
Always-on, managed DDoS protection that keeps your AWS workloads available under attack — automatically.
AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. Shield Standard is automatically included at no extra cost for all AWS customers, defending against the most common network and transport layer attacks. Shield Advanced is a paid tier that adds sophisticated attack detection, near real-time visibility, 24/7 access to the AWS DDoS Response Team (DRT), cost protection, and enhanced protections for resources like EC2, ELB, CloudFront, Global Accelerator, and Route 53.
Protect AWS-hosted applications from volumetric, protocol, and application-layer DDoS attacks with automated mitigation and expert support.
Always-on L3/L4 DDoS detection and mitigation: both Standard and Advanced tiers
Application Layer (L7) DDoS protection: Shield Advanced only, requires AWS WAF integration
24/7 DDoS Response Team (DRT) access: Shield Advanced only
Cost protection against DDoS-induced scaling charges: Shield Advanced only — credits for EC2, ELB, CloudFront, Route 53, Global Accelerator
Near real-time attack notifications via CloudWatch: Shield Advanced only
Attack forensics reports: Shield Advanced only
Global threat environment dashboard: Shield Advanced only
Proactive engagement (DRT contacts you during events): Shield Advanced only, must be enabled
AWS WAF fees waived for protected resources: Shield Advanced only
Automatic WAF rule creation for L7 attacks: Shield Advanced with automatic mitigation enabled
Integration with AWS Firewall Manager: enables centralized Shield Advanced policy management across accounts
Protection for non-AWS origin servers via CloudFront: CloudFront can front on-premises origins; Shield protects the CloudFront distribution
No additional data transfer charges for Shield Standard: Standard is completely free
Multi-account management via AWS Organizations: via Firewall Manager — single $3,000/month fee covers the organization
Layered DDoS + Application Layer Defense (high freq)
Shield Advanced detects and mitigates L3/L4 attacks automatically. AWS WAF handles L7 (HTTP floods, SQL injection, bot traffic). Together they form a complete defense stack. Shield Advanced can automatically create WAF rules during L7 attacks. Shield Advanced also waives WAF fees for protected resources.
Edge-Based DDoS Absorption (high freq)
CloudFront distributions are a primary Shield Advanced protected resource type. Traffic is absorbed at AWS edge locations globally, reducing the attack surface. Shield Standard automatically protects all CloudFront distributions. Shield Advanced adds visibility, DRT access, and L7 auto-mitigation via WAF.
DNS Layer DDoS Protection (high freq)
Route 53 is explicitly supported as a Shield Advanced protected resource. Shield protects Route 53 from DNS query floods and reflection attacks. Route 53's anycast architecture combined with Shield provides highly resilient DNS.
Anycast Network Edge Protection (high freq)
Global Accelerator is a Shield Advanced protected resource. It routes traffic through AWS's global network, and Shield mitigates attacks at the edge before they reach your application. Preferred for non-HTTP/HTTPS workloads (gaming, IoT, VoIP) where CloudFront isn't suitable.
Centralized Multi-Account Shield Management (high freq)
Firewall Manager enables you to create Shield Advanced protection policies that automatically apply to resources across all accounts in an AWS Organization. This ensures new accounts and resources are automatically enrolled in Shield Advanced without manual intervention.
DDoS Attack Monitoring and Alerting (high freq)
Shield Advanced publishes DDoS attack metrics to CloudWatch (e.g., DDoSDetected, DDoSAttackBitsPerSecond). CloudWatch alarms can trigger SNS notifications or Lambda functions for automated incident response. Shield Standard provides NO CloudWatch metrics.
Threat Intelligence Correlation (high freq)
GuardDuty detects malicious activity using threat intelligence (e.g., reconnaissance, compromised instances). Shield handles the DDoS protection layer. Together they provide comprehensive threat detection — GuardDuty for internal/account threats, Shield for volumetric external attacks.
Application Traffic DDoS Absorption (high freq)
ALB, NLB, and CLB are all Shield Advanced protected resource types. Placing ELB in front of EC2 instances provides a Shield-protected ingress point. ELB scales to absorb traffic while Shield mitigates the attack.
Automated DDoS Incident Response (high freq)
CloudWatch alarms on Shield Advanced metrics (DDoSDetected) can trigger Lambda functions for automated responses — e.g., updating WAF rules, sending PagerDuty alerts, scaling resources, or updating Security Groups. This creates an automated incident response pipeline.
Shield Advanced Compliance Auditing (high freq)
AWS Config rules can verify that critical resources have Shield Advanced protection enabled. This ensures compliance requirements for DDoS protection are continuously monitored and any unprotected resources are flagged for remediation.
Shield Standard is FREE and AUTOMATIC for ALL AWS customers — it requires zero configuration and cannot be disabled. It protects against L3/L4 attacks (SYN floods, UDP reflection, etc.). If an exam question asks 'what is the minimum DDoS protection for AWS resources,' the answer is Shield Standard.
Shield Advanced costs $3,000/month per organization with a mandatory 1-year commitment. This is NOT a pay-per-use service. Any exam scenario asking about cost-effective DDoS protection for a small workload should lean toward Shield Standard (free) + WAF, NOT Shield Advanced.
WAF does NOT provide DDoS protection by itself. WAF is an application firewall (L7 rules for HTTP/HTTPS). Shield provides DDoS protection. They are complementary — Shield Advanced + WAF together provide L3 through L7 protection. Never pick WAF alone as the answer to 'protect against DDoS attacks.'
The DDoS Response Team (DRT) is ONLY available with Shield Advanced. If a scenario mentions needing 24/7 expert support during a DDoS attack, the answer requires Shield Advanced — no AWS Support plan (even Enterprise) grants DRT access without Shield Advanced.
Shield Advanced provides COST PROTECTION — if a DDoS attack causes your EC2 Auto Scaling group, ELB, CloudFront, Route 53, or Global Accelerator to scale up and incur extra charges, you can request service credits. This is a unique financial protection feature that differentiates Shield Advanced in cost-optimization questions.
Shield Standard is FREE, AUTOMATIC, and protects ALL AWS resources against L3/L4 DDoS attacks — no setup required. Shield Advanced ($3,000/month, 1-year commitment) adds L7 protection, visibility, DRT access, and cost protection.
WAF does NOT provide DDoS protection. Shield protects against DDoS attacks. WAF filters application-layer HTTP/HTTPS requests. They are complementary, not interchangeable. Shield Advanced + WAF = complete L3-L7 protection.
The DDoS Response Team (DRT) is exclusively available with Shield Advanced. No AWS Support plan tier provides DRT access. If a scenario requires expert DDoS incident response, the answer is Shield Advanced.
For multi-account DDoS protection at scale, use AWS Firewall Manager with Shield Advanced. Firewall Manager auto-enrolls new accounts/resources in Shield Advanced policies. The $3,000/month covers the entire AWS Organization — not per account.
CloudFront + Shield is the classic architecture for protecting web applications. CloudFront absorbs traffic at edge locations globally, reducing the attack surface. Shield Standard automatically protects CloudFront. Adding Shield Advanced + WAF adds L7 protection and DRT support.
Shield Advanced supports AUTOMATIC L7 mitigation — when enabled, it can automatically create WAF rules to block DDoS traffic patterns at the application layer. This is a Shield Advanced exclusive feature and requires WAF to be associated with the protected resource.
Global Accelerator is the right choice over CloudFront for non-HTTP/HTTPS protocols (gaming, VoIP, IoT) that still need DDoS protection. Both are Shield Advanced protected resource types, but Global Accelerator works at the TCP/UDP level while CloudFront is HTTP/HTTPS only.
Proactive Engagement must be explicitly ENABLED in Shield Advanced. When enabled, the DRT proactively contacts you (via your emergency contact info) when an attack is detected against a protected resource with a health check. Without enabling it, DRT only responds when you contact them.
Shield Advanced metrics in CloudWatch (like DDoSDetected) only appear DURING an active attack. You cannot pre-test alarms by simulating an attack — AWS prohibits DDoS testing without prior approval. Set alarms with appropriate thresholds and test the alarm notification pipeline separately.
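An added example (not AWS or this guide's own code) of the alarm and Lambda pipeline from the "DDoS Attack Monitoring and Alerting" and "Automated DDoS Incident Response" patterns above, including the missing-data handling this tip calls for: the metric namespace, the ResourceArn dimension and the put_metric_alarm parameters are real; the step names, SNS topic and account id are this example's own placeholders.

```python
import json

SHIELD_NAMESPACE = "AWS/DDoSProtection"   # namespace of Shield Advanced metrics

def ddos_detected_alarm(resource_arn, sns_topic_arn):
    """Keyword arguments for cloudwatch.put_metric_alarm(). DDoSDetected is only emitted
    during an attack, so missing data must count as healthy or the alarm sits in INSUFFICIENT_DATA."""
    return {
        "AlarmName": "shield-ddos-detected-" + resource_arn.rsplit("/", 1)[-1],
        "Namespace": SHIELD_NAMESPACE, "MetricName": "DDoSDetected",
        "Dimensions": [{"Name": "ResourceArn", "Value": resource_arn}],
        "Statistic": "Maximum", "Period": 60, "EvaluationPeriods": 1,
        "Threshold": 0, "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "notBreaching", "AlarmActions": [sns_topic_arn],
    }

def parse_shield_alarm(event):
    """(resource_arn, metric) for an ALARM-state Shield alarm; None for OK transitions or other namespaces."""
    msg = json.loads(event["Records"][0]["Sns"]["Message"])
    trig = msg.get("Trigger", {})
    if msg.get("NewStateValue") != "ALARM" or trig.get("Namespace") != SHIELD_NAMESPACE:
        return None
    dims = {d["name"]: d["value"] for d in trig.get("Dimensions", [])}
    return dims["ResourceArn"], trig["MetricName"]

def plan_response(resource_arn, metric):
    """Response steps keyed on the attacked resource type (step names are this example's own)."""
    service = resource_arn.split(":")[2]
    steps = ["page_on_call", "open_incident:" + metric]
    if service in ("cloudfront", "elasticloadbalancing"):
        steps.append("tighten_waf_rate_rule")   # HTTP-fronted resource: WAF is the L7 control
    elif service == "ec2":
        steps.append("review_security_groups")  # Elastic IP on an instance
    return steps

def handler(event, context=None):
    # Lambda entry point, invoked through the SNS topic the alarm publishes to.
    parsed = parse_shield_alarm(event)
    if parsed is None:
        return {"action": "ignored"}
    arn, metric = parsed
    return {"action": "respond", "resource": arn, "steps": plan_response(arn, metric)}

# Constructed sample: SNS delivery of the alarm notification for a CloudFront distribution (placeholder ids).
SAMPLE_EVENT = {"Records": [{"Sns": {"Message": json.dumps({
    "AlarmName": "shield-ddos-detected-EXAMPLE123", "NewStateValue": "ALARM",
    "Trigger": {"Namespace": SHIELD_NAMESPACE, "MetricName": "DDoSDetected",
                "Dimensions": [{"name": "ResourceArn",
                                "value": "arn:aws:cloudfront::123456789012:distribution/EXAMPLE123"}]}})}}]}
```

Because the alarm cannot be exercised with a real attack, feed a constructed event like SAMPLE_EVENT through the handler to test the notification pipeline.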
Common Mistake
AWS WAF provides DDoS protection and can replace AWS Shield.
Correct
WAF is a web application firewall that filters HTTP/HTTPS requests based on rules (L7). Shield is a DDoS protection service that mitigates volumetric and protocol attacks (L3/L4/L7). WAF has NO automatic DDoS detection or mitigation capabilities. You need Shield for DDoS protection and WAF for application-layer filtering — they solve different problems and work best together.
This is the #1 most common wrong answer on certification exams. Remember: WAF = web application rules (SQL injection, XSS, rate limiting). Shield = DDoS attack mitigation. Shield Advanced + WAF = complete protection stack.
Common Mistake
Shield Standard and Shield Advanced both cost money — Standard is just the cheaper tier.
Correct
Shield Standard is completely FREE for all AWS customers with no configuration required. Shield Advanced is the paid tier at $3,000/month with a 1-year commitment. There is no 'Shield Standard pricing' — it is $0.
Exam questions frequently test whether candidates know Shield Standard is free and automatic. If a scenario asks for the most cost-effective DDoS protection, Shield Standard (free) is the answer for basic protection needs.
Common Mistake
CloudFront itself provides DDoS protection — you don't need Shield if you use CloudFront.
Correct
CloudFront is a CDN that caches and delivers content from edge locations. Shield Standard automatically protects CloudFront distributions against L3/L4 attacks (because Standard covers all AWS resources). However, CloudFront itself is not a DDoS protection service — Shield is. For advanced DDoS protection, visibility, DRT access, and L7 mitigation, you need Shield Advanced explicitly configured with CloudFront.
CloudFront's global distribution does help absorb some attack traffic by spreading it across edge locations, but this is a side effect of its architecture, not a DDoS protection feature. Shield is the DDoS protection service.
Common Mistake
Shield Advanced is priced per AWS account, so using it across 10 accounts costs $30,000/month.
Correct
Shield Advanced is priced at $3,000/month per AWS Organization (consolidated billing family), NOT per account. When managed through AWS Firewall Manager and AWS Organizations, the entire organization pays a single $3,000/month subscription fee, making it significantly more cost-effective for multi-account environments.
This misconception causes candidates to incorrectly eliminate Shield Advanced as 'too expensive' in multi-account scenarios. The per-organization pricing model is a key architectural and cost-optimization fact.
Common Mistake
Shield Advanced automatically protects all your AWS resources once you subscribe.
Correct
Shield Advanced requires you to EXPLICITLY specify which resources you want to protect (EC2 Elastic IPs, ELB ARNs, CloudFront distributions, Route 53 hosted zones, Global Accelerator accelerators). Simply subscribing to Shield Advanced does NOT automatically protect all your resources. You must either manually add resources in the Shield console or use Firewall Manager policies to auto-protect resources matching criteria.
This is a critical operational misconception. Candidates assume Shield Advanced is like Standard (automatic for everything). Advanced requires explicit resource enrollment. Use Firewall Manager to automate this at scale.
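Enrollment check for this point and for the "Shield Advanced Compliance Auditing" pattern above, added here as an example and not code from AWS or this guide: the five protectable ARN formats and the shape of Shield's list_protections() response are real; the inventory, account id and protection ids are constructed placeholders.

```python
import re

# The five resource types Shield Advanced can protect, keyed by the ARN service
# field and the resource-type token that follows the account id.
PROTECTABLE = {
    ("ec2", "eip-allocation"): "EC2 Elastic IP",
    ("elasticloadbalancing", "loadbalancer"): "Elastic Load Balancing",
    ("cloudfront", "distribution"): "CloudFront distribution",
    ("globalaccelerator", "accelerator"): "Global Accelerator",
    ("route53", "hostedzone"): "Route 53 hosted zone",
}
# Region (and, for Route 53, account) is empty for global services, hence the optional groups.
ARN_RE = re.compile(r"^arn:aws:([a-z0-9-]+):[a-z0-9-]*:\d{0,12}:([a-z-]+)[/:]")

def classify(arn):
    """Label for a protectable resource ARN, or None if Shield Advanced cannot protect it."""
    m = ARN_RE.match(arn)
    return PROTECTABLE.get((m.group(1), m.group(2))) if m else None

def audit(inventory, protections):
    """Compare an ARN inventory with shield.list_protections()["Protections"].
    The unprotected list is what a Config rule or Firewall Manager policy would remediate."""
    covered = {p["ResourceArn"] for p in protections}
    report = {"protected": [], "unprotected": [], "not_protectable": []}
    for arn in inventory:
        kind = classify(arn)
        if kind is None:
            report["not_protectable"].append(arn)
        elif arn in covered:
            report["protected"].append(arn)
        else:
            report["unprotected"].append((kind, arn))
    return report

# Constructed sample data (placeholder account id and resource ids).
SAMPLE_INVENTORY = [
    "arn:aws:cloudfront::123456789012:distribution/EXAMPLE123",
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/web/0123456789abcdef",
    "arn:aws:ec2:us-east-1:123456789012:eip-allocation/eipalloc-0123456789abcdef0",
    "arn:aws:route53:::hostedzone/Z0123456789EXAMPLE",
    "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0",  # instances are not protectable
]
SAMPLE_PROTECTIONS = [  # shape of list_protections(); only two of the four protectable resources enrolled
    {"Id": "11111111-aaaa-bbbb-cccc-000000000001", "Name": "cdn", "ResourceArn": SAMPLE_INVENTORY[0]},
    {"Id": "11111111-aaaa-bbbb-cccc-000000000002", "Name": "dns", "ResourceArn": SAMPLE_INVENTORY[3]},
]

if __name__ == "__main__":
    for kind, arn in audit(SAMPLE_INVENTORY, SAMPLE_PROTECTIONS)["unprotected"]:
        print(f"NOT ENROLLED: {kind}: {arn}")
```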
Common Mistake
Shield Standard protects against all types of DDoS attacks including application layer (L7) attacks.
Correct
Shield Standard protects against the most common L3 (network layer) and L4 (transport layer) attacks: SYN floods, UDP reflection attacks, and similar volumetric attacks. Application layer (L7) DDoS protection (HTTP floods, Slowloris, etc.) requires Shield Advanced combined with AWS WAF.
The L3/L4 vs L7 distinction is heavily tested. Standard = L3/L4 only. Advanced + WAF = L3/L4/L7 complete protection.
STANDARD = 'S' for Silently free (automatic, no cost, no config, no visibility). ADVANCED = 'A' for Active, Aware, and Assisted (active monitoring, attack awareness via CloudWatch, DRT assistance).
Shield layers: Think of a SHIELD with 3 layers — Standard covers the outer shell (L3/L4 free), Advanced adds the middle layer (visibility + DRT), WAF covers the inner core (L7 application rules). You need all three for full protection.
DRT = '$3,000 Response Team' — if you see DRT in an exam question, the answer involves Shield Advanced (and its $3,000/month price tag).
The 'WAF ≠ DDoS' rule: WAF = 'Web Application Filter' (rules you write). Shield = 'Stop the Flood' (automated DDoS mitigation). Never confuse the two.
Shield Advanced protected resources acronym: 'EC2-ELB-CF-GA-R53' (EC2, Elastic Load Balancing, CloudFront, Global Accelerator, Route 53) — these 5 resource types are the only ones explicitly protectable under Shield Advanced.
CertAI Tutor · SAA-C03, SAP-C02, DEA-C01, DOP-C02, SCS-C02, CLF-C02 · 2026-02-21