SAA-C03 | Chapter 53 of 189 | Objective 1.3

AWS Shield Advanced

This chapter covers AWS Shield Advanced, a paid DDoS protection service that provides enhanced detection, mitigation, and cost protection for your applications. For the SAA-C03 exam, you need to understand when Shield Advanced is necessary versus when Shield Standard is sufficient, what features it adds, and how it integrates with other services like AWS WAF, CloudFront, and Route 53. Expect 2-3 questions on DDoS protection, with one specifically testing Shield Advanced's cost protection feature or its 24/7 access to the DDoS Response Team (DRT).

25 min read
Intermediate
Updated May 31, 2026

AWS Shield Advanced: Like a VIP Security Detail

Imagine a high-profile celebrity staying at a hotel. The hotel has basic security (Shield Standard) that stops typical troublemakers. But the celebrity hires a VIP security detail (Shield Advanced). This detail does more: they get a dedicated hotline to the hotel's security command center (AWS DDoS Response Team) for immediate response. They monitor the celebrity's movements 24/7 (always-on traffic monitoring) and can instantly block anyone who approaches too aggressively (DDoS mitigation). The hotel also provides free unlimited room service (cost protection against scaling charges) and a special insurance policy that covers any damages caused by the security team's actions (DDoS cost protection). The VIP detail can also coordinate with the hotel to block entire groups of people (layer 7 rules via WAF) and get real-time alerts about any suspicious activity (CloudWatch metrics). Without this detail, the celebrity would have to rely on the hotel's basic security and pay out of pocket for any extra security measures taken.

How It Actually Works

What is AWS Shield Advanced?

AWS Shield Advanced is a paid DDoS protection service that extends the capabilities of the free AWS Shield Standard. It provides enhanced detection and mitigation for larger, more sophisticated DDoS attacks, 24/7 access to the AWS DDoS Response Team (DRT), and financial protection against scaling costs incurred during an attack. Shield Advanced is designed for organizations that require higher availability and lower latency for their critical applications, especially those that are frequently targeted by DDoS attacks.

Why Shield Advanced Exists

Shield Standard automatically protects all AWS customers from common, volumetric DDoS attacks like SYN floods and UDP reflection attacks. However, it has limitations:

It does not provide visibility into attack metrics or detailed logs.

It does not offer proactive support or human intervention.

It does not protect against application-layer (Layer 7) attacks.

It does not cover the cost of scaling resources during an attack.

Shield Advanced fills these gaps, providing:

Enhanced detection and mitigation for both infrastructure (Layer 3/4) and application (Layer 7) attacks.

24/7 access to the DDoS Response Team (DRT).

Cost protection to prevent unexpected scaling charges.

Detailed attack diagnostics via AWS WAF and CloudWatch.

Integration with AWS WAF for custom Layer 7 rules.

How Shield Advanced Works Internally

Shield Advanced uses a combination of always-on traffic monitoring, anomaly detection, and signature-based mitigation to protect your resources. When you enable Shield Advanced on a resource (e.g., an Elastic IP, CloudFront distribution, or ALB), AWS deploys detection sensors that analyze traffic patterns. These sensors look for deviations from baseline behavior, such as sudden spikes in traffic from a single IP or unusual packet sizes.

When an attack is detected, Shield Advanced automatically applies mitigations. For Layer 3/4 attacks, it uses AWS's global infrastructure to scrub traffic, dropping malicious packets while allowing legitimate traffic through. For Layer 7 attacks, it can integrate with AWS WAF to block malicious requests based on rules you define or those automatically created by the DRT.

Key Components, Values, Defaults, and Timers

Protected Resources: You can protect up to 1,000 resources per account per region by default (can be increased via service limit increase). Supported resources include: Elastic IP addresses, CloudFront distributions, Route 53 hosted zones, Application Load Balancers, Global Accelerator accelerators, and Amazon EC2 instances.

Cost: Shield Advanced costs $3,000 per month per organization (not per account), but you can get a 1-year or 3-year commitment for a discount. Additionally, you pay for data transfer out of AWS Shield Advanced, which is $0.025 per GB for the first 10 TB, then tiered pricing.

Cost Protection: Shield Advanced provides cost protection for scaling charges (e.g., EC2, ALB, CloudFront) that result from a DDoS attack. AWS will issue credits for these costs if you have Shield Advanced enabled on the affected resources.

DRT Access: The DDoS Response Team is available 24/7. You can engage them via the AWS Support Center or by creating a case. They can create WAF rules on your behalf during an attack.

Attack Metrics: Shield Advanced publishes metrics to CloudWatch, including DDoSDetected, DDoSAttackBitsPerSecond, DDoSAttackPacketsPerSecond, and DDoSAttackRequestsPerSecond. These have a default resolution of 1 minute.

Health-Based Detection: Shield Advanced can use AWS Health events to automatically apply mitigations. For example, if an ALB becomes unhealthy due to a DDoS attack, Shield Advanced can trigger additional mitigation.

Configuration and Verification Commands

You can enable Shield Advanced via the AWS Management Console, CLI, or SDK. Here's an example using the AWS CLI:

aws shield create-protection --name "MyALBProtection" --resource-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/1234567890123456

To verify protection:

aws shield list-protections --region us-east-1

To view attack events:

aws shield list-attacks --start-time 2024-01-01T00:00:00Z --end-time 2024-01-31T23:59:59Z
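The three commands above print JSON. As an added example (not from the original page and not AWS code), the following Python script reads that JSON and answers the two questions a practitioner actually wants from it: which resources in an inventory still have no protection (Shield Advanced is per-resource, so coverage has to be checked rather than assumed), and how long each protected resource was under attack and with which vectors. The ARNs, IDs, timestamps and vector names in the embedded sample documents are constructed, not real output; only the field names (Protections, ResourceArn, AttackSummaries, StartTime, EndTime, AttackVectors, VectorType) follow the real command output.

```python
"""Check Shield Advanced coverage and summarize attacks from the JSON printed by
`aws shield list-protections` and `aws shield list-attacks`.
Added example; the sample documents below are constructed, not real output."""
import json
from datetime import datetime, timezone

# Constructed sample of `aws shield list-protections --output json` (hypothetical IDs/ARNs).
PROTECTIONS_JSON = """
{
  "Protections": [
    {"Id": "11111111-aaaa-4bbb-8ccc-111111111111", "Name": "MyALBProtection",
     "ResourceArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/1234567890123456"},
    {"Id": "22222222-aaaa-4bbb-8ccc-222222222222", "Name": "EdgeEIP",
     "ResourceArn": "arn:aws:ec2:us-east-1:123456789012:eip-allocation/eipalloc-0abc12345"}
  ]
}
"""

# Constructed inventory of resources that *should* be protected (hypothetical ARNs).
INVENTORY = [
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/1234567890123456",
    "arn:aws:cloudfront::123456789012:distribution/EDFDVBD6EXAMPLE",
    "arn:aws:ec2:us-east-1:123456789012:eip-allocation/eipalloc-0abc12345",
]

# Constructed sample of `aws shield list-attacks --output json` (hypothetical attacks).
ATTACKS_JSON = """
{
  "AttackSummaries": [
    {"AttackId": "aaaa0000-0000-4000-8000-000000000001",
     "ResourceArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/1234567890123456",
     "StartTime": "2024-01-15T10:00:00+00:00", "EndTime": "2024-01-15T10:45:00+00:00",
     "AttackVectors": [{"VectorType": "SYN_FLOOD"}, {"VectorType": "UDP_REFLECTION"}]},
    {"AttackId": "aaaa0000-0000-4000-8000-000000000002",
     "ResourceArn": "arn:aws:ec2:us-east-1:123456789012:eip-allocation/eipalloc-0abc12345",
     "StartTime": "2024-01-20T03:00:00+00:00", "EndTime": "2024-01-20T03:10:00+00:00",
     "AttackVectors": [{"VectorType": "UDP_TRAFFIC"}]}
  ]
}
"""


def parse(text):
    """Load one CLI JSON document (the text of `aws shield ... --output json`)."""
    return json.loads(text)


def unprotected_resources(protections_doc, inventory):
    """Inventory ARNs with no Shield Advanced protection. Protection is enabled
    per resource, so an ARN missing here is simply not covered."""
    protected = {p["ResourceArn"] for p in protections_doc.get("Protections", [])}
    return [arn for arn in inventory if arn not in protected]


def _parse_ts(value):
    # The CLI prints ISO 8601 by default; accept epoch seconds too.
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    return datetime.fromisoformat(str(value).replace("Z", "+00:00"))


def summarize_attacks(attacks_doc):
    """Per-resource summary: attack count, minutes under attack, vectors seen.
    An attack still in progress has no EndTime; it is counted but adds no duration."""
    summary = {}
    for attack in attacks_doc.get("AttackSummaries", []):
        entry = summary.setdefault(
            attack["ResourceArn"], {"attacks": 0, "minutes": 0.0, "vectors": set()}
        )
        entry["attacks"] += 1
        if "EndTime" in attack:
            delta = _parse_ts(attack["EndTime"]) - _parse_ts(attack["StartTime"])
            entry["minutes"] += delta.total_seconds() / 60
        entry["vectors"].update(v["VectorType"] for v in attack.get("AttackVectors", []))
    return summary


if __name__ == "__main__":
    for arn in unprotected_resources(parse(PROTECTIONS_JSON), INVENTORY):
        print("NOT PROTECTED:", arn)
    for arn, info in summarize_attacks(parse(ATTACKS_JSON)).items():
        print(f"{arn}: {info['attacks']} attack(s), {info['minutes']:.0f} min, "
              f"vectors={sorted(info['vectors'])}")
```

To run it against live data, save the command output (`aws shield list-protections --output json > protections.json`) and pass the file contents to parse() instead of the constructed strings; the inventory would normally come from a resource listing of your own.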

Interaction with Related Technologies

AWS WAF: Shield Advanced integrates with WAF to provide Layer 7 protection. You can create WAF ACLs and associate them with your protected resources. During an attack, the DRT can create rate-based rules to block malicious sources.

CloudFront: Shield Advanced can be enabled on CloudFront distributions to protect against DDoS attacks at the edge. CloudFront's global edge network provides additional capacity to absorb large volumetric attacks.

Route 53: Shield Advanced protects Route 53 hosted zones by monitoring DNS queries and mitigating DDoS attacks against your domain.

Global Accelerator: Similar to CloudFront, Global Accelerator provides edge protection and can be protected by Shield Advanced.

AWS Firewall Manager: You can centrally manage Shield Advanced protections across multiple accounts using Firewall Manager.

How Shield Advanced Mitigates Attacks

When an attack is detected, Shield Advanced uses the following mechanisms:

1. Network ACLs and Security Groups: Shield Advanced does not modify these directly but can work with them to block traffic.

2. Traffic Scrubbing: For Layer 3/4 attacks, traffic is redirected to AWS's scrubbing centers where malicious packets are dropped based on signatures and rate limits.

3. WAF Rules: For Layer 7 attacks, WAF rules are applied to inspect HTTP/HTTPS requests and block those that match attack patterns (e.g., SQL injection, XSS, or HTTP floods).

4. Rate Limiting: Shield Advanced can automatically apply rate limits on a per-source-IP basis to mitigate slow DDoS attacks.

Important Limitations

Shield Advanced does not protect against all DDoS attacks. It is designed to handle common attack vectors but may not mitigate zero-day or highly sophisticated attacks.

It requires you to enable it on each resource individually. You cannot enable it globally for all resources in an account without explicitly adding each one.

The cost protection feature only covers scaling charges directly attributable to a DDoS attack. You must have Shield Advanced enabled on the affected resources at the time of the attack.

Shield Advanced does not provide DDoS protection for on-premises resources unless they are fronted by AWS services like CloudFront or Global Accelerator.

Walk-Through

1. Enable Shield Advanced on resource

To protect a resource, you first subscribe to Shield Advanced (costs $3,000/month). Then, you create a protection by specifying the resource ARN. For example, for an ALB, you run `aws shield create-protection --name "ALB-Protection" --resource-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/1234567890123456`. This registers the resource with Shield Advanced, enabling monitoring and mitigation.

2. Baseline traffic analysis

Shield Advanced begins analyzing traffic to the protected resource over a period of time (typically 24 hours) to establish a baseline of normal traffic patterns. This includes metrics like bits per second, packets per second, and requests per second. The baseline is used to detect anomalies that may indicate an attack.

3. Attack detection via anomaly and signature

Shield Advanced uses both anomaly detection and signature-based detection. Anomaly detection compares current traffic to the baseline; if traffic exceeds a threshold (e.g., 200% of baseline), an alert is generated. Signature-based detection looks for known attack patterns (e.g., SYN flood, UDP amplification). When an attack is detected, the system logs the event and updates CloudWatch metrics like `DDoSDetected`.

4. Automatic mitigation applied

Upon detection, Shield Advanced automatically applies mitigations. For Layer 3/4 attacks, traffic is scrubbed at AWS edge locations. For Layer 7 attacks, if WAF is associated, Shield Advanced can automatically create rate-based rules to block sources exceeding a threshold (e.g., 2,000 requests per 5 minutes). The mitigation is applied within seconds of detection.

5. Cost protection and DRT engagement

During an attack, Shield Advanced monitors scaling costs incurred by the protected resource. If you have cost protection enabled (default), AWS will credit any scaling charges caused by the attack. You can also engage the DRT via AWS Support for manual intervention. The DRT can create custom WAF rules or adjust mitigation settings in real-time.
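Steps 2 to 4 of the walk-through describe a pipeline: build a baseline, flag minutes that exceed it, then let a rate-based rule single out the sources to block. The following Python simulation, added here as an example and not code from the original page or from AWS, runs that pipeline over constructed traffic using the walk-through's illustrative figures (200% of baseline, 2,000 requests per 5 minutes per source). It is a model of the logic, not AWS's actual detection internals; the source IPs, request counts and baseline samples are all constructed. It also shows the point the steps imply but do not state: an aggregate anomaly tells you *that* something is wrong, while only the per-source rate evaluation tells you *which* sources a WAF rate-based rule would act on, and a source sitting exactly at the limit is not blocked because the rule fires on "exceeding" it.

```python
"""Simulation of baseline -> anomaly detection -> rate-based rule evaluation.
Added example with constructed data; thresholds are the walk-through's
illustrative figures, not Shield Advanced's real internals."""
from collections import defaultdict, deque
from statistics import mean

BASELINE_MULTIPLIER = 2.0    # a minute is anomalous above 200% of baseline
RATE_LIMIT = 2000            # requests per source within the rate window
RATE_WINDOW_MINUTES = 5      # WAF rate-based rules count over 5 minutes


def build_baseline(minute_counts):
    """Average requests per minute over the baseline window (24 h = 1440 samples)."""
    if not minute_counts:
        raise ValueError("baseline window is empty")
    return mean(minute_counts)


def anomalous_minutes(baseline, recent_counts):
    """Indexes of minutes whose request count exceeds BASELINE_MULTIPLIER * baseline."""
    return [i for i, c in enumerate(recent_counts) if c > BASELINE_MULTIPLIER * baseline]


def rate_based_blocks(requests):
    """requests: iterable of (minute_index, source_ip). Returns the sources whose
    requests within any RATE_WINDOW_MINUTES sliding window exceed RATE_LIMIT,
    which is what a WAF rate-based rule would pick out for blocking."""
    per_source = defaultdict(lambda: defaultdict(int))
    for minute, ip in requests:
        per_source[ip][minute] += 1
    blocked = set()
    for ip, counts in per_source.items():
        window, total = deque(), 0
        for minute in sorted(counts):
            window.append(minute)
            total += counts[minute]
            # Drop minutes that fell out of the 5-minute window.
            while window[0] <= minute - RATE_WINDOW_MINUTES:
                total -= counts[window.popleft()]
            if total > RATE_LIMIT:      # strictly exceeding the limit
                blocked.add(ip)
                break
    return blocked


def make_requests():
    """Constructed traffic for minutes 0-9: five legitimate sources at 40 req/min,
    one flooding source at 700 req/min for minutes 3-5 (2,100 in one window) and
    one source sitting exactly at the limit (500 req/min for minutes 3-6 = 2,000)."""
    reqs = []
    for minute in range(10):
        for n in range(1, 6):
            reqs.extend([(minute, f"10.0.0.{n}")] * 40)
    for minute in range(3, 6):
        reqs.extend([(minute, "198.51.100.7")] * 700)
    for minute in range(3, 7):
        reqs.extend([(minute, "203.0.113.9")] * 500)
    return reqs


def minute_counts(requests, minutes=10):
    """Aggregate request count per minute, the shape of a per-minute CloudWatch series."""
    counts = [0] * minutes
    for minute, _ in requests:
        counts[minute] += 1
    return counts


def simulate():
    # Constructed 24-hour baseline: roughly 300-330 requests per minute.
    baseline = build_baseline([300 + (i % 7) * 5 for i in range(1440)])
    requests = make_requests()
    recent = minute_counts(requests)
    anomalies = anomalous_minutes(baseline, recent)
    # Only evaluate the rate rule once the aggregate anomaly has fired.
    blocked = rate_based_blocks(requests) if anomalies else set()
    return {"baseline": baseline, "recent": recent,
            "anomalous_minutes": anomalies, "blocked_sources": blocked}


if __name__ == "__main__":
    r = simulate()
    print(f"baseline {r['baseline']:.1f} req/min; per-minute counts {r['recent']}")
    print("anomalous minutes:", r["anomalous_minutes"])
    print("sources a rate-based rule would block:", sorted(r["blocked_sources"]))
```

Minute 6 is flagged as anomalous even though the flooding source has stopped by then, because the at-the-limit source is still present; the rate evaluation nevertheless blocks only the source that went over 2,000, which is the behaviour a rate-based rule threshold gives you.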

What This Looks Like on the Job

Scenario 1: E-commerce Website During Holiday Season

A large e-commerce company uses AWS to host its website, which handles millions of transactions daily. During Black Friday, they expect high traffic but also face DDoS extortion threats. They enable Shield Advanced on their CloudFront distribution and ALB. During an attack, Shield Advanced automatically mitigates a volumetric SYN flood at the edge, preventing any impact on the origin servers. The cost protection feature saves them $50,000 in EC2 scaling costs that would have been incurred due to the attack. The DRT is engaged to fine-tune WAF rules to block malicious bots while allowing legitimate shoppers.

Scenario 2: Financial Services with Compliance Requirements

A bank uses Route 53 for DNS and ALBs for its trading applications. They need to ensure availability even under DDoS attacks for regulatory compliance. They enable Shield Advanced on all Route 53 hosted zones and ALBs. An attacker launches a DNS amplification attack targeting their domain. Shield Advanced detects the attack and drops malicious DNS queries at the edge, ensuring legitimate queries are still resolved. The bank also uses AWS WAF with Shield Advanced to block SQL injection attempts during the attack.

Scenario 3: Gaming Company with Real-Time Multiplayer

A gaming company runs its game servers on EC2 instances behind a Network Load Balancer (NLB). They protect the NLB's Elastic IPs with Shield Advanced. During a major game launch, they face a UDP flood attack. Shield Advanced scrubs the traffic at the edge, dropping malicious UDP packets while allowing game traffic to pass. The company uses the DRT to create custom mitigations for the specific game protocol. Without Shield Advanced, the NLB would have scaled up and incurred significant costs, which are now covered by cost protection.

Common Misconfigurations

Not enabling Shield Advanced on all resources: If only the ALB is protected but not the CloudFront distribution in front of it, the CloudFront distribution may still be vulnerable.

Relying solely on Shield Advanced without WAF: For Layer 7 attacks, WAF rules are essential. Shield Advanced alone cannot block complex application-layer attacks.

Forgetting to subscribe to cost protection: By default, cost protection is enabled, but if you disable it, you will not receive credits for scaling charges.

How SAA-C03 Actually Tests This

What SAA-C03 Tests on Shield Advanced

The SAA-C03 exam (Objective 1.3: Design secure architectures) expects you to know:

The difference between Shield Standard (free, automatic) and Shield Advanced (paid, enhanced).

Features unique to Shield Advanced: 24/7 DRT access, cost protection, attack diagnostics, and integration with WAF.

Supported resources: Elastic IP, CloudFront, Route 53, ALB, Global Accelerator, EC2.

Cost: $3,000/month per organization (not per account).

Cost protection covers scaling charges incurred during an attack.

Common Wrong Answers and Why

1. "Shield Advanced protects all resources in the account automatically." Wrong: You must explicitly enable it on each resource. It is not automatic.

2. "Shield Advanced is cheaper than Shield Standard." Wrong: Shield Standard is free; Shield Advanced costs $3,000/month.

3. "Shield Advanced can be used to protect on-premises servers." Wrong: It only protects AWS resources. On-premises resources must be fronted by AWS services like CloudFront.

4. "Cost protection covers all AWS charges during an attack." Wrong: It only covers scaling charges (e.g., EC2, ALB, CloudFront) directly attributable to the attack, not all charges.

Numbers and Terms That Appear on the Exam

$3,000/month per organization.

24/7 access to DDoS Response Team (DRT).

Supported resources: CloudFront, Route 53, ALB, Global Accelerator, Elastic IP, EC2.

Integration with AWS WAF for Layer 7 protection.

Cost protection for scaling charges.

Attack metrics: DDoSDetected, DDoSAttackBitsPerSecond, DDoSAttackPacketsPerSecond, DDoSAttackRequestsPerSecond.

Edge Cases and Exceptions

If you have multiple AWS accounts, you pay $3,000/month total for the organization, not per account.

Shield Advanced does not protect against all DDoS attacks; it is designed for common vectors.

You can engage the DRT only if you have Shield Advanced; Shield Standard does not include this.

Cost protection requires that you have Shield Advanced enabled on the resource at the time of the attack.

How to Eliminate Wrong Answers

If the question mentions "automatic protection for all resources" without explicit enablement, it's likely describing Shield Standard.

If the question asks about "cost savings" or "financial protection," look for Shield Advanced's cost protection feature.

If the question involves "human support" or "24/7 team," that's Shield Advanced's DRT.

If the question mentions Layer 7 attacks, the answer likely involves integrating Shield Advanced with AWS WAF.

Key Takeaways

Shield Advanced costs $3,000 per month per organization, not per account.

Must be explicitly enabled on each resource; supported resources include CloudFront, Route 53, ALB, Global Accelerator, Elastic IP, and EC2.

Provides 24/7 access to the AWS DDoS Response Team (DRT).

Cost protection covers scaling charges (e.g., EC2, ALB, CloudFront) caused by a DDoS attack.

Integrates with AWS WAF for Layer 7 attack mitigation.

Attack metrics are published to CloudWatch with 1-minute resolution.

Not a replacement for AWS WAF; both are needed for comprehensive protection.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

AWS Shield Standard

Free for all AWS customers.

Automatic protection against common Layer 3/4 DDoS attacks.

No access to DDoS Response Team (DRT).

No cost protection for scaling charges.

Limited visibility into attack metrics.

AWS Shield Advanced

Costs $3,000/month per organization.

Enhanced detection and mitigation for Layer 3/4 and Layer 7 attacks.

24/7 access to DRT for manual intervention.

Cost protection for scaling charges incurred during an attack.

Detailed attack diagnostics via CloudWatch and WAF logs.

Watch Out for These

Mistake

Shield Advanced automatically protects all AWS resources in the account.

Correct

Shield Advanced must be explicitly enabled on each resource you want to protect. It does not automatically apply to all resources.

Mistake

Shield Advanced is free with AWS Shield Standard.

Correct

Shield Standard is free. Shield Advanced costs $3,000 per month per organization.

Mistake

Shield Advanced protects on-premises servers directly.

Correct

Shield Advanced only protects AWS resources. To protect on-premises servers, you must front them with AWS services like CloudFront or Global Accelerator.

Mistake

Cost protection covers all AWS charges during a DDoS attack.

Correct

Cost protection only covers scaling charges (e.g., EC2, ALB, CloudFront) that are directly attributable to the attack, not all charges.

Mistake

Shield Advanced eliminates the need for AWS WAF.

Correct

Shield Advanced handles Layer 3/4 attacks, but for Layer 7 attacks, you need AWS WAF. They are complementary.


Frequently Asked Questions

How much does AWS Shield Advanced cost?

AWS Shield Advanced costs $3,000 per month per organization (consolidated billing family). This fee covers all accounts in the organization. There is an additional charge for data transfer out of Shield Advanced ($0.025/GB for first 10 TB, then tiered). You can also commit to 1-year or 3-year terms for a discount.

What resources can I protect with Shield Advanced?

Shield Advanced can protect Elastic IP addresses, CloudFront distributions, Route 53 hosted zones, Application Load Balancers, Global Accelerator accelerators, and EC2 instances. You must enable protection on each resource individually.

Does Shield Advanced protect against Layer 7 attacks?

Yes, but it requires integration with AWS WAF. Shield Advanced can automatically create rate-based WAF rules to mitigate HTTP floods. For custom Layer 7 protections, you need to configure WAF rules manually or via the DRT.

What is cost protection in Shield Advanced?

Cost protection is a feature that credits you for scaling charges incurred by protected resources due to a DDoS attack. For example, if an ALB scales up additional capacity during an attack, AWS will issue a credit for those costs. You must have Shield Advanced enabled on the resource at the time of the attack.

How do I engage the DDoS Response Team (DRT)?

You can contact the DRT by opening a support case in the AWS Support Center. The DRT is available 24/7 for Shield Advanced customers. They can assist with attack mitigation, create WAF rules, and provide guidance.

Can Shield Advanced protect on-premises resources?

No, Shield Advanced only protects AWS resources. To protect on-premises resources, you must front them with AWS services like CloudFront, Global Accelerator, or AWS WAF for application-layer protection.

Is Shield Advanced automatically enabled on all resources?

No, you must explicitly enable it on each resource. You can use the AWS Management Console, CLI, or API to create protections. There is no global toggle.
