against DDoS attacks on L3 and L4 (network and port level) for all users on AWS. The fact that this can be done at no additional cost is a big advantage in terms of cost. In addition, if you're running a server that may be subject to DDoS attacks, you will be able to receive a higher level of protection from DDoS by signing up for Advanced.
-
d) How to use AWS Shield?
If it is the Standard type, there is no need for any setup.
To use the Advanced type, the following steps are required.- (i) Activating AWS Shield Advanced
After signing into AWS, if you’re signing into AWS WAF console for the first time,
select Go to Shield > Activate AWS Shield Advanced.
Otherwise, select AWS Shield > Protected resources.
Next, select 'Activate service'.
- (ii) Specify the resources to be protected
Next, select the resources that you want to protect and click “Protect selected resources”.
- (iii) Add a rate-based rule
By adding a rate-based rule, you will be notified of alerts to sudden increases in traffic that may be DDoS events. To create a rule, create a web ACL for the resource and then create a rate-based rule for that resource.
- (iv) Granting permission to DDoS Response Team
If you want to enable support from the DDoS Response Team (DRT), you can pre-authorize the DRT to take care of the actual attack on your behalf by granting them the necessary permissions.
- (v) Configuring an Amazon CloudWatch alarm
Using it together with Amazon CloudWatch, you can configure it to send notifications about resources that are protected from possible DDoS attacks. To create an alarm, configure the Amazon CloudWatch notification settings in the resource.
- (vi) Deploying AWS WAF rules
It's also important to take advantage of security automation templates and set up rules in your AWS WAF. Using it together with AWS WAF, it will be able to take care of not only DDoS attacks, but also other attacks such as SQL injection, etc. against the L7 layer.
- (vii) Monitoring the global threat environment dashboard
For AWS Shield, monitoring is also important. The Global Threat Environment Dashboard provides a near real-time overview of the threat landscape, including the largest attacks, the top attack vectors, and the relative number of critical attacks.
- (i) Activating AWS Shield Advanced
-
-
2. AWS Shield pricing
The AWS Shield Standard is free and Advanced is paid. The monthly fee for Advanced is about US$ 3,000.
In addition, there are usage fees that apply based on the amount of data transferred from Amazon CloudFront, Elastic Load Balancing (ELB), Amazon Elastic Compute (EC2), Amazon Route 53, and AWS Global Accelerator.
-
3. Conclusion
If you are an AWS user, you can use the standard features of AWS Shield for free, easing your DDoS fears. And if you want a higher level of DDoS support, you can sign up for Advanced Type to provide DDoS protection and support for L7 layer, as well as to cover the massive billing caused by attacks. Please select the appropriate one based on your environment and requirements.