The question AWS Shield Advanced flow logs answer is not "are we under attack" — it is "is this even an attack, or is it the best sales hour of our year." For a D2C brand, those two readings demand opposite responses, and until this launch you were guessing from aggregate graphs while the clock and the AWS bill both ran.
AWS just shipped flow logs for Shield Advanced, giving you packet-level metadata during a traffic event. The security press framed it as DDoS forensics. That is real, but it buries the part that actually moves money for the brands we run AWS architecture for: the same logs are the fastest way to stop over-reacting to traffic you should have just served.
TL;DR: Shield mitigates; flow logs let you finally diagnose. For D2C the win is telling a DDoS from demand before you scale into a huge bill. If you're hardening for a sale, book a 30-minute architecture call — Dev or a practice lead joins, we read your Shield setup live, no SDR layer. You leave with a runbook for the next spike.
What AWS actually shipped
Shield Advanced already detects and mitigates DDoS attacks against CloudFront, Elastic Load Balancing, Route 53, Global Accelerator, and Elastic IP addresses. What it did not give you was the underlying traffic — only rolled-up metrics. Flow logs change that by capturing metadata during an event and delivering it where you can query it.
Each record carries 14 fields, including srcaddr and dstaddr, srcport and dstport, protocol, packets and bytes, tcp_flags, srccountry (a two-letter code), the AWS ingress location, the sampling_rate, and the Shield action taken on the traffic. Logs aggregate on 5-minute intervals, individual files cap at 75 MB, and you can land them in three places depending on what you need:
| Destination | Use it for |
|---|---|
| Amazon S3 | Cheap long-term storage and after-the-fact queries with Amazon Athena (Parquet keeps scan costs down) |
| CloudWatch Logs | Near-real-time triage and alerting with CloudWatch Logs Insights during the event |
| Data Firehose | Streaming into a third-party SIEM if your security team already lives there |
Setup is a short pipeline: create the destination, attach a resource policy for the CloudWatch Logs delivery service, grab your protection ARN with aws shield list-protections, then wire put-delivery-source, put-delivery-destination, and create-delivery, and confirm with describe-deliveries. The IAM principal doing this needs logs:PutDeliverySource, logs:PutDeliveryDestination, and logs:CreateDelivery.
The question that actually costs D2C money
Here is the contrarian take we give every founder. The DDoS that takes you down is rare and loud. The traffic event you misread is common and quiet, and it bleeds money either way you get it wrong. Over-react to real demand and you throttle your own customers on the best hour of the quarter. Under-react to junk traffic and you auto-scale a fleet to serve bots, then open an AWS bill that ruins the sale's margin.
A US supplements brand doing about $11M came to us after a "DDoS" that, on inspection, was a Klaviyo campaign and an influencer post landing in the same ten minutes. Their on-call engineer saw the traffic wall, assumed an attack, and scaled the application tier 6x. There was no attack. They served the demand — and a $9,400 surprise on that day's compute, most of it idle capacity that spun up after the spike had already passed. Flow logs would have shown diverse source IPs from their actual customer states and a Shield action of count, not drop. That is a sale to lean into, not a fire to fight.
We have also seen the mirror image: a brand that blamed "a DDoS" for a checkout outage that was really a database connection-pool exhaustion they triggered themselves. They spent two days chasing attackers who never existed. Packet-level truth ends both arguments in about ten minutes.
This is the part of peak-season prep that nobody budgets for until the worst possible Saturday. We have built this triage runbook for D2C brands heading into Black Friday and Diwali, and we keep the exact Athena queries on hand. If you want yours set up before your next sale, grab 30 minutes with Dev — bring your Shield setup, leave with a written diagnosis runbook inside a week. No deck, fixed-price after discovery.
The five fields that tell a DDoS from a demand spike
You do not need all 14 fields in the heat of the moment. Read these five together and the answer is usually obvious:
srcaddr diversity. Thousands of distinct IPs each making a few requests looks like customers. A few IPs hammering you looks like an attack (or a misbehaving integration).
srccountry distribution. Traffic matching your real sales geographies is demand. A flood from countries you do not ship to is not your customer base.
packets vs bytes. Real browsing has normal payload sizes. Tiny-packet, high-rate floods are a classic volumetric signature.
tcp_flags. A storm of SYNs with no completed handshakes is a SYN flood, not shoppers loading product pages.
action. If Shield is already returning drop, it is mitigating an attack for you. If it is count, that traffic is reaching your origin — and if conversions are up, that is a sale.
