AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS.
AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency.
AWS Shield now provides two key capabilities: AWS Shield network security director (preview) for proactive network posture analysis and AWS Shield Advanced for managed DDoS protection.
AWS Shield detects the following classes of attacks:
Network Volumetric Attacks (Layer 3)
This is a sub category of infrastructure layer attack vectors.
These vectors attempt to saturate the capacity of the targeted network or resource, to deny service to legitimate users.
Network Protocol Attacks (Layer 4)
This is a sub category of infrastructure layer attack vectors.
These vectors abuse a protocol to deny service to the targeted resource.
A common example of a network protocol attack is a TCP SYN flood, which can exhaust connection state on resources like servers, load balancers, or firewalls.
A network protocol attack can also be volumetric for e.g., a larger TCP SYN flood may intend to saturate the capacity of a network while also exhausting the state of the targeted resource or intermediate resources.
Application Layer Attacks (Layer 7)
This category of attack vector attempts to deny service to legitimate users by flooding an application with queries that are valid for the target, such as web request floods.
AWS Shield Tiers
AWS Shield Standard
provides automatic protections to all customers at no additional charge.
defends against the most common, frequently occurring network and transport layer DDoS attacks that target websites or applications.
with CloudFront and Route 53, comprehensive availability protection against all known infrastructure (Layer 3 and 4) attacks is provided.
uses techniques such as deterministic packet filtering and priority-based traffic shaping to automatically mitigate basic network layer attacks.
provides always-on network flow monitoring, which inspects incoming traffic to AWS services and applies a combination of traffic signatures, anomaly algorithms, and other analysis techniques to detect malicious traffic in real time.
sets static thresholds for each AWS resource type but does not provide customized protection for individual applications.
AWS Shield Advanced
is a managed service that helps protect the application against external threats, like DDoS attacks, volumetric bots, and vulnerability exploitation attempts.
provides additional detection and mitigation against large and sophisticated DDoS attacks, near real-time visibility into attacks.
protects resources including Amazon CloudFront distributions, Amazon Route 53 hosted zones, AWS Global Accelerator standard accelerators, Elastic IP addresses, Application Load Balancers, and Classic Load Balancers.
EC2 instances and Network Load Balancers can be protected by association with protected Elastic IP addresses.
allows up to 1,000 resources per resource type per AWS account.
provides integration with AWS WAF at no additional charge. Shield Advanced subscribers receive up to 50 billion AWS WAF requests per calendar month for WAF-protected resources.
provides DDoS cost protection to safeguard against scaling charges resulting from DDoS-related usage spikes on protected resources.
in addition to the network and transport layer attacks, it also detects application layer (Layer 7) attacks such as HTTP floods or DNS query floods by baselining traffic on the application and identifying anomalies.
includes centralized protection management using Firewall Manager (included at no extra cost with Shield Advanced subscription), that can automatically
configure policies covering multiple accounts and resources
audit accounts to find new or unprotected resources, and ensure that Shield Advanced and AWS WAF protections are universally applied.
provides complete visibility into DDoS attacks with near real-time notification through CloudWatch and detailed diagnostics on the AWS WAF and AWS Shield console or APIs.
Shield Advanced – Customized Detection
provides customized detection based on traffic patterns to protected Elastic IP addresses, ELB, CloudFront, Global Accelerator, and Route 53 resources.
uses additional monitoring techniques for individual regions and resources to detect smaller DDoS attacks and alert about them.
detects application layer DDoS attacks by baselining incoming traffic and identifying anomalies.
Shield Advanced – Health-Based Detection
uses health check data from Route 53 to improve responsiveness, detection accuracy, and mitigation speed.
associate a Route 53 health check with a Shield Advanced-protected resource through the console or API.
enables Shield Advanced to detect attacks faster using lower traffic thresholds, improving application DDoS resilience and preventing false alerts.
resource health status is also available to the SRT to help prioritize remediation of unhealthy applications.
can be used with all Shield Advanced-supported resource types.
Shield Advanced – Protection Groups
allows you to bundle resources into protection groups, treating multiple resources as a single unit for detection and mitigation.
grouping resources improves detection accuracy, reduces false positives, simplifies automatic protection of newly created resources, and accelerates mitigation.
for example, if an application has four CloudFront distributions, they can be added to one protection group for unified detection and protection.
reporting can be collected at the protection group level for a holistic view of overall application health.
Shield Advanced – Proactive Engagement
provides proactive engagement from the SRT after DDoS events are detected.
when enabled, if a Route 53 health check shows your protected resource as unhealthy during a DDoS attack, the SRT contacts you directly.
can be enabled for network and transport layer events on Elastic IP and Global Accelerator resources, and for application layer attacks on CloudFront distributions and Application Load Balancers.
Anti-DDoS Managed Rule Group (AMR) for AWS WAF
Launched in June 2025, the Anti-DDoS Managed Rule Group (AWSManagedRulesAntiDDoSRuleSet) is an AWS Managed Rule for AWS WAF that automatically detects and mitigates application layer (L7) DDoS events within seconds.
As of March 26, 2026, the Anti-DDoS AMR is the default solution for protection against HTTP request flood attacks, superseding the legacy Layer 7 Auto Mitigation (L7AM) feature.
Existing Shield Advanced customers can continue using the legacy L7AM but are encouraged to adopt the Anti-DDoS AMR for faster detection (seconds vs. minutes).
The AMR learns traffic patterns and establishes baselines for each protected resource within minutes of activation.
Uses machine learning models to identify traffic anomalies and assigns suspicion scores to requests for use in mitigations.
Supports resources behind Amazon CloudFront, Application Load Balancer (ALB), and API Gateway.
For Shield Advanced customers, the AMR is included in the subscription. It is also available as a pay-as-you-go alternative for non-Shield Advanced customers.
Provides configurable sensitivity settings and URI-path-specific protection.
When a DDoS event is detected, the AMR adds labels (event-detected, ddos-request) to requests for custom downstream handling.
DDoS Attack Flow Logs (2026)
Announced May 2026, AWS Shield Advanced now provides DDoS attack flow logs for forensic analysis and compliance.
Captures critical packet-level details during active attacks, including:
Source and destination IP addresses
Ports and protocols
Packet and byte counts
Source country information
Log data is automatically published to your chosen destination (Amazon S3, CloudWatch Logs, or Amazon Data Firehose) at 5-minute intervals during active attacks.
Enables you to pinpoint attack sources, verify mitigations, and feed existing analysis pipelines.
Helps organizations reconstruct attack patterns and verify mitigation effectiveness without additional infrastructure.
AWS Shield Network Security Director (Preview)
Announced June 2025, AWS Shield network security director is a new capability that provides proactive network security posture analysis.
Discovers resources across AWS accounts, identifies connectivity between resources, and determines which network security services and configurations are in place.
Key capabilities:
Network Topology Visualization – provides a complete view of your AWS environment with resource connectivity, security configurations, and potential security issues. Resources are grouped by tags and connectivity patterns.
Prioritized Findings Dashboard – assigns severity levels (NONE, INFORMATIONAL, LOW, MEDIUM, HIGH, CRITICAL) based on identified network security issues, considering network context, AWS best practices, and threat intelligence.
Remediation Recommendations – provides step-by-step instructions to fix identified misconfigurations in services like AWS WAF, VPC security groups, and VPC network ACLs.
Amazon Q Integration – analyze network security issues using natural language through Amazon Q Developer.
Supports multi-account analysis (added December 2025).
Findings are available in AWS Security Hub (added March 2026).
Does not require a Shield Advanced subscription.
AWS Certification Exam Practice Questions
Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
Open to further feedback, discussion and correction.
