
AWS Shield

Detailed Content

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency. There are two tiers of AWS Shield: Standard and Advanced.

Core Concepts and Features

  • DDoS Protection: Shield provides protection against various types of DDoS attacks, including:
    • Infrastructure Layer Attacks (Layer 3 and 4): Such as SYN floods, UDP floods, reflection attacks.
    • Application Layer Attacks (Layer 7): Such as HTTP floods, DNS query floods (with Shield Advanced and WAF).
  • Always-on Detection: Shield continuously monitors incoming traffic to your AWS resources for DDoS attack signatures.
  • Automatic Inline Mitigations: When an attack is detected, Shield automatically applies mitigations to block malicious traffic and allow legitimate traffic to pass through, minimizing impact on your applications.
  • AWS Shield Standard:
    • Included by Default: All AWS customers benefit from Shield Standard's protection against the most common, frequently occurring network and transport layer (Layer 3 and 4) DDoS attacks. There is no additional cost for Shield Standard.
    • Protects: EC2, ELB, CloudFront, Route 53.
  • AWS Shield Advanced:
    • Enhanced Protection: Provides enhanced protections for EC2, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Route 53 resources. It offers more sophisticated detection and mitigation capabilities against larger and more complex DDoS attacks.
    • Cost Protection: Protects against scaling charges resulting from a DDoS attack on covered resources. AWS will provide service credits for usage spikes due to DDoS attacks.
    • AWS WAF Integration: Integrates with AWS WAF to provide application layer (Layer 7) DDoS protection. Shield Advanced customers get AWS WAF at no additional cost.
    • Shield Response Team (SRT): Provides 24/7 access to the AWS Shield Response Team (SRT) for expert assistance during a DDoS attack. The SRT can help analyze attacks, apply custom mitigations, and provide post-attack forensics.
    • Visibility and Reporting: Provides near real-time visibility into DDoS attacks through detailed metrics and reports in CloudWatch.
  • Global Network: Leverages the AWS global network and edge infrastructure to absorb and mitigate DDoS attacks close to their source.

Use Cases

  • Protecting Public-Facing Applications: Safeguard web applications, APIs, and websites hosted on AWS from various types of DDoS attacks.
  • Ensuring Business Continuity: Maintain application availability and performance during DDoS events, minimizing downtime and revenue loss.
  • Meeting Compliance Requirements: Help meet regulatory and compliance requirements for protecting applications from cyber threats.
  • Cost Management during Attacks: Shield Advanced's cost protection feature helps prevent unexpected billing spikes due to increased resource usage during a DDoS attack.
  • Expert Incident Response: For critical applications, leverage the Shield Response Team (SRT) for hands-on assistance during active DDoS attacks.
  • Securing Gaming and Streaming Services: Protect high-traffic, real-time applications that are common targets for DDoS attacks.

Interview Questions

Conceptual Questions

  1. What is AWS Shield and what problem does it solve?
    • AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. It solves the problem of protecting AWS resources from various types of DDoS attacks, ensuring application availability and minimizing downtime.
  2. Explain the difference between AWS Shield Standard and AWS Shield Advanced.
    • Shield Standard: Included by default for all AWS customers at no additional cost. Provides protection against the most common, frequently occurring network and transport layer (Layer 3 and 4) DDoS attacks.
    • Shield Advanced: A paid service that provides enhanced protections against larger and more complex DDoS attacks, cost protection against usage spikes during attacks, 24/7 access to the Shield Response Team (SRT), and integration with AWS WAF at no additional cost.
  3. What types of DDoS attacks does AWS Shield protect against?
    • Shield Standard protects against network and transport layer (Layer 3 and 4) attacks like SYN floods, UDP floods, and reflection attacks. Shield Advanced, especially with WAF integration, also protects against application layer (Layer 7) attacks like HTTP floods and DNS query floods.
  4. What is the Shield Response Team (SRT) and when is it available?
    • The Shield Response Team (SRT) is a team of DDoS experts available 24/7 to AWS Shield Advanced customers. They provide expert assistance during active DDoS attacks, helping to analyze attacks, apply custom mitigations, and provide post-attack forensics.
  5. How does AWS Shield Advanced help with cost management during a DDoS attack?
    • Shield Advanced includes cost protection. This means AWS will provide service credits for usage spikes (e.g., increased EC2, ELB, CloudFront usage) that result from a DDoS attack on resources covered by Shield Advanced. This helps prevent unexpected billing increases during an attack.

Scenario-Based Questions

  1. You are responsible for a critical public-facing web application that is a frequent target of DDoS attacks. The application must maintain high availability and performance even under attack. You also want expert assistance during an attack. How would you protect this application using AWS Shield?
    • I would subscribe to AWS Shield Advanced and enable it for the application's resources (e.g., Application Load Balancer, CloudFront distribution). This provides enhanced DDoS protection against larger and more complex attacks. Crucially, it gives me 24/7 access to the Shield Response Team (SRT) for expert assistance during an active attack, and includes cost protection to mitigate billing spikes caused by the attack.
  2. Your company has a new web service that is expected to receive a high volume of traffic, and you are concerned about potential application layer (Layer 7) DDoS attacks like HTTP floods. How would you protect this service?
    • I would deploy the web service behind an Application Load Balancer (ALB) and associate an AWS WAF Web ACL with the ALB. To enhance protection against Layer 7 DDoS attacks, I would subscribe to AWS Shield Advanced. Shield Advanced customers get AWS WAF at no additional cost, and it provides advanced detection and mitigation capabilities for application layer attacks when integrated with WAF. I would configure WAF rules, including rate-based rules, to block malicious HTTP traffic.
  3. You need to protect your DNS infrastructure from DDoS attacks. Which AWS service would you use, and how does it help?
    • I would use Amazon Route 53 as my DNS service. Route 53 is inherently protected by AWS Shield Standard against common DDoS attacks. For enhanced protection against more sophisticated DNS-based DDoS attacks, I would enable AWS Shield Advanced for my Route 53 hosted zones. Shield Advanced provides advanced detection and mitigation capabilities specifically for DNS infrastructure, ensuring the availability of my domain resolution.
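The Layer 7 setup from scenario 2 (ALB behind a WAF Web ACL with a rate-based rule, plus Shield Advanced protection on the same ALB), as an added example that is not code from the original page. The ACL and rule names, the per-IP request limit and the ALB ARN are assumptions; `protect_alb` needs AWS credentials and an active Shield Advanced subscription.

```python
# Added example: rate-based WAF rule + Web ACL on an ALB + Shield Advanced protection.
# Names, limit and ARN are assumptions, not values from the page.


def build_rate_based_rule(name, limit, priority=0, window_sec=300):
    """Return a WAFv2 rule that blocks any source IP sending more than
    `limit` requests in `window_sec` seconds (WAF accepts 60/120/300/600)."""
    if not isinstance(limit, int) or limit <= 0:
        raise ValueError("limit must be a positive integer")
    if window_sec not in (60, 120, 300, 600):
        raise ValueError("window_sec must be 60, 120, 300 or 600")
    return {
        "Name": name,
        "Priority": priority,            # lower number = evaluated first
        "Statement": {
            "RateBasedStatement": {
                "Limit": limit,
                "EvaluationWindowSec": window_sec,
                "AggregateKeyType": "IP",   # count requests per client IP
            }
        },
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def protect_alb(alb_arn, acl_name="l7-flood-acl", limit=2000, region="us-east-1"):
    """Create the Web ACL, attach it to the ALB and register the ALB with
    Shield Advanced. Needs AWS credentials and an Advanced subscription."""
    import boto3  # imported here so build_rate_based_rule is usable without boto3

    wafv2 = boto3.client("wafv2", region_name=region)
    shield = boto3.client("shield", region_name="us-east-1")  # Shield endpoint is in us-east-1
    acl = wafv2.create_web_acl(
        Name=acl_name,
        Scope="REGIONAL",                 # ALBs are regional; CloudFront uses CLOUDFRONT
        DefaultAction={"Allow": {}},      # allow unless a rule blocks
        Rules=[build_rate_based_rule("RateLimitPerIP", limit)],
        VisibilityConfig={"SampledRequestsEnabled": True,
                          "CloudWatchMetricsEnabled": True, "MetricName": acl_name},
    )
    web_acl_arn = acl["Summary"]["ARN"]
    wafv2.associate_web_acl(WebACLArn=web_acl_arn, ResourceArn=alb_arn)
    protection = shield.create_protection(Name=f"{acl_name}-shield", ResourceArn=alb_arn)
    return web_acl_arn, protection["ProtectionId"]
```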

Coding/CLI Examples

Here are some common AWS Shield operations using the AWS CLI and Python (Boto3).

AWS CLI Examples

  1. Describe your Shield subscription (to check whether Shield Advanced is enabled):

    ```bash
    aws shield describe-subscription
    ```

  2. Enable Shield Advanced protection for a resource (e.g., an ALB):

    ```bash
    RESOURCE_ARN="arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/50dc6c495c0c9188"  # Replace with your ALB ARN

    aws shield create-protection \
      --name MyAlbProtection \
      --resource-arn "$RESOURCE_ARN"
    ```

  3. List all protected resources:

    ```bash
    aws shield list-protections
    ```

  4. Describe a DDoS attack (if one is active):

    ```bash
    ATTACK_ID="your-attack-id"  # Get this from CloudWatch, the Shield console, or `aws shield list-attacks`

    aws shield describe-attack \
      --attack-id "$ATTACK_ID"
    ```

Python (Boto3) Examples

First, ensure you have Boto3 installed (pip install boto3) and your AWS credentials configured.

  1. Check Shield subscription status:

    ```python
    import boto3

    shield_client = boto3.client('shield', region_name='us-east-1')  # Shield's API endpoint is in us-east-1

    try:
        response = shield_client.describe_subscription()
        # DescribeSubscription only returns a Subscription object when Shield Advanced
        # is active; Shield Standard has no subscription record, so the call raises
        # ResourceNotFoundException instead.
        subscription = response['Subscription']
        print("Shield Advanced is enabled.")
        print(f"Subscription start: {subscription.get('StartTime')}, "
              f"auto-renew: {subscription.get('AutoRenew')}")
    except shield_client.exceptions.ResourceNotFoundException:
        print("No Shield Advanced subscription found (Shield Standard is active by default).")
    except Exception as e:
        print(f"Error describing subscription: {e}")
    ```

  2. Create a Shield Advanced protection for an ALB:

    ```python
    import boto3

    shield_client = boto3.client('shield', region_name='us-east-1')

    resource_arn = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/50dc6c495c0c9188"  # REPLACE with your ALB ARN
    protection_name = "MyBoto3AlbProtection"

    try:
        # Requires an active Shield Advanced subscription on the account
        response = shield_client.create_protection(
            Name=protection_name,
            ResourceArn=resource_arn
        )
        protection_id = response['ProtectionId']
        print(f"Created Shield Advanced protection {protection_name} with ID: {protection_id}")
    except Exception as e:
        print(f"Error creating protection: {e}")
    ```

  3. List all Shield Advanced protections:

    ```python
    import boto3

    shield_client = boto3.client('shield', region_name='us-east-1')

    try:
        # Results are paginated; check response.get('NextToken') if you protect many resources
        response = shield_client.list_protections()
        print("AWS Shield Advanced Protections:")
        for protection in response['Protections']:
            print(f"- Name: {protection['Name']}, ARN: {protection['ResourceArn']}")
    except Exception as e:
        print(f"Error listing protections: {e}")
    ```
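As an added example (not from the original page), the DescribeAttack response returned by `aws shield describe-attack` / `describe_attack` above condensed into what an on-call responder wants first: target, duration, attack layers, applied mitigations and top contributors. SAMPLE_ATTACK is a constructed response in the API's shape; its attack id, ARN, counts, countries and ASN are placeholders.

```python
# Added example: summarise a Shield DescribeAttack response. SAMPLE_ATTACK is
# constructed in the API's shape; every value in it is a placeholder.
from datetime import datetime, timezone

SAMPLE_ATTACK = {
    "Attack": {
        "AttackId": "00000000-0000-0000-0000-000000000000",  # placeholder id
        "ResourceArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/50dc6c495c0c9188",
        "StartTime": datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc),
        "EndTime": datetime(2024, 5, 1, 12, 45, tzinfo=timezone.utc),
        "AttackProperties": [
            {"AttackLayer": "NETWORK", "AttackPropertyIdentifier": "SOURCE_COUNTRY",
             "TopContributors": [{"Name": "AA", "Value": 600000},
                                 {"Name": "BB", "Value": 300000}],
             "Unit": "PACKETS", "Total": 1000000},
            {"AttackLayer": "NETWORK", "AttackPropertyIdentifier": "SOURCE_ASN",
             "TopContributors": [{"Name": "AS64512", "Value": 700000}],  # private ASN
             "Unit": "PACKETS", "Total": 1000000},
        ],
        "Mitigations": [{"MitigationName": "SYN-flood-mitigation"}],
    }
}


def summarize_attack(response, top_n=3):
    """Condense a DescribeAttack response: target, duration, layers hit,
    applied mitigations and the top contributors (as % of Total) per property."""
    attack = response["Attack"]
    start, end = attack.get("StartTime"), attack.get("EndTime")
    ongoing = end is None                        # EndTime is absent while an attack is active
    duration_min = None if ongoing else (end - start).total_seconds() / 60
    contributors = {}
    for prop in attack.get("AttackProperties", []):
        ranked = sorted(prop.get("TopContributors", []),
                        key=lambda c: c["Value"], reverse=True)[:top_n]
        share = [(c["Name"], round(100 * c["Value"] / prop["Total"], 1))
                 for c in ranked if prop.get("Total")]
        contributors[prop["AttackPropertyIdentifier"]] = share
    return {
        "attack_id": attack["AttackId"],
        "resource_arn": attack["ResourceArn"],
        "ongoing": ongoing,
        "duration_min": duration_min,
        "layers": sorted({p["AttackLayer"] for p in attack.get("AttackProperties", [])}),
        "mitigations": [m["MitigationName"] for m in attack.get("Mitigations", [])],
        "top_contributors": contributors,
    }
```

Feed it the output of `boto3.client('shield').describe_attack(AttackId=...)` for a real event; a missing EndTime marks the attack as still ongoing.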