The Athena query we run first
With logs landing in S3 as Parquet, this is the first query we point at an event — it ranks source IPs by traffic and shows whether Shield is counting or dropping them. Diversity at the top means demand; concentration means trouble.
SELECT srcaddr,
srccountry,
action,
COUNT(*) AS records,
SUM(packets) AS total_packets,
SUM(bytes) AS total_bytes,
SUM(bytes) / NULLIF(SUM(packets), 0) AS avg_bytes_per_packet
FROM shield_flow_logs
WHERE event_timestamp BETWEEN TIMESTAMP '2026-06-04 18:00:00'
AND TIMESTAMP '2026-06-04 18:30:00'
GROUP BY srcaddr, srccountry, action
ORDER BY total_bytes DESC
LIMIT 50;If the top 50 rows are 50 different IPs from your core countries with a healthy bytes-per-packet ratio and action = count, stand down and serve the traffic. If a few IPs dominate with tiny packets and action = drop, Shield is doing its job and you should not be scaling compute to meet it. The same data exports cleanly to a one-page board summary after the dust settles.
The caveats AWS soft-pedals
We are not knocking the feature — we are already turning it on for clients. But read the fine print before you build alerting on top of it:
Elastic IP only at launch. If your edge is CloudFront or an ALB, flow logs are not there for those resources yet. Plan for the rollout rather than assuming full coverage today.
Sampled, not complete. The sampling_rate field exists for a reason — these are samples, not a full packet capture. Great for shape and direction, wrong tool for exact accounting.
5-minute aggregation. This is near-real-time triage, not a live per-packet stream. Set expectations with whoever is on call.
It is not free. You pay standard CloudWatch vended-log charges plus your destination's storage or processing. Send to S3 as Parquet for the cheapest long-term path. And remember Shield Advanced is managed globally from us-east-1.
What to do before your next sale
Turn flow logs on now, not during the incident. Land them in S3, define the Athena table, and save the query above so it is one click at 2 a.m. Write the two-line decision rule on the runbook: diverse IPs plus count means scale and serve; concentrated IPs plus drop means hold and let Shield work. Decide the threshold for auto-scaling in advance so nobody makes a $9,400 call on adrenaline.
If you already use Shield Advanced for sales protection — our walkthrough of Shield for DDoS protection during flash sales and the Black Friday peak-shield case study are the companion pieces — flow logs are the missing diagnostic layer that turns "we think we survived an attack" into "here is exactly what hit us and what Shield did about it."
Frequently Asked Questions
What do AWS Shield Advanced flow logs actually contain?
Each record carries 14 fields of traffic metadata captured during an event: protection_arn, event_timestamp, srcaddr and dstaddr, srcport and dstport, protocol, packets and bytes, starttime and endtime, the Shield action taken, the AWS ingress location, sampling_rate, tcp_flags, and srccountry (a two-letter source country code). Logs aggregate on 5-minute intervals, files cap at 75 MB, and you can deliver them to Amazon S3, CloudWatch Logs, or Data Firehose in JSON, plain text, W3C, or Parquet.
How do Shield flow logs help tell a DDoS from a real traffic spike?
A genuine flash sale shows diverse source IPs from your real customer geographies, normal packet-to-byte ratios, and a Shield action of count rather than drop. A volumetric DDoS shows a small set of source IPs or countries, abnormal packets-to-bytes ratios, unusual tcp_flags, and Shield actions flipping to drop. Reading srcaddr, srccountry, packets/bytes, tcp_flags, and the action field together tells you in minutes whether to scale up and serve the demand or hold steady and let Shield drop the junk.
Are there limits on Shield Advanced flow logs at launch?
Yes. At launch, flow logs cover Elastic IP protections only, with more resource types to follow. Records are sampled, not a complete packet capture, and they aggregate on 5-minute intervals, so this is forensics and near-real-time triage, not a live per-packet feed. Shield Advanced is managed globally from us-east-1, and you pay standard CloudWatch vended-log charges plus whatever your destination (S3, CloudWatch Logs, or Firehose) costs. Plan around these before you build alerting on top.