AWS Shield Advanced is a managed service that helps you protect your application against external threats, like DDoS attacks, volumetric bots, and vulnerability exploitation attempts. For higher levels of protection against attacks, you can subscribe to AWS Shield Advanced.

When you subscribe to Shield Advanced and add protection to your resources, Shield Advanced provides expanded DDoS attack protection for those resources. The protections that you receive from Shield Advanced can vary depending on your architecture and configuration choices. Use the information in this guide to build and protect resilient applications using Shield Advanced, and to escalate when you need expert help.

Covered AWS WAF costs

Your Shield Advanced subscription covers your use of the standard AWS WAF capabilities at no additional cost. The standard AWS WAF fees that are covered by your Shield Advanced subscription are the cost per web ACL, the cost per rule, and the base price per million requests for web request inspection, up to 1,500 WCUs and up to the default body size.

Your subscription to Shield Advanced does not cover any additional AWS WAF costs. Examples of costs that the Shield Advanced subscription does not cover are the optional intelligent threat mitigation capabilities of Bot Control, the use of the Challenge rule action, the use of more than 1,500 WCUs in a web ACL, and request body inspection beyond the default body size. The full list is available on the AWS WAF pricing page.

For more information and pricing examples, see Shield Pricing and AWS WAF Pricing.

Shield Advanced subscription billing

If you’re an AWS Channel Reseller, talk to your account team for information and guidance. This billing information is for customers that are not AWS Channel Resellers.

How AWS Shield works

AWS Shield Standard and AWS Shield Advanced provide protections against Distributed Denial of Service (DDoS) attacks for AWS resources at the network and transport layers (layer 3 and 4) and the application layer (layer 7). A DDoS attack is an attack in which multiple compromised systems try to flood a target with traffic. A DDoS attack can prevent legitimate end users from accessing the target services and can cause the target to crash due to overwhelming traffic volume.

AWS Shield provides protection against a wide range of known DDoS attack vectors and zero-day attack vectors. Shield detection and mitigation is designed to provide coverage against threats even if they are not explicitly known to the service at the time of detection.

Classes of attacks that Shield detects include the following:

• Network volumetric attacks (layer 3) – This is a sub category of infrastructure layer attack vectors. These vectors attempt to saturate the capacity of the targeted network or resource, to deny service to legitimate users.

• Network protocol attacks (layer 4) – This is a sub category of infrastructure layer attack vectors. These vectors abuse a protocol to deny service to the targeted resource. A common example of a network protocol attack is a TCP SYN flood, which can exhaust connection state on resources like servers, load balancers, or firewalls. A network protocol attack can also be volumetric. For example, a larger TCP SYN flood may intend to saturate the capacity of a network while also exhausting the state of the targeted resource or intermediate resources.

• Application layer attacks (layer 7) – This category of attack vector attempts to deny service to legitimate users by flooding an application with queries that are valid for the target, such as web request floods.