Tags: amazon-web-services, amazon-ec2, ddos

Do all AWS EC2 instances have AWS Shield by default?


I want to protect my EC2 instance from DDoS, and I found AWS has a service to protect instances called AWS Shield.

On AWS's official website, it says All AWS customers benefit from the automatic protections of AWS Shield Standard, at no additional charge... When you use AWS Shield Standard with Amazon CloudFront and Amazon Route 53, you receive comprehensive availability protection against all known infrastructure (Layer 3 and 4) attacks.

It says "All AWS customers benefit from", but it also says "When you use AWS Shield Standard with Amazon CloudFront and Amazon Route 53". So does an EC2 instance only have AWS Shield when using CloudFront, or will it have AWS Shield even if not using CloudFront?


Solution

  • From this link (emphasis added):

    While AWS Shield Standard helps protect all AWS customers, you get particular benefit if you are using Amazon CloudFront and Amazon Route 53. These services receive comprehensive availability protection against all known infrastructure (Layer 3 and 4) attacks.

    I read that to mean AWS Shield Standard provides some protection for all AWS services (including EC2). You get an expanded or enhanced benefit if you are using CloudFront and Route 53. Given the nature of DDoS attacks it makes sense that Amazon would be able to provide additional protection when you are using their CDN and DNS services.

    From this link (emphasis added):

    AWS Shield Standard

    For protection against most common DDoS attacks, and access to tools and best practices to build a DDoS resilient architecture.

    Automatically available on all AWS services.

    From that link you can see that basic Traffic Monitoring and Attack Mitigations are provided across all services if you are using AWS Shield Standard, and additional features of AWS Shield Standard are available if you use an AWS Web Application Firewall (WAF). Additional features such as DDoS Cost Protection for Route 53, CloudFront, ELB, and EC2, are only available when you subscribe to AWS Shield Advanced.
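Shield Standard needs no verification (it is on for every resource), but the answer's last point, that the EC2-related extras exist only under a Shield Advanced subscription, is something you can check from the account itself. The following is an added example, not code from the answer or from AWS; it assumes the real boto3 `shield` client calls `get_subscription_state` and `list_protections`, and that Shield Advanced protects an EC2 instance through its Elastic IP allocation ARN (`arn:aws:ec2:<region>:<account>:eip-allocation/<allocation-id>`).

```python
"""Report which EC2 Elastic IPs are under Shield Advanced, as opposed to
the Shield Standard baseline that every resource already gets.
Assumptions (not from the answer above): the boto3 'shield' client's
get_subscription_state() and list_protections() calls, and the EIP
allocation ARN form that Shield Advanced uses for EC2 resources."""
from typing import Dict, Iterable, List

EIP_ARN_PREFIX = "arn:aws:ec2:"        # EC2 resources are protected via their EIP
EIP_ARN_MARKER = ":eip-allocation/"    # ...so the ARN names the allocation id


def advanced_subscribed(shield) -> bool:
    """True only if the account holds an ACTIVE Shield Advanced subscription."""
    return shield.get_subscription_state()["SubscriptionState"] == "ACTIVE"


def protected_eip_allocations(shield) -> List[str]:
    """Collect EIP allocation ids that carry a Shield Advanced protection,
    following NextToken pagination so large accounts are read completely."""
    found: List[str] = []
    token = None
    while True:
        page = shield.list_protections(**({"NextToken": token} if token else {}))
        for prot in page.get("Protections", []):
            arn = prot.get("ResourceArn", "")
            if arn.startswith(EIP_ARN_PREFIX) and EIP_ARN_MARKER in arn:
                found.append(arn.split(EIP_ARN_MARKER, 1)[1])
        token = page.get("NextToken")
        if not token:
            return found


def coverage(shield, allocation_ids: Iterable[str]) -> Dict[str, str]:
    """Map each EIP allocation id to 'advanced' or 'standard-only'.
    Without an active subscription nothing is Advanced, so skip the
    protections call (it is not meaningful for unsubscribed accounts)."""
    ids = list(allocation_ids)
    if not advanced_subscribed(shield):
        return {a: "standard-only" for a in ids}
    protected = set(protected_eip_allocations(shield))
    return {a: ("advanced" if a in protected else "standard-only") for a in ids}


if __name__ == "__main__":
    import boto3  # only needed for a live run against your own account
    client = boto3.client("shield", region_name="us-east-1")  # Shield is global; us-east-1 endpoint
    print(coverage(client, ["eipalloc-PLACEHOLDER"]))  # replace with your own allocation ids
```

Any allocation id that comes back `standard-only` is still covered by Shield Standard; the label only says the Advanced features (cost protection, response team access) do not apply to it.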