By using AWS re:Post, you agree to the Terms of Use
/Is CloudFront providing enough DDoS protection to S3 Buckets?/

Is CloudFront providing enough DDoS protection to S3 Buckets?



I have a S3 bucket with images that should be accessible to an email template which will be sent via AWS Pinpoint.

The public access to this S3 bucket is blocked ON. I have created an OAI with CloudFront with which I can access the S3 bucket images on the Pinpoint email template.

In the AWS documentation, I see that AWS provides DDoS protection with AWS Shield. Now, there are two options AWS Shield Standards and AWS Shield Advanced. Standard is free of charge for everybody and it says tht it is by default availale to everybody.

My question is, does the fact that AWS Shield Standard is free and by default used by everybody, mean that I won't get any DDoS attacks by people trying to access the images from the S3 bucket hidden behind CloudFront distribution? Do I need to explicitly do something with AWS Shield Standard of the protection comes by itself?

Thanks you in advance.

1 Answers

First, I'm not sure the answer is yes or no, as there are various considerations. According to Amazon if you are distributing from behind CloudFront and Route 53 then Shield standard provides comprehensive coverage on layer 3 and 4 DDoS attacks.

AWS Shield Standard defends against most common, frequently occurring network and transport layer DDoS attacks that target your web site or applications. When you use AWS Shield Standard with Amazon CloudFront and Amazon Route 53, you receive comprehensive availability protection against all known infrastructure (Layer 3 and 4) attacks. AWS Shield

AWS Shield standard is automatically enabled and included with various AWS services. However, to benefit from that protection you should consider the architecture of your application (which it sounds like you are). The AWS Shield FAQ says:

Q. How many resources can I enable for AWS Shield Standard protection? There is no limit on the number of resources subject to AWS Shield Standard protection. You can get the full benefits of AWS Shield Standard protections by following the best practices of DDoS resiliency on AWS.

I highly recommend reviewing the full Shield documentation or at a minimum the AWS Best Practices for DDoS Resiliency whitepaper documentation.

Finally, Amazon provides additional guidance for making the decision whether you may need Shield Advanced.

answered a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions