Recently, we’ve had a number of customers ask us if they can use our Real Time Events product to detect the creation of new resources and immediately add them to Shield, to which the answer is a resounding yes.
A couple of our users tried this already with the resulting enablement of Distributed Denial of Service (DDoS) protection within seconds of spinning up resources. The user simply uses GorillaStack to detect the CloudTrail event that is triggered by the creation of a new resource. It then triggers a Lambda function to add that resource to AWS Shield. Automating this process is easy and quick and provides consistency in protecting your Cloud environment.
In this article, we explain the difference between AWS Shield and WAF and how it can protect your cloud in different layers.
AWS Shield is a service provided by Amazon Web Services that is constantly monitoring to protect and actively mitigate against DDoS attacks as they take place.
DDoS attacks are designed to make a service unavailable by sending so much traffic to it that it cannot cope. This is usually achieved using multiple compromised machines (collectively known as a botnet) to send huge volumes of requests to the victim’s infrastructure.
All AWS customers are automatically protected by Shield Standard for no additional cost. Shield standard does most of its work protecting against network and transport layer attacks in CloudFront and Amazon Route 53.
Customers can opt into Shield Advanced. It provides deeper DDoS protection for web applications that use Elastic Load Balancers (ELB) and EC2 instances. During DDoS attacks, customers get some protection around costs incurred.
Shield Advanced customers with Business or Enterprise support plans also get access to a 24×7 DDoS Response Team (DRT), advanced visibility, metrics, reports, and better attack detection and mitigation.
AWS WAF is also included for Shield Advanced customers at no extra cost. We explore WAF later in this post.
AWS Shield observes traffic at the network and transport layers (OSI layers 3 and 4 respectively) to protect AWS resources from DDoS attacks. The protection for Shield Standard is available as a part of the CloudFront and Route 53 products.
Shield Advanced customers register their AWS Resources (Elastic IPs, Load Balancers) with Shield. Then, customers create web ACLs with rate-based rules and WAF rules to protect their resources. In addition, Shield Advanced monitors application layer (layer 7) DDoS attacks like HTTP or DNS flooding. Customers will be notified of attacks through a CloudWatch Alarm.
Optionally, Shield Advanced customers can allow the AWS DDoS Response Team (DRT) access to their account to modify WAF rules and web ACLs in response to attacks.
With Shield Advanced, it is important to keep registering the resources you want protected, while remaining conscious of the limits (1000 resources for each covered resource type).
Learn how you can register newly created resources with Shield automatically with our Real Time Events product.
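The flow described above, as an added example that is not GorillaStack's own code: a Lambda handler that takes the CloudTrail record of the creating API call (it assumes the record is passed as the Lambda event, with CloudTrail's documented field names), derives the ARN Shield expects, and registers it with Shield Advanced via the real `CreateProtection` API. Re-delivered events and the per-type limit are handled explicitly.

```python
"""Lambda that registers a newly created resource with AWS Shield Advanced.
Added example, not GorillaStack's code. Assumes the Lambda event is the raw
CloudTrail record (eventName, awsRegion, recipientAccountId, responseElements).
"""

def resource_arn_from_record(record):
    """Build the ARN Shield expects from a CloudTrail creation record.
    Returns None for events that create nothing Shield can protect."""
    resp = record.get("responseElements") or {}
    if record.get("eventName") == "AllocateAddress":  # Elastic IP
        alloc = resp.get("allocationId")
        if alloc:
            return (f"arn:aws:ec2:{record['awsRegion']}:"
                    f"{record['recipientAccountId']}:eip-allocation/{alloc}")
    if record.get("eventName") == "CreateLoadBalancer":  # ALB / NLB (ELBv2)
        lbs = resp.get("loadBalancers") or []
        if lbs:
            return lbs[0].get("loadBalancerArn")
    return None

def protect_resource(shield, arn):
    """Create a Shield protection; report 'created', 'exists' or 'limit'.
    'exists' makes re-delivered events harmless; 'limit' is the 1000-per-type
    cap the post mentions and should raise an alarm rather than be retried."""
    name = "auto-" + arn.rsplit("/", 1)[-1][:100]  # Shield names max 128 chars
    try:
        shield.create_protection(Name=name, ResourceArn=arn)
        return "created"
    except shield.exceptions.ResourceAlreadyExistsException:
        return "exists"
    except shield.exceptions.LimitsExceededException:
        return "limit"

def lambda_handler(event, context=None):
    """Entry point. Shield's API is global and served from us-east-1."""
    import boto3  # imported here so the logic above is testable without boto3
    arn = resource_arn_from_record(event)
    if arn is None:
        return {"status": "ignored"}
    shield = boto3.client("shield", region_name="us-east-1")
    return {"status": protect_resource(shield, arn), "resource": arn}

# Constructed sample record (not a real account or allocation id).
SAMPLE_EIP_RECORD = {
    "eventName": "AllocateAddress", "awsRegion": "us-east-1",
    "recipientAccountId": "123456789012",
    "responseElements": {"allocationId": "eipalloc-0123456789abcdef0"},
}
```

The Lambda's execution role needs `shield:CreateProtection` and an active Shield Advanced subscription; a `limit` result is the signal to alarm on the 1000-per-type cap rather than to retry.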
AWS Shield Standard is automatically enabled and according to AWS is appropriate for 97% of attacks. That being said, if you’re using Standard or Advanced, Amazon still recommends that you consider using CloudTrail and CloudWatch to closely monitor your services.
Outside of AWS, Akamai and Cloudflare have well-regarded DDoS protection services and could be considered.
AWS WAF is a web application firewall that uses configured rules to allow or block incoming requests. WAF sits in front of an API Gateway API, a CloudFront distribution or an Application Load Balancer. It then allows customers to filter inbound traffic based on IP Address, country, bad headers, or requests that likely contain an XSS or SQL injection attack.
AWS Shield and WAF are closely related in their purpose and how they are presented commercially. A subscription for Shield Advanced even includes AWS WAF at no extra cost.
The table below summarises the difference between AWS Shield and AWS WAF:

| | AWS Shield | AWS WAF |
|---|---|---|
| Purpose | Prevent Distributed Denial of Service (DDoS) attacks | Block malicious or unauthorized requests to your resources |
| Layer | Network (3), Transport (4) and, for Shield Advanced customers, Application (7) | Application layer (7) |
| Typical attack types prevented | UDP reflection, SYN flood, DNS flood, HTTP flood | SQL injection (SQLi), Cross-Site Scripting (XSS), untrusted IPs or geographies |
As mentioned above, having Shield Advanced does not mean all your resources are covered automatically. To protect a resource, you need to opt it in. An effective approach is to automate registering every relevant resource with Shield as soon as it is created, which gives you consistent protection across your Cloud environment.
GorillaStack’s Real Time Events product can automatically detect the event that is emitted when a resource is created and trigger the coverage within seconds. Give it a try today or book a demo with us.