This chapter covers AWS Shield, the managed Distributed Denial of Service (DDoS) protection service. For the CLF-C02 exam, this topic falls under Domain 2: Security and Compliance, Objective 2.3 (Implement protection for AWS workloads). While this objective carries about 10-15% of the exam, DDoS protection questions appear frequently. You need to understand the difference between Shield Standard and Shield Advanced, when to use each, and how they integrate with other AWS services like AWS WAF and CloudFront.
Imagine you run a popular nightclub. On a normal night, you have one bouncer at the door checking IDs and managing the line. But tonight, a rival club owner sends hundreds of fake partygoers to block your entrance. Real customers can't get in, and your club loses money. The basic bouncer (AWS Shield Standard) is always there—he can spot obvious troublemakers, like someone showing a fake ID, and turn them away. But he's just one person; he can't handle a coordinated flood of thousands of fake guests. For that, you need a VIP security team (AWS Shield Advanced). They deploy extra bouncers, have a direct hotline to the police (the AWS DDoS Response Team), and can instantly adjust the club's layout (your application's traffic routing) to isolate the fake crowd. They also give you a detailed incident report after the attack so you can improve security. The cost? The basic bouncer is free with your club membership (AWS account). The VIP team costs a monthly retainer ($3,000 per month) plus a long-term contract (one year). If the attack causes damage, the VIP team's insurance (cost protection) covers some of your losses.
What is AWS Shield and the Problem It Solves
AWS Shield is a managed DDoS protection service that safeguards web applications running on AWS. A Distributed Denial of Service (DDoS) attack attempts to overwhelm your application with more traffic than it can handle, making it unavailable to legitimate users. Attackers often use botnets—networks of compromised computers—to generate massive amounts of traffic. AWS Shield provides always-on detection and automatic inline mitigations to minimize application downtime and latency.
How AWS Shield Works — The Mechanism
AWS Shield works by analyzing traffic patterns at the AWS network edge. When you use AWS services like CloudFront, Route 53, or a Global Accelerator, traffic passes through AWS's global infrastructure before reaching your application. Shield monitors this traffic in real time, using machine learning models to establish a baseline of normal traffic. When it detects anomalies—such as a sudden spike in traffic from unusual sources or a flood of SYN packets—it automatically applies mitigation rules to drop or rate-limit the malicious traffic. The mitigation happens inline, meaning it doesn't require any manual intervention, and it typically completes within seconds.
Key Tiers: Standard and Advanced
AWS Shield Standard is automatically enabled for all AWS customers at no additional cost. It protects against common Layer 3 (network) and Layer 4 (transport) DDoS attacks, such as UDP floods, SYN floods, and reflection attacks. Standard uses the same infrastructure that protects AWS's own services, so you benefit from the scale of AWS's global network. However, Standard provides no visibility into attacks, no dedicated support, and no cost protection.
AWS Shield Advanced is a paid tier that costs $3,000 per month per organization (not per account) plus a one-year commitment. It provides enhanced protection for your applications running on Amazon CloudFront, Route 53, Global Accelerator, Elastic Load Balancing (ELB), and EC2 with Elastic IP. Advanced adds several key features:
- Application Layer (Layer 7) protection: Shield Advanced integrates with AWS WAF to protect against web application attacks such as HTTP floods and SQL injection.
- DDoS cost protection: If a DDoS attack causes your AWS resource usage to spike, Shield Advanced provides credits for the increased costs.
- 24/7 access to the AWS DDoS Response Team (DRT): You can engage experts to help mitigate complex attacks.
- Real-time visibility via CloudWatch metrics and the AWS Shield Advanced dashboard: You get detailed attack reports and diagnostics.
- Proactive engagement: Shield Advanced can automatically contact you during an attack if configured.
Comparison to On-Premises DDoS Protection
Traditional on-premises DDoS mitigation often requires dedicated hardware appliances (e.g., from Arbor Networks or Radware) that sit in your data center. These appliances have limited bandwidth capacity—if the attack exceeds your internet pipe (e.g., 10 Gbps), the appliance can't help because the link is saturated. AWS Shield benefits from the massive scale of AWS's global network. For example, AWS can absorb multi-terabit DDoS attacks across its infrastructure, so only the filtered, clean traffic reaches your application. On-premises solutions also require manual tuning and maintenance, whereas Shield is managed by AWS.
When to Use Shield vs Alternatives
Shield Standard: Sufficient for most small to medium workloads that don't have strict availability requirements. It's free and always on.
Shield Advanced: Required for high-availability workloads, such as e-commerce sites, financial services, or any application where downtime directly translates to revenue loss. Also necessary if you need Layer 7 protection or access to the DRT.
AWS WAF alone: WAF protects against web application attacks (e.g., SQL injection, cross-site scripting) but does not protect against network-layer DDoS. You often combine WAF with Shield Advanced for full protection.
Third-party DDoS services: Some customers use third-party services like Cloudflare or Akamai for DDoS protection. However, the exam focuses on native AWS services. You should know that AWS Shield Advanced provides a similar level of protection with tighter integration to AWS services.
Pricing and Limits
Shield Standard: Free.
Shield Advanced: $3,000/month (covers all accounts in an organization) + 1-year commitment. Data transfer out costs are not included; you pay standard data transfer rates. Cost protection covers usage spikes caused by DDoS attacks but not the subscription fee.
Shield Advanced can be enabled on up to 1,000 protected resources per account (soft limit, can be increased).
The DRT (DDoS Response Team) is available only with Shield Advanced and can be engaged via a support case.
Integration with Other Services
Shield works transparently with:
- Amazon CloudFront: Protects edge locations.
- Amazon Route 53: Protects DNS queries.
- AWS Global Accelerator: Protects static IP addresses.
- Elastic Load Balancing (ALB/NLB): Protects load balancers.
- EC2 with Elastic IP: Protects individual instances (Advanced only).
- AWS WAF: Shield Advanced can automatically update WAF rules to block malicious traffic.
Step-by-Step Configuration (CLI Example)
To enable Shield Advanced on a resource using the AWS CLI:

```bash
aws shield create-protection --name "MyALB" --resource-arn "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/1234567890abcdef"
```

To list protections:

```bash
aws shield list-protections
```

To associate a health-based detection (for proactive engagement):

```bash
aws shield associate-health-check --protection-id "abc123" --health-check-arn "arn:aws:route53:::healthcheck/abcdef12-3456-7890-abcd-ef1234567890"
```

Note: You must subscribe to Shield Advanced first via the AWS Management Console or CLI.
Common Attack Types Shield Mitigates
UDP flood: Sends many UDP packets to random ports.
SYN flood: Sends TCP SYN requests without completing the handshake.
DNS query flood: Sends massive DNS queries to Route 53.
HTTP flood: Sends many HTTP GET/POST requests (Layer 7).
Reflection/amplification attacks: Uses vulnerable servers to amplify traffic (e.g., NTP, SSDP).
Enable Shield Advanced Subscription
First, an AWS admin must subscribe to Shield Advanced from the AWS Management Console. Navigate to the Shield console, choose 'Subscribe to Shield Advanced', and accept the $3,000/month fee plus one-year commitment. This subscription applies to the entire AWS organization (not per account). Once subscribed, you can start creating protections for specific resources. Behind the scenes, AWS activates enhanced monitoring and DRT access for your account.
Add Protection to Resources
After subscription, you add protection to specific resources such as CloudFront distributions, Route 53 hosted zones, Global Accelerator accelerators, load balancers, or EC2 Elastic IPs. In the Shield console, choose 'Add protected resource', select the resource type, and pick the specific resource from your account. Shield Advanced then begins monitoring traffic to that resource. You can protect up to 1,000 resources per account by default. For each resource, Shield Advanced applies both network-layer and application-layer DDoS mitigation.
Configure Health-Based Detection
For proactive engagement, you can associate a Route 53 health check with the protected resource. This allows Shield Advanced to automatically detect when your application becomes unhealthy (e.g., due to a DDoS attack) and trigger an incident response. In the Shield console, under 'Health-based detection', select a health check that monitors your application's endpoint. If the health check fails, Shield Advanced can automatically engage the DRT and send notifications via CloudWatch alarms. This step is optional but recommended for critical workloads.
Integrate with AWS WAF for Layer 7
To protect against application-layer attacks, you need to associate an AWS WAF web ACL with your CloudFront distribution or ALB. In the WAF console, create a web ACL with rules to block common attack patterns (e.g., rate-based rules to limit requests per IP). Then, in the Shield Advanced console, you can enable 'Proactive engagement' and 'Automatic application layer DDoS mitigation'. Shield Advanced will then automatically update the WAF rules to block traffic that matches DDoS signatures. This integration is key for Layer 7 protection.
Monitor and Respond to Attacks
During an attack, you can view real-time metrics in the Shield Advanced dashboard, including total traffic volume, mitigated traffic, and attack vectors. CloudWatch metrics like `DDoSDetected` and `DDoSProtection` are available. If you have proactive engagement enabled, the DRT may contact you via the contact information on your account. You can also manually engage the DRT by opening a support case. After the attack, you receive a post-attack report summarizing the incident. The cost protection feature automatically applies credits for any usage spikes caused by the attack.
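The add-protection, health-check and monitoring steps above as a small AWS CLI script. This is an added example, not code from the original chapter; it assumes the account is already subscribed to Shield Advanced, the AWS CLI is configured, the ALB and health-check ARNs are the placeholders from the CLI section, and the SNS topic ARN is a placeholder you replace. The first function is a local pre-flight check that rejects ARNs of resource types Shield Advanced cannot protect.

```shell
#!/bin/sh
# Added example, not code from the original chapter: the add-protection,
# health-check and monitoring steps as AWS CLI calls, preceded by a local
# check that the ARN is a resource type Shield Advanced can protect.
# Assumes an existing Shield Advanced subscription, a configured AWS CLI,
# and placeholder ARNs (the SNS topic ARN must be replaced).
set -eu

# Shield Advanced protects exactly five resource types. Refuse anything else
# (S3 buckets, DynamoDB tables, ...) locally instead of learning it from an
# API error; matching is on the ARN shape Shield expects for each type.
shield_protectable() {
  case "$1" in
    arn:aws:cloudfront::*:distribution/*)            return 0 ;;
    arn:aws:route53:::hostedzone/*)                  return 0 ;;
    arn:aws:globalaccelerator::*:accelerator/*)      return 0 ;;
    arn:aws:elasticloadbalancing:*:*:loadbalancer/*) return 0 ;;
    arn:aws:ec2:*:*:eip-allocation/*)                return 0 ;;
    *)                                               return 1 ;;
  esac
}

# Step 2: register the resource as a protected resource; prints the protection id.
protect_resource() {
  name="$1"; arn="$2"
  shield_protectable "$arn" || { echo "not protectable by Shield Advanced: $arn" >&2; return 1; }
  aws shield create-protection --name "$name" --resource-arn "$arn" \
    --query ProtectionId --output text
}

# Step 3: health-based detection, the prerequisite for proactive engagement.
attach_health_check() {
  aws shield associate-health-check --protection-id "$1" --health-check-arn "$2"
}

# Step 5: page the on-call team when Shield reports an event on the resource.
# DDoSDetected is reported as 1 while an attack is in progress, 0 otherwise.
alarm_on_ddos() {
  arn="$1"; topic_arn="$2"
  aws cloudwatch put-metric-alarm --alarm-name "ddos-detected-${arn##*/}" \
    --namespace AWS/DDoSProtection --metric-name DDoSDetected \
    --dimensions Name=ResourceArn,Value="$arn" \
    --statistic Sum --period 60 --evaluation-periods 1 --threshold 1 \
    --comparison-operator GreaterThanOrEqualToThreshold --alarm-actions "$topic_arn"
}

main() {
  alb_arn="arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/1234567890abcdef"
  hc_arn="arn:aws:route53:::healthcheck/abcdef12-3456-7890-abcd-ef1234567890"
  topic_arn="arn:aws:sns:us-east-1:123456789012:PLACEHOLDER-oncall-topic"  # placeholder
  pid=$(protect_resource "MyALB" "$alb_arn")
  attach_health_check "$pid" "$hc_arn"
  alarm_on_ddos "$alb_arn" "$topic_arn"
  echo "protection $pid: health check attached, DDoSDetected alarm created"
}

# Only call AWS when explicitly asked:  sh shield-protect.sh run
if [ "${1:-}" = "run" ]; then main; fi
```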
Scenario 1: E-commerce Platform During Black Friday
An online retailer expects a surge in traffic during Black Friday but must remain available to avoid revenue loss. They use Amazon CloudFront with an ALB backend. The security team enables Shield Advanced on the CloudFront distribution and associates an AWS WAF rate-based rule to limit requests per IP to 2,000 per minute. During the sale, a competitor launches an HTTP flood attack targeting the checkout page. Shield Advanced detects the abnormal traffic pattern and automatically updates the WAF rule to block the malicious IPs. The DDoS cost protection covers the increased CloudFront data transfer costs during the attack. The retailer remains online and processes orders without interruption. Without Shield Advanced, the attack could have overwhelmed the ALB and caused a costly outage.
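The WAF step from the configuration section and the rate-based rule from Scenario 1, expressed as an AWS WAF (wafv2) rule and web ACL for a CloudFront distribution. This is an added example, not code from the original chapter; it assumes a configured AWS CLI, and the ACL, rule and metric names are placeholders chosen here. The rule blocks any source IP that exceeds 2,000 requests in a 60-second window.

```shell
#!/bin/sh
# Added example, not code from the original chapter: the per-IP rate-based
# rule from Scenario 1 (2,000 requests per minute) as a wafv2 rule and a
# CloudFront-scoped web ACL. Assumes a configured AWS CLI; the ACL, rule and
# metric names are placeholders chosen here.
set -eu

# Emit a single rate-based rule that blocks any source IP exceeding $limit
# requests within an evaluation window of $window seconds. WAF accepts only
# 60, 120, 300 or 600 second windows (300 is the default).
rate_rule_json() {
  limit="$1"; window="$2"
  case "$limit" in ''|*[!0-9]*) echo "limit must be a positive integer" >&2; return 1 ;; esac
  [ "$limit" -gt 0 ] || { echo "limit must be a positive integer" >&2; return 1; }
  case "$window" in 60|120|300|600) ;; *) echo "unsupported window: $window" >&2; return 1 ;; esac
  cat <<EOF
[{"Name": "checkout-rate-limit", "Priority": 0,
  "Statement": {"RateBasedStatement": {"Limit": $limit, "EvaluationWindowSec": $window,
                                        "AggregateKeyType": "IP"}},
  "Action": {"Block": {}},
  "VisibilityConfig": {"SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true,
                       "MetricName": "checkoutRateLimit"}}]
EOF
}

# Create the web ACL in the CLOUDFRONT scope (always created in us-east-1) and
# print its ARN. Set that ARN as the distribution's WebACLId: CloudFront web ACLs
# are bound through the distribution config, not with wafv2 associate-web-acl.
create_checkout_acl() {
  rules_file=$(mktemp)
  rate_rule_json 2000 60 > "$rules_file"
  aws wafv2 create-web-acl --name checkout-acl --scope CLOUDFRONT --region us-east-1 \
    --default-action Allow={} --rules "file://$rules_file" \
    --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=checkoutAcl \
    --query Summary.ARN --output text
  rm -f "$rules_file"
}

# Only call AWS when explicitly asked:  sh checkout-acl.sh run
if [ "${1:-}" = "run" ]; then create_checkout_acl; fi
```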
Scenario 2: Financial Services Company Under SYN Flood
A financial services company hosts a trading application on EC2 instances with Elastic IPs. They need to ensure low latency and high availability. They subscribe to Shield Advanced and protect the Elastic IPs. One day, a SYN flood attack targets one of the instances. Shield Advanced's network-layer mitigation automatically drops the malicious SYN packets at the AWS edge, allowing only legitimate traffic to reach the instance. The company's security team receives a CloudWatch alarm and views the attack details in the Shield dashboard. They engage the DRT to fine-tune the mitigation. The cost protection covers the additional EC2 usage costs from the attack. The application remains responsive throughout.
Scenario 3: Misconfiguration Leading to Bill Shock
A startup enables Shield Advanced on all resources without understanding the cost implications. They protect 50 resources but only have a small website. A minor DDoS attack occurs, and Shield Advanced mitigates it automatically. However, the startup receives a monthly bill of $3,000 for Shield Advanced plus standard data transfer costs. They expected the cost protection to cover everything, but cost protection only covers usage spikes caused by attacks, not the subscription fee. The startup realizes they only needed Shield Standard for their low-risk application. This scenario highlights the importance of evaluating risk before subscribing to Advanced.
Exactly What CLF-C02 Tests
The CLF-C02 exam tests your understanding of AWS Shield as part of Objective 2.3: Implement protection for AWS workloads. You need to know:
The difference between Shield Standard (free, always on, Layer 3/4 protection) and Shield Advanced ($3,000/month, Layer 7, DRT access, cost protection).
Which services Shield Advanced can protect (CloudFront, Route 53, Global Accelerator, ELB, EC2 Elastic IP).
That Shield Standard is automatically enabled for all AWS customers.
That Shield Advanced requires a one-year subscription.
That Shield Advanced integrates with AWS WAF for Layer 7 protection.
The concept of cost protection (credits for usage spikes during attacks).
Common Wrong Answers and Why Candidates Choose Them
"Shield Standard provides Layer 7 protection." This is false. Standard only protects Layer 3/4. Candidates confuse Standard with Advanced because both are DDoS protection. Remember: Standard = network layer only.
"Shield Advanced is free for the first year." No, it's $3,000/month with a one-year commitment. There is no free tier. Candidates might think it's free because Standard is free.
"Shield Advanced can protect any AWS resource." It only protects the five listed services. Candidates may think it protects S3 buckets or DynamoDB tables. It does not.
"Shield Advanced automatically mitigates all DDoS attacks without any configuration." While it provides automatic mitigation, you must subscribe and add protection to specific resources. It's not automatic for all resources.
Specific AWS Terms That Appear on the Exam
- "AWS Shield Standard" and "AWS Shield Advanced"
- "DDoS Response Team (DRT)"
- "Cost protection"
- "Layer 3, Layer 4, Layer 7"
- "AWS WAF" (often paired with Shield Advanced)
Tricky Distinctions
- Shield Standard vs. AWS WAF: WAF is for web application attacks (Layer 7), not DDoS. Shield is for DDoS. They are complementary.
- Shield Advanced vs. AWS Firewall Manager: Firewall Manager centrally manages WAF rules across accounts, but does not provide DDoS protection.
Decision Rule for Multi-Choice Questions
If a question asks about protecting against a DDoS attack, first determine the layer: if it's a network-layer attack (e.g., SYN flood), Shield Standard may suffice. If it's an application-layer attack (e.g., HTTP flood) or you need cost protection and DRT access, choose Shield Advanced. If the question mentions "always-on" and "free", it's Shield Standard. If it mentions "$3,000/month" or "cost protection", it's Shield Advanced.
AWS Shield Standard is free and automatically protects all AWS customers from common Layer 3/4 DDoS attacks.
AWS Shield Advanced costs $3,000/month (with 1-year commitment) and provides enhanced protection including Layer 7, DRT access, and cost protection.
Shield Advanced can be enabled on CloudFront, Route 53, Global Accelerator, ELB, and EC2 Elastic IPs only.
Shield Advanced integrates with AWS WAF for application-layer DDoS mitigation.
Cost protection in Shield Advanced provides credits for usage spikes directly caused by DDoS attacks.
The DDoS Response Team (DRT) is available only with Shield Advanced and can be engaged via support cases.
Shield Standard does not provide any attack visibility or notification; Shield Advanced provides CloudWatch metrics and a dashboard.
To protect a resource with Shield Advanced, you must subscribe and then add the resource as a protected resource.
Shield Advanced supports proactive engagement by associating a Route 53 health check with the protected resource.
Shield Standard is sufficient for low-risk workloads; Shield Advanced is recommended for business-critical applications.
These come up on the exam all the time. Here's how to tell them apart.
AWS Shield Standard
Free for all AWS customers
Automatic Layer 3/4 DDoS protection
No visibility into attacks
No access to DRT
No cost protection
AWS Shield Advanced
$3,000/month per organization
Layer 3/4 and Layer 7 protection (with WAF)
Real-time attack visibility via dashboard
24/7 access to DDoS Response Team
Cost protection for usage spikes during attacks
Mistake
Shield Standard protects against all DDoS attacks.
Correct
Shield Standard only protects against common Layer 3/4 attacks. It does not protect against application-layer (Layer 7) attacks like HTTP floods. For that, you need Shield Advanced with AWS WAF integration.
Mistake
Shield Advanced is billed per resource protected.
Correct
Shield Advanced is billed at a flat rate of $3,000 per month per organization, not per resource. You can protect up to 1,000 resources per account under that fee.
Mistake
Shield Advanced automatically protects all resources in the account.
Correct
You must explicitly add protection to each resource you want to protect. Shield Advanced does not automatically protect all resources.
Mistake
Shield Advanced provides unlimited cost protection.
Correct
Cost protection covers usage spikes caused by DDoS attacks, but it does not cover the $3,000 monthly fee or normal usage. There are also limits on the amount of credit you can receive.
Mistake
Shield Standard requires manual activation.
Correct
Shield Standard is automatically enabled for all AWS customers. No action is required.
AWS Shield Standard is a free, always-on DDoS protection service that protects against common Layer 3 and Layer 4 attacks. AWS Shield Advanced is a paid tier ($3,000/month) that adds Layer 7 protection via AWS WAF integration, access to the DDoS Response Team (DRT), real-time attack visibility, and cost protection for usage spikes caused by DDoS attacks. For the exam, remember that Standard is free but limited, while Advanced is paid and comprehensive.
Shield Advanced can protect Amazon CloudFront distributions, Amazon Route 53 hosted zones, AWS Global Accelerator accelerators, Elastic Load Balancers (ALB/NLB), and EC2 instances with Elastic IP addresses. It cannot protect other services like S3 or DynamoDB directly. Exam tip: If a question asks about protecting an EC2 instance, ensure it has an Elastic IP; otherwise, Shield Advanced may not apply.
No. After subscribing to Shield Advanced, you must explicitly add each resource you want to protect. You can do this via the AWS Management Console, CLI, or API. The default limit is 1,000 protected resources per account. This is a common exam trap: candidates assume it's automatic.
The DRT is a team of AWS security experts available 24/7 to help you mitigate complex DDoS attacks. Access to the DRT is a feature of Shield Advanced. You can engage them by opening a support case under 'Shield' or via proactive engagement if configured. The DRT can also update your WAF rules during an attack. For the exam, know that DRT is exclusive to Shield Advanced.
Cost protection provides credits for any increase in AWS usage costs that are directly caused by a DDoS attack. For example, if an attack causes your CloudFront data transfer to spike, you can request a credit for the extra cost. It does not cover the $3,000 monthly Shield Advanced fee or normal usage. The credit is applied after you submit a request with evidence of the attack. Exam tip: This is a key differentiator from Shield Standard.
Shield Advanced itself does not block application-layer attacks like SQL injection. However, it integrates with AWS WAF, which can block such attacks. Shield Advanced can automatically update WAF rules to mitigate Layer 7 DDoS attacks (e.g., HTTP floods). For SQL injection, you need to configure WAF rules manually. The exam may test that Shield Advanced + WAF provides comprehensive Layer 7 protection.
No. AWS Shield Advanced has no free tier. It costs $3,000 per month with a one-year commitment. AWS Shield Standard is free. The exam may trick you by offering a free trial for Shield Advanced; there is none.