How can I defend against DDoS attacks with Shield Standard?

4 minute read

I want to protect my application from Distributed Denial of Service (DDoS) attacks with AWS Shield Standard.

Short description

AWS Shield Standard is a managed threat protection service that protects the perimeter of your application. Shield Standard provides automatic threat protection at no additional charge. You can use Shield Standard to protect your application at the edge of the AWS network using Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53. These AWS services receive protection against all known network and transport layer attacks. To defend against layer 7 DDoS attacks, you can use AWS WAF.

To protect your application from DDoS attacks with Shield Standard, it's a best practice to follow these guidelines for your application architecture:

  • Reduce the attack area surface
  • Be ready to scale and absorb the attack
  • Safeguard exposed resources
  • Monitor application behavior
  • Create a plan for attacks


Reduce the attack area surface

For more information, see Attack surface reduction.

Be ready to scale and absorb the DDoS attack

For more information, see Mitigation techniques.

Safeguard exposed resources

  • Configure AWS WAF with a rate-based rule in block mode to defend against request flood attacks.
    Note: You must have CloudFront, Amazon API Gateway, Application Load Balancer, or AWS AppSync configured to use AWS WAF.
  • Use CloudFront geographic restrictions to prevent users originating from countries that you don't want to access your content.
  • Use burst limits for each method with your Amazon API Gateway REST APIs to protect your API endpoint from being overwhelmed by requests .
  • Use origin access identity (OAI) with your Amazon Simple Storage Service (Amazon S3) buckets.
  • Set up the API key as the X-API-Key header of each incoming request to protect your Amazon API Gateway against direct access.

Monitor application behavior

For more information, see AWS Application Auto Scaling monitoring.

Create a plan for DDoS attacks

  • Develop a runbook in advance so that you can respond to DDoS attacks in an efficient and timely manner. For guidance on creating a runbook see the AWS security incident response guide. You can also review this example runbook.
  • Use the aws-lambda-shield-engagement script to quickly log a ticket to AWS Support during an impacting DDoS attack.
  • Shield Standard offers protection against infrastructure-based DDoS attacks occurring at layers 3 and 4 of the OSI model. To defend against layer 7 DDoS attacks, you can use AWS WAF.

For more information on how to protect your application from DDoS attacks, see AWS best practices for DDoS resiliency.

Related information

How to help protect dynamic web applications against DDoS attacks by using CloudFront and Route 53

How to protect your web application against DDoS attacks by using Route 53 and an external content delivery network

How to protect a self-managed DNS service against DDoS attacks using AWS Global Accelerator and AWS Shield Advanced

Testing and tuning your AWS WAF protections

How can I simulate a DDoS attack to test Shield Advanced?

AWS OFFICIALUpdated a year ago