Shield

LOW Domain 1: Design Secure Architectures

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that offers always-on detection and protection against various types of DDoS attacks, with both a free standard tier and a paid advanced tier.

Learning Objectives

  • Understand the purpose and functionality of AWS Shield for DDoS protection.
  • Differentiate between AWS Shield Standard and AWS Shield Advanced features and benefits.
  • Identify AWS services that are protected by AWS Shield Advanced.
  • Comprehend the support options available with AWS Shield Advanced during a DDoS attack.
  • Recognize Shield as a key service within the Security Pillar of the Well-Architected Framework.

Introduction to AWS Shield

AWS Shield provides managed DDoS protection for applications on AWS.

Shield is a managed Distributed Denial of Service (DDoS) protection service. It provides always-on detection and protection against common and frequently occurring attacks.
A Denial of Service (DoS) attack aims to damage the availability of a site by flooding it with requests that consume all available resources. A Distributed Denial of Service (DDoS) is a DoS attack originating from multiple sources, often using compromised or controlled systems, which makes manual intervention difficult.
Technical Specs: DDoS Attack Classification:
  • Infrastructure Layer Attacks
  • Application Layer Attacks
General techniques for protecting applications against DDoS attacks include reducing the attack surface area, planning for scale, understanding normal vs. abnormal traffic patterns, and deploying Web Application Firewalls (WAF) for sophisticated application attacks.
Technical Specs:
  • Reduce Attack Surface Area
  • Plan for Scale
  • Know what is normal and abnormal traffic
  • Deploy WAF for Sophisticated Application attacks

AWS Shield Offerings

AWS Shield is available in two tiers: Standard and Advanced, each offering different levels of DDoS protection.

AWS Shield offers two tiers: Standard (free) and Advanced (paid service), providing varying degrees of DDoS protection.

AWS Shield Standard

AWS Shield Standard is a free service automatically enabled for all AWS customers. It provides active network monitoring and DDoS protection against common and frequently occurring attacks.
  • Cost: Free
  • Protection scope: Common and frequently occurring attacks
  • Features: Active network monitoring, DDoS protection
  • Availability protection for services: CloudFront and Route 53
Use Cases:
  • Basic DDoS protection for all AWS customers

AWS Shield Advanced

AWS Shield Advanced is a paid service offering enhanced protections against larger and more sophisticated DDoS attacks. It includes a dedicated DDoS Response Team (DRT) and cost protection for DDoS scaling charges.
  • Cost: Paid service
  • Protection scope: Expanded protection (UDP reflection, SYN flood, DNS query flood, HTTP flood)
  • Support: AWS DDoS Response Team (DRT), 24/7 access to AWS experts
  • Cost protection: For DDoS scaling charges
  • Notifications: Real-time notifications of suspected DDoS incidents via CloudWatch metrics
Use Cases:
  • High-visibility websites
  • Mission-critical applications
  • Protection against large and sophisticated attacks

Supported AWS Services for Shield Advanced

AWS Shield Advanced provides DDoS protection across several key AWS services.

DDoS protection via Shield Advanced is supported on the following AWS services:
Technical Specs:
  • CloudFront
  • Route 53
  • Elastic Load Balancing
  • AWS Global Accelerator

Exam Focus

  • Shield provides DDoS protection and works with CloudFront, Route 53, Elastic Load Balancing, and AWS Global Accelerator.
  • Remember Standard is free, Advanced is a paid service with enhanced features.

Glossary

DDoS (Distributed Denial of Service)
A DoS attack from multiple sources, often using compromised or controlled systems, designed to flood a site with requests and consume all available resources, making manual intervention difficult.
AWS DDoS Response Team (DRT)
A team of AWS experts available 24/7 to assist during a DDoS attack for AWS Shield Advanced customers.

Key Takeaways

  • AWS Shield is a fully managed DDoS protection service with always-on detection.
  • Shield Standard is free and offers basic protection; Shield Advanced is a paid service with enhanced protection and access to the DDoS Response Team.
  • Understanding Shield's role in AWS architectures is valuable for SAA-C03 exam scenarios.
