AWS Shield

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS.

It comes in two tiers: Shield Standard and Shield Advanced.

1. AWS Shield Standard

AWS Shield Standard is automatically enabled for all AWS customers at no additional cost.

  1. Features:
    1. Basic protection against the most common, frequently occurring network- and transport-layer DDoS attacks (Layer 3 and Layer 4).
    2. Protects workloads served through Amazon CloudFront or Route 53 without additional setup.
    3. Enabled by default for all AWS resources.
  2. Limitations:
    1. Does not include application-layer (Layer 7) protection.
    2. No advanced analytics, reporting, or cost protection for scaling during an attack.

2. AWS Shield Advanced

  1. Features:
    1. Incurs additional cost and must be explicitly enabled on specific resources.
    2. Covers network (Layer 3), transport (Layer 4), and application layer (Layer 7) attacks.
    3. 24/7 access to the AWS DDoS Response Team (DRT) for attack mitigation.
    4. Real-time visibility into attacks through detailed metrics and reports in the AWS Management Console.
    5. Automatic application-layer (Layer 7) DDoS detection and mitigation through AWS WAF integration.
    6. Integrates with AWS Firewall Manager for centralized management of DDoS protections across your accounts and resources.
  2. Limitations:
    1. Does not protect resources hosted outside of AWS.
    2. Protects only against DDoS attacks; it does not protect against cross-site scripting or SQL injection.

Question: AWS Shield Advanced

A company is preparing to launch a public-facing web application in the AWS Cloud. The architecture consists of Amazon EC2 instances within a VPC behind an Elastic Load Balancer (ELB). A third-party service is used for DNS. The company's solutions architect must recommend a solution to detect and protect against large-scale DDoS attacks. Which solution meets these requirements?

  1. Enable Amazon GuardDuty on the account.
  2. Enable Amazon Inspector on the EC2 instances.
  3. Enable AWS Shield and assign Amazon Route 53 to it.
  4. Enable AWS Shield Advanced and assign the ELB to it. (Correct Answer)
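The correct answer turns on one practical detail: Shield Advanced protections are attached per resource, and only certain resource types can be attached (CloudFront distributions, Route 53 hosted zones, Global Accelerator accelerators, Application and Classic Load Balancers, and Elastic IP addresses; a Network Load Balancer is covered through its Elastic IP). The script below is an added example, not part of the original notes or any AWS code: it checks whether a resource ARN is one Shield Advanced can protect and prints the AWS CLI command that would attach the protection. All ARNs, account IDs and names are constructed sample values; the commands are printed, not executed.

```bash
#!/bin/sh
# Added example (not from the page): decide whether a resource ARN is a type
# that AWS Shield Advanced can protect directly, and emit the CLI command to
# attach a protection to it. Sample ARNs below are constructed values.

# shield_protectable ARN -> exit 0 if Shield Advanced can protect it directly,
# 1 otherwise. Patterns are matched in order; the first match wins.
shield_protectable() {
  case "$1" in
    arn:aws:cloudfront::*:distribution/*)                  return 0 ;; # CloudFront distribution
    arn:aws:route53:::hostedzone/*)                         return 0 ;; # Route 53 hosted zone
    arn:aws:globalaccelerator::*:accelerator/*)             return 0 ;; # Global Accelerator
    arn:aws:ec2:*:eip-allocation/eipalloc-*)                return 0 ;; # Elastic IP (also how an NLB is covered)
    arn:aws:elasticloadbalancing:*:loadbalancer/app/*)      return 0 ;; # Application Load Balancer
    arn:aws:elasticloadbalancing:*:loadbalancer/net/*)      return 1 ;; # NLB: protect its Elastic IP instead
    arn:aws:elasticloadbalancing:*:loadbalancer/*)          return 0 ;; # Classic Load Balancer (no type prefix)
    *)                                                      return 1 ;; # anything else (or non-AWS resources)
  esac
}

# shield_protect_cmd NAME ARN -> prints the "aws shield create-protection"
# command for a protectable ARN; fails without printing for anything else.
shield_protect_cmd() {
  name="$1"; arn="$2"
  if shield_protectable "$arn"; then
    printf 'aws shield create-protection --name %s --resource-arn %s\n' "$name" "$arn"
  else
    echo "Shield Advanced cannot be attached to this resource: $arn" >&2
    return 1
  fi
}

# Usage with constructed values: the ELB from the exam scenario, and a Route 53
# hosted zone, which in the scenario does not exist because DNS is third-party.
shield_protect_cmd web-alb \
  "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/web-alb/50dc6c495c0c9188"
shield_protect_cmd web-nlb \
  "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/web-nlb/a1b2c3d4e5f60718" || true
```

Before the first `create-protection` the account must hold a Shield Advanced subscription (`aws shield create-subscription`); the DNS answer options in the question would only apply if the hosted zone were in Route 53, which the scenario rules out.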