AWS Shield – Covered services

The AWS Shield slide implies you need to be using CloudFront, ELB, and/or Route53 in order to receive protection; however, the DDoS whitepaper states the following:

"AWS Shield Standard defends against most common, frequently occurring network and transport layer DDoS attacks that target your web site or applications. This is offered on all AWS services and in every AWS Region, at no additional cost."

Does the slide need to be updated to clarify that all AWS services in all regions are protected by Shield, or am I missing something?

Source: https://d1.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf (page 7)

3 Answers

AWS Shield has two options: the basic one, which is free for all AWS services and enabled by default, and the business one, which protects ALB/CloudFront/Route53 and costs USD 3000 per month.

Great question, Goki – reading the white paper, it seems a little inconsistent. On page 9:

"Another way that you can improve your readiness to respond to and mitigate DDoS attacks is by subscribing to AWS Shield Advanced. This optional DDoS mitigation service helps you protect an application hosted on any AWS Region or hosted outside of AWS. The service is available globally for Amazon CloudFront and Amazon Route 53. It’s also available in select AWS Regions for Classic Load Balancer (CLB), Application Load Balancer (ALB), and Elastic IP Addresses (EIPs). Using AWS Shield Advanced with EIPs allows you to protect Network Load Balancer (NLBs) or Amazon EC2 instances."

It appears to emphasize those services despite previously stating that Shield Standard "is offered on all AWS services and in every AWS Region, at no additional cost."

I agree with you. The whitepaper and the docs are ambiguous. AWS should update them to clarify what protection you get and how.
