Is there any visibility into whether a DDoS attack occurs on an API Gateway using WAF & Shield Standard?

0

Hi,

We are looking to see if there is any visibility into whether a DDoS attack occurs on our API Gateway service should it occur. The API Gateway will be protected directly by WAF rules at the L7 application layer. While we can monitor AWS/WAFV2 metrics like BlockedRequests, we also want to know if we could do something similar for L3/L4 attacks.

I see that Shield Advanced has DDoS metrics: https://docs.aws.amazon.com/waf/latest/developerguide/ddos-cloudwatch-metrics.html

We aren't necessarily looking for this level of granularity, but would like to have data on how many times a DDoS attack occurs so we can decide if we want to upgrade to Shield Advanced for greater insight.

Also, we are not fronting the API Gateway with CloudFront. The APIGW endpoints are also regional.

Asked 1 year ago · 524 views
2 Answers
1
Accepted Answer

Hi,

All customers can access a summary of the events for their account over the prior year. You can see this information under the Getting Started page of the AWS Shield console. For more information, see AWS Shield global and account activity.

To get detailed visibility into DDoS attacks, you will need AWS Shield Advanced.

Best regards

Ricardo Makino

AWS
answered 1 year ago
1

If you are looking for L3/L4 DDoS visibility with AWS WAF & Shield Standard, it's not possible. As you know, AWS WAF works at the application layer, so AWS WAF can't provide any L3/L4 DDoS metrics for you. Shield Standard can detect/mitigate L3/L4 DDoS for free, but it does not provide the data you want. If you need data related to DDoS prior to subscribing to Shield Advanced, I'd suggest you contact your AWS Account Manager to check whether you can have a chance to demo Shield Advanced for a specific period.

AWS
answered 1 year ago
