AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection.


Use AWS Shield Advanced to protect your AWS-powered web applications from Distributed Denial of Service (DDoS) attacks, which degrade an application's availability and response time by overwhelming (flooding) it with traffic from multiple sources. Shield works in conjunction with Elastic Load Balancing (ELB), Amazon CloudFront and Amazon Route 53 to protect your applications from different types of DDoS attack.


AWS Shield Advanced provides intelligent attack detection, mitigation for DDoS attacks initiated at the application or network layer, and additional mitigation capacity for volumetric attacks. Once the Advanced tier is activated, you get 24/7 access to the DDoS Response Team (DRT) for custom mitigation during attacks, detailed visibility into DDoS events with advanced real-time metrics and reports, and cost protection to guard against bill spikes in the aftermath of a Distributed Denial of Service (DDoS) attack. The AWS WAF service is also included at no additional cost within the AWS Shield Advanced plan.

Default Value:

The Shield service is implemented by default on all AWS edge locations to mitigate DDoS attacks and provides two tiers of service: Standard and Advanced.


Test Plan:

To verify whether the AWS Shield Advanced plan is enabled within your AWS account, perform the following:

  1. Sign in to the AWS Management Console.

  2. Open the AWS WAF & Shield console at

  3. Click Go to AWS Shield to access the service dashboard.

  4. If you are redirected to the AWS Shield subscription page and the Status value for the AWS Shield Advanced plan is set to "Not activated", the Advanced tier is not enabled for your account.

  5. To enable the AWS Shield Advanced tier for your AWS account, so that you benefit from advanced DDoS detection and mitigation for network layer, transport layer and application layer attacks, follow the Implementation Steps below.

Using AWS CLI: 

  aws shield describe-drt-access

If the command returns an empty object (no RoleArn), the DRT has not been granted access to your account. If it fails with an error instead, the account has no Shield Advanced subscription at all, because the Shield API rejects calls from unsubscribed accounts.
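The two CLI outcomes above are easy to misread when scripted, so the following is an added example (not part of this benchmark entry) that turns the exit code and JSON of `aws shield describe-subscription`, `aws shield describe-drt-access` and `aws shield list-protections` into a posture verdict. The interpretation functions take the command output as arguments so they can be checked offline; the live calls only run when RUN_LIVE=1 is set, and assume the AWS CLI v2 with credentials that allow shield:Describe* and shield:ListProtections. It goes slightly beyond the page by also reporting the proactive engagement status and the number of protected resources.

```shell
#!/bin/sh
# Added example (not from the page): evaluate AWS Shield Advanced posture from
# the JSON the AWS CLI prints, so the interpretation logic is testable offline.
# Assumptions: AWS CLI v2 is installed and credentials carry shield:Describe*
# and shield:ListProtections. Sample JSON used in tests is constructed.

# json_str KEY JSON -> value of the first "KEY": "value" pair (no jq needed)
json_str() {
  printf '%s' "$2" | grep -o "\"$1\": *\"[^\"]*\"" | head -n 1 | sed 's/.*: *"\([^"]*\)"/\1/'
}

# subscription_state RC JSON
#   RC is the exit code of `aws shield describe-subscription`; a non-zero code
#   means the account is not subscribed (the Shield API rejects the call).
#   -> NOT_SUBSCRIBED | ACTIVE_PROACTIVE | ACTIVE_NO_PROACTIVE
subscription_state() {
  [ "$1" -eq 0 ] || { echo NOT_SUBSCRIBED; return 0; }
  case "$(json_str ProactiveEngagementStatus "$2")" in
    ENABLED) echo ACTIVE_PROACTIVE ;;
    *)       echo ACTIVE_NO_PROACTIVE ;;   # DISABLED, PENDING or absent
  esac
}

# drt_state RC JSON
#   RC/JSON from `aws shield describe-drt-access`; an empty object means the
#   DRT has no role to assume in this account.
#   -> NOT_SUBSCRIBED | DRT_ACCESS_GRANTED | DRT_ACCESS_MISSING
drt_state() {
  [ "$1" -eq 0 ] || { echo NOT_SUBSCRIBED; return 0; }
  role=$(json_str RoleArn "$2")
  if [ -n "$role" ]; then echo DRT_ACCESS_GRANTED; else echo DRT_ACCESS_MISSING; fi
}

# protection_count JSON -> number of protections in `aws shield list-protections`
protection_count() {
  printf '%s' "$1" | grep -o '"ProtectionArn"' | wc -l | tr -d ' '
}

# run_live: query the account and print the three verdicts.
run_live() {
  sub_out=$(aws shield describe-subscription --output json 2>/dev/null); sub_rc=$?
  echo "subscription: $(subscription_state "$sub_rc" "$sub_out")"
  drt_out=$(aws shield describe-drt-access --output json 2>/dev/null); drt_rc=$?
  echo "drt access:   $(drt_state "$drt_rc" "$drt_out")"
  prot_out=$(aws shield list-protections --output json 2>/dev/null) || prot_out='{}'
  echo "protections:  $(protection_count "$prot_out")"
}

if [ "${RUN_LIVE:-0}" = 1 ]; then
  run_live
fi
```

A verdict of ACTIVE_NO_PROACTIVE or DRT_ACCESS_MISSING with a protection count of zero means the subscription exists but none of the Implementation Steps that make it useful have been completed.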

Implementation Steps:

  1. Sign in to the AWS Management Console.

  2. Open the AWS WAF & Shield console at

  3. Click Go to AWS Shield to access the service dashboard.

  4. On the AWS Shield subscription page, click the Activate AWS Shield Advanced button to subscribe to the Advanced tier and initiate the configuration process.

  5. Choose the AWS resource type and the resource to protect, e.g. an Amazon CloudFront CDN distribution.

  6. For Name, provide a unique name for the AWS resource that you want to protect, e.g. DDoS-protected CloudFront CDN distribution.

  7. For the Web DDoS attack option, select Enable. You will be prompted to associate an existing AWS WAF web ACL with the specified resource, or to create a new web ACL if you don't have one yet.

  8. Click Proactive engagement to enable advanced DDoS protection for the specified AWS resource.

  9. To protect additional AWS resources (ELBs, Route 53 DNS zones, etc.) currently available within your AWS account, select Protected resources from the left navigation panel and repeat steps 5 to 8.

Using AWS CLI: 

aws shield create-protection \
  --name ddos-protected-cloudfront-web-distribution \
  --resource-arn arn:aws:cloudfront::123456789012:distribution/CDOXVBD32B7DS
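The create-protection command above is not idempotent: running it twice for the same resource fails on the second attempt. The following is an added example (not part of this benchmark entry) that carries Implementation Steps 5, 6 and 8 through the AWS CLI, checking `list-protections` before creating and then granting the DRT its role and enabling proactive engagement. It assumes AWS CLI v2, an existing Shield Advanced subscription, and that the placeholder role ARN and contact e-mail are replaced; the resource ARN and protection name are the page's own example values. Live calls only run when RUN_LIVE=1 is set.

```shell
#!/bin/sh
# Added example (not from the page): run the Implementation Steps through the
# AWS CLI idempotently, so a re-run never creates a duplicate protection.
# Assumptions: AWS CLI v2 with shield:* permissions, an existing Shield Advanced
# subscription, and the placeholder ARN/contact values below replaced.

RESOURCE_ARN="${RESOURCE_ARN:-arn:aws:cloudfront::123456789012:distribution/CDOXVBD32B7DS}"  # page's example ARN
PROTECTION_NAME="${PROTECTION_NAME:-ddos-protected-cloudfront-web-distribution}"             # page's example name
DRT_ROLE_ARN="${DRT_ROLE_ARN:-arn:aws:iam::123456789012:role/PLACEHOLDER-ShieldDrtRole}"    # placeholder
CONTACT_EMAIL="${CONTACT_EMAIL:-security-oncall@example.com}"                               # placeholder

# protection_exists RESOURCE_ARN LIST_PROTECTIONS_JSON
# Returns 0 when the `aws shield list-protections` output already names the ARN.
protection_exists() {
  printf '%s' "$2" | grep -qF "\"ResourceArn\": \"$1\""
}

# ensure_protection: Implementation Steps 5-6, skipping creation if present.
ensure_protection() {
  existing=$(aws shield list-protections --output json)
  if protection_exists "$RESOURCE_ARN" "$existing"; then
    echo "protection already present for $RESOURCE_ARN"
  else
    aws shield create-protection --name "$PROTECTION_NAME" --resource-arn "$RESOURCE_ARN"
  fi
}

# enable_drt_and_proactive: the DRT access and proactive engagement part of
# step 8. The role must trust drt.shield.amazonaws.com and carry the
# AWSShieldDRTAccessPolicy managed policy. associate-proactive-engagement-details
# is a first-time call; later contact changes go through
# update-emergency-contact-settings.
enable_drt_and_proactive() {
  aws shield associate-drt-role --role-arn "$DRT_ROLE_ARN"
  aws shield associate-proactive-engagement-details \
    --emergency-contact-list "EmailAddress=$CONTACT_EMAIL,ContactNotes=Primary on-call"
  aws shield enable-proactive-engagement
}

if [ "${RUN_LIVE:-0}" = 1 ]; then
  ensure_protection
  enable_drt_and_proactive
fi
```

Step 7 (the web ACL association) is not covered here because for a CloudFront distribution the web ACL is set in the distribution's own configuration rather than through the Shield API; do that in the console as described or in the CloudFront distribution config.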

Backout Plan:

To disable the protection for a resource, repeat Implementation Steps 1 to 7 and, at step 7, select Disable for the Web DDoS attack option instead of Enable.


References:

  (Optional) Configure AWS SRT support - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

  Getting started with AWS Shield Advanced - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced