Resilience and availability - Secure Content Delivery with Amazon CloudFront

Resilience and availability

Several forms of Distributed Denial-of-Service (DDoS) mitigation are included automatically with AWS services. All AWS customers benefit from the automatic protections of AWS Shield Standard at no additional charge. AWS Shield Standard defends against the most common, frequently occurring network and transport layer (Layer 3 and Layer 4) DDoS attacks that target your website or applications. DDoS attacks are detected by a system that automatically baselines traffic, identifies anomalies, and, as necessary, implements mitigations. Use AWS Shield Standard as part of a DDoS-resilient architecture to protect both web and non-web applications. For more information about how to architect for DDoS resiliency, see the AWS Best Practices for DDoS Resiliency whitepaper.

Using services like CloudFront, which are part of the Amazon Global Edge Network, can further improve the DDoS resilience of your application by applying Shield Standard DDoS protection inline when you serve web application traffic from edge locations distributed around the world. The scale of the Amazon Global Edge Network spans hundreds of PoPs, across dozens of cities and countries, adding new PoPs frequently. This scale offers resiliency and global presence, and provides protection against localized availability problems.

The benefits of using CloudFront include:

  • AWS Shield DDoS mitigation systems that are directly integrated with AWS edge services, reducing time-to-mitigate from minutes to sub-seconds.

  • Stateless SYN flood mitigation techniques that proxy and verify incoming connections before passing them to the protected service.

  • Automatic traffic engineering systems that can disperse or isolate the impact of large volumetric DDoS attacks.

  • Application layer defense, when combined with AWS Web Application Firewall (AWS WAF), that does not require changing your current application architecture (for example, in an AWS Region or on-premises datacenter).

  • CloudFront enables you to cache static content and serve it from AWS edge locations, which can help reduce the load on your origin server. It can also help reduce server load by preventing non-web traffic from reaching your origin server.

  • CloudFront can automatically close connections from slow reading or slow writing attackers (for example, a Slowloris attack).

  • Protection from HTTP desync attacks, by integration with HTTP Desync Guardian.

  • Built-in application layer (L7) attack mitigations.

  • There is no charge for data transfer out from AWS services to CloudFront.
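Two of the benefits above depend on how a distribution is configured: application-layer defense needs an AWS WAF web ACL attached, and origin offload needs caching actually enabled. The following audit is an added example, not code from the whitepaper; it assumes the JSON shape that `aws cloudfront get-distribution-config` returns, the AWS managed CachingDisabled cache policy ID, and a constructed sample distribution.

```python
"""Audit a CloudFront DistributionConfig for the resilience settings described
on this page: a WAF web ACL attached (L7 defense) and caching enabled so that
requests are served from the edge instead of the origin.

Input follows the JSON returned by `aws cloudfront get-distribution-config`.
The sample at the bottom is constructed; the managed policy ID is assumed."""

# AWS managed "CachingDisabled" cache policy ID (assumed value).
CACHING_DISABLED_POLICY_ID = "4135ea2d-6df8-44a3-9df3-4b5a84be39ad"


def behaviour_caches(behaviour: dict) -> bool:
    """True if a cache behaviour will actually store responses at the edge."""
    policy = behaviour.get("CachePolicyId")
    if policy:
        return policy != CACHING_DISABLED_POLICY_ID
    # Legacy TTL settings: caching is effectively off when both TTLs are zero.
    return behaviour.get("DefaultTTL", 0) > 0 or behaviour.get("MaxTTL", 0) > 0


def audit_distribution(config: dict) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not config.get("Enabled", False):
        findings.append("distribution is disabled: traffic bypasses the edge entirely")
    if not config.get("WebACLId"):
        findings.append("no AWS WAF web ACL attached: no application-layer (L7) rules")
    if not behaviour_caches(config.get("DefaultCacheBehavior", {})):
        findings.append("default behaviour does not cache: every request reaches the origin")
    for b in config.get("CacheBehaviors", {}).get("Items", []):
        if not behaviour_caches(b):
            findings.append(f"behaviour {b.get('PathPattern')!r} does not cache")
    return findings


# Constructed sample: WAF attached, static path cached, but the default
# behaviour uses the CachingDisabled policy, so dynamic requests hit the origin.
SAMPLE_CONFIG = {
    "Enabled": True,
    "WebACLId": "arn:aws:wafv2:us-east-1:123456789012:global/webacl/example/EXAMPLEID",
    "DefaultCacheBehavior": {"CachePolicyId": CACHING_DISABLED_POLICY_ID},
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "/static/*", "DefaultTTL": 86400, "MaxTTL": 31536000}]},
}

if __name__ == "__main__":
    for finding in audit_distribution(SAMPLE_CONFIG):
        print("FINDING:", finding)
```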