• AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS.
• AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency.
• AWS Shield now provides two key capabilities: AWS Shield network security director (preview) for proactive network posture analysis and AWS Shield Advanced for managed DDoS protection.
• AWS Shield detects the following classes of attacks:
  • Network Volumetric Attacks (Layer 3)
    • This is a sub category of infrastructure layer attack vectors.
    • These vectors attempt to saturate the capacity of the targeted network or resource, to deny service to legitimate users.
  • Network Protocol Attacks (Layer 4)
    • This is a sub category of infrastructure layer attack vectors.
    • These vectors abuse a protocol to deny service to the targeted resource.
    • A common example of a network protocol attack is a TCP SYN flood, which can exhaust connection state on resources like servers, load balancers, or firewalls.
    • A network protocol attack can also be volumetric for e.g., a larger TCP SYN flood may intend to saturate the capacity of a network while also exhausting the state of the targeted resource or intermediate resources.
  • Application Layer Attacks (Layer 7)
    • This category of attack vector attempts to deny service to legitimate users by flooding an application with queries that are valid for the target, such as web request floods.

AWS Shield Tiers

AWS Shield Standard

• provides automatic protections to all customers at no additional charge.
• defends against the most common, frequently occurring network and transport layer DDoS attacks that target websites or applications.
• with CloudFront and Route 53, comprehensive availability protection against all known infrastructure (Layer 3 and 4) attacks is provided.
• uses techniques such as deterministic packet filtering and priority-based traffic shaping to automatically mitigate basic network layer attacks.
• provides always-on network flow monitoring, which inspects incoming traffic to AWS services and applies a combination of traffic signatures, anomaly algorithms, and other analysis techniques to detect malicious traffic in real time.
• sets static thresholds for each AWS resource type but does not provide customized protection for individual applications.

AWS Shield Advanced

• is a managed service that helps protect the application against external threats, like DDoS attacks, volumetric bots, and vulnerability exploitation attempts.
• provides additional detection and mitigation against large and sophisticated DDoS attacks, near real-time visibility into attacks.
• protects resources including Amazon CloudFront distributions, Amazon Route 53 hosted zones, AWS Global Accelerator standard accelerators, Elastic IP addresses, Application Load Balancers, and Classic Load Balancers.
• EC2 instances and Network Load Balancers can be protected by association with protected Elastic IP addresses.
• allows up to 1,000 resources per resource type per AWS account.
• provides integration with AWS WAF at no additional charge. Shield Advanced subscribers receive up to 50 billion AWS WAF requests per calendar month for WAF-protected resources.
• also gives 24×7 access to the AWS Shield Response Team (SRT) and protection against DDoS related spikes in the EC2, ELB, CloudFront, AWS Global Accelerator and Route 53 charges.
• provides DDoS cost protection to safeguard against scaling charges resulting from DDoS-related usage spikes on protected resources.
• in addition to the network and transport layer attacks, it also detects application layer (Layer 7) attacks such as HTTP floods or DNS query floods by baselining traffic on the application and identifying anomalies.
• is available globally on all CloudFront, Global Accelerator, and Route 53 edge locations.
• includes centralized protection management using Firewall Manager (included at no extra cost with Shield Advanced subscription), that can automatically
  • configure policies covering multiple accounts and resources
  • audit accounts to find new or unprotected resources, and ensure that Shield Advanced and AWS WAF protections are universally applied.
• provides complete visibility into DDoS attacks with near real-time notification through CloudWatch and detailed diagnostics on the AWS WAF and AWS Shield console or APIs.

Shield Advanced – Customized Detection

• provides customized detection based on traffic patterns to protected Elastic IP addresses, ELB, CloudFront, Global Accelerator, and Route 53 resources.
• uses additional monitoring techniques for individual regions and resources to detect smaller DDoS attacks and alert about them.
• detects application layer DDoS attacks by baselining incoming traffic and identifying anomalies.

