Shield
💡 Definition
AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency.
🔑 Key Concepts
- DDoS Protection: Protects against common network and transport layer (Layer 3 and 4) DDoS attacks.
- Always-On: Continuously monitors traffic for DDoS patterns.
- Two Tiers:
  - Standard: Included with all AWS accounts (always-on detection and inline mitigation).
  - Advanced: Paid service with enhanced protection for applications, near real-time visibility into attacks, and access to the AWS DDoS Response Team.
- Integration: Works with CloudFront, Route 53, and Elastic Load Balancing.
⚙️ How it Works
Shield operates transparently, inspecting incoming network traffic. When a DDoS attack is detected, it automatically applies mitigations to absorb and filter out malicious traffic, allowing legitimate traffic to reach your applications.
🎯 Use Cases
- Protecting Public-Facing Applications: Websites, APIs, and other internet-facing services.
- Maintaining Uptime: Ensuring applications remain available during attacks.
💰 Pricing Model
- Standard: Included free for all AWS customers.
- Advanced: Additional monthly fee, plus data transfer charges for services under protection.
📝 Exam Tips (CLF-C02)
- Shield is AWS's primary DDoS protection service.
- Standard tier is free and provides basic protection.
- Advanced tier provides higher-level protection and access to experts.
- Protects against Layer 3 and 4 attacks (WAF protects Layer 7).
See Also:
- WAF
- CloudFront
- Load Balancer