


# Visibility into DDoS events with Shield Advanced
<a name="ddos-viewing-events"></a>

AWS Shield provides visibility into the following categories of events and event activities: 
+ **Global** – All customers can access an aggregated view of global threat activity over the last two weeks. You can see this information under the **Getting Started** and **Global threat dashboard** pages of the AWS Shield console. For more information, see [Viewing AWS Shield global and account activity](ddos-standard-event-visibility.md).
+ **Account** – All customers can access a summary of the events for their account over the prior year. You can see this information under the **Getting Started** page of the AWS Shield console. For more information, see [Viewing AWS Shield global and account activity](ddos-standard-event-visibility.md).

When you subscribe to Shield Advanced and add protections to your resources, you gain access to additional information about the events and DDoS attacks on the protected resources:
+ **Events on protected resources** – Shield Advanced provides detailed information for each event through the **Events** page of the AWS Shield console. For more information, see [Viewing AWS Shield Advanced events](ddos-events.md).
+ **Event metrics for protected resources** – Shield Advanced publishes detection, mitigation, and top contributor Amazon CloudWatch metrics for all resources that it protects. You can use these metrics to configure CloudWatch dashboards and alarms. For more information, see [AWS Shield Advanced metrics](shield-metrics.md).
+ **Cross-account event visibility for protected resources** – If you use AWS Firewall Manager to manage your Shield Advanced protections, you can enable visibility into protections across multiple accounts by using Firewall Manager combined with AWS Security Hub CSPM. For more information, see [Viewing Shield Advanced events across multiple AWS accounts with AWS Firewall Manager and AWS Security Hub CSPM](ddos-viewing-multiple-accounts.md).

If you enable automatic application layer DDoS mitigation for an application layer protection, Shield Advanced adds a rule group to your protection pack (web ACL) that it uses to manage automated protections. This rule group generates AWS WAF metrics, but they are not available to view. This is the same as for any other rule groups that you use in your protection pack (web ACL) but do not own, such as AWS Managed Rules rule groups. For more information about AWS WAF metrics, see [AWS WAF metrics and dimensions](waf-metrics.md). For information about this Shield Advanced protection option, see [Automating application layer DDoS mitigation with Shield Advanced](ddos-automatic-app-layer-response.md). 

**Topics**
+ [Viewing AWS Shield global and account activity](ddos-standard-event-visibility.md)
+ [Viewing AWS Shield Advanced events](ddos-events.md)
+ [Viewing Shield Advanced events across multiple AWS accounts with AWS Firewall Manager and AWS Security Hub CSPM](ddos-viewing-multiple-accounts.md)

# Viewing AWS Shield global and account activity
<a name="ddos-standard-event-visibility"></a>

This page provides instructions for accessing an aggregated view of global threat activity and a per-account event summary in the AWS Shield console **Getting Started** and **Global threat dashboard** pages. 

The following screenshot shows an example **Getting Started** page. 

![\[The AWS Shield console shows the Getting started page, containing the global threat and account event summary panes.\]](http://docs.aws.amazon.com/waf/latest/developerguide/images/shield-console-global-account.png)


**To access the AWS Shield console**
+ Sign in to the AWS Management Console and open the AWS WAF & Shield console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

You don't need a subscription to Shield Advanced to access global activity and account event summary information. 

**Global activity**  
This information is available through the AWS Shield console **Global threat dashboard** and **Getting Started** pages. The following screenshot shows an example of the global activity pane. 

![\[An AWS Shield console pane titled Global activity detected by Shield shows a world map superimposed by heatmap markings for areas where global threats have been detected in the last two weeks.\]](http://docs.aws.amazon.com/waf/latest/developerguide/images/shield-console-global-activity.png)


Global activity describes DDoS events observed across all AWS customers. Once per hour, AWS updates the information for the prior two weeks. In the console pane, you can see the results, partitioned by AWS Region and displayed on a world heat map. Next to the map, Shield displays summary information such as the largest packet attack, largest bit rate, most common vector, total number of attacks, and threat level. The threat level is an assessment of the current global activity compared to what AWS typically observes. The default threat level value is **Normal**. AWS automatically updates the value to **High** for elevated DDoS activity. 

The **Global threat dashboard** also provides time-series metrics and gives you the ability to change between time durations. To view the history of significant DDoS attacks, you can customize the dashboard for views from the last day to the last two weeks. Time-series metrics provide a view of the largest bit rate, packet rate, or request rate for all events detected by AWS Shield for applications running on AWS during the time window that you select. 

**Account activity**  
This information is available in the AWS Shield console **Getting Started** page. 

The following screenshot shows an example account activity pane. 

![\[An AWS Shield console pane titled Account activity detected by Shield lists a summary of events for the past year, with information like the total number of events and the largest packet rate and request rate.\]](http://docs.aws.amazon.com/waf/latest/developerguide/images/shield-console-account-activity.png)


Account activity describes DDoS events that Shield detected for your resources that are eligible for protection by Shield Advanced. Each day, Shield creates summary metrics for the year ending at 00:00 UTC the prior day, and then displays total events, largest bit rate, largest packet rate, and largest request rate. 
+ The total events metric reflects every time that Shield observed suspicious attributes in traffic that was destined to your application. Suspicious attributes can include traffic that is at a higher than normal volume, traffic that does not match your application’s historical profile, or traffic that does not match heuristics that are defined by Shield for valid application traffic. 
+ Largest bit rate and largest packet rate statistics are available for every resource. 
+ The largest request rate statistic is available only for Amazon CloudFront distributions and Application Load Balancers that have an associated AWS WAF web ACL.

**Note**  
You can also access the account level event summary through the AWS Shield API operation [DescribeAttackStatistics](https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_DescribeAttackStatistics.html).

# Viewing AWS Shield Advanced events
<a name="ddos-events"></a>

This page provides instructions for accessing information about events in Shield Advanced.

When you subscribe to Shield Advanced, and protect your resources, you gain access to additional visibility features for the resources. These include near real-time notification of events that are detected by Shield Advanced and additional information about detected events and mitigations. 

**Note**  
Your event information in the Shield Advanced console is based on Shield Advanced metrics. For information about Shield Advanced metrics, see [AWS Shield Advanced metrics](shield-metrics.md).

AWS Shield evaluates traffic to your protected resource along multiple dimensions. When an anomaly is detected, Shield Advanced creates a separate event for each resource that's affected. 

You can access event summaries and details through the **Events** page of the Shield console. The top level **Events** page provides an overview of current and past events. 

The following screenshot shows an example **Events** page with a single ongoing event. This active event is also flagged in the left navigation pane. 

![\[The AWS Shield console left navigation pane has the Events selection highlighted in red, with a numeral 1 beside it, inside a red circle. The Events page is open, and shows a single row in the events list. The row lists an AWS resource of type CloudFront distribution. The Current status field contains a triangular red icon next to the words Mitigation in progress. The Attack vectors status field contains UDP traffic. The Start time field contains Sep 16th 2020, 2:43:00 pm SAST. The Duration field contains 6 minutes.\]](http://docs.aws.amazon.com/waf/latest/developerguide/images/shield-console-event-summary1.png)


Shield Advanced might also automatically place mitigations against attacks, depending on the traffic type and on your configured protections. These mitigations can protect your resource from receiving excess traffic or traffic that matches a known DDoS attack signature.

The following screenshot shows an example **Events** listing where all events have been mitigated by Shield Advanced or have subsided on their own. 

![\[An AWS Shield console page titled Events lists events that have been detected recently and their current status.\]](http://docs.aws.amazon.com/waf/latest/developerguide/images/shield-console-events.png)


**Protect your resources before an event**  
Improve the accuracy of event detection by protecting resources with Shield Advanced while they are receiving the normal expected traffic, before they are subject to a DDoS attack.

In order to accurately report events for a protected resource, Shield Advanced must first establish a baseline of expected traffic patterns for it.
+ Shield Advanced reports infrastructure layer events for resources after they've been protected for at least 15 minutes.
+ Shield Advanced reports web application layer events for resources after they've been protected for at least 24 hours. The accuracy of detection for application layer events is best after Shield Advanced has observed expected traffic for 30 days. 

**To access events information in the AWS Shield console**

1. Sign in to the AWS Management Console and open the AWS WAF & Shield console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

1. In the AWS Shield navigation pane, choose **Events**. The console shows the **Events** page. 

1. From the **Events** page, you can select any event in the list to see additional summary information and details for the event. 

**Topics**
+ [List of fields in AWS Shield Advanced event summaries](ddos-event-summaries.md)
+ [Viewing AWS Shield Advanced event details](ddos-event-details.md)

# List of fields in AWS Shield Advanced event summaries
<a name="ddos-event-summaries"></a>

This page lists and defines the fields in Shield Advanced event summaries.

You can view summary and detail information for an event in the event's console page. To open the page for an event, select its AWS resource name from the **Events** page list. 

The following screenshot shows an example event summary for a network layer event. 

![\[The summary pane of the AWS Shield console event page lists information for an event and includes the affected AWS resource, attack vectors, start and end times, and mitigation and status information.\]](http://docs.aws.amazon.com/waf/latest/developerguide/images/shield-console-event-summary2.png)


The event page summary information includes the following. 
+ **Current status** – Values that indicate the state of the event and the actions that Shield Advanced has taken on the event. Status values apply to infrastructure layer (layer 3 or 4) and application layer (layer 7) events. 
  + **Identified (ongoing)** and **Identified (subsided)** – These indicate that Shield Advanced detected an event, but has taken no action on it so far. **Identified (subsided)** indicates that the suspicious traffic that Shield detected has stopped without intervention. 
  + **Mitigation in progress** and **Mitigated** – These indicate that Shield Advanced detected an event and has taken action on it. **Mitigated** is also used when the targeted resource is an Amazon CloudFront distribution or Amazon Route 53 hosted zone, which have their own automatic inline mitigations.
+ **Attack vectors** – DDoS attack vectors like TCP SYN floods and Shield Advanced detection heuristics like request flood. These can be indicators of a DDoS attack. 
+ **Start time** – The date and time that the first anomalous traffic data point was detected. 
+ **Duration or end time** – The time elapsed between the event start time and the last anomalous data point that Shield Advanced observed. While an event is ongoing, these values continue to increase.
+ **Protection** – Names the Shield Advanced protection that's associated with the resource, and provides a link to its protection page. This is available in the individual event's page.
+ **Automatic application layer DDoS mitigation** – Used for application layer protections, to indicate whether the Shield Advanced automatic application layer DDoS mitigation is enabled for the resource. If it is enabled, this provides a link to access and manage the configuration. This is available in the individual event's page.
+ **Network layer automatic mitigation** – Indicates whether the resource has automatic mitigation at the network layer. If a resource has a network layer component, it will have this enabled. This information is available in the individual event's page.

For resources that are frequently targeted, Shield may leave mitigations in place after excess traffic has subsided, to prevent further recurring events. 

**Note**  
You can also access event summaries for protected resources through the AWS Shield API operation [ListAttacks](https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_ListAttacks.html).
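The account summary (DescribeAttackStatistics, noted in the previous section) and the per-event summaries (ListAttacks, noted above) are both available through the Shield API. The following Python helper is added here as an example and is not AWS code or part of the Shield service; its sample responses are constructed to match the documented response shapes, and `fetch_live` (a hypothetical name) is the only part that needs boto3, credentials and network access.

```python
# Shield API summaries for the Getting Started and Events views. Added for this
# page, not AWS code; the sample responses below are constructed.
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
NOW = datetime(2020, 9, 16, 14, 49, tzinfo=UTC)  # fixed clock for the samples

# Constructed sample in the shape of a DescribeAttackStatistics response.
SAMPLE_STATS = {
    "TimeRange": {"FromInclusive": NOW - timedelta(days=365), "ToExclusive": NOW},
    "DataItems": [
        {"AttackCount": 7, "AttackVolume": {"BitsPerSecond": {"Max": 1.2e9},
                                            "PacketsPerSecond": {"Max": 5.0e5},
                                            "RequestsPerSecond": {"Max": 3.0e4}}},
        # No RequestsPerSecond: request rate exists only for CloudFront/ALB with a web ACL.
        {"AttackCount": 2, "AttackVolume": {"BitsPerSecond": {"Max": 4.0e8},
                                            "PacketsPerSecond": {"Max": 8.0e5}}},
    ],
}

# Constructed sample in the shape of ListAttacks AttackSummaries (example ARNs).
SAMPLE_ATTACKS = [
    {"AttackId": "attack-1",
     "ResourceArn": "arn:aws:ec2:us-east-1:111122223333:eip-allocation/eipalloc-EXAMPLE",
     "StartTime": datetime(2020, 9, 16, 12, 43, tzinfo=UTC),
     "EndTime": datetime(2020, 9, 16, 13, 10, tzinfo=UTC),
     "AttackVectors": [{"VectorType": "UDP_TRAFFIC"}, {"VectorType": "SYN_FLOOD"}]},
    {"AttackId": "attack-2",  # no EndTime yet: the event is still ongoing
     "ResourceArn": "arn:aws:cloudfront::111122223333:distribution/EXAMPLE",
     "StartTime": datetime(2020, 9, 16, 14, 43, tzinfo=UTC),
     "AttackVectors": [{"VectorType": "REQUEST_FLOOD"}]},
]


def summarize_account_activity(stats):
    """Reduce DescribeAttackStatistics output to the four account activity metrics."""
    total, bits, packets, requests = 0, 0.0, 0.0, None
    for item in stats.get("DataItems", []):
        total += item.get("AttackCount", 0)
        vol = item.get("AttackVolume", {})
        bits = max(bits, vol.get("BitsPerSecond", {}).get("Max", 0.0))
        packets = max(packets, vol.get("PacketsPerSecond", {}).get("Max", 0.0))
        if "RequestsPerSecond" in vol:  # stays None when no resource reports it
            requests = max(requests or 0.0, vol["RequestsPerSecond"].get("Max", 0.0))
    return {"total_events": total, "largest_bit_rate": bits,
            "largest_packet_rate": packets, "largest_request_rate": requests}


def summarize_events(attack_summaries, now=None):
    """Turn ListAttacks summaries into rows like the console Events list."""
    # An entry without EndTime is ongoing; its duration keeps growing with `now`.
    now = now or datetime.now(UTC)
    rows = []
    for a in attack_summaries:
        ongoing = "EndTime" not in a
        end = now if ongoing else a["EndTime"]
        rows.append({
            "attack_id": a["AttackId"],
            "resource": a["ResourceArn"],
            "vectors": [v["VectorType"] for v in a.get("AttackVectors", [])],
            "start": a["StartTime"],
            "ongoing": ongoing,
            "duration_minutes": int((end - a["StartTime"]).total_seconds() // 60),
        })
    # Ongoing events first, then newest first, as in the console listing.
    rows.sort(key=lambda r: (not r["ongoing"], -r["start"].timestamp()))
    return rows


def fetch_live(days=30):
    """Optional live query; needs boto3, credentials and shield:Describe*/List* rights."""
    import boto3  # imported here so the module loads without boto3 installed
    shield = boto3.client("shield", region_name="us-east-1")  # Shield endpoint is in us-east-1
    now = datetime.now(UTC)
    window = {"FromInclusive": now - timedelta(days=days), "ToExclusive": now}
    attacks, token = [], None
    while True:  # ListAttacks is paginated with NextToken
        kwargs = {"StartTime": window, "MaxResults": 100}
        if token:
            kwargs["NextToken"] = token
        page = shield.list_attacks(**kwargs)
        attacks.extend(page.get("AttackSummaries", []))
        token = page.get("NextToken")
        if not token:
            return (summarize_account_activity(shield.describe_attack_statistics()),
                    summarize_events(attacks, now))
```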

# Viewing AWS Shield Advanced event details
<a name="ddos-event-details"></a>

You can see details about an event's detection, mitigation, and top contributors in the bottom section of the console page for the event. This section can include a mix of legitimate and potentially unwanted traffic, and may represent both traffic that was passed to your protected resource and traffic that was blocked by Shield mitigations.
+ **Detection and mitigation** – Provides information about the observed event and any applied mitigations against it. For information about event mitigation, see [Responding to DDoS events in AWS](ddos-responding.md).
+ **Top contributors** – Categorizes the traffic that's involved in the event, and lists the primary sources of traffic that Shield has identified for each category. For application layer events, use the top contributors information to get a general idea of the nature of an event, but use the AWS WAF logs for your security decisions. For more information, see the sections that follow.

Your event information in the Shield Advanced console is based on Shield Advanced metrics. For information about Shield Advanced metrics, see [AWS Shield Advanced metrics](shield-metrics.md).

Mitigation metrics aren't included for Amazon CloudFront or Amazon Route 53 resources, because these services are protected by a mitigation system that's always enabled and doesn't require mitigations for individual resources. 

The details sections vary according to whether the information is for an infrastructure layer or application layer event. 

**Topics**
+ [Viewing application layer (layer 7) event details in Shield Advanced](ddos-event-details-application-layer.md)
+ [Viewing infrastructure layer (layer 3 or 4) event details in Shield Advanced](ddos-event-details-infrastructure-layer.md)

# Viewing application layer (layer 7) event details in Shield Advanced
<a name="ddos-event-details-application-layer"></a>

You can see details about an application layer event's detection, mitigation, and top contributors in the bottom section of the console page for the event. This section can include a mix of legitimate and potentially unwanted traffic, and may represent both traffic that was passed to your protected resource and traffic that was blocked by Shield Advanced mitigations. 

The mitigation details are for any rules in the web ACL that's associated with the resource, including rules that are deployed specifically in response to an attack and rate-based rules that are defined in the web ACL. If you enable automatic application layer DDoS mitigation for an application, the mitigation metrics include metrics for those additional rules. For information about these application layer protections, see [Protecting the application layer (layer 7) with AWS Shield Advanced and AWS WAF](ddos-app-layer-protections.md).

## Detection and mitigation
<a name="ddos-event-details-application-layer-detection-mitigation"></a>

For an application layer (layer 7) event, the **Detection and mitigation** tab shows detection metrics that are based on information obtained from the AWS WAF logs. Mitigation metrics are based on AWS WAF rules in the associated web ACL that are configured to block the unwanted traffic. 

For Amazon CloudFront distributions, you can configure Shield Advanced to apply automatic mitigations for you. With any application layer resources, you can choose to define your own mitigating rules in your web ACL and you can request help from the Shield Response Team (SRT). For information about these options, see [Responding to DDoS events in AWS](ddos-responding.md).

The following screenshot shows an example of the detection metrics for an application layer event that subsided after a number of hours. 

![\[A detection metrics graph shows detection of request flood traffic from 11:30 until it subsides at 16:00.\]](http://docs.aws.amazon.com/waf/latest/developerguide/images/shield-app-detection-metrics.png)


Event traffic that subsides before a mitigating rule takes effect isn't represented in mitigation metrics. This can result in a difference between the web request traffic shown in the detection graphs and the allow and block metrics shown in the mitigation graphs. 

## Top contributors
<a name="ddos-event-details-application-layer-top-contributors"></a>

The **Top contributors** tab for application layer events displays the top 5 contributors that Shield has identified for the event, based on the AWS WAF logs that it has retrieved. Shield categorizes the top contributors information by dimensions such as source IP, source country, and destination URL.

**Note**  
For the most accurate information about the traffic that's contributing to an application layer event, use the AWS WAF logs. 

Use the Shield application layer top contributors information only to get a general idea of the nature of an attack, and do not base your security decisions on it. For application layer events, the AWS WAF logs are the best source of information for understanding the contributors to an attack and for devising your mitigation strategies. 

The Shield top contributors information doesn't always completely reflect the data in the AWS WAF logs. When it ingests the logs, Shield prioritizes reducing the impact to system performance over retrieving the complete set of data from the logs. This can result in a loss of granularity in the data that's available to Shield for analysis. In most cases, the majority of the information is available, but it's possible for the top contributor data to be skewed to some degree for any attack. 

The following screenshot shows an example **Top contributors** tab for an application layer event. 

![\[The top contributors tab for an application layer event describes the top 5 contributors for a number of web request characteristics. The screen shows the top 5 source IP addresses, top 5 destination URLs, top 5 source countries, and top 5 user agents.\]](http://docs.aws.amazon.com/waf/latest/developerguide/images/shield-app-event-top-contributors.png)


Contributor information is based on requests for both legitimate and potentially unwanted traffic. Larger volume events and events where the request sources aren't highly distributed are more likely to have identifiable top contributors. A significantly distributed attack could have any number of sources, making it hard to identify top contributors to the attack. If Shield Advanced doesn't identify significant contributors for a specific category, it displays the data as unavailable. 

# Viewing infrastructure layer (layer 3 or 4) event details in Shield Advanced
<a name="ddos-event-details-infrastructure-layer"></a>

You can see details about an infrastructure layer event's detection, mitigation, and top contributors in the bottom section of the console page for the event. This section can include a mix of legitimate and potentially unwanted traffic, and may represent both traffic that was passed to your protected resource and traffic that was blocked by Shield mitigations. 

## Detection and mitigation
<a name="ddos-event-details-infrastructure-layer-detection-mitigation"></a>

For an infrastructure layer (layer 3 or 4) event, the **Detection and mitigation** tab shows detection metrics that are based on sampled network flows and mitigation metrics that are based on traffic observed by the mitigation systems. Mitigation metrics are a more precise measurement of the traffic into your resource. 

Shield automatically creates a mitigation for the protected resource types Elastic IP (EIP), Classic Load Balancer (CLB), Application Load Balancer (ALB), and AWS Global Accelerator standard accelerator. Mitigation metrics for EIP addresses and AWS Global Accelerator standard accelerators indicate the number of passed and dropped packets. 

The following screenshot shows an example **Detection and mitigation** tab for an infrastructure layer event. 

![\[The detection and mitigation graphs for a network event show increasing SYN flood and packet flood traffic in the detection metrics, matched by an increase in mitigations that drop traffic a few seconds later, in the mitigation metrics. After about thirty seconds of increased mitigations, the traffic floods stop.\]](http://docs.aws.amazon.com/waf/latest/developerguide/images/shield-network-event-detection-mitigation.png)


Event traffic that subsides before Shield places a mitigation isn't represented in the mitigation metrics. This can result in a difference between the traffic shown in the detection graphs and the pass and drop metrics shown in the mitigation graphs. 

## Top contributors
<a name="ddos-event-details-infrastructure-layer-top-contributors"></a>

The **Top contributors** tab for infrastructure layer events lists metrics for up to 100 top contributors on several traffic dimensions. The details include network layer properties for any dimension where at least five significant sources of traffic could be identified. Examples of sources of traffic are source IP and source ASN. 

The following screenshot shows an example **Top contributors** tab for an infrastructure layer event. 

![\[The top contributors tab for a network event shows the categories of traffic that contributed the most to the event. The categories in this case include volume by protocol, volume by protocol and destination port, volume by protocol and source ASN, and volume by TCP flags.\]](http://docs.aws.amazon.com/waf/latest/developerguide/images/shield-network-event-top-contributors.png)


Contributor metrics are based on sampled network flows for both legitimate and potentially unwanted traffic. Larger volume events and events where the traffic sources aren't highly distributed are more likely to have identifiable top contributors. A significantly distributed attack could have any number of sources, making it hard to identify top contributors to the attack. If Shield doesn't identify any significant contributors for a specific metric or category, it displays the data as unavailable. 

In an infrastructure layer DDoS attack, traffic sources might be spoofed or reflected. A spoofed source is intentionally forged by the attacker. A reflected source is the real source of detected traffic, but it's not a willing participant in the attack. For example, an attacker might generate a large, amplified flood of traffic to a target by reflecting the attack off of services on the internet that are usually legitimate. In this case, the source information might be valid while it's not the actual source of the attack. These factors can limit the viability of mitigation techniques that block sources based on packet headers.

# Viewing Shield Advanced events across multiple AWS accounts with AWS Firewall Manager and AWS Security Hub CSPM
<a name="ddos-viewing-multiple-accounts"></a>

You can use AWS Firewall Manager and AWS Security Hub CSPM to manage and monitor AWS Shield Advanced protected resources across multiple accounts. 

With Firewall Manager, you can create a Shield Advanced security policy that reports and enforces DDoS protection compliance across all of your accounts. Firewall Manager monitors your protected resources, including adding protections to new resources that come into scope of the Shield Advanced policy. 

You can integrate Firewall Manager with AWS Security Hub CSPM to get a single dashboard that reports DDoS events that are detected by Shield Advanced and Firewall Manager compliance findings, when Firewall Manager identifies a resource that's out of compliance with your Shield Advanced security policy. 

The following figure depicts a typical architecture for monitoring Shield Advanced protected resources with Firewall Manager and Security Hub CSPM. 

![\[At the top of the figure is an AWS Organizations icon. It has an arrow pointing down that splits to point to two icons that are side by side. The left icon has the title Production OU and the right icon has the title Security OU. Below these icons sit three icons, titled from left to right: AWS Shield Advanced, AWS Firewall Manager, and AWS Security Hub CSPM. The production OU icon has an arrow pointing down to the Shield Advanced icon. The security OU icon has an arrow pointing down that splits to point to the Firewall Manager and Security Hub CSPM icons. The Shield Advanced icon has an arrow pointing down to a rectangle with the title Shield Advanced protected resources. Inside the rectangle are icons for Application Load Balancer, CloudFront distribution, and Elastic IP address. The Firewall Manager icon also has an arrow pointing down to the Shield Advanced protected resources rectangle, and it's labeled Enforces compliance of protected resources. The Shield Advanced icon has a horizontal arrow pointing to the Firewall Manager icon that's labeled DDoS alarm. The Firewall Manager icon has a horizontal arrow pointing to its right, to the Security Hub CSPM icon that's labeled DDoS alarm and compliance findings.\]](http://docs.aws.amazon.com/waf/latest/developerguide/images/shield-arch-fms-ash-integration.png)


When you integrate Firewall Manager with Security Hub CSPM, you can view security findings in a single place, alongside other alerts and compliance status information for the applications that you run on AWS. 

The following screenshot highlights the information that you can see for a Shield Advanced event inside the Security Hub CSPM console when you have an integration of this type. 

![\[The screenshot shows the Security Hub CSPM console Findings page, subtitled A finding is a security issue or a failed security check.. The section has red outlines highlighting the strings: Title EQUALS Shield Advanced detected attack against monitored resource and Product name EQUAL Firewall Manager. The screen shows a set of details about the specific attack and its status.\]](http://docs.aws.amazon.com/waf/latest/developerguide/images/shield-console-security-hub-event.png)


To learn how to integrate Firewall Manager and Security Hub CSPM with Shield Advanced to centralize event and compliance monitoring across your protected accounts, see the AWS security blog [Set up centralized monitoring for DDoS events and auto-remediate noncompliant resources](https://aws.amazon.com/blogs/security/set-up-centralized-monitoring-for-ddos-events-and-auto-remediate-noncompliant-resources/). 
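The Security Hub CSPM console filter shown in the screenshot above (Title equals the Shield Advanced attack title, Product name equals Firewall Manager) can be reproduced with the GetFindings API. The following Python helper is added here as an example and is not AWS, Firewall Manager or Security Hub code; the findings in it are constructed ASFF records, and `fetch_live` (a hypothetical name) is the only part that needs boto3, credentials and network access.

```python
# Pull Shield Advanced DDoS event findings out of Security Hub CSPM. Added for
# this page, not AWS code; the filter values are the ones the screenshot shows.
SHIELD_EVENT_TITLE = "Shield Advanced detected attack against monitored resource"
PRODUCT_NAME = "Firewall Manager"


def shield_event_filters(only_active=True):
    """GetFindings Filters equivalent to the console filter in the screenshot."""
    filters = {
        "Title": [{"Value": SHIELD_EVENT_TITLE, "Comparison": "EQUALS"}],
        "ProductName": [{"Value": PRODUCT_NAME, "Comparison": "EQUALS"}],
    }
    if only_active:  # drop findings Security Hub has already archived
        filters["RecordState"] = [{"Value": "ACTIVE", "Comparison": "EQUALS"}]
    return filters


def classify(finding):
    """Separate the two finding kinds the Firewall Manager integration produces."""
    if finding.get("ProductName") != PRODUCT_NAME:
        return "other"
    return "ddos-event" if finding.get("Title") == SHIELD_EVENT_TITLE else "compliance"


def triage(findings):
    """Summarize DDoS event findings per account and resource, newest first."""
    rows = []
    for f in findings:
        if classify(f) != "ddos-event":
            continue
        resource = (f.get("Resources") or [{}])[0]
        rows.append({
            "account": f.get("AwsAccountId"),
            "resource": resource.get("Id"),
            "resource_type": resource.get("Type"),
            "severity": f.get("Severity", {}).get("Label"),
            "workflow": f.get("Workflow", {}).get("Status"),
            "updated": f.get("UpdatedAt"),
        })
    rows.sort(key=lambda r: r["updated"] or "", reverse=True)  # ISO 8601 sorts lexically
    return rows


def fetch_live(region, only_active=True):
    """Optional live query; needs boto3, credentials and securityhub:GetFindings."""
    import boto3  # imported here so the module loads without boto3 installed
    hub = boto3.client("securityhub", region_name=region)
    findings = []
    paginator = hub.get_paginator("get_findings")
    for page in paginator.paginate(Filters=shield_event_filters(only_active)):
        findings.extend(page["Findings"])
    return triage(findings)


# Constructed sample findings (ASFF shape), not real Security Hub output.
SAMPLE_FINDINGS = [
    {"ProductName": PRODUCT_NAME, "AwsAccountId": "111122223333",
     "Title": SHIELD_EVENT_TITLE, "Severity": {"Label": "HIGH"},
     "Workflow": {"Status": "NEW"}, "RecordState": "ACTIVE",
     "UpdatedAt": "2020-09-16T14:49:00Z",
     "Resources": [{"Type": "AwsCloudFrontDistribution",
                    "Id": "arn:aws:cloudfront::111122223333:distribution/EXAMPLE"}]},
    {"ProductName": PRODUCT_NAME, "AwsAccountId": "444455556666",
     "Title": "Example noncompliant resource (constructed title)",  # compliance finding
     "Severity": {"Label": "MEDIUM"}, "Workflow": {"Status": "NEW"},
     "RecordState": "ACTIVE", "UpdatedAt": "2020-09-16T10:00:00Z",
     "Resources": [{"Type": "AwsElasticLoadBalancingV2LoadBalancer",
                    "Id": "arn:aws:elasticloadbalancing:us-east-1:444455556666:loadbalancer/app/EXAMPLE"}]},
    {"ProductName": "Example other product", "AwsAccountId": "111122223333",
     "Title": "Unrelated finding", "Severity": {"Label": "LOW"},
     "Resources": [{"Type": "AwsEc2Instance", "Id": "i-EXAMPLE"}]},
]
```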