AWS Shield
Overview
AWS is dedicated to working towards providing its customers with the best tools, services, and practices that ensure high availability, security, and resiliency in defense against malicious events on the internet. With that being said, AWS offers AWS Shield as a managed Distributed Denial of Service (DDoS) prevention service as an integrated essential protection layer or safeguard for the internet-facing applications running on Amazon Web Services (AWS). It reduces latency, and application downtime by eradicating any benefits to the DDoS attacker with its active monitoring and automatic inline mitigations, making it an important service to rely upon to prevent any DDoS attacks in the future.
What is AWS Shield and How Does It Work?
Before we head on to understand what is AWS Shield, we need to understand why did AWS enable the AWS Shield automatically costing no fee. You may have heard of the DDoS attack that happened in 1996, targeting Panix which was the oldest Internet Service Provider (ISP) in New York.
DDoS attacks or denial of service attacks targets overload the IT resources due to which they cannot function properly. The attack happens either by artificially increasing the workload on cloud services with imitation messages or repetitive communication requests that lead to unresponsiveness and hampers the performance as the network receives insignificant overloaded traffic or consumes excessive memory and processing resources, and excessive cloud service requests are sent which disturbs the whole system of the AWS user making it more prone to threat and data loss in some cases.
Below is a diagram showcasing how DDoS attacks happen:
Well! Worry not, to combat this issue AWS has the AWS Shield which automatically enables the AWS resources to protect from such serious DDoS attacks. The AWS Shield is a managed DDoS protection service running on Amazon Web Services safeguarding its applications. With its active monitoring and automatic inline mitigations, the AWS shield prevents any benefits to the DDoS attacker by reducing latency, and application downtime by eradicating making it an important service to rely upon to prevent any DDoS attacks in the future if any. Protecting against DDoS attack vectors and zero-day attack vectors(A zero-day attack is defined as the use of zero-day exploitation with the objective of causing damage or stealing data when the system is highly vulnerable), shield detection and mitigation are designed such that it gives great coverage against threats even if they are not known at the time of detection. Hence, providing the utmost security and ease to its users.
The below diagram shows how AWS shield safeguards when implemented:
The AWS Shield Standard and AWS Shield Advanced help in providing protections when a DDoS attack(Layer 3, Layer 4, and Layer 7 attacks) may overwhelm the target services leading to the failure of the services. Now a question that might arise is How does AWS Shield work to provide this security and protection to its service and web applications? Let's discuss that in the following points:
- When a DDoS attack attempt is made to hamper any online service by making it unavailable for a few minutes to hours by overwhelming it with malicious traffic and hence utilizing that time to breach into the sensitive data, that is where AWS Shield comes in as an easy service that prevents any such occurrence to happen.
- The AWS Shield with its automatic protections of AWS Shield Standard that too at no additional charge provides this benefit to be available for all its customers to use with Amazon CloudFront, Amazon Route 53, and Elastic Load Balancer.
- For an advanced level of protection, you may need to switch to AWS Shield Advanced and you first need to subscribe to choose the resources that need to be protected.
- You can integrate the AWS Shield Advanced protection for AWS Global Accelerator, Amazon Route 53, Elastic Load Balancer(ELB), Amazon CloudFront distribution, Amazon Elastic Compute Cloud (Amazon EC2), or even Elastic IP addresses.
- Lastly, AWS's infrastructure is so designed that it makes it DDoS resilient and equipped to mitigate the DDoS attack by automatically detecting and filtering excess traffic 24/7.
Types of AWS Shield
The AWS Shield can be described as a managed AWS Cloud service for protection against any DDoS or infrastructure (layer 3 and 4) attacks.
The AWS Shield is available in two different tiers, The AWS Shield Standard and The AWS Shield Advanced which provides a lot more protection and safety in handling any DDoS attacks. We shall be discussing the features of both tiers of AWS Shield along with some additional features of AWS Shield below:
AWS Standard Shield
The features offered by the AWS Shield Standard:
- As the AWS Shield Standard is automatically enabled at no additional cost, all the AWS customers are protected and benefit from it.
