Back to Security Cards
    AWS Shield

    AWS Shield Security

    DDoS PROTECTION

    AWS Shield provides DDoS protection at two tiers. Shield Standard defends against Layer 3/4 attacks automatically. Shield Advanced extends protection with enhanced detection, SRT access, cost protection, and application-layer (Layer 7) mitigation.

    HIGH
    Risk Level
    Global+Regional
    Scope
    Std/Adv/SRT
    Key Components
    $3,000/mo
    Advanced Pricing

    📋Service Overview

    Shield Standard vs Advanced

    Shield Standard is free and automatic for all AWS customers, covering Layer 3/4 for CloudFront, Route 53, and Global Accelerator. Shield Advanced ($3,000/month, 1-year commitment) extends to EC2, ELB with Layer 7 mitigation, SRT access, and cost protection.

    Attack note: Shield Standard only covers Layer 3/4. Attackers target Layer 7 specifically against Standard-only customers.

    DDoS Attack Vectors Shield Addresses

    Protects against UDP reflection, SYN floods, DNS amplification, HTTP request floods, and HTTP/2 rapid reset attacks. An attacker with account access can disable protections, remove health checks, or disassociate SRT access.

    Attack note: An attacker with account access can disable Shield Advanced protections, turning an account compromise into a DDoS amplifier.

    Security Risk Assessment

    LowMediumHighCritical
    7.0
    Risk Score

    Shield Standard is automatic and free, reducing baseline risk. However, organizations without Shield Advanced lack application-layer DDoS protection, cost protection, and SRT access. The $3,000/month cost leads many to skip it, leaving them exposed to sophisticated DDoS attacks.

    ⚔️Attack Vectors

    External DDoS Attack Types

    • UDP reflection/amplification (DNS, NTP, SSDP, memcached)
    • SYN flood to exhaust TCP connection state tables
    • HTTP request flood (requires Shield Advanced)
    • DNS query flood against Route 53 hosted zones
    • HTTP/2 rapid reset attack via stream multiplexing

    Account-Level Attack Vectors (Post-Compromise)

    • shield:DeleteProtection removes DDoS protection
    • shield:DisassociateHealthCheck blinds detection
    • shield:DisableProactiveEngagement prevents SRT contact
    • shield:DisassociateDRTRole revokes SRT access
    • shield:UpdateSubscription with AutoRenew=DISABLED

    ⚠️Misconfigurations

    Protection Coverage Gaps

    • Internet-facing resources not added to Shield Advanced
    • No health checks associated with protections
    • Proactive engagement not enabled
    • Emergency contacts not configured
    • Protection groups not defined

    Operational Misconfigurations

    • No WAF web ACL on application-layer resources
    • DRT role not granted for SRT assistance
    • DRT log bucket not associated
    • Using Shield Advanced without Business/Enterprise Support
    • Not using Firewall Manager for multi-account deployment

    🔍Enumeration

    Check Subscription Status
    aws shield get-subscription-state
    Describe Subscription Details
    aws shield describe-subscription
    List All Protected Resources
    aws shield list-protections
    Describe Protection for a Specific Resource
    aws shield describe-protection \
      --resource-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/1234567890123456
    List Recent DDoS Attacks
    aws shield list-attacks \
      --start-time FromInclusive=2026-01-01T00:00:00Z,ToExclusive=2026-03-30T00:00:00Z
    Describe a Specific Attack
    aws shield describe-attack \
      --attack-id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111
    Describe Attack Statistics
    aws shield describe-attack-statistics
    List Protection Groups
    aws shield list-protection-groups
    Check DRT Access Configuration
    aws shield describe-drt-access
    Check Emergency Contact Settings
    aws shield describe-emergency-contact-settings

    📈Privilege Escalation

    Direct Escalation Paths

    • CreateSubscription + CreateProtection causes $3,000/mo charges
    • AssociateDRTRole grants SRT overly broad account access
    • AssociateDRTLogBucket grants SRT read to sensitive buckets
    • iam:PassRole + AssociateDRTRole passes privileged role to SRT

    Indirect Escalation Paths

    • DeleteProtection + external DDoS causes financial damage
    • UpdateEmergencyContactSettings redirects SRT notifications
    • EnableApplicationLayerAutomaticResponse with bad WAF rules

    📜Shield Policy Examples

    Dangerous - Overly Permissive Shield Access
    {
      "Effect": "Allow",
      "Action": "shield:*",
      "Resource": "*"
    }

    Allows creating/deleting subscriptions, removing protections, revoking DRT access, and disabling proactive engagement. An attacker can fully dismantle DDoS defenses.

