
Shield Standard - Is it enough for L3/L4?


Hi,

  • we only need L3/L4 DDoS protection
  • we have a number of public NLBs that forward to a pool of Firewall NVAs
  • what happens if there is a TCP SYN flood, for example (let's say a "small" one of 5 Gbit/s targeting one of our public NLBs)?

Will Shield Standard protect us (i.e. the Firewall NVA)?

Would Shield Advanced help (it is mostly about L7 after all and we only need UDP flood and SYN flood protection basically)?

  • @Thilo: If my answer helped solve your problem, I would appreciate it if you click on “accepted answer”.

asked 2 months ago · 94 views
1 Answer

My personal view on that: the fundamental difference is this: Shield Standard is designed to protect the AWS infrastructure, while Shield Advanced is designed to protect your specific application. To address your specific setup with NLBs and Firewall NVAs, here is why Shield Standard might fall short:

1. "Static Threshold"

Shield Standard uses static thresholds based on what is critical for the AWS network. A 5 Gbit/s SYN Flood is "small" for AWS, so Shield Standard likely won't trigger any automated mitigation. However, 5 Gbit/s of malicious traffic hitting your Firewall NVAs could easily exhaust their CPU or connection tables, causing a "self-inflicted" DoS before AWS infrastructure even notices an event.

2. Shield Advanced: It’s NOT just for Layer 7!

There is a common misconception that Advanced is mostly for L7. For your L3/L4 use case, it offers three critical advantages:

  • Custom Application Baselines: Advanced learns the "normal" traffic patterns of your specific NLBs. It mitigates a 5 Gbit/s flood faster because it recognizes it as an anomaly for your stack.
  • Health-Check Based Detection: By linking Route 53 Health Checks, Shield Advanced triggers mitigation the moment your NVAs start struggling, even if the attack volume is low.
  • EIP Protection: For NLBs, you specifically register the Elastic IPs (EIPs) as protected resources. This allows Shield Advanced to scrub traffic at the AWS network edge, before it even reaches your NVAs.

3. Visibility and Support (SRT)

With Shield Standard, you are essentially "blind." Shield Advanced provides real-time CloudWatch metrics and a dedicated dashboard. Furthermore, you gain access to the Shield Response Team (SRT). They provide 24/7 support and can proactively apply custom mitigations for complex TCP/UDP floods that might bypass automated filters.

4. Strategic Value: AWS Organizations & WAF

Beyond the technical protection, Shield Advanced is a strategic choice for an entire Organization:

  • One Subscription, Many Accounts: You pay the $3,000 monthly fee only once at the AWS Management/Payer account level. It covers all linked accounts in your AWS Organization.
  • Included AWS WAF Costs: The standard fees for AWS WAF (Web ACLs, rules, and requests) are included at "no extra cost" for any resource protected by Shield Advanced. However, you still have the standard limit of 1,500 WCUs per Web ACL (though this can be increased via a service quota increase request). You can fill these 1,500 units with as many rules as the capacity allows at no extra cost. In addition, there is NO charge for the first 50 billion requests per month (across your entire organization).
  • DDoS Cost Protection: If a flood causes your NVA Auto Scaling Group to scale out, AWS provides credits to cover those resulting scaling costs.

If the cost of downtime for your NVAs or the manual effort of responding to a "small" attack exceeds the subscription value, Shield Advanced is the right choice: NOT just for L7, but for professional L3/L4 resilience!

Official AWS Resources for Evidence:

EXPERT · answered 2 months ago
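The EIP-protection, health-check detection and CloudWatch visibility points from the answer above, written out as Terraform. This is an added example, not code from the answerer or from AWS; the allocation ID, public IP and listener port are placeholder variables, the region/account lookups are assumptions, and it presumes the account already has an active Shield Advanced subscription.

```hcl
# Added example (not from the original answer): register one NLB Elastic IP as a
# Shield Advanced protected resource, attach a Route 53 TCP health check so
# detection is health-based rather than volume-based, and alarm on DDoSDetected.
# All identifiers below are placeholders you must replace.

variable "eip_allocation_id" { default = "eipalloc-PLACEHOLDER" } # EIP attached to the NLB
variable "eip_public_ip"     { default = "203.0.113.10" }          # documentation-range placeholder
variable "listener_port"     { default = 443 }                     # a TCP port the NLB listens on

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Shield Advanced protects an NLB through its EIPs, so the protected resource
# is the EIP allocation ARN, not the load balancer ARN.
resource "aws_shield_protection" "nlb_eip" {
  name         = "nlb-eip-${var.eip_allocation_id}"
  resource_arn = "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:eip-allocation/${var.eip_allocation_id}"
}

# TCP health check against the NLB listener: if the firewall NVAs behind it stop
# accepting connections, the check fails even when the attack volume is low.
resource "aws_route53_health_check" "nlb_tcp" {
  ip_address        = var.eip_public_ip
  port              = var.listener_port
  type              = "TCP"
  request_interval  = 10 # seconds; 10 or 30 are the allowed values
  failure_threshold = 3
}

# Associating the health check with the protection enables health-based detection.
resource "aws_shield_protection_health_check_association" "nlb" {
  shield_protection_id = aws_shield_protection.nlb_eip.id
  health_check_arn     = aws_route53_health_check.nlb_tcp.arn
}

# Visibility: DDoSDetected is 1 while Shield has an event open on the resource.
resource "aws_cloudwatch_metric_alarm" "ddos_detected" {
  alarm_name          = "shield-ddos-detected-${var.eip_allocation_id}"
  namespace           = "AWS/DDoSProtection"
  metric_name         = "DDoSDetected"
  dimensions          = { ResourceArn = aws_shield_protection.nlb_eip.resource_arn }
  statistic           = "Sum"
  period              = 60
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  treat_missing_data  = "notBreaching"
}
```

Repeat the protection and association blocks once per EIP of each NLB; the alarm can be pointed at an SNS topic via `alarm_actions` to page the on-call engineer.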