- With the visibility features that the AWS Shield provides we can view all the events that get detected and mitigated by AWS Shield in our account.
- By providing always-on network flow monitoring helps the users detect if any malicious traffic is getting detected and even inspect incoming traffic in real-time.
- To make your AWS resource and application extensively protected and enable availability protection against infrastructure attacks, we usually can integrate the AWS shield with CloudFront and Route 53.
- To automatically mitigate DDoS attacks that may hamper and make your application and resource vulnerable, the AWS shield standard uses deterministic packet filtering ( It is defined as dropping malformed TCP packets and invalid DNS requests, that only allows valid traffic for the service to pass ), Heuristics-based anomaly detection ( It evaluates attributes like type, source, and composition of traffic), and priority-based traffic shaping.
- It provides a list of all the events that AWS Shield has detected and neutralized.
AWS Shield Advanced
The features offered by the AWS Shield Advanced:
- The major advantage that the AWS Shield Advanced provides is its enhanced detection, monitoring application layer traffic, and inspecting network flow with the Elastic IP address, CloudFront, Route 53 resources, or Elastic Load Balancing.
- When you enable the AWS Shield advanced, you get 24×7 availability from the AWS DDoS Response Team for which you simply need the Enterprise or Business Support levels of the AWS Premium Support Plan for contacting the DDoS Response Team.
- Majority of the layer 3, layer 4, and layer 7 attacks can be easily handled by enabling the AWS Shield Advanced which enables DDoS protection and mitigation responsibilities.
- The AWS Shield Advanced has the “DDoS cost protection”, which acts as a safeguard from the scaling charges that might be costed due to the DDoS attacks. The DDoS attack can cause a sudden spike in our AWS services which might generate a large bill when cost protection is not enabled. This is done by providing service credits for the charging cost due to usage spikes.
- To protect against enormous DDoS attacks, the AWS Shield Advanced automatically provides additional mitigation capacity. Manual mitigation is also applied by the AWS DDoS Response Team when more complex and sophisticated DDoS attacks take place.
- Near real-time notification is possible with CloudWatch in addition to Detailed diagnostics is also available and visible on the AWS WAF and AWS Shield Management Console, which helps to give the user complete visibility into any DDoS attacks.
- Global Availability of the AWS Shield Advanced expands to all CloudFront and Route 53 edge locations.
- By enabling the AWS Shield Advanced, we can see the history of all the DDoS events and incidents that have taken place in the past 13 months.
- When you enable the AWS shield Advanced you need to choose the service that you want to protect as it only protects the resources that you specify.
The diagram below depicts the comparison between the two tiers of AWS Shield:
Additional Features:
Some additional features that might be learned so that if we come across any scenarios then we can make use of the knowledge we gather here:
- Identification of sensitive data is possible with details like line numbers, record index, page numbers, and row/column numbers. Once a job gets submitted, findings are generated on the Amazon Macie console (A fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS) which are then transferred to Amazon EventBridge where sensitive data location information is included in the findings.
- Performing scoping of scan is also possible with the AWS shield, where we can scan the Amazon S3 buckets across multiple AWS accounts.
- Whenever you are about to run the jobs, an estimation of the approximate costs is sent to you for review.
Pricing of AWS Shield
With AWS being in the picture we know that the organization saves a lot of money by paying no penny for the maintenance or buying any support tools for the services they use and paying for only what they used and also until the time they used. Whenever you are about to run the jobs, an estimation of the approximate costs is sent to you for review. Adding to this service is why the AWS Shield gained so much popularity as we don't have to pay any upfront cost for any inbound data transfer on AWS. No charges are allowed even if our services are compromised against any DDoS attack which eventually the AWS mitigates.
Below is the snapshot that reflects the Pricing details for the two tiers of the AWS Shield that can help you plan better as per your requirements:
The AWS Shield Pricing for the two tiers is listed below:
The AWS Shield Standard: As the AWS Shield Standard is already enabled for the AWS services we can directly start using it with our website or applications without incurring any extra cost.
