In this demo-driven session, you will learn how to enable standard protection for your applications within minutes in 5 simple steps. You will learn about how to enable AWS WAF, deploy best practice WAF rulesets, and finally, use Firewall Manager to consistently protect all applications across your organization.

1. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Shawn Marck, AWS Perimeter Protection
March, 2019
Getting Started
Protect your applications in under 30 minutes

2. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Five simple steps
AWS Shield Standard
Automatically protects all
AWS services against
common DDoS attacks
AWS Shield Advanced
Managed DDoS protection for
additional protection, visibility
and access to 24X7 DRT

3. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Five simple steps
1. Ensure all internet-facing resources are registered as
Protected Resources in AWS Shield Advanced.

4. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Five simple steps
Classic Load
Balancer
Amazon
Route 53
Application Load
Balancer
Amazon
CloudFront
Network Load
Balancer
Elastic IPAddress

5. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Five simple steps
1. Ensure all internet-facing resources are registered as
Protected Resources in AWS Shield Advanced.

6. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Five simple steps
1. Ensure all internet-facing resources are registered as
Protected Resources in AWS Shield Advanced.
2. Protect web applications with Amazon CloudFront and
Amazon Route 53.

7. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Five simple steps

8. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Five simple steps
1. Ensure all internet-facing resources are registered as
Protected Resources in AWS Shield Advanced.
2. Protect web applications with Amazon CloudFront and
Amazon Route 53.

9. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Five simple steps
1. Ensure all internet-facing resources are registered as
Protected Resources in AWS Shield Advanced.
2. Protect web applications with Amazon CloudFront and
Amazon Route 53.
3. Use AWS WAF and Rate-Based Rules to mitigate
application layer attacks.

10. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
DDoS Resilient Architecture
Amazon
Route 53
ALB Security Group
Amazon
EC2
Instances
Application
Load Balancer
Amazon
CloudFront
Public Subnet
Web Application
Security Group
Private Subnet
AWS WAF
Amazon
API Gateway
DDoS
Attack
Users

11. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Five simple steps
1. Ensure all internet-facing resources are registered as
Protected Resources in AWS Shield Advanced.
2. Protect web applications with Amazon CloudFront and
Amazon Route 53.
3. Use AWS WAF and Rate-Based Rules to mitigate
application layer attacks.
4. Monitor relevant CloudWatch metrics.

12. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
CloudWatch metrics

13. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Five simple steps
1. Ensure all internet-facing resources are registered as
Protected Resources in AWS Shield Advanced.
2. Protect web applications with Amazon CloudFront and
Amazon Route 53.
3. Use AWS WAF and Rate-Based Rules to mitigate
application layer attacks.
4. Monitor relevant CloudWatch metrics.

14. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Five simple steps
1. Ensure all internet-facing resources are registered as
Protected Resources in AWS Shield Advanced.
2. Protect web applications with Amazon CloudFront and
Amazon Route 53.
3. Use AWS WAF and Rate-Based Rules to mitigate
application layer attacks.
4. Monitor relevant CloudWatch metrics.
5. Prepare to engage with the AWS DDoS Response
Team (DRT).

15. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Simple Demo

16. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Additional Resources
Item link
AWS Shield – service page https://aws.amazon.com/shield/
Documentation https://aws.amazon.com/documentation/shield/
AWS Re:Invent 2017: Automating
DDoS Response in the Cloud
https://www.youtube.com/watch?v=6pQ3j4IcpY8
AWS Security Blog Tag: DDoS https://aws.amazon.com/blogs/security/tag/ddos/
AWS WAF – service page https://aws.amazon.com/waf/
AWS Firewall Manager – service page https://aws.amazon.com/firewall-manager/
AWS WAF partner for managed rules https://aws.amazon.com/mp/security/WAFManagedRules/

17. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank you!
https://aws.amazon.com/shield/