Support - AWS Best Practices for DDoS Resiliency


It is important to create a response plan for DDoS attacks before an actual event. The best practices outlined in this paper are intended to be proactive measures that you implement before you launch an application, but DDoS attacks against your application might still occur. Review the options in this section to determine the support resources that are best suited for your scenario. Your account team can evaluate your use case and application, and assist with specific questions or challenges that you have.

If you’re running production workloads on AWS, consider subscribing to Business Support, which provides you with 24x7 access to Cloud Support Engineers who can assist with DDoS attack issues. If you’re running mission-critical workloads, consider Enterprise Support, which provides the ability to open critical cases and receive the fastest response from a Senior Cloud Support Engineer.

If you’re subscribed to AWS Shield Advanced and are also subscribed to either Business Support or Enterprise Support, you can escalate to the AWS DDoS Response Team (DRT) if you have a DDoS-related event that impacts your application’s availability. If your application’s responsiveness is degraded because of a DDoS attack, you can connect with a live AWS Support representative. Another option is to use the AWS Shield Engagement Lambda function to more quickly initiate contact with the DRT. For example, you can use an AWS IoT button to trigger the AWS Lambda function if you have an emergency situation. When you press the button, a case is automatically opened with AWS Support and DRT is notified immediately. You receive a direct reply for your case that includes an Amazon Chime conference bridge that you can join to interact with AWS Support and DRT. The AWS Shield Engagement Lambda can be used with any trigger supported by AWS Lambda.

To learn more about rapid DRT engagement by using an AWS Lambda function, see AWS Shield Engagement Lambda.

DRT does not typically have access to your AWS account or AWS WAF Sampled Requests. You can authorize DRT to access AWS WAF, AWS Shield, and related API operations on your account from the AWS Shield console or API. For example, you may want to allow DRT to view your Sampled Requests or place rules to assist with the mitigation of an application layer DDoS attack. You can also authorize DRT to access Amazon S3 buckets that you specify. For example, you may have a bucket where you store web request logs and would like DRT to have access to them for analysis during an attack. DRT will only access your account or make changes during an escalated event, and any changes will be subject to your consent. To learn more about granting limited account access to DRT, see Authorize the DDoS Response Team.
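The following script is an added example, not part of the whitepaper, showing how the DRT authorization described above is done with the AWS CLI rather than the console: an IAM role whose trust policy names only the DRT service principal, the AWS-managed `AWSShieldDRTAccessPolicy` attached to it, and the role and a log bucket associated with Shield Advanced. The role name, bucket name, and the account id `123456789012` are placeholders, and `DRY_RUN=1` prints the commands instead of executing them so the script can be reviewed before it touches an account. The `trust_policy_is_scoped` check is an assumption about what a reviewer would want to enforce (no `"*"` or account-wide principals), not an AWS requirement; bucket-side permissions are not shown.

```shell
#!/bin/sh
# Added example: granting the AWS DDoS Response Team (DRT) scoped access via
# the AWS CLI. Role name, bucket name and account id are placeholders.
# DRY_RUN=1 prints the aws commands instead of running them.

DRT_ROLE_NAME="${DRT_ROLE_NAME:-ShieldDRTAccessRole}"        # placeholder
DRT_LOG_BUCKET="${DRT_LOG_BUCKET:-example-waf-logs-bucket}"  # placeholder
DRY_RUN="${DRY_RUN:-0}"

# Trust policy: only the DRT service principal may assume the role.
drt_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "drt.shield.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Reviewer check (assumption): reject trust policies that would let anything
# other than the DRT service principal assume the role.
trust_policy_is_scoped() {
  policy="$1"
  printf '%s' "$policy" | grep -q '"drt.shield.amazonaws.com"' || return 1
  printf '%s' "$policy" | grep -q '"Principal": *"\*"' && return 1
  printf '%s' "$policy" | grep -q '"AWS"' && return 1
  return 0
}

# Run a command, or only echo it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '[dry-run] %s\n' "$*"
  else
    "$@"
  fi
}

authorize_drt() {
  trust="$(drt_trust_policy)"
  trust_policy_is_scoped "$trust" || { echo "refusing over-broad trust policy" >&2; return 1; }
  run aws iam create-role --role-name "$DRT_ROLE_NAME" \
      --assume-role-policy-document "$trust"
  # AWS-managed policy carrying the Shield/WAF permissions DRT needs.
  run aws iam attach-role-policy --role-name "$DRT_ROLE_NAME" \
      --policy-arn arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy
  # Account id is a placeholder; `aws sts get-caller-identity` gives the real one.
  run aws shield associate-drt-role \
      --role-arn "arn:aws:iam::123456789012:role/$DRT_ROLE_NAME"
  # Let DRT read the web request logs stored in the named bucket.
  run aws shield associate-drt-log-bucket --log-bucket "$DRT_LOG_BUCKET"
}

# Revoke the access again once the event is closed.
revoke_drt() {
  run aws shield disassociate-drt-log-bucket --log-bucket "$DRT_LOG_BUCKET"
  run aws shield disassociate-drt-role
}
```

Run `DRY_RUN=1 sh -c '. ./drt.sh; authorize_drt'` to see the exact calls before granting anything, and keep `revoke_drt` alongside it so that the access granted for one escalation does not outlive the event.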

In some cases, DRT may learn about a DDoS attack and engage you proactively. If there are specific points of contact who should be engaged during DRT-driven escalation, you can add them in the AWS Shield console by accessing the Additional contacts section and selecting Summary followed by Edit.