Is CloudFront providing enough DDoS protection to S3 Buckets?
I have an S3 bucket with images that should be accessible to an email template which will be sent via AWS Pinpoint.
The public access to this S3 bucket is blocked ON. I have created an OAI with CloudFront with which I can access the S3 bucket images on the Pinpoint email template.
In the AWS documentation, I see that AWS provides DDoS protection with AWS Shield. Now, there are two options: AWS Shield Standard and AWS Shield Advanced. Standard is free of charge for everybody and it says that it is by default available to everybody.
My question is, does the fact that AWS Shield Standard is free and by default used by everybody, mean that I won't get any DDoS attacks by people trying to access the images from the S3 bucket hidden behind a CloudFront distribution? Do I need to explicitly do something with AWS Shield Standard or does the protection come by itself?
Thank you in advance.
First, I'm not sure the answer is yes or no, as there are various considerations. According to Amazon, if you are distributing from behind CloudFront and Route 53, then Shield Standard provides comprehensive coverage on layer 3 and 4 DDoS attacks.
"AWS Shield Standard defends against most common, frequently occurring network and transport layer DDoS attacks that target your web site or applications. When you use AWS Shield Standard with Amazon CloudFront and Amazon Route 53, you receive comprehensive availability protection against all known infrastructure (Layer 3 and 4) attacks." (AWS Shield)
AWS Shield Standard is automatically enabled and included with various AWS services. However, to benefit from that protection you should consider the architecture of your application (which it sounds like you are). The AWS Shield FAQ says:
"Q. How many resources can I enable for AWS Shield Standard protection?
There is no limit on the number of resources subject to AWS Shield Standard protection. You can get the full benefits of AWS Shield Standard protections by following the best practices of DDoS resiliency on AWS."
Finally, Amazon provides additional guidance for making the decision whether you may need Shield Advanced.
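An added example (not part of the answer above or of AWS's documentation): a bucket-policy check for the setup described in the question, confirming that every Allow grant goes to a CloudFront OAI so image requests have to arrive through the distribution that Shield Standard covers. The bucket name, OAI ID and both sample policies are constructed placeholders, and the function names are hypothetical.

```python
import json

# Principal ARN prefix that CloudFront assigns to an origin access identity.
OAI_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "

def as_list(value):
    """Policy elements may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def principals(stmt):
    """Flatten a statement's Principal element into a list of strings."""
    p = stmt.get("Principal")
    if p is None:                       # absent, or NotPrincipal was used
        return ["<no Principal element>"]
    if isinstance(p, str):              # "Principal": "*"
        return [p]
    return [v if kind == "AWS" else f"{kind}:{v}"
            for kind, vals in p.items() for v in as_list(vals)]

def audit_bucket_policy(policy):
    """Return a finding for every Allow grant to something other than an OAI.
    The CanonicalUser form of an OAI is not recognised and is reported for review."""
    findings = []
    for n, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for who in principals(stmt):
            if not who.startswith(OAI_PREFIX):
                findings.append(f"statement {n}: Allow {stmt.get('Action')} to {who}")
    return findings

# Constructed sample policies; bucket name and OAI ID are placeholders.
OAI_ONLY = json.loads("""{"Version": "2012-10-17", "Statement": {
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAIID"},
  "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}}""")

WITH_PUBLIC_READ = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAIID"},
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}""")

if __name__ == "__main__":
    for name, pol in [("OAI_ONLY", OAI_ONLY), ("WITH_PUBLIC_READ", WITH_PUBLIC_READ)]:
        print(name, audit_bucket_policy(pol) or "only the OAI can read")
```

To check a real bucket, pass in the parsed JSON of its policy document instead of the samples.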