Which AWS service has inbuilt DDoS protection?
AWS Shield
AWS CloudWatch
AWS EC2
AWS Inspector
A media company has monetized their APIs to external third parties. During the last month, the platform has come under DDoS attacks multiple times leading to scaling of underlying instances and cost incurred. Which AWS service would help provide cost protection against such spikes, if such situations do occur in the future?
AWS Systems Manager
AWS WAF
AWS Shield Advanced
AWS Inspector
A company is hosting an important revenue generating application. On the last few occasions, the application has come under large DDoS attacks. As a result of this, a lot of users were complaining about the slowness of the application. You need to now avoid these situations in the future and now require 24×7 support from AWS if such situations do occur in the future. Which of the following service can help in this regard?
AWS Shield Advanced
AWS Inspector
AWS WAF
AWS Systems Manager
A company wants to automatically detect and mitigate Layer 7 DDoS attacks on their web application within seconds without manual rule configuration. Which solution provides the fastest automated response?
AWS WAF rate-based rules
AWS Shield Standard
AWS WAF Anti-DDoS Managed Rule Group (AMR)
AWS Network Firewall
A security team needs packet-level visibility into DDoS attack traffic targeting their Shield Advanced-protected resources for forensic analysis. Which feature should they enable?
VPC Flow Logs
AWS CloudTrail
Shield Advanced DDoS Attack Flow Logs
AWS WAF logging
An organization wants to proactively identify missing or misconfigured network security services across their AWS accounts and receive remediation guidance. Which AWS Shield capability should they use?
Shield Advanced Protection Groups
AWS Firewall Manager
AWS Shield Network Security Director
AWS Security Hub
A company has multiple CloudFront distributions serving their e-commerce application and wants Shield Advanced to treat them as a single unit for DDoS detection and mitigation. What feature should they use?
AWS WAF rule groups
AWS Firewall Manager policies
Shield Advanced Protection Groups
CloudFront origin groups
A company wants the AWS Shield Response Team (SRT) to automatically contact them when a DDoS event is detected and their application becomes unhealthy. What must they configure? (Choose 2)
Enable Proactive Engagement in Shield Advanced
Associate a Route 53 health check with the protected resource
The original AWS DDoS Best Practices whitepaper (June 2015) has been updated multiple times, with the latest revision dated August 9, 2023. AWS now marks it as “historical reference.” The current AWS DDoS protection guidance is integrated into the AWS WAF, Shield, and Firewall Manager Developer Guide.
This post has been updated to reflect the modern AWS DDoS protection services including AWS Shield, AWS WAF v2, AWS Firewall Manager, and the new Anti-DDoS Managed Rule Group (2026).
Denial of Service (DoS) is an attack, carried out by a single attacker, which attempts to make a website or application unavailable to the end users.
Distributed Denial of Service (DDoS) is an attack, carried out by multiple attackers either controlled or compromised by a group of collaborators, which generates a flood of requests to the application making it unavailable to the legitimate end users.