Shield Advanced – Health-Based Detection

• uses health check data from Route 53 to improve responsiveness, detection accuracy, and mitigation speed.
• associate a Route 53 health check with a Shield Advanced-protected resource through the console or API.
• enables Shield Advanced to detect attacks faster using lower traffic thresholds, improving application DDoS resilience and preventing false alerts.
• resource health status is also available to the SRT to help prioritize remediation of unhealthy applications.
• can be used with all Shield Advanced-supported resource types.

Shield Advanced – Protection Groups

• allows you to bundle resources into protection groups, treating multiple resources as a single unit for detection and mitigation.
• grouping resources improves detection accuracy, reduces false positives, simplifies automatic protection of newly created resources, and accelerates mitigation.
• for example, if an application has four CloudFront distributions, they can be added to one protection group for unified detection and protection.
• reporting can be collected at the protection group level for a holistic view of overall application health.

Shield Advanced – Proactive Engagement

• provides proactive engagement from the SRT after DDoS events are detected.
• when enabled, if a Route 53 health check shows your protected resource as unhealthy during a DDoS attack, the SRT contacts you directly.
• can be enabled for network and transport layer events on Elastic IP and Global Accelerator resources, and for application layer attacks on CloudFront distributions and Application Load Balancers.

Anti-DDoS Managed Rule Group (AMR) for AWS WAF

• Launched in June 2025, the Anti-DDoS Managed Rule Group (AWSManagedRulesAntiDDoSRuleSet) is an AWS Managed Rule for AWS WAF that automatically detects and mitigates application layer (L7) DDoS events within seconds.
• As of March 26, 2026, the Anti-DDoS AMR is the default solution for protection against HTTP request flood attacks, superseding the legacy Layer 7 Auto Mitigation (L7AM) feature.
• Existing Shield Advanced customers can continue using the legacy L7AM but are encouraged to adopt the Anti-DDoS AMR for faster detection (seconds vs. minutes).
• The AMR learns traffic patterns and establishes baselines for each protected resource within minutes of activation.
• Uses machine learning models to identify traffic anomalies and assigns suspicion scores to requests for use in mitigations.
• Supports resources behind Amazon CloudFront, Application Load Balancer (ALB), and API Gateway.
• For Shield Advanced customers, the AMR is included in the subscription. It is also available as a pay-as-you-go alternative for non-Shield Advanced customers.
• Provides configurable sensitivity settings and URI-path-specific protection.
• When a DDoS event is detected, the AMR adds labels (event-detected, ddos-request) to requests for custom downstream handling.

DDoS Attack Flow Logs (2026)

• Announced May 2026, AWS Shield Advanced now provides DDoS attack flow logs for forensic analysis and compliance.
• Captures critical packet-level details during active attacks, including:
  • Source and destination IP addresses
  • Ports and protocols
  • Packet and byte counts
  • Source country information
• Log data is automatically published to your chosen destination (Amazon S3, CloudWatch Logs, or Amazon Data Firehose) at 5-minute intervals during active attacks.
• Enables you to pinpoint attack sources, verify mitigations, and feed existing analysis pipelines.
• Helps organizations reconstruct attack patterns and verify mitigation effectiveness without additional infrastructure.

AWS Shield Network Security Director (Preview)

• Announced June 2025, AWS Shield network security director is a new capability that provides proactive network security posture analysis.
• Discovers resources across AWS accounts, identifies connectivity between resources, and determines which network security services and configurations are in place.
• Key capabilities:
  • Network Topology Visualization – provides a complete view of your AWS environment with resource connectivity, security configurations, and potential security issues. Resources are grouped by tags and connectivity patterns.
  • Prioritized Findings Dashboard – assigns severity levels (NONE, INFORMATIONAL, LOW, MEDIUM, HIGH, CRITICAL) based on identified network security issues, considering network context, AWS best practices, and threat intelligence.
  • Remediation Recommendations – provides step-by-step instructions to fix identified misconfigurations in services like AWS WAF, VPC security groups, and VPC network ACLs.
  • Amazon Q Integration – analyze network security issues using natural language through Amazon Q Developer.
• Supports multi-account analysis (added December 2025).
• Findings are available in AWS Security Hub (added March 2026).
• Does not require a Shield Advanced subscription.