Amazon Shield Advanced events - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Shield Advanced events

When you subscribe to Shield Advanced, and protect your resources, you gain access to additional visibility features for the resources. These include near real-time notification of events that are detected by Shield Advanced and additional information about detected events and mitigations.


Your event information in the Shield Advanced console is based on Shield Advanced metrics. For information about Shield Advanced metrics, see Amazon Shield Advanced metrics

Amazon Shield evaluates traffic to your protected resource along multiple dimensions. When an anomaly is detected, Shield Advanced creates a separate event for each resource that's affected.

You can access event summaries and details through the Events page of the Shield console. The top level Events page provides an overview of current and past events.

The following screenshot shows an example Events page with a single ongoing event. This active event is also flagged in the left navigation pane.

The Amazon Shield console left navigation pane has the Events selection highlighted in red, with a numeral 1 beside it, inside a red circle. The Events page is open, and shows a single row in the events list. The row lists an Amazon resource of type CloudFront distribution. The Current status field contains a triangular red icon next to the words Mitigation in progress. The Attack vectors status field contains UDP traffic. The Start time field contains Sep 16th 2020, 2:43:00 pm SAST. The Duration field contains 6 minutes.

Shield Advanced might also automatically place mitigations against attacks, depending on the traffic type and on your configured protections. These mitigations can protect your resource from receiving excess traffic or traffic that matches a known DDoS attack signature.

The following screenshot shows an example Events listing where all events have been mitigated by Shield Advanced or have subsided on their own.

A Amazon Shield console page titled Events lists events that have been detected recently and their current status.
Protect your resources before an event

Improve the accuracy of event detection by protecting resources with Shield Advanced while they are receiving the normal expected traffic, before they are subject to a DDoS attack.

In order to accurately report events for a protected resource, Shield Advanced must first establish a baseline of expected traffic patterns for it.

  • Shield Advanced reports infrastructure layer events for resources after they've been protected for at least 15 minutes.

  • Shield Advanced reports web application layer events for resources after they've been protected for at least 24 hours. The accuracy of detection for application layer events is best after Shield Advanced has observed expected traffic for 30 days.

To access events information in the Amazon Shield console
  1. Sign in to the Amazon Web Services Management Console and open the Amazon WAF & Shield console at

  2. In the Amazon Shield navigation pane, choose Events. The console shows the Events page.

  3. From the Events page, you can select any event in the list to see additional summary information and details for the event.