DDoS attacks can be segregated by which layer of the OSI model they attack:
Application layer attacks (Layer 6 and 7) — HTTP/S floods, DNS query floods, SSL/TLS abuse
AWS DDoS Protection Services
AWS Shield Standard — Free, automatic protection for all AWS customers against common infrastructure DDoS attacks (Layer 3/4)
AWS Shield Advanced — Paid managed DDoS protection with enhanced detection, always-on automatic mitigation, 24/7 access to Shield Response Team (SRT), cost protection, and application layer protections
AWS WAF — Web application firewall for application layer (Layer 7) protection with managed rule groups, rate-based rules, and bot control
AWS Firewall Manager — Centralized security policy management across multiple accounts and resources in AWS Organizations
AWS Shield Network Security Director (Preview, 2025) — Analyzes network resources, identifies configuration issues, and provides remediation recommendations for comprehensive DDoS posture
Mitigation Techniques
Minimize the Attack Surface Area
Reduce the attack surface by minimizing the different Internet entry points that allow access to your application
Strategy to minimize the Attack surface area:
Reduce the number of necessary Internet entry points
Don’t expose back-end servers
Eliminate non-critical Internet entry points
Separate end user traffic from management traffic
Obfuscate necessary Internet entry points to the level that untrusted end users cannot access them
Decouple Internet entry points to minimize the effects of attacks
Benefits:
Minimizes the effective attack vectors and targets
Less to monitor and protect
Strategy can be achieved using AWS Virtual Private Cloud (VPC):
Defines a logically isolated virtual network within AWS
Provides ability to create Public & Private Subnets to launch internet-facing and non-public-facing instances accordingly
Provides NAT gateway allowing instances in private subnets to have internet access without Public IPs
Allows creation of Bastion hosts (or use AWS Systems Manager Session Manager) for connecting to instances in private subnets
Provides security groups for instances and NACLs for subnets to control and limit outbound and inbound traffic
Supports VPC endpoints (Gateway and Interface) to access AWS services privately without traversing the internet
Be Ready to Scale to Absorb the Attack
DDoS attacks mainly aim to overload systems beyond their capacity, rendering them unusable
Scaling out Benefits:
Helps build a resilient architecture
Makes the attacker work harder
Gives you time to think, analyze, and adapt
AWS services for scaling:
Auto Scaling & Elastic Load Balancing
Horizontal scaling using Auto Scaling with ELB (ALB, NLB, or CLB)
Auto Scaling allows instances to be added and removed as demand changes
ELB distributes traffic across multiple EC2 instances while acting as a single point of contact
Auto Scaling automatically registers and deregisters EC2 instances with the ELB during scale-out and scale-in events
Application Load Balancer (ALB) integrates natively with AWS WAF for Layer 7 protection
Network Load Balancer (NLB) handles millions of requests per second with ultra-low latency for Layer 4 traffic
EC2 Instance
Vertical scaling can be achieved by using appropriate EC2 instance types (e.g., EBS-optimized or ones with 25/100 Gbps network connectivity) to handle the load
Enhanced Networking
Use instances with Enhanced Networking capabilities (ENA) for high packet-per-second performance, low latency networking, and improved scalability
Amazon CloudFront
CloudFront is a CDN that acts as a proxy between end users and Origin servers, distributing content without sending all traffic to the Origin
Has inherent ability to mitigate both infrastructure and application layer DDoS attacks by dispersing traffic across multiple edge locations globally
AWS has multiple Internet connections for capacity and redundancy at each location, allowing isolation of attack traffic while serving legitimate end users
CloudFront filters to ensure only valid TCP connections and HTTP requests are processed, dropping invalid requests (commonly used in UDP & SYN floods, and slow reads)
CloudFront Security Dashboard (2023) provides unified CDN and security experience with one-click AWS WAF protection and built-in security monitoring
Integrates natively with AWS WAF and AWS Shield Advanced
Amazon Route 53
DDoS attacks also target DNS — if DNS is unavailable, the application is effectively unavailable
AWS Route 53 is a highly available and scalable DNS service with capabilities to withstand DDoS attacks:
Shuffle Sharding — spreads DNS requests over numerous PoPs using independent sets of edge locations, providing multiple paths to your application
Anycast Routing — advertises the same IP address from multiple PoPs, increasing redundancy; if one endpoint is overwhelmed, traffic routes to others
AWS Global Accelerator
Uses static anycast IP addresses as entry points to the AWS global network
Integrates with AWS Shield for DDoS mitigation at the edge, including a stateless SYN proxy that challenges new connections and only serves legitimate end users
Routes traffic over the AWS backbone network, away from the congested public internet
Provides fault isolation and deterministic routing for improved DDoS resiliency
Safeguard Exposed & Hard-to-Scale Resources
If entry points cannot be limited, additional measures to restrict access and protect those entry points without interrupting legitimate end user traffic
AWS services for protection:
CloudFront
Restrict access using Geo Restriction and Origin Access Control (OAC)
With Geo Restriction, access can be restricted to whitelisted countries or blocked from blacklisted countries
Origin Access Control (OAC) replaces the legacy Origin Access Identity (OAI) — allows access to S3 origins only through CloudFront while denying direct access. OAC supports SSE-KMS, dynamic requests, and all S3 regions.
