December 9, 2023

AWS customers can use AWS Shield Advanced to detect and mitigate DDoS attacks that target their applications running on Amazon EC2,  ELB, Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53. By using protection groups for Shield Advanced, resources can be protected effectively.

A protection group is a resource that can be created by grouping your Shield Advanced protected resources, considers to be a single protected entity. A protection group can contain many different resources that compose your application, and the resources may be part of multiple protection groups spanning different AWS Regions within an AWS account.


The benefits of protection groups differ for layers and events. For layer 3 and layer 4 events, protection groups can reduce the time it takes for Shield Advanced to begin mitigations. For layer 7 events, protection groups add an additional reporting mechanism. For both group level and individual resource level Amazon CloudWatch metrics to consume for operational use.

  • For infrastructure layer (layer 3 and 4) events, Shield Advanced monitors the traffic volume of protected resource.
  • An abnormal traffic deviation signals the possibility of a DDoS attack, and Shield Advanced then puts mitigations in place.
  • Shield Advanced observes the elevation of traffic to a resource over multiple consecutive time intervals to establish confidence that a layer 3/layer 4 event is under way.
  • In the absence of a protection group, Shield Advanced follows the default behavior of waiting to establish confidence before it puts mitigation in place for each resource.
  • If protection group is present, and if the service detects that one resource in a group is targeted, Shield Advanced uses that confidence for other resources in the group.

Shield Advanced detects application layer events when you associate a web access control list (web ACL) in AWS WAF with it. Shield Advanced consumes request data for the associated web ACL, analyzes it, and builds a traffic baseline for your application that used to detect anomalies.

When you group resources in a protection group, Shield Advanced aggregates the data from individual resources and creates the baseline for the whole group. It then uses this aggregated baseline to detect layer 7 events for the group resource and continous to monitor.


Shield Advanced provides three types of aggregation to choose from (sum, mean, and max)  to aggregate the volume data of individual resources to use as a baseline for the whole group. We’ll look at the three types of aggregation, with a use case for each, in the next section.

A Shield Advanced subscription provides additional capabilities, It provides integration with AWS WAF for level 7 DDoS detection, health-based detection for reducing false positives, enhanced visibility into DDoS events, assistance from the Shield Response team, custom mitigations, and cost-protection safeguards.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.