
How to Use AWS Shield for DDoS Protection

To use AWS Shield, enable it on your AWS resources like CloudFront or Elastic Load Balancer to protect against DDoS attacks. AWS Shield Standard is automatically active for free, while AWS Shield Advanced requires subscription and provides detailed attack reports and 24/7 support.

Syntax

AWS Shield is a managed service that protects AWS resources from Distributed Denial of Service (DDoS) attacks. It has two tiers: Standard and Advanced.

  • AWS Shield Standard: Automatically enabled for all AWS customers at no extra cost.
  • AWS Shield Advanced: Requires subscription and provides enhanced protection, attack visibility, and support.

To use AWS Shield Advanced, you configure protection on specific AWS resources like Elastic IPs, CloudFront distributions, or Application Load Balancers.

bash
aws shield create-protection --name MyResourceProtection --resource-arn arn:aws:elasticloadbalancing:region:account-id:loadbalancer/app/my-load-balancer/50dc6c495c0c9188
Output (the CLI returns JSON; the protection ID is the value of ProtectionId)
{
    "ProtectionId": "protection-id-1234567890abcdef"
}

Example

This example shows how to enable AWS Shield Advanced protection on an Application Load Balancer using the AWS CLI. The account must already hold a Shield Advanced subscription, and the ARN must name the load balancer exactly.

bash
aws shield create-protection \
  --name MyALBProtection \
  --resource-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/50dc6c495c0c9188
Output
{
    "ProtectionId": "protection-0a1b2c3d4e5f6g7h8"
}

Common Pitfalls

  • Trying to use AWS Shield Advanced features without subscribing to the service.
  • Not specifying the correct resource ARN when creating protection, causing errors.
  • Assuming AWS Shield Standard protects all resources equally; it only protects certain AWS services automatically.
  • Ignoring the need to monitor attack notifications and logs for timely response.
bash
# Wrong: missing resource ARN (--resource-arn is a required parameter)
aws shield create-protection --name MissingARN

# Right: include the resource ARN of the resource to protect
aws shield create-protection --name CorrectProtection --resource-arn arn:aws:elasticloadbalancing:region:account-id:loadbalancer/app/my-alb/1234567890abcdef
Output
The wrong command is rejected before any API call is made:
aws: error: the following arguments are required: --resource-arn

The right command returns the new protection:
{
    "ProtectionId": "protection-0a1b2c3d4e5f6g7h8"
}
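The following script is an added example, not part of the original page, that guards against the first two pitfalls before calling create-protection: it checks that the ARN names a resource type Shield Advanced can protect (rejecting, for instance, a Network Load Balancer ARN, which is protected through its Elastic IPs rather than directly), then confirms an active subscription with describe-subscription. The function names are this example's own; the ARN values in the comments are constructed.

```shell
#!/usr/bin/env sh
# Added example: pre-flight checks for "aws shield create-protection".
set -eu

# Return 0 when the ARN names a resource type that Shield Advanced protects:
# Application or Classic Load Balancers, CloudFront distributions, Elastic IPs,
# Global Accelerator accelerators and Route 53 hosted zones. Network Load
# Balancers are deliberately rejected: protect their Elastic IPs instead.
shield_arn_supported() {
  case "$1" in
    arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*)  return 1 ;;
    arn:aws:elasticloadbalancing:*:*:loadbalancer/*)      return 0 ;;
    arn:aws:cloudfront::*:distribution/*)                 return 0 ;;
    arn:aws:ec2:*:*:eip-allocation/*)                     return 0 ;;
    arn:aws:globalaccelerator::*:accelerator/*)           return 0 ;;
    arn:aws:route53:::hostedzone/*)                       return 0 ;;
    *)                                                    return 1 ;;
  esac
}

# Create the protection only after both checks pass. Prints the ProtectionId.
# Exit codes: 2 = bad/unsupported ARN, 3 = no Shield Advanced subscription.
shield_protect() {
  name="$1"
  arn="$2"
  if ! shield_arn_supported "$arn"; then
    echo "unsupported or malformed resource ARN: $arn" >&2
    return 2
  fi
  # describe-subscription fails with ResourceNotFoundException when the
  # account has never subscribed to Shield Advanced.
  if ! aws shield describe-subscription >/dev/null 2>&1; then
    echo "no Shield Advanced subscription in this account; subscribe first" >&2
    return 3
  fi
  aws shield create-protection --name "$name" --resource-arn "$arn" \
    --query 'ProtectionId' --output text
}

# Usage: ./shield_protect.sh <protection-name> <resource-arn>
if [ "$#" -eq 2 ]; then
  shield_protect "$1" "$2"
fi
```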

Quick Reference

Here is a quick summary of AWS Shield usage:

Feature              | Description
---------------------|--------------------------------------------------------------------------------
AWS Shield Standard  | Free automatic protection for AWS services like CloudFront and ELB
AWS Shield Advanced  | Paid service with enhanced DDoS protection, attack reports, and 24/7 support
Create Protection    | Use the create-protection CLI command with a resource ARN to enable Advanced protection
Supported Resources  | Elastic IPs, CloudFront distributions, ALBs, Global Accelerators, Route 53 hosted zones
Monitoring           | Use the AWS Shield console or CloudWatch for attack notifications and metrics

Key Takeaways

  • AWS Shield Standard is free and automatically protects supported AWS services.
  • Subscribe to AWS Shield Advanced to enable detailed protection and support on specific resources.
  • Use the AWS CLI create-protection command with the correct resource ARN to enable Advanced protection.
  • Monitor attack alerts and logs regularly to respond quickly to threats.
  • Ensure you specify the correct resource ARN to avoid errors when configuring protection.