Introduction to AWS Shield Advanced

Nuwan Premaratne
AWS in Plain English
8 min read, Aug 29, 2021


Going a step further than the standard AWS Shield protection

AWS Shield (Standard) vs Shield Advanced

AWS Shield Console

AWS Shield Standard is DDoS (Distributed Denial of Service) protection that every AWS customer gets by default. You do not need to pay for it or change anything, because it protects the AWS services themselves. Shield applies static limits and inline mitigations to publicly reachable AWS services such as EC2, RDS, EIP and ELB. It only inspects the network traffic towards those services; it does not individually inspect or protect your resources based on your own traffic patterns, and it does not protect you against cost escalation caused by DDoS attacks on your individual resources. Shield Standard only protects against DDoS attacks at layers 3 and 4 of the OSI model.

This is where AWS Shield Advanced comes into play. Shield Advanced provides DDoS protection tailored to the individual AWS resources and applications you deploy in the AWS Cloud, based on their traffic patterns.

There can be situations in which the AWS service as a whole is not under DDoS attack, but your application is. In such scenarios Shield Advanced can identify an attack that is isolated to the traffic of your individual resource and engage with you to mitigate it. Shield Advanced deploys protection at the AWS perimeter network level and uses both your NACLs and its own to mitigate attacks on your resources. While Shield Standard only protects against attacks at layers 3 and 4 of the OSI model, Shield Advanced provides protection at layers 3, 4 and 7. To do this, Shield Advanced uses AWS WAF underneath, together with Route 53 health checks.

While AWS Shield Standard is completely free, enabling AWS Shield Advanced costs $3000 per month. For this you get both reactive and proactive protection against DDoS attacks on your Shield Advanced protected resources, Route 53 cost escalation protection, and support from the AWS Shield Response Team (SRT).

Pricing and Features of Shield Advanced

  • As mentioned above, enabling Shield Advanced charges $3000 per month to the account. If you have a multi-account architecture under an AWS Organization with consolidated billing enabled, the charge applies to the organization, and you can enable Shield Advanced separately in each account under it. In this scenario you are not charged per account: the single $3000 charge appears on your billing account’s dashboard. In addition to this subscription fee, there are data transfer costs for the protected resources you select.
  • Enabling Shield Advanced is subject to a one-year commitment. You cannot remove or disable Shield Advanced before the year is complete, and disabling it requires the assistance of AWS Support. Please refer to the AWS pricing documentation here for the latest prices and conditions.
  • If you have AWS Business Support or Enterprise Support, you get access to the AWS Shield Response Team (SRT), a dedicated support team that engages with you when there is a DDoS attack on your resources, to mitigate it as early as possible.
  • As mentioned above, Shield Advanced (SA) provides layer 3, 4 and 7 protection. For layer 3 and 4 protection, SA uses its own Network Access Control Lists together with the Network ACLs you have implemented. When there is an attack, the SRT moves your Network ACLs from your account’s endpoint to the AWS perimeter network, so that the attack surface of your resources is reduced and the heavy lifting is done at the AWS perimeter. Modifying and moving your Network ACLs requires your consent, which is why you need Business or Enterprise support enabled.
  • For layer 7 protection, SA uses your AWS WAF rules and Route 53 health checks. When there is a layer 7 DDoS attack, the SRT engages you through the contacts you have provided and, with your consent, fine-tunes your AWS WAF rules as needed to mitigate the ongoing attack. For this you have to give the SRT access to your AWS WAF logs, so that they can find the optimal mitigation. SA uses the Route 53 DNS health checks you have configured to quickly identify layer 7 attacks, so you need to configure DNS health checks in Route 53 appropriately.
  • During a DDoS attack, your auto-scaling resources might scale out to absorb the incoming load, which increases the AWS costs for those resources. With AWS Shield Advanced enabled, you can request credits for such DDoS-driven costs on your SA-protected resources through regular AWS support cases.
  • As mentioned above, AWS Shield Advanced does not add all your resources to its protection by default; you have to add the resources you want protected by SA. Currently, SA supports AWS EC2, ELB, CloudFront, Global Accelerator and Route 53 resources.
  • You can manage AWS Shield Advanced through AWS Firewall Manager policies, as the SA subscription includes the AWS Firewall Manager fees. This covers Firewall Manager policies for WAF and SA, but excludes the use of and charges for third-party Marketplace rule sets for WAF. This is highly beneficial if you have a multi-account architecture with SA and WAF enabled in several accounts and need to manage them centrally.

Enable Shield Advanced

Let's look at how to enable AWS Shield Advanced from the AWS Console. Be sure to read through the pricing page and the features page before you enable it, as the prices and features mentioned above can change over time; AWS services change rapidly with new feature requests and services.

Search for “Shield” in the AWS unified search bar. This opens the “WAF & Shield” page: AWS WAF, Shield Advanced and AWS Firewall Manager are integrated with each other in the back-end and therefore share one page in the AWS Console.

Enabling AWS Shield Advanced

Once you click the “Subscribe to Shield Advanced” button, you are directed to a page that displays the service terms. As mentioned above, SA costs $3000 per month plus data transfer fees for the protected resources. On that page you also commit to using Shield Advanced (SA) for 1 year; the subscription auto-renews unless you inform AWS that you want to cancel 30 days before the renewal date. SA is activated after you check all 4 boxes and click “Subscribe to Shield Advanced” again.

Terms of Shield Advanced

After you enable Shield Advanced, you need to complete two more steps to receive the full benefits of SA. These next steps are listed in the Overview section, which is reachable from the left-hand menu.

Steps to completely activate Shield Advanced

The two remaining steps can be done in either order. You can go to the “Protected resources” section, or give the SRT permission to access your Shield Advanced subscription and WAF so that they can support you in attack mitigation. Granting SRT access is straightforward, and you will find the necessary steps here. Follow the steps in the AWS documentation closely and always refer to it when activating; the AWS documentation should be your primary guide for the exact steps. As mentioned in that document, if you use AWS WAF and also need layer 7 protection, you need to grant access to the S3 bucket where your WAF logs are stored. This bucket can be in any account under your organization that has Shield Advanced enabled, and it must be SSE-S3 encrypted, since SSE-KMS encrypted buckets are not supported at the moment. You also have to configure at least one contact so that the SRT can reach you during an ongoing attack, if you want the proactive protection that Shield Advanced provides.

Once SRT support is configured, navigate to the “Protected resources” section to add your resources. Select “Add resources to protect” and choose your resources from the supported resource types.

Shield Advanced supported resource types

After the resources are added for protection, you can group them as you prefer for manageability. These are logical groupings of resources you have already added; do not confuse them with a Shield Advanced policy that automatically starts protecting resources as soon as they are created. If you need to automate adding protected resources to AWS Shield Advanced, you have to use AWS Firewall Manager policies, which are not covered in this article as they require additional details about Firewall Manager.
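The subscribe, SRT-access, contact and protected-resource steps above can also be scripted instead of clicked through. The following is an added example, not code from the article or from AWS: it drives the boto3 `shield` client operations `get_subscription_state`, `create_subscription`, `associate_drt_role`, `associate_drt_log_bucket`, `update_emergency_contact_settings`, `create_protection` and `associate_health_check` from a small class, checks that the WAF log bucket uses SSE-S3 before it is handed to the SRT, and refuses ARNs outside the resource types the article lists. The ARN patterns, the role, bucket and contact values, and the `RecordingClient` stand-in (which records calls offline instead of talking to AWS) are this example's own assumptions; verify them against the current AWS documentation before running it against a real account.

```python
"""Scripted Shield Advanced onboarding (added example; assumptions noted inline)."""
import re

# ARN shapes for the resource types the article lists as protectable (assumption):
# Elastic IPs, ELB load balancers, CloudFront, Global Accelerator, Route 53 zones.
PROTECTABLE_ARN = re.compile(
    r"^arn:aws:(?:"
    r"ec2:[^:]+:\d{12}:eip-allocation/"
    r"|elasticloadbalancing:[^:]+:\d{12}:loadbalancer/"
    r"|cloudfront::\d{12}:distribution/"
    r"|globalaccelerator::\d{12}:accelerator/"
    r"|route53:::hostedzone/)"
)

def is_protectable(arn: str) -> bool:
    """True if the ARN belongs to a resource type Shield Advanced can protect."""
    return PROTECTABLE_ARN.match(arn) is not None

def bucket_uses_sse_s3(s3, bucket: str) -> bool:
    """The WAF log bucket shared with the SRT must be SSE-S3 (AES256), not SSE-KMS."""
    cfg = s3.get_bucket_encryption(Bucket=bucket)
    rules = cfg["ServerSideEncryptionConfiguration"]["Rules"]
    return bool(rules) and all(
        r["ApplyServerSideEncryptionByDefault"]["SSEAlgorithm"] == "AES256" for r in rules)

class ShieldAdvancedOnboarding:
    """Drives a boto3 'shield' client and an S3 client (or objects with the same methods)."""

    def __init__(self, shield, s3):
        self.shield, self.s3 = shield, s3

    def subscribe(self) -> str:
        # Idempotent: only subscribe (and start the one-year commitment) when not active.
        state = self.shield.get_subscription_state()["SubscriptionState"]
        if state != "ACTIVE":
            self.shield.create_subscription()
            state = "ACTIVE"
        return state

    def grant_srt_access(self, role_arn: str, log_bucket: str) -> None:
        # The role's trust policy must let drt.shield.amazonaws.com assume it (service
        # principal assumed from AWS docs); the bucket check mirrors the SSE-S3-only
        # restriction the article mentions.
        if not bucket_uses_sse_s3(self.s3, log_bucket):
            raise ValueError(f"{log_bucket} must be SSE-S3 encrypted for SRT log access")
        self.shield.associate_drt_role(RoleArn=role_arn)
        self.shield.associate_drt_log_bucket(LogBucket=log_bucket)

    def set_emergency_contact(self, email: str, phone: str, notes: str = "") -> None:
        self.shield.update_emergency_contact_settings(EmergencyContactList=[
            {"EmailAddress": email, "PhoneNumber": phone, "ContactNotes": notes}])

    def protect(self, name: str, arn: str, health_check_arn: str = "") -> str:
        if not is_protectable(arn):
            raise ValueError(f"unsupported resource type: {arn}")
        pid = self.shield.create_protection(Name=name, ResourceArn=arn)["ProtectionId"]
        if health_check_arn:  # a Route 53 health check feeds layer 7 attack detection
            self.shield.associate_health_check(ProtectionId=pid, HealthCheckArn=health_check_arn)
        return pid

class RecordingClient:
    """Offline stand-in (constructed for this demo) that records calls instead of hitting AWS."""

    def __init__(self, sse_algorithm: str = "AES256"):
        self.calls, self.state, self.sse = [], "INACTIVE", sse_algorithm

    def get_subscription_state(self):
        return {"SubscriptionState": self.state}

    def get_bucket_encryption(self, Bucket):
        return {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": self.sse}}]}}

    def __getattr__(self, name):  # any other API operation: record it and acknowledge
        def call(**kwargs):
            self.calls.append((name, kwargs))
            if name == "create_subscription":
                self.state = "ACTIVE"
            return {"ProtectionId": "demo-protection-id"}
        return call

def demo():
    """Run the whole onboarding sequence against the recording stand-in (sample values)."""
    client = RecordingClient()
    ob = ShieldAdvancedOnboarding(client, client)
    ob.subscribe()
    ob.grant_srt_access("arn:aws:iam::111122223333:role/ShieldSRTAccess", "waf-logs-demo")
    ob.set_emergency_contact("soc@example.com", "+15555550100", "24x7 SOC")
    pid = ob.protect(
        "web-alb",
        "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/web/abc123",
        "arn:aws:route53:::healthcheck/11111111-2222-3333-4444-555555555555")
    return pid, [name for name, _ in client.calls]

if __name__ == "__main__":
    print(demo())  # live: ShieldAdvancedOnboarding(boto3.client("shield"), boto3.client("s3"))
```

Against a real account, pass `boto3.client("shield")` and `boto3.client("s3")` instead of the stand-in; `subscribe()` is deliberately idempotent because `create_subscription` is the call that starts the one-year commitment, and `grant_srt_access` refuses an SSE-KMS bucket up front rather than letting the association fail later.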

Under the “Events” section you can see all past and ongoing attacks on your resources that SA has detected. A global overview of the DDoS attacks currently targeting AWS customers is available in the “Global Threat Dashboard”. A summary of your Shield Advanced subscription is shown in the “Overview” section, which you first used to complete the SA setup process.

I hope this has helped you get an understanding of AWS Shield Advanced and get started with the service with ease. Kindly share this with anyone you know who will benefit from it, and let me know your thoughts via the responses below.