Route 53
Alias Record sets and Private DNS make it easier to scale infrastructure and respond to DDoS attacks
Route 53 health checks enable automatic failover to healthy resources
AWS WAF (Web Application Firewall)
AWS WAF is a fully managed service (not EC2-based) that filters web traffic using customizable rules
Integrates directly with CloudFront, ALB, API Gateway, AppSync, App Runner, Cognito, and Verified Access
Managed Rule Groups — pre-built rules for OWASP Top 10, known bad inputs, SQL injection, XSS
Bot Control — managed bot detection and mitigation covering 650+ unique bots and AI agents
Fraud Control — Account Takeover Prevention (ATP) and Account Creation Fraud Prevention (ACFP)
Anti-DDoS Managed Rule Group (AWSManagedRulesAntiDDoSRuleSet) — launched March 2026 as the default L7 DDoS protection; establishes traffic baselines, detects anomalies within seconds, and mitigates HTTP floods automatically
AI Bot Management — AI Activity Dashboard (Feb 2026) for visibility into AI scrapers, tools, and agents; supports AI traffic monetization
Geo-match conditions, IP set rules, regex pattern sets
Custom response bodies and headers
No longer requires the “WAF sandwich” pattern — AWS WAF is now a native, managed Layer 7 service that does not require separate EC2 instances
AWS Shield Advanced
Provides managed DDoS protection for CloudFront, Route 53, Global Accelerator, ELB, and EC2 Elastic IPs
Key features:
Always-on detection and automatic mitigation with sub-second time-to-mitigate
Shield Response Team (SRT) — 24/7 expert support during active DDoS events
Cost protection — credits for scaling charges incurred during DDoS attacks
DDoS visibility — real-time metrics, attack notifications, and forensic reports
Health-based detection — uses Route 53 health checks to improve detection accuracy and reduce false positives
Network Security Director (Preview, June 2025) — discovers resources, visualizes network topology, identifies security misconfigurations, and provides remediation recommendations using Amazon Q Developer
AWS Firewall Manager
Centrally configure and manage AWS WAF rules, Shield Advanced protections, security groups, Network Firewall, and DNS Firewall policies across all accounts in AWS Organizations
Automatically applies security policies to new resources as they are created
Provides compliance monitoring and reporting
Note: The WAF Sandwich pattern shown above is a legacy architecture. AWS WAF is now a fully managed service that integrates natively with ALB, CloudFront, API Gateway, and other services — no separate EC2-based WAF instances are needed.
Learn Normal Behavior
Understand the normal levels and patterns of traffic for your application and use that as a benchmark for identifying abnormal traffic or resource spikes
Benefits:
Allows one to spot abnormalities
Configure alarms with accurate thresholds
Assists with generating forensic data
AWS services for tracking and detection:
Amazon CloudWatch
Monitor infrastructure and applications running on AWS
Collect metrics, log files, and set alarms for when metrics pass predetermined thresholds
Network Layer: AWS Global Accelerator + Elastic Load Balancing (ALB/NLB) + VPC with NACLs and Security Groups
Application Layer: Auto Scaling groups + EC2 instances in multiple AZs
Management Layer: AWS Firewall Manager for centralized policy management across accounts
Key principle: Push traffic as far from the origin as possible using CloudFront, Global Accelerator, and Route 53 to leverage AWS’s globally distributed DDoS mitigation capacity (terabits scale).
