
AWS Shield (DDoS Protection)

A DDoS attack (Distributed Denial of Service — when many machines flood your service with traffic so real users can’t get through) is one of the oldest and most common threats on the internet. AWS Shield is the managed service that absorbs and blocks this traffic for you. It comes in two tiers: Shield Standard, which is on by default and free for every AWS customer, and Shield Advanced, a paid add-on for high-profile targets that need guarantees and a dedicated response team. This page explains the difference so you don’t pay for protection you already have.

What a DDoS attack actually is

Attacks are grouped by the network “layer” they hit:

  • Layer 3 / 4 (network and transport) — floods of raw packets, like a SYN flood or a UDP reflection attack. The goal is to saturate your bandwidth or connection table so nothing else can connect. These attacks do not care what your application does.
  • Layer 7 (application) — floods of valid-looking requests, like thousands of HTTP GETs to an expensive search endpoint. Each request looks normal, but together they exhaust your servers.

This split matters because Shield Standard handles only layer 3/4. Application-layer floods are the job of AWS WAF (Web Application Firewall), a separate service that inspects HTTP requests. Shield Advanced adds layer 7 attack detection and can push mitigations into a WAF web ACL automatically, but it still needs WAF in front of the resource to act on them.

Shield Standard (free, automatic)

Shield Standard protects every AWS customer automatically at no extra cost. There is nothing to enable, configure, or click. It continuously defends against the most common network and transport-layer attacks at the edge of the AWS network — in front of services like Amazon CloudFront (the CDN, or Content Delivery Network), Amazon Route 53 (DNS), and the Elastic Load Balancers.

When to use this: always — it is already running. For the vast majority of applications, Shield Standard is all the DDoS protection you will ever need.

Tip: Putting your app behind CloudFront and Route 53 gives you the strongest Shield Standard coverage for free, because those services sit at the AWS network edge where the largest scrubbing capacity lives.

Shield Advanced (paid)

Shield Advanced is a subscription that adds protection and guarantees on top of Standard. You pay for it when the consequences of an attack — downtime cost, bill spikes, reputation — justify the premium.

What you get:

  • Enhanced detection and mitigation for larger and more sophisticated layer 3/4 attacks, with finer-grained, application-specific mitigations, plus layer 7 attack detection and optional automatic application-layer mitigation (which requires an AWS WAF web ACL on the protected resource).
  • 24/7 access to the Shield Response Team (SRT) — AWS DDoS experts you can engage during an active attack to help build custom mitigations.
  • Cost protection: if an attack causes usage on protected resources to spike (for example Auto Scaling adding EC2 capacity behind a protected load balancer, or a surge in CloudFront or Route 53 charges), you can request service credits for those attack-related scaling charges. The credits are not applied automatically; you file the request with AWS after the event.
  • AWS WAF and AWS Firewall Manager usage for resources protected by Shield Advanced is included at no additional charge, so layer 7 defences on those resources add no WAF web ACL, rule or request fees.
  • Real-time attack visibility and detailed metrics in the Shield console and CloudWatch.

When to use this — and when NOT to:

| Situation | Use Shield Advanced? |
| --- | --- |
| Standard website or internal app | No, Shield Standard is enough |
| You want to "be safe" but have no specific need | No, you are paying for guarantees you won't use |
| High-profile brand, gaming, or fintech likely to be targeted | Yes |
| Strict uptime SLA where downtime costs real money | Yes |
| You need someone (the SRT) to call during an attack | Yes |
| You worry an attack could spike your AWS bill | Yes, cost protection covers it |

Cost warning: Shield Advanced requires a 1-year minimum commitment at 3,000 USD per month. One subscription covers every account in an AWS Organization under consolidated billing, and you also pay data transfer out usage fees on protected resources. That is at least 36,000 USD per year before data fees. Do not subscribe unless the cost protection, SRT access, or your threat profile clearly justifies it.

Standard vs Advanced vs WAF — which do I need?

| | Shield Standard | Shield Advanced | AWS WAF |
| --- | --- | --- | --- |
| Cost | Free | ~3,000 USD/mo + data transfer fees | Per web ACL + per rule + per request |
| Layer | 3 / 4 | 3 / 4 (enhanced), plus layer 7 detection and automatic mitigation through WAF | 7 (application) |
| Setup | Automatic | Subscribe + protect resources | Create web ACL + rules |
| Response team | No | Yes (SRT, 24/7) | No |
| Cost protection | No | Yes | No |
| Best for | Everyone | High-value / targeted apps | HTTP-level filtering |

How to enable Shield Advanced

Console steps

  1. Open the AWS WAF & Shield console.
  2. In the left menu under AWS Shield, choose Getting started, then Subscribe to Shield Advanced.
  3. Acknowledge the monthly fee and 1-year commitment, then choose Subscribe.
  4. Go to Protected resources and choose Add resources to protect.
  5. Select the resources to protect — for example a CloudFront distribution, an Application Load Balancer, an Elastic IP (a permanent public IP address), or a Route 53 hosted zone.
  6. (Recommended) Configure health-based detection by associating a Route 53 health check with the protection. Shield then uses the health of your application, not just traffic volume, to decide whether to mitigate, and the SRT needs it to engage proactively during an attack.

AWS CLI

Subscribe (this starts the billing commitment). Shield is a global service with a single API endpoint in us-east-1; the CLI routes shield commands there whatever your default region, and Shield's CloudWatch metrics are published in us-east-1 as well:

aws shield create-subscription

Protect a specific resource by its ARN (Amazon Resource Name — the unique ID of an AWS resource):

aws shield create-protection \
  --name "prod-alb-protection" \
  --resource-arn "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/prod-alb/0a1b2c3d4e5f"

Output:

{
    "ProtectionId": "a1b2c3d4-0a1b-2c3d-4e5f-0a1b2c3d4e5f"
}

List everything you are currently protecting:

aws shield list-protections

Output:

{
    "Protections": [
        {
            "Id": "a1b2c3d4-0a1b-2c3d-4e5f-0a1b2c3d4e5f",
            "Name": "prod-alb-protection",
            "ResourceArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/prod-alb/0a1b2c3d4e5f"
        }
    ]
}
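A guard-railed version of the CLI steps above, added here as an example and not taken from the page or from AWS. Before calling create-protection it checks that the ARN is a resource type Shield Advanced can protect (a Network Load Balancer, for instance, is protected through its Elastic IPs, not by its own ARN), it refuses to create the subscription implicitly because that call starts the billing commitment, it attaches a Route 53 health check when one is given, and it creates the DDoSDetected CloudWatch alarm recommended under Best Practices. The function names, the classification labels and the sample ARNs are the example's own; the aws subcommands and flags are real. It defaults to DRY_RUN=1 and only prints the commands it would run.

```shell
#!/usr/bin/env bash
# Added example (not from the page or AWS): guard-railed Shield Advanced onboarding.
# Shield is a global service served from us-east-1, so every call pins that region.
set -eu

SHIELD_REGION="us-east-1"
DRY_RUN="${DRY_RUN:-1}"   # print commands by default; DRY_RUN=0 executes them

# Print an aws command and execute it only when DRY_RUN=0.
run() {
  echo "+ $*" >&2
  if [ "$DRY_RUN" = "0" ]; then
    "$@"
  fi
}

# Map a resource ARN to the Shield Advanced protectable type, or "unsupported".
# Shield Advanced protects CloudFront distributions, Route 53 hosted zones,
# Global Accelerator accelerators, Application and Classic Load Balancers and
# Elastic IPs. NLBs and Gateway LBs are not protectable by their own ARN.
# The labels returned here are this example's own, not Shield terminology.
classify_arn() {
  case "$1" in
    arn:aws:cloudfront::*:distribution/*)                echo "cloudfront" ;;
    arn:aws:route53:::hostedzone/*)                      echo "route53-hosted-zone" ;;
    arn:aws:globalaccelerator::*:accelerator/*)          echo "global-accelerator" ;;
    arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*) echo "alb" ;;
    arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*) echo "unsupported" ;;
    arn:aws:elasticloadbalancing:*:*:loadbalancer/gwy/*) echo "unsupported" ;;
    arn:aws:elasticloadbalancing:*:*:loadbalancer/*)     echo "classic-elb" ;;
    arn:aws:ec2:*:*:eip-allocation/eipalloc-*)           echo "elastic-ip" ;;
    *)                                                   echo "unsupported" ;;
  esac
}

# The Shield API takes Route 53 health checks by ARN; the ARN has no region
# or account component.
health_check_arn() {
  echo "arn:aws:route53:::healthcheck/$1"
}

# Fail unless a Shield Advanced subscription already exists. This never calls
# create-subscription: that starts the 1-year, 3,000 USD/month commitment and
# should be a deliberate human step, not a side effect of a script.
require_subscription() {
  [ "$DRY_RUN" = "0" ] || return 0
  if ! aws shield describe-subscription --region "$SHIELD_REGION" >/dev/null 2>&1; then
    echo "No Shield Advanced subscription found; run 'aws shield create-subscription' deliberately first." >&2
    return 1
  fi
}

# Protect one resource, attach an optional health check, and alarm on the
# DDoSDetected metric Shield publishes for it. Prints the protection ID.
protect_resource() {
  local name="$1" arn="$2" health_check_id="${3:-}" sns_topic_arn="${4:-}"
  local kind protection_id
  kind="$(classify_arn "$arn")"
  if [ "$kind" = "unsupported" ]; then
    echo "Refusing to protect $arn: not a Shield Advanced protectable type (for an NLB, protect its Elastic IPs)." >&2
    return 2
  fi
  require_subscription

  if [ "$DRY_RUN" = "0" ]; then
    protection_id="$(aws shield create-protection --region "$SHIELD_REGION" \
        --name "$name" --resource-arn "$arn" --query ProtectionId --output text)"
  else
    echo "+ aws shield create-protection --region $SHIELD_REGION --name $name --resource-arn $arn" >&2
    protection_id="dry-run-protection-id"   # placeholder; a real run returns a UUID
  fi

  if [ -n "$health_check_id" ]; then
    run aws shield associate-health-check --region "$SHIELD_REGION" \
        --protection-id "$protection_id" --health-check-arn "$(health_check_arn "$health_check_id")"
  fi

  # Shield Advanced metrics live in us-east-1 under namespace AWS/DDoSProtection
  # with dimension ResourceArn; DDoSDetected is 1 while an attack is in progress.
  if [ -n "$sns_topic_arn" ]; then
    run aws cloudwatch put-metric-alarm --region "$SHIELD_REGION" \
        --alarm-name "shield-ddos-detected-$name" \
        --namespace AWS/DDoSProtection --metric-name DDoSDetected \
        --dimensions "Name=ResourceArn,Value=$arn" \
        --statistic Sum --period 60 --evaluation-periods 1 \
        --threshold 1 --comparison-operator GreaterThanOrEqualToThreshold \
        --treat-missing-data notBreaching \
        --alarm-actions "$sns_topic_arn"
  fi
  echo "$protection_id"
}

# Usage: DRY_RUN=1 ./shield-protect.sh prod-alb <alb-arn> [route53-health-check-id] [sns-topic-arn]
if [ "$#" -gt 0 ]; then
  protect_resource "$@"
fi
```

Run it once with DRY_RUN=1 and read the printed commands before re-running with DRY_RUN=0; the subscription check is skipped in dry-run mode because it would need live credentials.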

Infrastructure as Code

You can declare a protection in CloudFormation so it lives with the rest of your stack (this assumes the subscription already exists):

Resources:
  AlbShieldProtection:
    Type: AWS::Shield::Protection
    Properties:
      Name: prod-alb-protection
      ResourceArn: arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/prod-alb/0a1b2c3d4e5f

Best Practices

  • Rely on Shield Standard by default — it is free and protects everyone against common layer 3/4 attacks. Only buy Advanced for a clear reason.
  • Put public endpoints behind CloudFront and Route 53 to get the strongest edge protection at no cost.
  • Always pair DDoS protection with AWS WAF for layer 7: Shield Standard does nothing against application-layer floods, and Shield Advanced's automatic layer 7 mitigation only works on resources that already have a WAF web ACL.
  • If you do subscribe to Advanced, attach Route 53 health checks so the SRT can tell a real attack from a traffic spike.
  • Use AWS Firewall Manager (included with Advanced) to apply protections consistently across every account in your organization.
  • Set CloudWatch alarms on the DDoSDetected metric (Shield Advanced only; namespace AWS/DDoSProtection, dimension ResourceArn, published in us-east-1) so you are notified the moment Shield detects an attack on a protected resource.
  • Run a cost-benefit check before committing: 36,000 USD+/year is only worth it when downtime or bill spikes would cost you more.
Last updated June 15, 2026