The AWS Shield Advanced: For internet-facing applications, the AWS Shield Advanced is a paid service that provides extra security. We will need to pay $3000 for each organization that enables the AWS Shield Advanced with a one-year committed subscription. The AWS Shield Advanced also asks for a monthly cost when the organization has many AWS accounts in addition to a usage fee based on data transfer out from CloudFront, ELB, EC2, and AWS Global Accelerator.
Below are the pricing details related to OUT Data Transfer when we enable the AWS Shield Advanced:
What Does AWS Shield Protect Against?
One question that might be popping into your head, would be What Does AWS Shield Protect against? Well, to answer this question, we have explained how both The AWS shield Standard and the AWS Shield Advanced protect the users and the AWS resource that they are using against any DDoS attack.
- The AWS Shield Standard: Below are the type of DDoS attacks that the AWS Shield Standard protect the AWS resources, websites, and applications from:
- Volumetric (Layer 3) Attacks: The Volumetric attack also known as the Layer 3 attacks, is the kind of DDoS attack that is referred to as the network floods including the UDP floods (UDP reflection attacks) and the ICMP floods. These attacks make your application or AWS services that the user is using become unavailable by overwhelming through malicious traffic.
- State-Exhaustion (Layer 4) Attacks: The State-Exhaustion, also known as the Layer 4 attacks, are the kind of DDoS attack that is mostly referred to as the SYN Flood which consumes mostly the TCP connection status tables. These are found across various network infrastructures, application servers, and security devices. Without completing the TCP connection the DDoS attacker connects with a server rapidly prohibiting legitimate AWS users from accessing data. This makes data theft quite prominent as the security systems are vulnerable.
- The AWS Shield Advanced: Below are the type of DDoS attacks that the AWS Shield Advanced protect the AWS resources, websites, and applications from, which are mostly the same attacks as the Standard version but with some specific modified and advanced functions. It does so as it includes AWS WAF ( It is a web application firewall that protects our web applications or APIs against any web exploitation and bot attacks that makes our systems vulnerable, affect availability, compromise security, or consume excessive resources) to protect against:
- Application-Layer (Layer 7) Attacks: – The Application-Layer attack, also known as the Layer 7 attack, is mainly the HTTP floods or DNS query floods that affect the AWS resource and services. It is comprised of HTTP GETs and DNS queries that are modified and designed to invade and consume the AWS application, resources, and services used by the AWS customers. By submitting a contact form or even sending any API request, a DDoS attacker would continuously utilize the functionality of the application and this may lead to the attacker knowing that the database and application processing is getting affected and it can take undue advantage of the vulnerability of the system.
- Other Application-Layer Attacks: The Other Application-Layer Attacks mainly comprise SQL injection (SQLi), Remote file inclusion (RFI), Cross-site scripting (XSS), Sensitive Data Exposure, Broken Authentication (By incorrectly implementing the authentication and session management can lead to a huge security risk as by this the attackers notice the vulnerabilities and may be able to easily assume legitimate users' identities and take unfair advantage of the data), XML External Entities (Risk occurs when attackers upload or include the hostile XML content due to insecure code, integrations, or dependencies which affects the system posing to threats) and other web applications attack and threats.
The below diagram shows some of the features highlighting the advanced L3/L4 and L7 DDoS protection:
Benefits of AWS Shield
Well! After understanding the concepts around AWS Shield and exploring the features of different types of AWS Shield, Let us now summarize all the benefits that AWS Shield offers.
- Attack Visibility for any DDoS attacks by Managed Protection: As we have already talked about how the active and heuristics-based network flow monitoring and automatic inline mitigations eliminate any advantage that DDoS attacks can snatch away through their frequent occurring network and transport layer DDoS attacks. The AWS Shield Standard with its advanced mitigation and routing techniques enables enhanced resource-specific detection eradicating even sophisticated attacks as well.
- User Friendly: AWS is known for the user-friendly services that it offers making the life of the users simpler. To allow users to protect their applications in a simple, quick, and easy manner, the AWS Shield has been designed that provides a very user-friendly experience that makes it easy to adapt to any AWS user. Using the AWS Management Console, The AWS Shield is used for any existing or new applications with no extra routing changes being required for enabling the AWS shield protections.
