AWS Shield
Understand AWS Shield Standard and Shield Advanced for DDoS protection, including protected resources, layers, SRT support, WAF integration, and exam signals.
After this, you will understand
Shield clarifies DDoS architecture: resilience comes from edge services, automatic protection, optional advanced protection, and prepared response.
AWS Shield provides managed DDoS protection, with Shield Standard included automatically and Shield Advanced adding enhanced protections and response support.
Learners think WAF and Shield are interchangeable, or assume Shield Advanced protects every resource automatically after subscription.
Use Shield Standard as baseline DDoS protection, then add Shield Advanced for high-risk public applications that need advanced detection, support, and cost protections.
Think before reading: When does an exam question usually point to Shield Advanced instead of WAF alone?
Concepts Covered
- DDoS attacks
- AWS Shield Standard
- AWS Shield Advanced
- Network, transport, and application layer attacks
- Protected resources
- CloudFront, Route 53, Global Accelerator, ELB, and Elastic IP patterns
- Shield Response Team
- WAF integration
- DDoS cost protection
- SAA-C03 exam traps
1. Plain-English Mental Model
AWS Shield is managed DDoS protection for AWS resources.
The simple model is:
DDoS traffic -> AWS edge and Shield mitigations -> protected application stays available
Distributed denial of service attacks try to overwhelm a target with traffic. Some attacks flood network capacity. Some abuse transport protocols. Some flood valid-looking application requests.
Shield Standard is automatic baseline DDoS protection for AWS customers. Shield Advanced is a paid subscription with expanded protection, visibility, support, and cost-related features for protected resources.
WAF and Shield are related but different. WAF inspects HTTP requests with custom rules. Shield focuses on DDoS detection and mitigation.
2. Why This Service Exists
Public applications can fail even when the application code is correct.
An attacker can send enough traffic to saturate links, exhaust connection state, overload load balancers, or overwhelm application endpoints. A security group that allows port 443 cannot tell whether the request volume is legitimate. Application code may never get a fair chance to respond.
Shield exists to provide DDoS detection and mitigation on AWS infrastructure and protected resources.
For SAA-C03, Shield appears in questions about DDoS protection, network and transport layer attacks, high-profile public websites, CloudFront and Route 53 resilience, Shield Advanced subscription, Shield Response Team support, application layer DDoS mitigation with WAF, and cost protection during attacks.
3. The Naive Approach And Where It Breaks
The naive pattern is a single public endpoint:
internet -> regional load balancer -> application
This works for normal traffic, but during a large DDoS event the regional entry point and application stack may absorb too much pressure.
Another naive approach is to assume autoscaling solves DDoS. Scaling can absorb legitimate traffic spikes, but scaling in response to malicious traffic increases cost and still fails if the attack saturates layers before compute.
Another mistake is subscribing to Shield Advanced but not protecting resources or configuring alarms, health checks, WAF, or response access. Preparation matters before an attack.
DDoS resilience is architecture plus service protection plus response planning.
4. Core Primitives
Shield Standard is automatic and included at no extra charge for AWS customers.
Shield Advanced is a paid service for enhanced DDoS protection.
Protected resources are the resources explicitly protected by Shield Advanced, such as supported CloudFront distributions, Route 53 hosted zones, Global Accelerator accelerators, Elastic IP addresses, and load balancers depending on current resource support.
Network layer attacks target Layer 3 capacity.
Transport layer attacks target Layer 4 protocol behavior, such as SYN floods.
Application layer attacks target Layer 7, such as HTTP request floods.
The Shield Response Team, or SRT, provides specialized support for Shield Advanced customers.
Shield Advanced can work with AWS WAF for application layer protections.
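The "protected resources" primitive is the one learners most often miss: a Shield Advanced subscription covers only resources that were explicitly added as protections. The following is an added example, not code from this page or from AWS: an offline coverage audit that classifies an inventory of ARNs and compares it with a response shaped like the Shield ListProtections API. The protectable-type table reflects my understanding of Shield Advanced resource support and should be confirmed against current AWS documentation; all IDs in the sample data are constructed.

```python
# Protectable ARN (service, resource prefix) pairs; NLBs are absent on purpose
# because they are protected through their Elastic IPs, not directly.
PROTECTABLE_PREFIXES = {
    ("cloudfront", "distribution/"): "CloudFront distribution",
    ("route53", "hostedzone/"): "Route 53 hosted zone",
    ("globalaccelerator", "accelerator/"): "Global Accelerator accelerator",
    ("ec2", "eip-allocation/"): "Elastic IP address",
    ("elasticloadbalancing", "loadbalancer/app/"): "Application Load Balancer",
}

def classify_arn(arn):
    """Protectable resource class for an ARN, or None if not directly protectable."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        return None
    service, resource = parts[2], parts[5]
    for (svc, prefix), label in PROTECTABLE_PREFIXES.items():
        if service == svc and resource.startswith(prefix):
            return label
    # Classic Load Balancer ARNs carry no app/ or net/ segment.
    if service == "elasticloadbalancing" and resource.startswith("loadbalancer/") \
            and not resource.startswith("loadbalancer/net/"):
        return "Classic Load Balancer"
    return None

def coverage_report(inventory_arns, list_protections_response):
    """Bucket inventory ARNs against the Protections list of a ListProtections response."""
    protected = {p["ResourceArn"] for p in list_protections_response["Protections"]}
    report = {"protected": [], "unprotected": [], "not_directly_protectable": []}
    for arn in inventory_arns:
        if classify_arn(arn) is None:
            report["not_directly_protectable"].append(arn)
        elif arn in protected:
            report["protected"].append(arn)
        else:
            report["unprotected"].append(arn)
    return report

# Constructed sample data with fake IDs, shaped like the real API output.
SAMPLE_INVENTORY = [
    "arn:aws:cloudfront::123456789012:distribution/EXAMPLEDIST",
    "arn:aws:route53:::hostedzone/ZEXAMPLE123",
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/web/0123abcd",
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/api/0123abcd",
    "arn:aws:ec2:us-east-1:123456789012:eip-allocation/eipalloc-0a1b2c3d",
]
SAMPLE_PROTECTIONS = {"Protections": [
    {"Id": "p-1", "Name": "cf-web", "ResourceArn": SAMPLE_INVENTORY[0]},
    {"Id": "p-2", "Name": "api-eip", "ResourceArn": SAMPLE_INVENTORY[4]},
]}
```

Running `coverage_report(SAMPLE_INVENTORY, SAMPLE_PROTECTIONS)` lists the hosted zone and ALB as unprotected and the NLB as not directly protectable, which is exactly the gap an exam question about "subscribed but still attacked" is probing.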
5. Architecture Use Cases
Use CloudFront and Route 53 for public applications that benefit from AWS edge network DDoS resilience.
Use Shield Standard as the default baseline protection that comes with AWS.
Use Shield Advanced for high-visibility applications, business-critical public endpoints, or workloads prone to DDoS attacks.
Use WAF with Shield Advanced for Layer 7 HTTP request protection:
users -> CloudFront -> WAF web ACL -> Shield Advanced protected resource -> origin
Use Route 53 health checks and CloudWatch alarms for operational visibility during events.
Use AWS Firewall Manager when Shield Advanced protections need to be applied across many accounts.
7. Security Model
Shield security is about public entry points and response readiness.
Only trusted roles should manage Shield Advanced subscriptions and protected resources.
If an application needs SRT support, configure access and response contacts before an attack.
WAF web ACL permissions matter because Layer 7 mitigation can involve WAF rules.
CloudWatch alarms, SNS notifications, and health checks should go to operational channels that are staffed.
Do not expose origins unnecessarily. A CloudFront distribution with WAF and Shield benefits can be bypassed if attackers can directly hit the origin.
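To make the origin-exposure point concrete, here is an added example (not code from this page or from AWS) that walks a DescribeSecurityGroups-shaped response and flags origin security groups whose web ports admit the whole internet rather than only the CloudFront origin-facing managed prefix list. It assumes the ID of `com.amazonaws.global.cloudfront.origin-facing` has been resolved for your region; `pl-PLACEHOLDER` and the group IDs are constructed stand-ins.

```python
# Flag origin security groups reachable from the internet on web ports instead
# of only from CloudFront. The managed prefix list ID differs per region;
# "pl-PLACEHOLDER" is a constructed stand-in, not a real ID.
CLOUDFRONT_ORIGIN_PL = "pl-PLACEHOLDER"
WEB_PORTS = (80, 443)
INTERNET = {"0.0.0.0/0", "::/0"}

def _touches_web_port(perm):
    """True if an IpPermissions entry admits TCP 80 or 443 (or all traffic)."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return any(lo <= p <= hi for p in WEB_PORTS)

def origin_exposure(describe_sg_response, cloudfront_pl=CLOUDFRONT_ORIGIN_PL):
    """Per security group: internet CIDRs admitted to web ports, and whether the
    CloudFront origin-facing prefix list is the only web-port source."""
    result = {}
    for sg in describe_sg_response["SecurityGroups"]:
        sources = set()
        for perm in sg.get("IpPermissions", []):
            if not _touches_web_port(perm):
                continue
            for r in perm.get("IpRanges", []):
                sources.add(r["CidrIp"])
            for r in perm.get("Ipv6Ranges", []):
                sources.add(r["CidrIpv6"])
            for r in perm.get("PrefixListIds", []):
                sources.add(r["PrefixListId"])
            for g in perm.get("UserIdGroupPairs", []):
                sources.add(g["GroupId"])
        result[sg["GroupId"]] = {
            "internet_open": sorted(sources & INTERNET),
            "cloudfront_only": sources == {cloudfront_pl},
        }
    return result

# Constructed DescribeSecurityGroups-shaped sample: one bypassable origin group,
# one locked to the CloudFront prefix list.
SAMPLE_SGS = {"SecurityGroups": [
    {"GroupId": "sg-origin-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "Ipv6Ranges": [],
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "PrefixListIds": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-origin-locked", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "Ipv6Ranges": [], "IpRanges": [],
         "PrefixListIds": [{"PrefixListId": CLOUDFRONT_ORIGIN_PL}], "UserIdGroupPairs": []}]},
]}
```

A group that reports `internet_open` entries is an origin an attacker could hit while skipping CloudFront, WAF, and the Shield protection in front of it; lock it to the prefix list or to a private path instead.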
8. Reliability And Resilience
Shield improves availability during DDoS attacks, especially when paired with resilient architecture.
CloudFront, Route 53, and Global Accelerator can shift the application perimeter to the AWS edge network.
Multi-AZ origins, autoscaling, caching, origin protection, rate limiting, and graceful degradation still matter.
Shield Advanced adds better visibility and support, but it does not make an otherwise fragile application invincible.
Prepare runbooks. During an attack, teams need to know who responds, which dashboards matter, which WAF rules can be changed, and how to contact support.
9. Performance And Scaling
Shield itself is designed for DDoS mitigation at AWS scale.
Application architecture influences the level of benefit. CloudFront can cache and absorb traffic at the edge. Route 53 provides resilient DNS. Global Accelerator can route through the AWS global network.
For Layer 7 attacks, WAF rules and managed DDoS protections can reduce request pressure, but application performance still depends on backend capacity.
Do not treat autoscaling as the only DDoS strategy. Scaling bad traffic may preserve availability for a while, but it can also increase cost and overwhelm dependencies.
Use baselines and alarms to recognize abnormal traffic.
10. Cost Model
Shield Standard is included automatically without additional Shield charges.
Shield Advanced requires a subscription and can include additional protections, support, and cost-related benefits depending on current terms and protected resource configuration.
WAF, CloudFront, load balancers, logs, alarms, and data transfer have their own costs.
During attacks, cost risk matters. Shield Advanced may help with DDoS cost protection for eligible protected resources under AWS terms, but architecture and configuration still matter.
The business question is whether the workload's public exposure and downtime risk justify Advanced subscription cost.
12. SAA-C03 Exam Signals
"DDoS protection" points to Shield.
"Shield Standard automatic protection" points to baseline DDoS protection included with AWS.
"Enhanced DDoS protection for high-profile application" points to Shield Advanced.
"DDoS Response Team or SRT support" points to Shield Advanced.
"Layer 7 request filtering by headers, paths, SQL injection, or rate rules" points to WAF.
"Protect CloudFront, Route 53, Global Accelerator, ELB, or Elastic IP resources from DDoS" can point to Shield Advanced.
"Centrally manage Shield Advanced across accounts" can point to Firewall Manager.
13. Common Exam Traps
Do not confuse Shield with WAF.
Do not assume Shield Advanced protects every resource automatically. Each resource must be explicitly added as a protected resource and configured.
Do not rely on autoscaling alone for DDoS resilience.
Do not leave origins directly reachable when CloudFront is intended as the protected entry point.
Do not forget monitoring and response contacts.
Do not use Shield when the question asks for SQL injection filtering. That is WAF.
15. Related Topics
Review AWS WAF, Amazon CloudFront, Amazon Route 53, ALB vs NLB vs GWLB, and AWS Well-Architected Tool.