Amazon Shield Advanced capabilities and options - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Shield Advanced capabilities and options

Amazon Shield Advanced subscription includes the following capabilities and options. These supplement the DDoS detection and mitigation capabilities that you already receive with Amazon.

  • Amazon WAF integration – Shield Advanced uses Amazon WAF web ACLs, rules, and rule groups as part of its application layer protections. For more information about Amazon WAF, see How Amazon WAF works.


    Your Shield Advanced subscription covers the costs of using standard Amazon WAF capabilities for resources that you protect with Shield Advanced. The standard Amazon WAF fees that are covered by your Shield Advanced protections are the cost per web ACL, the cost per rule, and the base price per million requests for web request inspection, up to 1,500 WCUs and up to the default body size.

    Enabling Shield Advanced automatic application layer DDoS mitigation adds a rule group to your web ACL that uses 150 web ACL capacity units (WCUs). These WCUs count against the WCU usage in your web ACL. For more information, see Shield Advanced automatic application layer DDoS mitigation, The Shield Advanced rule group, and Amazon WAF web ACL capacity units (WCUs).

    Your subscription to Shield Advanced does not cover the use of Amazon WAF for resources that you do not protect using Shield Advanced. It also does not cover any additional non-standard Amazon WAF costs for protected resources. Examples of non-standard Amazon WAF costs are those for Bot Control, for the CAPTCHA rule action, for web ACLs that use more than 1,500 WCUs, and for inspecting the request body beyond the default body size. The full list is provided on the Amazon WAF pricing page.

    For full information and pricing examples, see Shield Pricing and Amazon WAF Pricing.

  • Automatic application layer DDoS mitigation – You can configure Shield Advanced to respond automatically to mitigate application layer (layer 7) attacks against your protected resources. With automatic mitigation, Shield Advanced enforces Amazon WAF rate limiting on requests from known DDoS sources, and it automatically adds and manages custom Amazon WAF protections in response to detected DDoS attacks. You can configure automatic mitigation to count or block the web requests that are part of an attack.

    For more information, see Shield Advanced automatic application layer DDoS mitigation.

  • Health-based detection – You can use Amazon Route 53 health checks with Shield Advanced to inform event detection and mitigation. Health checks monitor your application according to your specifications, reporting healthy when your specifications are met and unhealthy when they aren't. Using health checks with Shield Advanced helps prevent false positives and provides faster detection and mitigation when a protected resource is unhealthy. You can use health-based detection for any resource type except Route 53 hosted zones. Shield Advanced proactive engagement is available only for resources that have health-based detection enabled.

    For more information, see Health-based detection using health checks.

  • Protection groups – You can use protection groups to create logical groupings of your protected resources, for enhanced detection and mitigation of the group as a whole. You can define the criteria for membership in a protection group so that newly protected resources are automatically included. A protected resource can belong to multiple protection groups.

    For more information, see Amazon Shield Advanced protection groups.

  • Enhanced visibility into DDoS events and attacks – Shield Advanced gives you access to advanced, real-time metrics and reports for extensive visibility into events and attacks on your protected Amazon resources. You can access this information through the Shield Advanced API and console, and through Amazon CloudWatch metrics.

    For more information, see Visibility into DDoS events.

  • Centralized management of Shield Advanced protections by Amazon Firewall Manager – You can use Firewall Manager to automatically apply Shield Advanced protections to your new accounts and resources and to deploy Amazon WAF rules to your web ACLs. Firewall Manager Shield Advanced protection policies are included at no additional charge for Shield Advanced customers. You can also centralize your Shield Advanced monitoring activities for your accounts by using Firewall Manager with an Amazon Simple Notification Service (SNS) topic or Amazon Security Hub.

    For more information about using Firewall Manager to manage Shield Advanced protections, see Amazon Firewall Manager and Amazon Shield Advanced policies. For information about Firewall Manager pricing, see Amazon Firewall Manager Pricing.

  • Amazon Shield Response Team (SRT) – The SRT has deep experience in protecting Amazon,, and its subsidiaries. As an Amazon Shield Advanced customer, you can contact the SRT at any time for assistance during a DDoS attack that affects the availability of your application. You can also work with the SRT to create and manage custom mitigations for your resources. To use the services of the SRT, you must also be subscribed to the Business Support plan or the Enterprise Support plan.

    For more information, see Shield Response Team (SRT) support.

  • Proactive engagement – With proactive engagement, the Shield Response Team (SRT) contacts you directly if the Amazon Route 53 health check that you have associated with your protected resource becomes unhealthy during an event that's detected by Shield Advanced. This gives you quicker engagement with experts when the availability of your application might be affected by a suspected attack.

    For more information, see Configuring proactive engagement.

  • Cost protection opportunities – Shield Advanced offers some cost protection against spikes in your Amazon bill that might result from a DDoS attack against your protected resources. This can include coverage for spikes in Shield Advanced data transfer out (DTO) usage fees. Shield Advanced provides any cost protection in the form of Shield Advanced service credits.

    For more information, see Requesting a credit in Amazon Shield Advanced.