AWS Certification Exam Practice Questions
Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
Open to further feedback, discussion and correction.
You are designing a social media site and are considering how to mitigate distributed denial-of-service (DDoS) attacks. Which of the below are viable mitigation techniques? (Choose 3 answers)
Add multiple elastic network interfaces (ENIs) to each EC2 instance to increase the network bandwidth.
Use dedicated instances to ensure that each instance has the maximum performance possible.
Use an Amazon CloudFront distribution for both static and dynamic content.
Use an Elastic Load Balancer with auto scaling groups at the web app and Amazon Relational Database Service (RDS) tiers
Add alert Amazon CloudWatch to look for high Network in and CPU utilization.
Create processes and capabilities to quickly add and remove rules to the instance OS firewall.
You’ve been hired to enhance the overall security posture for a very large e-commerce site. They have a well architected multi-tier application running in a VPC that uses ELBs in front of both the web and the app tier with static assets served directly from S3. They are using a combination of RDS and DynamoDB for their dynamic data and then archiving nightly into S3 for further processing with EMR. They are concerned because they found questionable log entries and suspect someone is attempting to gain unauthorized access. Which approach provides a cost effective scalable mitigation to this kind of attack?
Recommend that they lease space at a DirectConnect partner location and establish a 1G DirectConnect connection to their VPC they would then establish Internet connectivity into their space, filter the traffic in hardware Web Application Firewall (WAF). And then pass the traffic through the DirectConnect connection into their application running in their VPC. (Not cost effective)
Add previously identified hostile source IPs as an explicit INBOUND DENY NACL to the web tier subnet. (does not protect against new source)
Add a WAF tier by creating a new ELB and an AutoScaling group of EC2 Instances running a host-based WAF. They would redirect Route 53 to resolve to the new WAF tier ELB. The WAF tier would then pass the traffic to the current web tier. The web tier Security Groups would be updated to only allow traffic from the WAF tier Security Group (Note: This describes the legacy “WAF sandwich” pattern. In modern AWS, you would simply enable AWS WAF on the existing ALB — no separate EC2 WAF tier is needed.)
Remove all but TLS 1.2 from the web tier ELB and enable Advanced Protocol Filtering This will enable the ELB itself to perform WAF functionality. (No advanced protocol filtering in ELB)
A company wants to protect its web application from Layer 7 DDoS attacks and common web exploits. The application uses Amazon CloudFront with an Application Load Balancer origin. Which combination of AWS services provides the MOST effective protection? (Choose 2 answers)
Enable AWS Shield Advanced on the CloudFront distribution and ALB with automatic application layer DDoS mitigation
Deploy AWS Network Firewall in front of the ALB
Associate an AWS WAF web ACL with rate-based rules and the Anti-DDoS Managed Rule Group on the CloudFront distribution
Use Security Groups on the ALB to block malicious IPs
Enable VPC Flow Logs and manually block attacking IPs
A security team needs to protect multiple AWS accounts’ web applications from DDoS attacks with consistent security policies. Which approach provides centralized management with automatic enforcement?
Manually configure AWS WAF rules on each account’s resources
Use AWS Firewall Manager to define WAF and Shield Advanced policies across the AWS Organization
Deploy third-party WAF appliances in each VPC
Use AWS Config rules to audit WAF configurations
Which AWS service provides automatic, always-on protection against common DDoS attacks at no additional cost for ALL AWS customers?
AWS WAF
AWS Shield Standard
AWS Shield Advanced
AWS Firewall Manager
A company is experiencing an active DDoS attack on their application behind CloudFront. They have AWS Shield Advanced enabled. Which features are available to help mitigate the attack? (Choose 3 answers)
24/7 access to the AWS Shield Response Team (SRT)
Automatic VPC security group rule updates
Automatic application layer mitigation through managed WAF rules
Cost protection credits for scaling charges incurred during the attack