This article explains how AWS Shield Advanced attack flow logs provide visibility into DDoS attacks by capturing traffic metadata during incidents.

• Flow logs capture source/destination IPs, ports, protocols, packet counts, and Shield actions taken
• Logs publish to Amazon S3, CloudWatch Logs, or Data Firehose for analysis and integration
• Includes srccountry and location fields to identify attack origins and AWS ingress points
• Supports JSON, plain text, W3C, and Parquet formats with 5-minute aggregation intervals
• Configuration requires three objects: DeliverySource, DeliveryDestination, and Delivery connection
• Currently available for EIP protections; support for other resource types coming soon
• Enables querying with Athena, CloudWatch Logs Insights, or routing to third-party SIEM platforms

Shield Advanced attack flow logs integrate with existing AWS observability tools to help organizations reconstruct attack patterns, identify sources, and verify mitigation effectiveness without additional infrastructure.