- Highly-customized Protection: With the customizable protection options that you get with the AWS Shield Advanced allow the AWS users to freely choose which resources need to be safeguarded for infrastructure (Layer 3 and 4). With protection being enabled for sophisticated application-layer assaults, we can simply use the AWS WAF custom rules that we can define and activate in a matter of seconds enabling protection against any attacks.
- Efficient Pricing: When any user is using the AWS services, The AWS Shield Standard has been automatically enabled that too at no additional cost. While if the users choose the AWS Shield Advanced protection then they get AWS WAF and AWS Firewall Manager also at no additional cost as we understand from the pricing topic in the article above.
- Integration and Deployment are quite Seamless: The AWS Shield protection is automatically enabled for our AWS resources which protect the AWS resources and services against any common network and transport layer DDoS attacks. For a seamless experience that AWS Shield gives for any integration and deployment-related activities with any other AWS resources such as enabling Advanced protection for AWS Global Accelerator, Elastic IP, Amazon CloudFront, Elastic Load Balancing (ELB), or Amazon Route 53 resources with just a few easy clicks on the AWS Management Console or APIs.
Difference Between AWS WAF and AWS Shield
The AWS WAF and AWS Shield belong to the AWS Edge Services ( Referred to as the component that gets exposed to the public internet which acts as a gateway for all other platform services ) ecosystem which allows its users to protect the AWS resources that they use against any sophisticated DDoS attacks. With this section of the article, we shall learn about some key points that differentiate between both the AWS WAF and the AWS Shield:
- With AWS Shield, the user of the AWS resources get protection against any State Exhaustion or Volumetric Attacks whereas the AWS WAF (Web Application Firewall) gives protection against any HTTP floods, DNS Query Floods, SQL injections, Cross-site scripting, or any remote file Inclusion attacks.
- The AWS shield protects the OSI model’s infrastructure layers (Layer 3 and Layer 4) whereas the AWS WAF protects the application layer (Layer 7).
- The mechanism by which AWS Shield Protects against any DDoS attacks is by offering automatic DDoS protection against more common layer 3, the network layer, layer 4, and the transport layer attacks. On the other side, The AWS WAF mechanism protects the web applications by filtering, monitoring, and blocking any malicious HTTP/S traffic ( usually on layer 7) that mostly travel to the web apps.
- The AWS Shield is a single-purpose service whereas, the AWS WAF enables a firewall that protects its user from multiple types of attacks and also provides various whitelisting options.
- Concerning pricing that AWS Shield and AWS WAF offer, the AWS Shield Standard ( which is automatically enabled ) is charged at no additional cost whereas while enabling the AWS Shield Advanced we can encounter a fee associated with it. While the AWS WAF also has a cost associated and is charged for every web ACL ad rule that we create along with the number of processed web requests.
VS
Conclusion
- The AWS Shield is a managed Distributed Denial of Service (DDoS) prevention service. It is an integrated essential protection layer that safeguards the internet-facing applications running on Amazon Web Services (AWS).
- The AWS Shield reduces latency, and application downtime by eradicating any benefits to the DDoS attacker with its active monitoring and automatic inline mitigations, making it an important service to rely upon to prevent any DDoS attacks in the future.
- The customizable protection options that you get with the AWS Shield Advanced allow the AWS users to freely choose which resources need to be safeguarded for infrastructure (Layer 3 and 4) or with protection being enabled for sophisticated application-layer assaults.
- Concerning pricing of AWS Shield, the AWS Shield Standard (automatically enabled) is charged at no additional cost whereas the AWS Shield Advanced has a fee associated with it.
- For an advanced level of protection, you may need to switch to AWS Shield Advanced for which you first need to subscribe to choose the resources that need to be protected. After which you can integrate the AWS Shield Advanced protection for AWS Global Accelerator, Amazon Route 53, Elastic Load Balancer(ELB), Amazon CloudFront distribution, Amazon Elastic Compute Cloud (Amazon EC2), or even Elastic IP addresses.