
How to Set Up AWS Shield Advanced

Posted by Nanda Larasati

May 27, 2026


AWS Shield Advanced should be fully configured before a DDoS event occurs. Completing the configuration beforehand helps ensure that applications are protected and ready to respond effectively when an attack happens.

 

Understanding AWS Shield Advanced 

AWS Shield Advanced provides additional DDoS protection capabilities beyond the default AWS Shield Standard service. It delivers advanced detection and mitigation mechanisms to protect applications against threats across: 

  • Layer 3 (Network Layer)  
  • Layer 4 (Transport Layer)  
  • Layer 7 (Application Layer)  

In addition to attack mitigation, Shield Advanced offers: 

  • Automatic DDoS detection and response  
  • Visibility into attack metrics and traffic patterns  
  • Integration with AWS WAF  
  • Health-based detection using Route 53  
  • Access to the Shield Response Team (SRT)  

 

How AWS Shield Advanced Improves DDoS Resiliency 

DDoS Resilient Architecture for Web Applications 

For web applications, AWS recommends placing Amazon Route 53, Amazon CloudFront, and AWS WAF in front of backend application resources. This architecture helps hide the application’s origin, deliver content closer to users, and filter malicious traffic before it reaches backend resources. 

With Shield Advanced enabled, applications can benefit from: 

  • Protection against Layer 3 and Layer 4 DDoS attacks  
  • TCP SYN flood mitigation  
  • DNS attack protection through Route 53  
  • Protection against request flood attacks using AWS WAF rate-based rules  
  • Optional automatic application-layer mitigation and proactive engagement with the Shield Response Team (SRT)  


DDoS Resilient Architecture for TCP and UDP Applications 

For TCP- and UDP-based applications such as gaming platforms, IoT systems, or services requiring static IP addresses, AWS recommends using Route 53 and AWS Global Accelerator. 

This architecture provides: 

  • Protection against large-scale infrastructure attacks  
  • Better application availability  
  • Improved network performance and lower latency  
  • Optional web application protection through AWS WAF integration  

 


 

Combining Shield Advanced with Other AWS Services 

AWS Shield Advanced can provide stronger protection when integrated with additional AWS services depending on workload requirements. For example, web applications commonly integrate with CloudFront and Application Load Balancer, while TCP-based workloads can benefit from AWS Global Accelerator and Elastic IP addresses. 

This combination enables broader security coverage and allows traffic filtering closer to AWS network boundaries during attack events. 


 

How to Set Up AWS Shield Advanced 

Step 1: Subscribe to AWS Shield Advanced 

AWS Shield Advanced requires a paid subscription, unlike AWS Shield Standard, which is automatically included for all AWS customers.

To subscribe: 

  1. Sign in to the AWS Management Console.  
  2. Open the AWS WAF & Shield console at https://console.aws.amazon.com/wafv2/.
  3. In the AWS Shield navigation menu, select Getting Started.
  4. Click Subscribe to Shield Advanced.
  5. Read and accept all subscription terms.  
  6. Click Subscribe to Shield Advanced to activate the service.  

Important notes: 

  • Each AWS account that requires protection must be subscribed separately.  
  • For accounts under AWS Organizations, billing can be consolidated.  
  • Shield Advanced subscriptions do not automatically protect resources after activation.  

 

Step 2: Add Resources to Protect 

After subscribing, the next step is selecting the AWS resources that should be protected. 

To add resources: 

  1. Open the Protected Resources page.
  2. Select Add Resources to Protect.
  3. Choose:
     • AWS Region
     • Resource types
  4. Click Load Resources.
  5. Select the resources that need protection.
  6. Optionally add tags for easier management.
  7. Click Protect with Shield Advanced.

You can protect resources across multiple regions or select global resources depending on your architecture. 

 

Step 3: Configure Layer 7 DDoS Protection Using AWS WAF 

AWS Shield Advanced relies on AWS WAF to protect against application-layer attacks. 

To configure Layer 7 protection: 

  1. On the Configure Layer 7 DDoS Protection page, associate each resource with either:
     • an existing AWS WAF Web ACL, or
     • a new Web ACL that you create
  2. Add a rate-based rule if one does not exist.
  3. Configure:
     • request threshold
     • desired action (Count or Block)

Rate-based rules help prevent request floods by limiting requests from suspicious IP addresses. 

Optional: Enable Automatic Application Layer DDoS Mitigation. 

When enabled, Shield Advanced: 

  • Monitors traffic behavior  
  • Compares current traffic with historical patterns  
  • Detects anomalies automatically  
  • Creates custom mitigation rules when attacks occur  

Note: This feature only works with AWS WAF v2. 

 

Step 4: Configure Health-Based Detection 

Health checks help Shield Advanced improve detection accuracy and mitigation response. 

To configure health-based detection: 

  1. Create a health check in Amazon Route 53 if one does not already exist.
  2. Under Associated Health Check, select the health check ID.
  3. Verify that the health check accurately represents application health.
  4. Click Next.

Health checks are also required if you want to use proactive engagement with the Shield Response Team (SRT).

 

Step 5: Configure Notifications and Alerts 

AWS Shield Advanced allows integration with Amazon SNS to notify teams when attacks or abnormal activity occur. 

To configure notifications: 

  1. Select Amazon SNS topics for alerts.
  2. Decide whether:
     • one SNS topic will be shared across all resources
     • separate SNS topics will be used for different teams
  3. Continue to the next page.

This setup allows organizations to receive alerts immediately when suspicious activity is detected. 

 

Step 6: Review and Finish Configuration 

Before completing setup: 

  1. Review all configuration settings.  
  2. Modify settings if necessary using Edit.
  3. Click Finish Configuration.

After completion, the protected resources will appear in the Shield Advanced dashboard. 

 

Step 7 (Optional): Configure Shield Response Team (SRT) 

Organizations with Business Support or Enterprise Support plans can enable Shield Response Team assistance. 

To enable SRT: 

  1. Open the AWS Shield console.  
  2. Navigate to Configure AWS SRT Support.
  3. Grant SRT access permissions.  
  4. Add contact information.  
  5. Enable proactive engagement.  

With proactive engagement enabled, AWS can contact security teams directly if an attack impacts application health. 
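
A way to check the outcome of Steps 1 through 7 programmatically, as an added example that is not part of the original article: the function below audits protection records for the gaps the steps above are meant to close (resources never added for protection, missing health checks, no web ACL or rate-based rule, proactive engagement off). The sample records are constructed; field names follow the Shield `ListProtections` and `DescribeSubscription` API responses, while `WEB_ACL_RULES` and `INVENTORY` are hypothetical inputs you would build from your own account data.

```python
# Constructed sample data. Field names follow the Shield ListProtections and
# DescribeSubscription responses; ARNs and IDs are made-up placeholders.
SUBSCRIPTION = {"ProactiveEngagementStatus": "DISABLED"}
PROTECTIONS = [
    {"ResourceArn": "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDIST",
     "HealthCheckIds": ["example-health-check-id"],
     "ApplicationLayerAutomaticResponseConfiguration": {"Status": "ENABLED"}},
    {"ResourceArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:"
                    "loadbalancer/app/web/0123456789abcdef",
     "HealthCheckIds": []}]
# Hypothetical input: resource ARN -> rules of the web ACL associated with it.
WEB_ACL_RULES = {PROTECTIONS[0]["ResourceArn"]: [
    {"Name": "rate-limit", "Action": {"Block": {}},
     "Statement": {"RateBasedStatement": {"Limit": 2000, "AggregateKeyType": "IP"}}}]}
# Assumed inventory of resources that should be protected.
INVENTORY = [p["ResourceArn"] for p in PROTECTIONS] + [
    "arn:aws:globalaccelerator::111122223333:accelerator/example-accelerator"]

def is_layer7(arn):
    """CloudFront distributions and Application Load Balancers take a web ACL."""
    return arn.split(":")[2] == "cloudfront" or ":loadbalancer/app/" in arn

def audit(subscription, protections, web_acl_rules, inventory):
    """Return (resource, gap) pairs for setup steps that were skipped."""
    findings = []
    if subscription.get("ProactiveEngagementStatus") != "ENABLED":
        findings.append(("subscription", "proactive engagement not enabled"))
    protected = {p["ResourceArn"]: p for p in protections}
    for arn in inventory:
        p = protected.get(arn)
        if p is None:
            findings.append((arn, "not added as a protected resource"))
            continue
        if not p.get("HealthCheckIds"):
            findings.append((arn, "no Route 53 health check associated"))
        if not is_layer7(arn):
            continue
        rules = web_acl_rules.get(arn)
        if rules is None:
            findings.append((arn, "no web ACL associated"))
        elif not any("RateBasedStatement" in r["Statement"] for r in rules):
            findings.append((arn, "web ACL has no rate-based rule"))
        auto = p.get("ApplicationLayerAutomaticResponseConfiguration", {})
        if auto.get("Status") != "ENABLED":
            findings.append((arn, "automatic L7 mitigation not enabled (optional)"))
    return findings

if __name__ == "__main__":
    for resource, gap in audit(SUBSCRIPTION, PROTECTIONS, WEB_ACL_RULES, INVENTORY):
        print(f"{resource}: {gap}")
```

The check only looks at top-level rules of a web ACL, so a rate-based rule that lives inside a referenced rule group is not detected.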
