AWS Shield: How to Set Up and Use Amazon’s DDoS Protection Service

Distributed Denial of Service (DDoS) attacks continue to be a serious problem for organizations online. DDoS extortion is rampant; attackers bring down a victim’s web applications with overwhelming floods of traffic, and then demand payments in cryptocurrency. Some attacks are not intended to produce financial gain; instead, the attacker seeks revenge, or wants to make a political statement. Other DDoS attacks occur seemingly at random, with no obvious reason. Whatever the attacker’s motivation, DDoS attack protection is one of the top security concerns on the web today, as disruption of availability can lead to financial losses, reputational damage, and other unwelcome consequences.

As a result of this, a number of solutions for DDoS mitigation are available. In this article, we’ll discuss how to set up and use AWS Shield, which is an important part of AWS cloud security.

DDoS Protection with AWS Shield

AWS Shield is a managed service for protecting AWS-hosted applications from DDoS attacks. AWS Shield inspects traffic in real time and automatically implements mitigation techniques to avoid negative impacts on performance. It uses a multivariate approach (based on traffic signatures, anomaly algorithms, packet filtering, and other techniques) to quickly inspect incoming requests and block malicious traffic. Amazon notes that “Automatic mitigations are applied inline to protect AWS services, so there is no latency impact.”

There are two types of AWS Shield: AWS Shield Standard (the free version) and AWS Shield Advanced (paid).

AWS Shield Standard is available to all AWS customers and focuses on layer 3 and 4 attacks, while AWS Shield Advanced covers layer 7 attacks as well. The resource types that AWS Shield Advanced supports are Amazon CloudFront distributions, Amazon Route 53 hosted zones, AWS Global Accelerators, Application Load Balancers, Classic Load Balancers (ELB), and Amazon EC2 instances (protected through their Elastic IP addresses).

Is AWS Shield Advanced for You? 

AWS Shield Standard protects against network and transport layer DDoS attacks aimed at AWS resources. It is available free of charge to AWS customers, which can seem compelling.

However, Shield Advanced offers considerably stronger security. This includes more sophisticated attack detection (based on application traffic patterns and health checks), deeper visibility, specialized support (for Business and Enterprise support customers) from the AWS Shield Response Team, DDoS cost protection, and the use (for no additional charge) of AWS Firewall Manager, which offers a number of additional benefits.

For most organizations with a significant online presence, AWS Shield Advanced will be the preferred choice, because it provides:

  • Threat mitigation for both infrastructure and application-layer attacks
  • In-depth attack visibility
  • Better resource protection
  • DDoS cost protection (which offers service credits to compensate for resource scaling during an attack)

How to Set Up AWS Shield Advanced

Deploying AWS Shield Advanced is straightforward. First, log into the AWS Management Console to subscribe.

You will then be directed to the management console, where you should search for “WAF” in the top search bar so that “WAF & Shield” is shown.

Click on “Subscribe to Shield Advanced” on the right side of the page.

Next, you will see a page with the service terms. You need to accept all of these to enable the “Subscribe to Shield Advanced” button.

Note: If your organization maintains multiple AWS accounts, you will need to follow the above steps separately for each.

Selecting Resources to Protect 

This step is required unless you have already created a Shield Advanced policy through AWS Firewall Manager. Also, if you intend to protect EC2 instances, associate an Elastic IP address with each instance first: Shield Advanced protects the Elastic IP itself, so protection applies to whatever resource that Elastic IP is associated with.

After subscribing, click “Add resources to protect” (or choose “Protected resources” from the navigation bar and then select “Add resources to protect”).

Now choose the regions and resource types in the “Choose resources to protect with Shield Advanced” section, click “Load resources,” select the resources you want, and then click “Protect with Shield Advanced.”

Set Up Layer 7 DDoS Mitigation

This step is optional, but recommended.

If you have not used AWS Firewall Manager to create the AWS Shield Advanced policy, configure rate-based rules in a web ACL. On the “Configure layer 7 DDoS mitigation” page, you can create a web ACL for this purpose. Layer 7 mitigation is configured per region for the resources you selected.

Final Review 

There are two optional steps before you enable AWS Shield. You can configure health check-based DDoS detection if you wish to refine your event responsiveness. Or, click “Next” to create alarms and notifications. 

Afterwards, keep selecting “Next” until you land in “Review and configure DDoS mitigation and visibility” to review your settings, then click on “Finish configuration.”
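The resource-selection and layer 7 steps above can also be driven from the AWS CLI. The following is an added example (not code from the article, Reblaze or AWS) that builds the JSON request bodies for `aws shield create-protection` and `aws wafv2 create-web-acl` (passed with `--cli-input-json`); it enforces the Elastic IP requirement for EC2 instances, and the account ids, ARNs and rule names are constructed sample values.

```python
# Added example (not from the article, Reblaze or AWS): builds the JSON that
# `aws shield create-protection` / `aws wafv2 create-web-acl` accept offline.
import re

# ARN shapes for the five resource types Shield Advanced protects. A plain EC2
# instance ARN is absent on purpose: the Elastic IP allocation is what Shield
# protects, so an instance must have an Elastic IP associated first.
PROTECTABLE = {
    "cloudfront": r"^arn:aws:cloudfront::\d{12}:distribution/",
    "route53": r"^arn:aws:route53:::hostedzone/",
    "globalaccelerator": r"^arn:aws:globalaccelerator::\d{12}:accelerator/",
    "elb": r"^arn:aws:elasticloadbalancing:[a-z0-9-]+:\d{12}:loadbalancer/",
    "eip": r"^arn:aws:ec2:[a-z0-9-]+:\d{12}:eip-allocation/eipalloc-",
}

SAMPLE_ARNS = [  # constructed sample input (fake account id and ids)
    "arn:aws:ec2:us-east-1:123456789012:eip-allocation/eipalloc-0abc",
    "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc",
    "arn:aws:cloudfront::123456789012:distribution/E1ABC",
]

def classify(arn):
    """Shield resource type for an ARN, or None if Shield cannot protect it."""
    return next((k for k, p in PROTECTABLE.items() if re.match(p, arn)), None)

def protection_requests(arns):
    """One create-protection input per eligible ARN, plus skip reasons."""
    requests, skipped = [], {}
    for arn in arns:
        kind = classify(arn)
        if kind is None:  # an EC2 instance needs an Elastic IP first
            skipped[arn] = ("attach an Elastic IP and protect its allocation ARN"
                            if ":instance/" in arn else "unsupported resource type")
            continue
        requests.append({"Name": f"shield-{kind}-{arn.rsplit('/', 1)[-1]}",
                         "ResourceArn": arn})
    return requests, skipped

def rate_limit_web_acl(name, scope, limit):
    """create-web-acl input with one rate-based rule blocking a source IP that
    exceeds `limit` requests per 5-minute window; scope REGIONAL or CLOUDFRONT."""
    if scope not in ("REGIONAL", "CLOUDFRONT") or limit <= 0:
        raise ValueError("scope must be REGIONAL or CLOUDFRONT and limit > 0")
    vis = lambda m: {"SampledRequestsEnabled": True,
                     "CloudWatchMetricsEnabled": True, "MetricName": m}
    rule = {"Name": f"{name}-rate", "Priority": 0, "Action": {"Block": {}},
            "Statement": {"RateBasedStatement": {"Limit": limit,
                                                 "AggregateKeyType": "IP"}},
            "VisibilityConfig": vis(f"{name}-rate")}
    return {"Name": name, "Scope": scope, "DefaultAction": {"Allow": {}},
            "Rules": [rule], "VisibilityConfig": vis(name)}
```

Write each dict out with `json.dump` to a file and pass it with `--cli-input-json file://...`; the web ACL still has to be associated with the protected ALB or CloudFront distribution afterwards.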

Configuring Support

Merely having a subscription is not enough to receive all the benefits of AWS Shield, such as assistance from the AWS Shield Response Team (SRT), which can offer direct help during an attack (including proactive event response, meaning the team begins mitigating an attack as soon as it is detected). For SRT support, you need to sign up for Business or Enterprise support.

Things to Consider Before Purchasing AWS Shield

We’ve seen that AWS Shield can offer a number of benefits, and is straightforward to set up within an AWS account. However, there are some limitations that need to be evaluated before purchasing this service.

As noted earlier, AWS Shield Standard is free, and provides mitigation for basic layer 3 and 4 attacks, but it will not provide sufficient protection for most AWS customers. Therefore, the rest of this section will discuss AWS Shield Advanced.

Vendor Lock-in

AWS Shield Advanced only protects AWS resources (and further, they must be directly owned and managed by the subscribing AWS Account holder). However, many organizations today are moving to a hybrid or multi-cloud architecture. 

Subscription Commitment

AWS Shield Advanced has a minimum commitment period of one year. 

Fixed Price

Unlike most AWS offerings, Shield Advanced is not flexible and does not offer a “pay as you go” pricing model. Regardless of your type of business, there is a set monthly charge of $3,000 for all customers, a fee that some organizations find difficult to swallow. The pricing page also shows that, on top of the monthly fee, there are additional usage fees for protected CloudFront, Elastic Load Balancing (ELB), Amazon Route 53, and other resources.

Resource Limitation

For Shield Advanced, you can only monitor and protect up to 1,000 resources for each of the five resource types (ELB load balancers, EC2 Elastic IP addresses, CloudFront distributions, Route 53 hosted zones, and Global Accelerators). To enable more, you must contact support.

Constraints in Web Application Mitigation

Although AWS Shield has strong automated capabilities for DDoS attack mitigation on network and transport layers, it is weaker against application-layer attacks (such as bad bots). For these, customers need to apply AWS WAF rules.

Additional Support Package

To receive 24/7 SRT support, you must already be an existing customer with a Business or Enterprise support plan. If you have a different support plan, you will not be eligible for SRT support.

No Trial Period 

A trial period is always helpful when evaluating a product, but AWS Shield Advanced does not offer this.

Larger Issues to Consider

The threat environment today is broad and diverse, and comprises much more than just DDoS attacks. Although AWS Shield provides the benefits that it promises, it does not provide full protection.

Even when you consider all of AWS’s security tools combined—including AWS Shield Advanced, AWS WAF, Firewall Manager, and so on—they do not provide comprehensive web security. For example, AWS WAF:

  • Does not include self-learning mechanisms such as machine learning.
  • Does not include mobile or API security. (To compensate, users must manually create a complex framework of additional services, such as Amplify, Lambda, and API Gateway, which is challenging and creates further vendor lock-in.)
  • Provides only rudimentary bot protection, based on elementary techniques such as honeypots and a reputation database. AWS WAF does not offer basic capabilities such as device fingerprinting, device analytics, or JavaScript challenges, nor advanced features such as UEBA (User and Entity Behavior Analytics).

AWS customers should consider augmenting these native tools with Reblaze. Reblaze converts AWS WAF and AWS Shield into an autonomous system which reacts immediately to every type of attack, and continually adapts to the changing Internet threat environment. It’s an important part of securely using AWS.

Reblaze is a comprehensive web security solution, providing next-generation WAF security, DDoS protection, industry-leading bot detection & management, precise ACL, real time reporting, full traffic transparency, API security, ATO (Account Takeover) prevention, and more, all fully integrated with (and running natively on) AWS.

It runs natively on your clouds of choice, in any combination, across multiple regions. And as a fully managed solution, Reblaze is updated automatically as new threats emerge. Your protection is always up-to-date, and always effective.

For more information about Reblaze, contact us here.
