Setting up Amazon Shield Advanced
This tutorial walks you through getting started with Amazon Shield Advanced using the Shield Advanced console.
Note
Shield Advanced requires a subscription, while Amazon Shield Standard does not. The protections provided by Shield Standard are available free of charge to all Amazon customers.
Shield Advanced provides advanced DDoS detection and mitigation protection for network layer (layer 3), transport layer (layer 4), and application layer (layer 7) attacks. For more information about Shield Advanced, see Amazon Shield Advanced overview.
The Amazon technical community has published an example of an automated process for configuring Shield Advanced using the infrastructure as code (IaC) tools Amazon CloudFormation and Terraform. You can use Amazon Firewall Manager with this solution if your accounts are part of an organization in Amazon Organizations and if you're protecting any resource types except for Amazon Route 53 or Amazon Global Accelerator.
To explore this option, see the code repository at aws-samples/aws-shield-advanced-one-click-deployment.
Note
It's important that you fully configure Shield Advanced prior to a Distributed Denial of Service (DDoS) event. Complete the configuration to help ensure that your application is protected and that you are ready to respond if your application is affected by a DDoS attack.
Perform the following steps in sequence to get started using Shield Advanced.
Contents
- Subscribing to Amazon Shield Advanced
- Adding and configuring resource protections with Shield Advanced
- Configuring application layer (layer 7) DDoS protections with Amazon WAF
- Configuring health-based detection for your protections with Shield Advanced and Route 53
- Configuring alarms and notifications with Shield Advanced and Amazon SNS
- Reviewing and finishing your protection configuration in Shield Advanced
- Setting up Amazon Shield Response Team (SRT) support for DDoS event response
- Creating a DDoS dashboard in CloudWatch and setting CloudWatch alarms