AWS Shield Advanced metrics - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

AWS Shield Advanced metrics

Shield Advanced publishes Amazon CloudWatch detection, mitigation, and top contributor metrics for all resources that it protects. These metrics improve your ability to monitor your resources by making it possible to create and configure CloudWatch dashboards and alarms for them.

The Shield Advanced console presents summaries of many of the metrics that it records. For information, see Visibility into DDoS events.

If you enable automatic application layer DDoS mitigation for an application layer protection,

Metric reporting locations

Shield Advanced reports metrics in the US East (N. Virginia) Region, us-east-1 for the following:

For other resource types, Shield Advanced reports metrics in the resource's Region.

Timing of metric reporting

Shield Advanced reports metrics to Amazon CloudWatch on an AWS resource more frequently during DDoS events than while no events are underway. Shield Advanced reports metrics once a minute during an event, and then once right after the event ends.

While no events are underway, Shield Advanced reports metrics once a day, at a time assigned to the resource. This periodic report keeps the metrics active and available for use in custom CloudWatch alarms and dashboards.

Alarm recommendations

We recommend that you create alarms to notify you of circumstances that require attention. As a starting point, you could create an alarm for each protected resource that reports when the DDoSDetected detection metric is non-zero. A non-zero value in this metric doesn't necessarily imply that a DDoS attack is underway, but we recommend looking closer at the resource status when the metric is in this state.

For request floods, we recommend that you create alarms for composite checks that also consider factors such as application health and web request volume. You may choose to alarm on the other three detection metrics, which report the volume of traffic for the various attack vector dimensions. By considering the capacity of your application and alarming when traffic is approaching your application's limits, you can create a set of rules that notify you as needed, without too much unwanted noise.

Detection metrics

Shield Advanced provides the metrics and dimensions in the AWS/DDoSProtection namespace.

Detection metrics
Metric Description

DDoSDetected

Indicates whether a DDoS event is underway for a particular Amazon Resource Name (ARN).

This metric has a non-zero value during an event.

DDoSAttackBitsPerSecond

The number of bits observed during a DDoS event for a particular Amazon Resource Name (ARN). This metric is available only for network and transport layer (layer 3 and layer 4) DDoS events.

This metric has a non-zero value during an event.

Units: Bits

DDoSAttackPacketsPerSecond

The number of packets observed during a DDoS event for a particular Amazon Resource Name (ARN). This metric is available only for network and transport layer (layer 3 and layer 4) DDoS events.

This metric has a non-zero value during an event.

Units: Packets

DDoSAttackRequestsPerSecond

The number of requests observed during a DDoS event for a particular Amazon Resource Name (ARN). This metric is available only for application layer (layer 7) DDoS events, and it is reported only for the most significant layer 7 events.

This metric has a non-zero value during an event.

Units: Requests

Shield Advanced posts the DDoSDetected metric with no dimension other than ResourceArn. The remaining detection metrics also carry an AttackVector dimension whose value identifies the type of attack, from the following list:

  • ACKFlood

  • ChargenReflection

  • DNSReflection

  • GenericUDPReflection

  • MemcachedReflection

  • MSSQLReflection

  • NetBIOSReflection

  • NTPReflection

  • PortMapper

  • RequestFlood

  • RIPReflection

  • SNMPReflection

  • SSDPReflection

  • SYNFlood

  • UDPFragment

  • UDPTraffic

  • UDPReflection
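The alarm recommendations above (a per-resource alarm on a non-zero DDoSDetected, plus a composite check for request floods that also considers application health) map directly onto the detection metrics and dimensions in this section. The following Python is an added example, not code from this documentation page or from any AWS SDK: it builds the keyword arguments for boto3's cloudwatch.put_metric_alarm() and put_composite_alarm() and then evaluates the alarm logic locally against constructed datapoints, so it runs without AWS credentials. The resource ARN, SNS topic ARN, alarm names, capacity figure and datapoints are placeholders or constructed values; the 60-second period, the Sum and Maximum statistics, the three-period window and the notBreaching missing-data handling are my configuration choices, and the evaluator is a simplified model of CloudWatch's evaluation, not a reimplementation of it.

```python
"""Alarm definitions for Shield Advanced detection metrics plus a simplified
local evaluator. The dicts returned by build_* are keyword arguments for
boto3 cloudwatch.put_metric_alarm() / put_composite_alarm(); nothing here
talks to AWS. Added example, not part of the AWS documentation."""
from __future__ import annotations

import re

NAMESPACE = "AWS/DDoSProtection"

_OPERATORS = {
    "GreaterThanThreshold": lambda v, t: v > t,
    "GreaterThanOrEqualToThreshold": lambda v, t: v >= t,
    "LessThanThreshold": lambda v, t: v < t,
    "LessThanOrEqualToThreshold": lambda v, t: v <= t,
}


def build_ddos_detected_alarm(name: str, resource_arn: str, topic_arn: str) -> dict:
    """Alarm whenever DDoSDetected is non-zero for one protected resource.

    Shield Advanced reports this metric once a minute during an event and only
    once a day otherwise, so missing datapoints are treated as not breaching
    (my choice) instead of leaving the alarm in INSUFFICIENT_DATA between the
    daily reports."""
    return {
        "AlarmName": name,
        "Namespace": NAMESPACE,
        "MetricName": "DDoSDetected",
        "Dimensions": [{"Name": "ResourceArn", "Value": resource_arn}],
        "Statistic": "Sum",
        "Period": 60,
        "EvaluationPeriods": 1,
        "Threshold": 0,
        "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "notBreaching",
        "AlarmActions": [topic_arn],
    }


def build_request_flood_alarm(name: str, resource_arn: str, capacity_rps: int,
                              fraction: float, topic_arn: str) -> dict:
    """Alarm when the layer 7 RequestFlood rate approaches application capacity.

    capacity_rps is the operator's own estimate of what the application can
    absorb (assumed input); the alarm fires after three consecutive minutes at
    or above fraction * capacity_rps."""
    return {
        "AlarmName": name,
        "Namespace": NAMESPACE,
        "MetricName": "DDoSAttackRequestsPerSecond",
        "Dimensions": [
            {"Name": "ResourceArn", "Value": resource_arn},
            {"Name": "AttackVector", "Value": "RequestFlood"},
        ],
        "Statistic": "Maximum",
        "Period": 60,
        "EvaluationPeriods": 3,
        "Threshold": capacity_rps * fraction,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "TreatMissingData": "notBreaching",
        "AlarmActions": [topic_arn],
    }


def build_composite_alarm(name: str, member_alarm_names: list[str], topic_arn: str) -> dict:
    """Composite alarm that fires only when every member is in ALARM, e.g. the
    request flood alarm AND a separate application health alarm."""
    rule = " AND ".join(f'ALARM("{n}")' for n in member_alarm_names)
    return {"AlarmName": name, "AlarmRule": rule, "AlarmActions": [topic_arn]}


def evaluate_metric_alarm(alarm: dict, datapoints: list[float | None]) -> str:
    """Simplified CloudWatch semantics: the last EvaluationPeriods datapoints
    must all breach for ALARM. None models a missing datapoint and follows
    TreatMissingData ("notBreaching", "breaching" or "missing" = ignored)."""
    window = datapoints[-alarm["EvaluationPeriods"]:]
    if len(window) < alarm["EvaluationPeriods"]:
        return "INSUFFICIENT_DATA"
    missing = alarm.get("TreatMissingData", "missing")
    if all(v is None for v in window):
        return {"notBreaching": "OK", "breaching": "ALARM"}.get(missing, "INSUFFICIENT_DATA")
    breaches = _OPERATORS[alarm["ComparisonOperator"]]
    results = []
    for v in window:
        if v is None:
            if missing == "breaching":
                results.append(True)
            elif missing == "notBreaching":
                results.append(False)
        else:
            results.append(breaches(v, alarm["Threshold"]))
    return "ALARM" if results and all(results) else "OK"


def evaluate_composite_alarm(composite: dict, states: dict[str, str]) -> str:
    """Evaluate an AND-only AlarmRule against the current states of its members."""
    names = re.findall(r'ALARM\("([^"]+)"\)', composite["AlarmRule"])
    return "ALARM" if all(states.get(n) == "ALARM" for n in names) else "OK"


if __name__ == "__main__":
    # Placeholder ARNs and constructed datapoints, not real telemetry.
    arn = "arn:aws:example:us-east-1:123456789012:resource/placeholder"
    topic = "arn:aws:sns:us-east-1:123456789012:shield-alerts-placeholder"
    detected = build_ddos_detected_alarm("shield-detected-example", arn, topic)
    flood = build_request_flood_alarm("shield-flood-example", arn, 5000, 0.8, topic)
    combined = build_composite_alarm("shield-flood-and-unhealthy",
                                     [flood["AlarmName"], "app-health-example"], topic)
    print("DDoSDetected after daily zero then event:", evaluate_metric_alarm(detected, [0.0, None, 1.0]))
    print("RequestFlood at 78-90% of capacity:", evaluate_metric_alarm(flood, [3900, 4100, 4500]))
    print("RequestFlood sustained above 80%:", evaluate_metric_alarm(flood, [4200, 4500, 4800]))
    print("Composite, app healthy:", evaluate_composite_alarm(combined, {flood["AlarmName"]: "ALARM", "app-health-example": "OK"}))
```

The composite alarm is what keeps the request flood check from paging on every reported spike: the Shield Advanced rate alarm and the application health alarm (an assumed alarm name here; any CloudWatch alarm on your application's error rate or latency would do) both have to be in ALARM before the composite fires.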

Mitigation metrics

Shield Advanced provides metrics and dimensions in the AWS/DDoSProtection namespace.

Mitigation metrics
Metric Description

VolumePacketsPerSecond

The number of packets per second that were dropped or passed by a mitigation that was deployed in response to a detected event.

Units: packets

Mitigation dimensions
Dimension Description

ResourceArn

Amazon Resource Name (ARN)

MitigationAction

The outcome of an applied mitigation. Possible values are Pass or Drop.

Top contributors metrics

Shield Advanced provides metrics in the AWS/DDoSProtection namespace.

Top contributors metrics
Metric Description

VolumePacketsPerSecond

The number of packets per second for a top contributor.

Units: packets

VolumeBitsPerSecond

The number of bits per second for a top contributor.

Units: bits

Shield Advanced posts top contributors metrics by dimension combinations that characterize the event contributors. You can use any of the following combinations of dimensions for any of the top contributors metrics:

  • ResourceArn, Protocol

  • ResourceArn, Protocol, SourcePort

  • ResourceArn, Protocol, DestinationPort

  • ResourceArn, Protocol, SourceIp

  • ResourceArn, Protocol, SourceAsn

  • ResourceArn, TcpFlags

Top contributors dimensions
Dimension Description

ResourceArn

Amazon Resource Name (ARN).

Protocol

IP protocol name, either TCP or UDP.

SourcePort

Source TCP or UDP port.

DestinationPort

Destination TCP or UDP port.

SourceIp

Source IP address.

SourceAsn

Source autonomous system number (ASN).

TcpFlags

A combination of flags present in a TCP packet, separated by a dash (-). Monitored flags are ACK, FIN, RST, SYN. This dimension value always appears sorted alphabetically. For example, ACK-FIN-RST-SYN, ACK-SYN, and FIN-RST.
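Querying the top contributors metrics means asking for one of the six dimension combinations listed above, and filtering on TcpFlags means supplying the value in exactly the form Shield Advanced reports it (monitored flags only, alphabetically sorted, dash-separated). The following Python is an added example, not code from this documentation page or from any AWS SDK: it validates a dimension combination and builds the Dimensions list for a CloudWatch get_metric_data or list_metrics query, renders and parses TcpFlags values, and ranks constructed sample datapoints by peak value per contributor. The resource ARN is a placeholder, the datapoint records are constructed (in a shape you would assemble yourself from query results, not a CloudWatch response format), and the ASNs and addresses come from the documentation ranges (AS64496 onward, 203.0.113.0/24).

```python
"""Helpers for Shield Advanced top contributors metrics: dimension-set
validation, TcpFlags dimension formatting, and ranking of contributors.
Added example, not part of the AWS documentation."""
from __future__ import annotations

from collections import defaultdict

NAMESPACE = "AWS/DDoSProtection"
TOP_CONTRIBUTOR_METRICS = {"VolumePacketsPerSecond", "VolumeBitsPerSecond"}
MONITORED_TCP_FLAGS = ("ACK", "FIN", "RST", "SYN")
# The dimension combinations Shield Advanced publishes for top contributors.
DIMENSION_SETS = (
    ("ResourceArn", "Protocol"),
    ("ResourceArn", "Protocol", "SourcePort"),
    ("ResourceArn", "Protocol", "DestinationPort"),
    ("ResourceArn", "Protocol", "SourceIp"),
    ("ResourceArn", "Protocol", "SourceAsn"),
    ("ResourceArn", "TcpFlags"),
)


def tcp_flags_value(flags) -> str:
    """Render flags the way the TcpFlags dimension reports them: monitored
    flags only, alphabetically sorted, joined with a dash."""
    flags = set(flags)
    unknown = flags - set(MONITORED_TCP_FLAGS)
    if unknown or not flags:
        raise ValueError(f"unsupported TCP flags: {sorted(unknown) or 'empty'}")
    return "-".join(sorted(flags))


def parse_tcp_flags(value: str) -> frozenset[str]:
    """Inverse of tcp_flags_value; rejects anything not in the reported format
    (unsorted, duplicated or unmonitored flags)."""
    parts = value.split("-")
    if tcp_flags_value(parts) != value:
        raise ValueError(f"not a canonical TcpFlags value: {value!r}")
    return frozenset(parts)


def metric_dimensions(metric_name: str, **dims) -> list[dict]:
    """Dimensions list for a get_metric_data / list_metrics query, accepting
    only a combination Shield Advanced actually publishes."""
    if metric_name not in TOP_CONTRIBUTOR_METRICS:
        raise ValueError(f"not a top contributors metric: {metric_name}")
    for dim_set in DIMENSION_SETS:
        if set(dim_set) == set(dims):
            return [{"Name": n, "Value": str(dims[n])} for n in dim_set]
    raise ValueError(f"unsupported dimension combination: {sorted(dims)}")


def rank_contributors(datapoints: list[dict], metric_name: str,
                      dimension_set: tuple[str, ...], top_n: int = 3) -> list[tuple[dict, float]]:
    """Rank contributors by their peak value for one dimension combination.

    datapoints are {"metric", "dimensions", "value"} records; only records for
    metric_name whose dimension names match dimension_set are counted."""
    if metric_name not in TOP_CONTRIBUTOR_METRICS:
        raise ValueError(f"not a top contributors metric: {metric_name}")
    if dimension_set not in DIMENSION_SETS:
        raise ValueError(f"unsupported dimension combination: {dimension_set}")
    peak = defaultdict(float)
    for dp in datapoints:
        dims = dp["dimensions"]
        if dp["metric"] != metric_name or set(dims) != set(dimension_set):
            continue
        key = tuple(str(dims[n]) for n in dimension_set)
        peak[key] = max(peak[key], float(dp["value"]))
    ranked = sorted(peak.items(), key=lambda kv: kv[1], reverse=True)[:top_n]
    return [(dict(zip(dimension_set, key)), value) for key, value in ranked]


SAMPLE_ARN = "arn:aws:example:us-east-1:123456789012:resource/placeholder"  # placeholder
SAMPLE_DATAPOINTS = [  # constructed values, not real telemetry
    {"metric": "VolumeBitsPerSecond", "dimensions": {"ResourceArn": SAMPLE_ARN, "Protocol": "UDP", "SourceAsn": "64496"}, "value": 9.0e9},
    {"metric": "VolumeBitsPerSecond", "dimensions": {"ResourceArn": SAMPLE_ARN, "Protocol": "UDP", "SourceAsn": "64496"}, "value": 7.5e9},
    {"metric": "VolumeBitsPerSecond", "dimensions": {"ResourceArn": SAMPLE_ARN, "Protocol": "UDP", "SourceAsn": "64497"}, "value": 2.0e9},
    {"metric": "VolumeBitsPerSecond", "dimensions": {"ResourceArn": SAMPLE_ARN, "Protocol": "TCP", "SourceAsn": "64498"}, "value": 4.0e8},
    {"metric": "VolumeBitsPerSecond", "dimensions": {"ResourceArn": SAMPLE_ARN, "Protocol": "UDP", "SourceIp": "203.0.113.10"}, "value": 1.2e9},
    {"metric": "VolumePacketsPerSecond", "dimensions": {"ResourceArn": SAMPLE_ARN, "TcpFlags": "SYN"}, "value": 3.0e6},
    {"metric": "VolumePacketsPerSecond", "dimensions": {"ResourceArn": SAMPLE_ARN, "TcpFlags": "ACK-SYN"}, "value": 2.0e5},
]

if __name__ == "__main__":
    print(metric_dimensions("VolumePacketsPerSecond", ResourceArn=SAMPLE_ARN,
                            TcpFlags=tcp_flags_value({"SYN", "ACK"})))
    for dims, value in rank_contributors(SAMPLE_DATAPOINTS, "VolumeBitsPerSecond",
                                         ("ResourceArn", "Protocol", "SourceAsn")):
        print(dims["Protocol"], "AS" + dims["SourceAsn"], f"{value:.2e} bps")
    for dims, value in rank_contributors(SAMPLE_DATAPOINTS, "VolumePacketsPerSecond",
                                         ("ResourceArn", "TcpFlags")):
        print(dims["TcpFlags"], f"{value:.2e} pps")
```

Ranking by the SourceAsn combination first and only then drilling into SourceIp keeps the number of metric queries small, and rejecting a non-canonical TcpFlags value up front avoids a query that silently matches nothing because the flags were written in packet order (SYN-ACK) rather than the sorted form the dimension uses (ACK-SYN).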