If you prefer, you can watch the video on YouTube.
Introduction
AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. It comes in two tiers: Shield Standard, which is applied automatically to all AWS customers at no extra charge, and Shield Advanced, a paid subscription that adds tailored detection and mitigation for larger and more sophisticated attacks, access to the Shield Response Team, and cost protection.
Product page: https://aws.amazon.com/shield/
Main Purpose
AWS Shield was developed to offer a protective layer against DDoS attacks for applications running on AWS. DDoS attacks can cripple services, causing significant downtime, financial loss, and damage to a company's reputation. By using AWS Shield (and architecting resources to be protectable by it), businesses reduce the risk that an attack takes their services offline and keep their customers' trust in the platform.
Strengths
Comprehensive Protection
Shield Standard automatically mitigates the most common network- and transport-layer (layer 3 and 4) DDoS attacks, such as SYN floods and UDP reflection attacks. Shield Advanced adds detection and mitigation tuned to the protected resource, handles larger and more sophisticated attacks, and, when a resource has an AWS WAF web ACL associated, can also mitigate application-layer (layer 7) floods.
Integration with AWS Services
AWS Shield is deeply integrated with other AWS services. Shield Standard is enabled by default for every account, so the baseline protection requires no changes to existing architectures. Shield Advanced covers a specific set of resource types (CloudFront distributions, Route 53 hosted zones, Global Accelerator accelerators, Application and Classic Load Balancers, and Elastic IP addresses), and each resource must be explicitly added as a protected resource.
https://docs.aws.amazon.com/waf/latest/developerguide/ddos-protections-by-resource-type.html
https://docs.aws.amazon.com/waf/latest/developerguide/ddos-standard-summary.html
https://docs.aws.amazon.com/waf/latest/developerguide/ddos-advanced-summary-protected-resources.html
Cost Protection
For AWS Shield Advanced subscribers, AWS offers financial protection: scaling charges (for example EC2, ELB, CloudFront, Global Accelerator or Route 53 usage) incurred on protected resources as a direct result of a DDoS attack can be reimbursed as service credits. The credit is not automatic; it has to be requested through AWS Support after the attack, and only applies to resources that were already protected by Shield Advanced when the attack occurred.
https://docs.aws.amazon.com/waf/latest/developerguide/ddos-advanced-summary-capabilities.html
https://docs.aws.amazon.com/waf/latest/developerguide/request-refund.html
24/7 Shield Response Team (SRT) Access
Advanced subscribers gain access to the Shield Response Team (SRT), a group of security experts available round the clock to help with incident response.
Weaknesses
Cost for Advanced Protection
While AWS Shield Standard is available at no extra cost, Shield Advanced is billed as a subscription (USD 3,000 per month with a one-year commitment, plus data transfer usage fees), which can be prohibitive for small businesses.
Complexity for Novices
Users unfamiliar with AWS or cybersecurity can find AWS Shield's array of features overwhelming.
https://docs.aws.amazon.com/waf/latest/developerguide/getting-started-ddos.html
https://docs.aws.amazon.com/waf/latest/developerguide/ddos-resource-protections.html
Potential False Positives
Like any security service, AWS Shield can sometimes interpret legitimate traffic (a flash crowd, a marketing campaign, a load test) as an attack, or conversely fail to detect an attack that only shows up as degraded application health. Shield Advanced mitigates this with health-based detection: associating a Route 53 health check with a protected resource lets Shield weigh actual resource health when deciding whether to mitigate, which reduces false positives on resources that are coping fine with a traffic spike.
https://aws.amazon.com/shield/features/#Health-based_detection
https://docs.aws.amazon.com/waf/latest/developerguide/ddos-advanced-health-checks.html
Dependence on AWS Ecosystem
AWS Shield only protects AWS resources. Workloads hosted elsewhere can only benefit from it indirectly, by putting an AWS edge service such as CloudFront or Global Accelerator in front of them and protecting that, which makes Shield less attractive for businesses not fully invested in the AWS ecosystem.
https://aws.amazon.com/shield/faqs/#Configuring_protections (see “Can I protect resources outside of AWS?”)
Use Cases
Web Application Protection
For web applications hosted on AWS, fronting them with CloudFront and an Application Load Balancer and enabling Shield Advanced (with an AWS WAF web ACL) on those resources mitigates network-, transport- and application-layer DDoS attacks, helping keep the service available during an attack.
https://docs.aws.amazon.com/waf/latest/developerguide/aws-shield-use-case.html
https://docs.aws.amazon.com/waf/latest/developerguide/ddos-resiliency-example-web.html
https://docs.aws.amazon.com/waf/latest/developerguide/ddos-resiliency-example-tcp-udp.html
API Gateway Protection
APIs, especially public ones, are frequent targets. Amazon API Gateway is not itself a Shield Advanced protected resource type; the usual pattern is to put a CloudFront distribution (with an AWS WAF web ACL) in front of the API and protect that distribution, so that floods are absorbed at the edge before reaching the gateway.
Mistakes
Ignoring AWS Shield Alerts
AWS Shield Advanced publishes near-real-time metrics to CloudWatch in the AWS/DDoSProtection namespace (DDoSDetected, DDoSAttackBitsPerSecond, DDoSAttackPacketsPerSecond, DDoSAttackRequestsPerSecond, keyed by the ResourceArn dimension) and lists detected events in the console and the API. Without CloudWatch alarms wired to a notification channel nobody is paged, and an attack in progress, or a mitigation that is not keeping the application healthy, goes unnoticed until customers complain.
https://docs.aws.amazon.com/waf/latest/developerguide/ddos-events.html
https://docs.aws.amazon.com/waf/latest/developerguide/ddos-cloudwatch-metrics.html
https://docs.aws.amazon.com/waf/latest/developerguide/ddos-get-started-create-alarms.html
https://docs.aws.amazon.com/waf/latest/developerguide/shd-incident-response.html
Over-relying on Shield Standard
Shield Standard only provides automatic layer 3/4 mitigation with no visibility, no tuning and no support. For application-layer attacks, resource-specific detection, attack visibility, SRT assistance and cost protection, Shield Advanced (combined with AWS WAF) is required.
Not Integrating with AWS WAF
Shield works best when combined with AWS Web Application Firewall (WAF). Shield Advanced's application-layer DDoS protections (rate-based rules and automatic application-layer mitigation) only work on resources that have a WAF web ACL associated, so a Shield Advanced subscription without WAF leaves layer 7 floods unmitigated.
https://docs.aws.amazon.com/waf/latest/developerguide/ddos-advanced-summary-capabilities.html
https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
Not Engaging with SRT when Needed
Shield Advanced users often don't leverage the expertise of the Shield Response Team (SRT), missing out on valuable guidance during incidents. Contacting the SRT requires a Business or Enterprise Support plan, and proactive engagement (where the SRT contacts you) has to be enabled in advance together with health checks and contact details.
https://docs.aws.amazon.com/waf/latest/developerguide/ddos-srt-contacting.html
https://docs.aws.amazon.com/waf/latest/developerguide/ddos-srt-proactive-engagement.html
Misconfiguring Shield
Incorrect configurations reduce the effectiveness of AWS Shield Advanced. Typical gaps are new load balancers or distributions that were never added as protected resources, protected resources without a WAF web ACL, alarms that exist but have no SNS action attached, and no IAM role granted to the SRT so that they cannot act on your behalf during an event.
Overlooking Cost Protections
AWS Shield Advanced users sometimes aren't aware of the cost protection feature, leading to unnecessary extra costs during attacks.
https://docs.aws.amazon.com/waf/latest/developerguide/ddos-advanced-summary-capabilities.html
https://docs.aws.amazon.com/waf/latest/developerguide/request-refund.html
Not Testing the Setup
Regularly simulating DDoS attacks (in a controlled manner) can help ensure AWS Shield is correctly configured and effective. Note that AWS only permits DDoS simulation testing under its DDoS Simulation Testing policy, using pre-approved testing partners and with the test scheduled in advance; an unannounced flood against your own account violates the AWS acceptable use policy and will be treated as a real attack.
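The two mistakes above, alerts that nobody receives and resources that were never registered for protection, are both cheap to check before an attack rather than during one. The following script is an added example written for this post, not code from AWS or the AWS documentation. It takes the two JSON structures returned by the Shield ListProtections API and the CloudWatch DescribeAlarms API, compares them with the list of internet-facing resources you intend to protect, and reports resources without Shield Advanced protection, protected resources without a working DDoSDetected alarm, and stale protections. The resource ARNs, protection and alarm records embedded below are constructed sample data; the fetch_live helper shows how the same structures are pulled from a real account with boto3 (which needs credentials and a Shield Advanced subscription, and is not called by default).

```python
"""Audit Shield Advanced coverage and DDoSDetected alerting.

Added example for this post (not AWS code). Sample inputs mirror the shapes of
shield:ListProtections and cloudwatch:DescribeAlarms responses but are constructed.
"""
import json

SHIELD_NAMESPACE = "AWS/DDoSProtection"  # CloudWatch namespace for Shield Advanced metrics
DDOS_METRIC = "DDoSDetected"              # 1 while an event is in progress, 0 otherwise

# Constructed sample: the internet-facing resources you intend to protect.
# In practice, build this list from your inventory (ELB, CloudFront, EIP listings).
INTENDED_RESOURCES = [
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/web/abc123",
    "arn:aws:cloudfront::123456789012:distribution/E1EXAMPLE",
    "arn:aws:ec2:us-east-1:123456789012:eip-allocation/eipalloc-0example",
]

# Constructed sample in the shape of shield:ListProtections. The EIP is missing.
SAMPLE_PROTECTIONS = {
    "Protections": [
        {"Id": "p-1", "Name": "web-alb", "ResourceArn": INTENDED_RESOURCES[0]},
        {"Id": "p-2", "Name": "cdn", "ResourceArn": INTENDED_RESOURCES[1]},
    ]
}

# Constructed sample in the shape of cloudwatch:DescribeAlarms (MetricAlarms only).
SAMPLE_ALARMS = {
    "MetricAlarms": [
        {
            "AlarmName": "ddos-web-alb",
            "Namespace": SHIELD_NAMESPACE,
            "MetricName": DDOS_METRIC,
            "Dimensions": [{"Name": "ResourceArn", "Value": INTENDED_RESOURCES[0]}],
            "ActionsEnabled": True,
            "AlarmActions": ["arn:aws:sns:us-east-1:123456789012:ddos-alerts"],
        },
        {   # alarm exists but notifies nobody: as good as no alarm
            "AlarmName": "ddos-cdn",
            "Namespace": SHIELD_NAMESPACE,
            "MetricName": DDOS_METRIC,
            "Dimensions": [{"Name": "ResourceArn", "Value": INTENDED_RESOURCES[1]}],
            "ActionsEnabled": True,
            "AlarmActions": [],
        },
    ]
}


def protected_arns(protections):
    """ARNs currently registered as Shield Advanced protected resources."""
    return {p["ResourceArn"] for p in protections.get("Protections", [])}


def alerted_arns(alarms):
    """ARNs with an enabled DDoSDetected alarm that has at least one alarm action."""
    out = set()
    for alarm in alarms.get("MetricAlarms", []):
        if alarm.get("Namespace") != SHIELD_NAMESPACE or alarm.get("MetricName") != DDOS_METRIC:
            continue
        if not alarm.get("ActionsEnabled", False) or not alarm.get("AlarmActions"):
            continue  # disabled, or fires into the void
        for dim in alarm.get("Dimensions", []):
            if dim.get("Name") == "ResourceArn":
                out.add(dim["Value"])
    return out


def audit(intended, protections, alarms):
    """Return the three coverage gaps as sorted lists so the output is stable."""
    protected = protected_arns(protections)
    alerted = alerted_arns(alarms)
    return {
        "unprotected": sorted(set(intended) - protected),
        "protected_without_alarm": sorted(protected - alerted),
        "stale_protections": sorted(protected - set(intended)),
    }


def fetch_live(region="us-east-1"):
    """Pull the same two structures from AWS with boto3 (assumed installed and
    configured). The Shield API is served from us-east-1 regardless of where
    the resources live; CloudWatch alarms are regional."""
    import boto3
    shield = boto3.client("shield", region_name="us-east-1")
    cloudwatch = boto3.client("cloudwatch", region_name=region)
    protections = {"Protections": []}
    for page in shield.get_paginator("list_protections").paginate():
        protections["Protections"].extend(page.get("Protections", []))
    alarms = {"MetricAlarms": []}
    for page in cloudwatch.get_paginator("describe_alarms").paginate():
        alarms["MetricAlarms"].extend(page.get("MetricAlarms", []))
    return protections, alarms


if __name__ == "__main__":
    print(json.dumps(audit(INTENDED_RESOURCES, SAMPLE_PROTECTIONS, SAMPLE_ALARMS), indent=2))
```

Run as-is it reports the EIP as unprotected and the CloudFront distribution as protected without a working alarm, because its alarm has no SNS action. Replace the sample structures with the tuple returned by fetch_live to audit a real account; running it from a scheduled job and alarming on a non-empty result turns the "Not Testing the Setup" advice into a standing check.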
I hope you find this overview useful!
Did you like it? Too long? Too short? Something is missing?
Please let me know with a comment! 🙏
Your feedback is truly precious to me 😊
Attributions:
Icons from https://www.freepik.com/
Music by Sergii Pavkin from Pixabay