    Secure - Read-Only Shield Monitoring
    {
      "Effect": "Allow",
      "Action": [
        "shield:Describe*",
        "shield:List*",
        "shield:GetSubscriptionState"
      ],
      "Resource": "*"
    }

    Grants visibility into Shield protections, attack events, and protected resource status without the ability to modify DDoS defenses.

    Secure - SCP to Prevent Disabling Shield
    {
      "Sid": "PreventShieldDisable",
      "Effect": "Deny",
      "Action": [
        "shield:DeleteProtection",
        "shield:DeleteSubscription",
        "shield:DisableProactiveEngagement",
        "shield:DisassociateDRTRole",
        "shield:DisassociateHealthCheck",
        "shield:DisableApplicationLayerAutomaticResponse"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/ShieldAdmin"
        }
      }
    }

    Prevents anyone except a dedicated ShieldAdmin role from disabling protections. Deploy as an SCP in AWS Organizations.

    🛡️Defense Recommendations

    🛡️

    Enable Shield Advanced on All Internet-Facing Resources

    Add explicit protections to every CloudFront distribution, ALB, Elastic IP, Global Accelerator, and Route 53 hosted zone.

    aws shield create-protection \
      --name "prod-alb-protection" \
      --resource-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/prod-alb/1234567890123456
    ❤️

    Associate Route 53 Health Checks

    Health checks enable faster, more accurate detection and are required for proactive engagement.

    aws shield associate-health-check \
      --protection-id abc123-def456 \
      --health-check-arn arn:aws:route53:::healthcheck/12345678-abcd-efgh-ijkl-123456789012
    📞

    Enable Proactive Engagement & Emergency Contacts

    Allow the SRT to contact you proactively during detected events. Configure security team contacts.

    aws shield enable-proactive-engagement
    🔐

    Grant DRT Access with Scoped IAM Role

    Give the SRT access to help during attacks without over-privileging. Associate WAF log buckets.

    aws shield associate-drt-role \
      --role-arn arn:aws:iam::123456789012:role/AWSSRTAccessRole
    🤖

    Enable Automatic Application-Layer Mitigation

    Requires an AWS WAF web ACL associated with the protected resource. Blocks Layer 7 attacks automatically.

    aws shield enable-application-layer-automatic-response \
      --resource-arn RESOURCE_ARN \
      --action Block={}
    📊

    Create Protection Groups

    Group related resources so Shield Advanced can detect distributed attacks across multiple endpoints.

    aws shield create-protection-group \
      --protection-group-id "prod-web-tier" \
      --aggregation SUM \
      --pattern ARBITRARY \
      --members RESOURCE_ARN
    🏢

    Use Firewall Manager for Multi-Account Deployment

    In AWS Organizations, use Firewall Manager Shield Advanced policies to automatically protect resources across all accounts.

    🚫

    Deploy SCP to Prevent Disabling Protections

    Use SCPs in AWS Organizations to prevent unauthorized removal of DDoS protections, health checks, and SRT access.

    📈

    Monitor Shield Metrics in CloudWatch

    Key metrics to alarm on: DDoSDetected, DDoSAttackBitsPerSecond, DDoSAttackPacketsPerSecond, DDoSAttackRequestsPerSecond in the AWS/DDoSProtection namespace.

    AWS Shield / Shield Advanced Security Card • Toc Consulting

    Always obtain proper authorization before testing. DDoS testing requires prior AWS approval.

    Toc Consulting: AWS Security & Cloud Architecture

    Securing your AWS estate?

    Our team helps engineering teams secure and architect AWS the right way: assessment in week one, a prioritized action plan in week two.