What Does AWS Shield Standard Provide?

AWS Shield Standard is built-in DDoS protection for AWS workloads. This automated defense operates at the AWS edge, inspecting network traffic before it reaches your cloud resources.

AWS Shield Standard protects against DDoS attacks at Layer 3 (Network) and Layer 4 (Transport) of the OSI model.

At Layer 3, the service blocks IP-based volumetric attacks:

  • ICMP floods

  • IP fragment floods

  • Malformed IP packets

At Layer 4, Shield Standard mitigates protocol attacks:

  • TCP SYN floods: Detects and blocks incomplete TCP handshakes that drain server connection tables

  • UDP reflection/amplification: Filters traffic from exploited UDP services like DNS, NTP, SSDP, and Chargen

  • TCP reflection attacks: Stops spoofed RST or SYN-ACK packets

  • Connection floods: Prevents resource exhaustion from too many simultaneous connections

AWS Shield Standard is automatically enabled for AWS CloudFront distributions, Route 53 hosted zones, Elastic Load Balancers (Classic & ALB), and EC2 instances. No configuration or activation steps are required.

However, Shield Standard focuses solely on network and transport layer attacks. Application layer (Layer 7) protection requires additional services like AWS Shield Advanced or AWS WAF.
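One way to supply the Layer 7 coverage that Shield Standard does not, shown here as an added CloudFormation example rather than anything from the original article: an AWS WAF web ACL with a rate-based rule attached to a CloudFront distribution. The origin domain name and the request threshold are assumed placeholders.

```yaml
# Added example (not from the original article): an AWS WAF web ACL with a
# rate-based rule attached to a CloudFront distribution, covering HTTP request
# floods that Shield Standard's L3/L4 mitigation does not address.
# Assumptions: the origin domain and the 2000-requests-per-5-minutes limit are
# placeholders; CLOUDFRONT-scoped web ACLs must be created in us-east-1.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  EdgeWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: edge-l7-flood-protection
      Scope: CLOUDFRONT
      DefaultAction:
        Allow: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: EdgeWebAcl
      Rules:
        # Block any single client IP that exceeds the limit within a 5-minute window
        - Name: PerIpRateLimit
          Priority: 0
          Action:
            Block: {}
          Statement:
            RateBasedStatement:
              Limit: 2000            # placeholder threshold; tune to real traffic
              AggregateKeyType: IP
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: PerIpRateLimit

  SiteDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        # Shield Standard already covers this distribution at L3/L4;
        # associating the web ACL adds the L7 layer on top
        WebACLId: !GetAtt EdgeWebAcl.Arn
        Origins:
          - Id: app-origin
            DomainName: app.example.com   # placeholder origin
            CustomOriginConfig:
              OriginProtocolPolicy: https-only
        DefaultCacheBehavior:
          TargetOriginId: app-origin
          ViewerProtocolPolicy: redirect-to-https
          ForwardedValues:
            QueryString: false
```

Blocked requests surface under the PerIpRateLimit CloudWatch metric, which is where a detection engineer would alarm on a sustained spike.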

This baseline DDoS protection forms a fundamental component of AWS security architecture. It operates continuously and at no additional cost.