Security, Identity & Compliance | AWS Shield Flashcards

1
Q

What is AWS Shield?

General

AWS Shield | Security, Identity & Compliance

A

AWS Shield is a managed service that provides protection against DDoS attacks for web applications running on AWS. AWS Shield Standard is available to all AWS customers at no additional cost. AWS Shield Advanced is an optional paid service available to AWS Business Support and AWS Enterprise Support customers. AWS Shield Advanced provides additional protections against larger and more sophisticated attacks for your applications running on Elastic Load Balancing (ELB), Amazon CloudFront and Route 53.

2
Q

What is AWS Shield Standard?

General

A

AWS Shield Standard provides protection for all AWS customers against common and most frequently occurring Infrastructure (layer 3 and 4) attacks like SYN/UDP Floods, Reflection attacks, and others to support high availability of your applications on AWS.

3
Q

What is AWS Shield Advanced?

General

A

AWS Shield Advanced provides enhanced protections for your applications running on Elastic Load Balancing (ELB), Amazon CloudFront and Route 53 against larger and more sophisticated attacks. AWS Shield Advanced is available to AWS Business Support and AWS Enterprise Support customers. AWS Shield Advanced protection provides always-on, flow-based monitoring of network traffic and active application monitoring to provide near real-time notifications of DDoS attacks. AWS Shield Advanced also gives customers highly flexible controls over attack mitigations to take actions instantly. Customers can also engage the DDoS Response Team (DRT) 24x7 to manage and mitigate their application layer DDoS attacks. The DDoS cost protection feature of AWS Shield Advanced protects your AWS bill against higher fees due to Elastic Load Balancing (ELB), Amazon CloudFront and Amazon Route 53 usage spikes during a DDoS attack.

4
Q

What is DDoS cost protection?

General

A

AWS Shield Advanced includes DDoS cost protection, a safeguard from scaling charges as a result of a DDoS attack that causes usage spikes on Elastic Load Balancing (ELB), Amazon CloudFront or Amazon Route 53. If any of these services scale up in response to a DDoS attack, you can request credits via the regular AWS Support channel.

5
Q

Can I use AWS Shield to protect web sites not hosted in AWS?

General

A

Yes, AWS Shield is integrated with Amazon CloudFront, which supports custom origins outside of AWS. The protection only covers traffic that reaches the origin through CloudFront, so restrict the origin to accept requests from CloudFront alone (for example, by allow-listing the published CloudFront IP ranges and requiring a secret custom origin header); otherwise an attacker who discovers the origin's address can bypass the distribution entirely.
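The origin-side check described above, as an added example (not code from the AWS FAQ or from AWS). AWS publishes its address ranges at https://ip-ranges.amazonaws.com/ip-ranges.json, where entries tagged "service": "CLOUDFRONT" are the edge ranges; the JSON embedded here is a constructed excerpt in that file's layout using documentation prefixes, not real AWS ranges, and the header name x-origin-verify and its secret value are assumptions for illustration.

```python
"""Allow-list check for a custom origin fronted by Amazon CloudFront.

Added example. Shield protection applies to traffic that passes through
CloudFront, so the origin rejects anything that does not arrive from a
CloudFront edge range AND carry the secret header the distribution adds.
"""
import hmac
import ipaddress
import json

# Constructed excerpt in the ip-ranges.json layout (documentation prefixes,
# not real AWS ranges); the real file has thousands of entries.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2000-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.0/26", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:cf00::/40", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ipv6_prefix": "2001:db8:ec2::/48", "region": "us-east-1", "service": "EC2"},
    ],
})


def cloudfront_networks(ip_ranges_json):
    """Return the CloudFront edge networks (IPv4 and IPv6) from ip-ranges.json text."""
    data = json.loads(ip_ranges_json)
    nets = [ipaddress.ip_network(p["ip_prefix"])
            for p in data["prefixes"] if p["service"] == "CLOUDFRONT"]
    nets += [ipaddress.ip_network(p["ipv6_prefix"])
             for p in data["ipv6_prefixes"] if p["service"] == "CLOUDFRONT"]
    return nets


def is_from_cloudfront(client_ip, networks):
    """True if the connecting address falls inside any CloudFront edge range."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def origin_should_accept(client_ip, headers, networks, shared_secret):
    """Per-request decision at the origin.

    Two independent checks: the peer address must be a CloudFront edge, and the
    request must carry the custom origin header configured on the distribution
    (header name "x-origin-verify" is an assumption). The secret comparison is
    constant-time so the header value cannot be guessed byte by byte.
    """
    ip_ok = is_from_cloudfront(client_ip, networks)
    header_ok = hmac.compare_digest(headers.get("x-origin-verify", ""), shared_secret)
    return ip_ok and header_ok


if __name__ == "__main__":
    nets = cloudfront_networks(SAMPLE_IP_RANGES)
    print(origin_should_accept("203.0.113.9", {"x-origin-verify": "s3cret"}, nets, "s3cret"))
    print(origin_should_accept("192.0.2.5", {"x-origin-verify": "s3cret"}, nets, "s3cret"))
```

In production the allow-list must be refreshed whenever AWS updates ip-ranges.json (AWS announces changes via an SNS topic), and the header check is what keeps another CloudFront customer's distribution from being pointed at your origin, since the IP ranges are shared by all CloudFront tenants.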

6
Q

Can I use IPv6 with all AWS Shield features?

General

A

Yes. All of AWS Shield's detection and mitigations work with IPv6 and IPv4 without any discernible changes to performance, scalability or availability of the service.

7
Q

Are there any pre-requisites to activate AWS Shield Advanced?

General

A

Yes. The AWS Account you want to subscribe for AWS Shield Advanced must have AWS Business Support or AWS Enterprise Support. See AWS Support website for more details on support plans.

8
Q

How can I test AWS Shield?

General

A

AWS Acceptable Use Policy describes permitted and prohibited behavior on AWS and includes descriptions of prohibited security violations and network abuse. However, because penetration testing and other simulated events are frequently indistinguishable from these activities, we have established a policy for customers to request permission to conduct penetration tests and vulnerability scans to or originating from the AWS environment. Visit our Penetration testing page to request permissions.

9
Q

In which AWS regions is AWS Shield Standard available?

General

A

AWS Shield Standard is available on all AWS services in every AWS Region and AWS edge location worldwide.

Please refer to Regional Products and Services for details of AWS Shield Standard availability by region.

10
Q

In which AWS regions is AWS Shield Advanced available?

General

A

AWS Shield Advanced is available globally on all Amazon CloudFront and Amazon Route 53 edge locations worldwide. You can protect your web applications hosted anywhere in the world by deploying Amazon CloudFront in front of your application. Your origin servers can be Amazon S3, Amazon EC2, Elastic Load Balancing, or a custom server outside of AWS. You can also enable AWS Shield Advanced directly on Elastic Load Balancing in the following AWS Regions - Northern Virginia, Northern California, Oregon, Ireland, and Tokyo.

Please refer to Regional Products and Services for details of AWS Shield Advanced availability by region.

11
Q

Is AWS Shield HIPAA eligible?

Configuring Protections

A

Yes, AWS has expanded its HIPAA compliance program to include AWS Shield as a HIPAA eligible service. If you have an executed Business Associate Agreement (BAA) with AWS, you can use AWS Shield to safeguard your web applications running on AWS from Distributed Denial of Service (DDoS) attacks. For more information, see HIPAA Compliance.

12
Q

What types of attacks can AWS Shield help me stop?

Configuring Protections

A

AWS Shield helps protect your website from the main classes of DDoS attack: infrastructure layer attacks (like UDP floods), state exhaustion attacks (like TCP SYN floods), and application layer attacks (like HTTP GET or POST floods). See the AWS WAF and AWS Shield Advanced Developer Guide for examples.

13
Q

What types of attacks can AWS Shield Standard help protect me from?

Configuring Protections

A

AWS Shield Standard automatically provides protection for web applications running on AWS against the most common, frequently occurring Infrastructure layer attacks like UDP floods, and State exhaustion attacks like TCP SYN floods. Customers can also use AWS WAF to protect against Application layer attacks like HTTP POST or GET floods. Find more details on how to deploy application layer protections in the AWS WAF and AWS Shield Advanced Developer Guide.

14
Q

How many resources can I enable for AWS Shield Standard protection?

Configuring Protections

A

There is no limit on the number of resources subject to AWS Shield Standard protection. You can get the full benefits of AWS Shield Standard protections by following the best practices of DDoS resiliency on AWS.

15
Q

How many resources can I enable for AWS Shield Advanced protection?

Configuring Protections

A

You can enable up to 100 AWS resources (e.g., load balancers, Amazon CloudFront distributions, Amazon Route 53 delegation sets) for AWS Shield Advanced protection. If you want to enable more than 100, you can request a limit increase by creating an AWS Support case.

16
Q

Can I activate AWS Shield Advanced protection via API?

Configuring Protections

A

Yes. AWS Shield Advanced can be activated via APIs. You can also add or remove AWS resources from AWS Shield Advanced protection via APIs.
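An added example of doing this through the API (not code from the AWS FAQ or from AWS), covering both this card and the 100-resource limit from the previous one. It uses the real boto3 'shield' operations create_subscription, list_protections and create_protection. The ARN patterns, the protection-name prefix and the sample ARNs are assumptions; Route 53 resources are passed as hosted-zone ARNs, which is the form the Shield API accepts; the default limit of 100 is the figure the FAQ states.

```python
"""Enable AWS Shield Advanced protection on a list of resources via the API.

Added example. The planning helpers (eligibility, de-duplication, limit check)
run offline; only enable_shield_advanced() talks to AWS.
"""
import re

DEFAULT_PROTECTION_LIMIT = 100  # per-account default stated in the FAQ

# Resource types the FAQ lists as protectable, recognised by ARN shape
# (assumption: Route 53 resources are given as hosted-zone ARNs).
_ELIGIBLE_ARN = re.compile(
    r"^arn:aws:(?:"
    r"elasticloadbalancing:[a-z0-9-]+:\d{12}:loadbalancer/.+"
    r"|cloudfront::\d{12}:distribution/[A-Z0-9]+"
    r"|route53:::hostedzone/[A-Z0-9]+"
    r")$"
)


def eligible(arn):
    """True if the ARN names a load balancer, CloudFront distribution or hosted zone."""
    return _ELIGIBLE_ARN.match(arn) is not None


def protection_name(arn, prefix="shield-adv"):
    """Derive a protection name (letters, digits, '.', '-', '_', max 128 chars) from an ARN."""
    resource = arn.split(":", 5)[-1]                 # everything after the account field
    safe = re.sub(r"[^A-Za-z0-9._-]", "-", resource)
    return f"{prefix}-{safe}"[:128]


def plan_protections(requested, already_protected=(), limit=DEFAULT_PROTECTION_LIMIT):
    """Decide what to submit before touching the API.

    Returns (to_protect, rejected): ineligible ARNs are rejected, ARNs that are
    already protected are skipped, and exceeding the limit raises rather than
    partially applying the change.
    """
    protected = set(already_protected)
    to_protect, rejected = [], []
    for arn in dict.fromkeys(requested):             # de-duplicate, keep order
        if not eligible(arn):
            rejected.append(arn)
        elif arn not in protected:
            to_protect.append(arn)
    if len(protected) + len(to_protect) > limit:
        raise ValueError(
            f"{len(protected) + len(to_protect)} protections would exceed the limit of "
            f"{limit}; request a limit increase through an AWS Support case first"
        )
    return to_protect, rejected


def enable_shield_advanced(requested, region_name="us-east-1"):
    """Subscribe the account (a one-year commitment) and protect the eligible ARNs."""
    import boto3  # imported here so the helpers above work without boto3 installed

    shield = boto3.client("shield", region_name=region_name)  # Shield is a global service served from us-east-1
    try:
        shield.create_subscription()
    except shield.exceptions.ResourceAlreadyExistsException:
        pass                                          # account is already subscribed

    existing, kwargs = [], {}
    while True:                                       # ListProtections is paginated
        page = shield.list_protections(**kwargs)
        existing.extend(p["ResourceArn"] for p in page.get("Protections", []))
        if "NextToken" not in page:
            break
        kwargs["NextToken"] = page["NextToken"]

    to_protect, rejected = plan_protections(requested, existing)
    created = {}
    for arn in to_protect:
        resp = shield.create_protection(Name=protection_name(arn), ResourceArn=arn)
        created[arn] = resp["ProtectionId"]
    return created, rejected


if __name__ == "__main__":
    # Placeholder ARNs: the account id and resource ids are made up.
    sample = [
        "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/50dc6c495c0c9188",
        "arn:aws:cloudfront::123456789012:distribution/E1A2B3C4D5E6F7",
        "arn:aws:route53:::hostedzone/Z0123456789ABCDEFGHIJ",
        "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0",  # not protectable by Shield Advanced here
    ]
    print(plan_protections(sample))
```

Calling create_subscription is the step that commits the account to the subscription fee, so run the planning step first and treat a ValueError from the limit check as a signal to open the limit-increase case before subscribing rather than after.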

17
Q

How quickly are attacks mitigated?

Responding to Attacks

A

Typically, 99% of infrastructure layer attacks detected by AWS Shield are mitigated in less than 1 second for attacks on Amazon CloudFront and Amazon Route 53, and less than 5 minutes for attacks on Elastic Load Balancing. The remaining 1% of infrastructure attacks are typically mitigated in under 20 minutes. Application layer attacks are mitigated by writing rules on AWS WAF, which are inspected and mitigated inline with incoming traffic.

18
Q

What tools does AWS Shield Standard provide me to mitigate DDoS attacks?

Responding to Attacks

A

AWS Shield Standard automatically protects your web applications running on AWS against the most common, frequently occurring DDoS attacks. You can get the full benefits of AWS Shield Standard by following the best practices of DDoS resiliency on AWS.

19
Q

What tools does AWS Shield Advanced provide me to mitigate DDoS attacks?

Responding to Attacks

A

AWS Shield Advanced manages mitigation of layer 3 and layer 4 DDoS attacks. This means that your designated web applications are protected from attacks like UDP floods or TCP SYN floods. In addition, for application layer (layer 7) attacks, you can use AWS WAF to apply your own mitigations, or you can engage the 24x7 AWS DDoS Response Team (DRT), who can write rules on your behalf to mitigate layer 7 DDoS attacks.
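The layer 7 mitigation that cards 13, 17 and this one defer to AWS WAF is, in the common case, a rate-based rule. As an added example (not code from the AWS FAQ or from AWS), the block below runs the semantics of such a rule, requests per client IP over a trailing 5-minute window, against constructed access-log lines and emits the WAFv2 rule JSON that would enforce the same threshold. The log format ("<ISO timestamp> <client ip> <method> <path>"), the addresses, and the limit of 100 are illustrative assumptions.

```python
"""Find clients flooding a web front end, with the semantics of an AWS WAF rate-based rule.

Added example. A rate-based rule counts each client IP's requests over a
trailing 5-minute window and blocks the IP while the count is above the limit.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # the rate-based rule's evaluation window


def _build_sample_log():
    """Constructed log: one client hammering /login, one browsing normally."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    lines = [f"{(base + timedelta(seconds=i / 2)).isoformat()} 203.0.113.10 GET /login"
             for i in range(150)]                                   # 150 requests in 75 s
    lines += [f"{(base + timedelta(minutes=2 * i)).isoformat()} 198.51.100.7 GET /"
              for i in range(6)]                                    # 6 requests over 10 min
    return lines


SAMPLE_LOG = _build_sample_log()


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, method, path)."""
    ts, ip, method, path = line.split()
    return datetime.fromisoformat(ts), ip, method, path


def find_flooding_ips(lines, limit, window=WINDOW):
    """Return {ip: first time its request count in the trailing window exceeded limit}."""
    events = sorted(parse_line(line) for line in lines)   # timestamp first, so sorts by time
    recent = defaultdict(deque)                           # per-IP timestamps inside the window
    flagged = {}
    for ts, ip, _method, _path in events:
        window_hits = recent[ip]
        window_hits.append(ts)
        while ts - window_hits[0] > window:               # drop requests older than the window
            window_hits.popleft()
        if len(window_hits) > limit and ip not in flagged:
            flagged[ip] = ts
    return flagged


def rate_based_rule(limit, name="L7FloodPerIP", priority=0):
    """WAFv2 web ACL rule (one entry of 'Rules') enforcing the same per-IP threshold."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,       # lets you inspect which requests matched
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


if __name__ == "__main__":
    import json
    offenders = find_flooding_ips(SAMPLE_LOG, limit=100)
    for ip, first_seen in offenders.items():
        print(f"{ip} exceeded 100 requests per 5 minutes at {first_seen.isoformat()}")
    print(json.dumps(rate_based_rule(100), indent=2))
```

Running the offline detector over your own access logs before deploying the rule is a cheap way to pick a limit that catches the flood without blocking legitimate bursts; start the WAF rule with "Action": {"Count": {}} instead of Block to measure it in production first.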

20
Q

How can I contact the AWS DDoS Response Team?

Responding to Attacks

A

You can engage the AWS DDoS Response Team (DRT) by opening a case through your regular AWS Support channel.

21
Q

How quickly can I engage the AWS DDoS Response Team (DRT)?

Visibility and Reporting

A

Response times for the DRT depend on the AWS Support plan you are subscribed to. AWS will make every reasonable effort to respond to your initial request within the corresponding timeframes. See the AWS Support website for more details about AWS Support plans.

22
Q

Does AWS Shield notify me when attacks happen?

Visibility and Reporting

A

Yes. With AWS Shield Advanced you will get notification of DDoS attacks via Amazon CloudWatch metrics (the DDoSDetected metric in the AWS/DDoSProtection namespace), on which you can set CloudWatch alarms.

23
Q

How quickly will I get an attack notification?

Visibility and Reporting

A

Typically, AWS Shield Advanced provides notification of an attack within a few minutes of attack detection.

24
Q

Can I get a history of all DDoS attacks on my AWS resources?

Visibility and Reporting

A

Yes. With AWS Shield Advanced you will be able to see the history of all incidents in the trailing 13 months.

25
Q

How can I see if my AWS WAF rules are working?

Billing

A

AWS WAF includes two different ways to see how your website is being protected: one-minute metrics in Amazon CloudWatch, and Sampled Web Requests in the AWS WAF API or management console. These let you see which requests were blocked, allowed, or counted and which rule matched a given request (e.g., this web request was blocked because it matched an IP address condition). For more information see the AWS WAF and AWS Shield Advanced Developer Guide.

26
Q

How am I charged for AWS Shield Standard?

Billing

A

AWS Shield Standard is built into the AWS services that you already use for your web applications. There are no additional costs for AWS Shield Standard.

27
Q

How am I charged for AWS Shield Advanced?

Billing

A

With AWS Shield Advanced, you pay a monthly fee of $3,000 (the subscription carries a one-year commitment). In addition, you pay Data Transfer usage fees for the AWS resources enabled for advanced protection. AWS Shield Advanced charges are in addition to the standard fees for Elastic Load Balancing (ELB), Amazon CloudFront and Amazon Route 53. Please see the AWS Shield Pricing page for more details.