Health-based detection using health checks

You can configure Shield Advanced to use health-based detection for improved responsiveness and accuracy in attack detection and mitigation. You can use this option with any resource type except for Route 53 hosted zones.

To configure health-based detection, you define a health check for your resource in Route 53, verify that it's reporting healthy, and then associate it with your Shield Advanced protection. For information about Route 53 health checks, see How Amazon Route 53 checks the health of your resources and Creating, updating, and deleting health checks in the Amazon Route 53 Developer Guide.

Note

Health checks are required for Shield Response Team (SRT) proactive engagement support. For information about proactive engagement, see Configuring proactive engagement.

Health checks measure the health of your resources based on the requirements that you define. The health check status provides vital input to the Shield Advanced detection mechanisms, giving them greater sensitivity to the current state of your specific applications.

You can enable health-based detection for any resource type except for Route 53 hosted zones.

• Network and transport layer (layer 3/layer 4) resources – Health-based detection improves the accuracy of network-layer and transport-layer event detection and mitigation for Network Load Balancers, Elastic IP addresses, and Global Accelerator standard accelerators. When you protect these resource types with Shield Advanced, Shield Advanced can provide mitigations for smaller attacks and faster mitigation for attacks, even when traffic is within the application’s capacity.

  When you add health-based detection, during periods when the associated health check is unhealthy, Shield Advanced can place mitigations even more quickly and at even lower thresholds.

• Application layer (layer 7) resources – Health-based detection improves the accuracy of web request flood detection for CloudFront distributions and Application Load Balancers. When you protect these resource types with Shield Advanced, you receive web request flood detection alerts when there's a statistically significant deviation in traffic volume that's combined with significant changes in traffic patterns, based on request characteristics.

  With health-based detection, when the associated Route 53 health check is unhealthy, Shield Advanced requires smaller deviations to alert and it reports events more quickly. Conversely, when the associated Route 53 health check is healthy, Shield Advanced requires larger deviations to alert.

Contents

• Best practices for using health checks with Shield Advanced
• Metrics commonly used for health checks
  • Metrics used to monitor application health
  • Amazon CloudWatch metrics for each resource type
• Managing health check associations
  • Associating a health check with your resource
  • Disassociating a health check from your resource
  • The health check association status
• Health check examples
  • Amazon CloudFront distributions
  • Load balancers
  • Amazon EC2 elastic IP address (EIP)