AWS Shield Advanced with Route 53

Question

Hi, when enabling AWS Shield Advanced I was unsure if I should enable only for Route 53 or is needed for other services as well. I ask because my infrastructure has CloudFront, Classic Load Balancers and some Elastic IPS which are all behind a Route 53 Hosted Zone. In this scenario enabling AWS Shield Advanced only for Route53 is enough or I need to enable for each of the resources that I have (CF, ELBs, etc)?

Answer

I think it'd be worth reaching out to your local AWS Solutions Architect and/or account team to discuss your requirements here.

However, to answer your question: Shield Advanced [covers all of the services](https://aws.amazon.com/shield/features/) you mention. If you're going to enable it, you wouldn't just enable it for Route 53 (and that's not quite how it works in any case). it covers your entire workload.

Answer

Just because the authoritative DNS for an AWS resource is on Route53,  does not mean the resource is 'behind a Route 53 Hosted Zone'.  That's not how DNS works.

You need to enable Shield Advanced Protection for **each resource** that you want enhanced detection,  mitigation or cost protection for.

AWS Shield Advanced with Route 53

관련 콘텐츠