Amazon Shield Advanced capabilities and options - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Shield Advanced capabilities and options

An Amazon Shield Advanced subscription includes the following capabilities and options. These supplement the DDoS detection and mitigation capabilities that you already receive with Amazon Web Services.

  • Amazon WAF integration – Shield Advanced uses Amazon WAF web ACLs, rules, and rule groups as part of its application layer protections. For more information about Amazon WAF, see How Amazon WAF works.

    Note

    Your Shield Advanced subscription covers the costs of using standard Amazon WAF capabilities for resources that you protect with Shield Advanced. The standard Amazon WAF fees that are covered by your Shield Advanced protections are the cost per web ACL, the cost per rule, and the base price per million requests for web request inspection, up to 1,500 WCUs and up to the default body size.

    Enabling Shield Advanced automatic application layer DDoS mitigation adds a rule group to your web ACL that uses 150 web ACL capacity units (WCUs). These WCUs count against the WCU usage in your web ACL. For more information, see Automating application layer DDoS mitigation with Shield Advanced, Protecting the application layer with the Shield Advanced rule group, and Web ACL capacity units (WCUs) in Amazon WAF.

    Your subscription to Shield Advanced does not cover the use of Amazon WAF for resources that you do not protect using Shield Advanced. It also does not cover any additional non-standard Amazon WAF costs for protected resources. Examples of non-standard Amazon WAF costs are those for Bot Control, for the CAPTCHA rule action, for web ACLs that use more than 1,500 WCUs, and for inspecting the request body beyond the default body size. The full list is provided on the Amazon WAF pricing page.

    For full information and pricing examples, see Shield Pricing and Amazon WAF Pricing.

  • Automatic application layer DDoS mitigation – You can configure Shield Advanced to respond automatically to mitigate application layer (layer 7) attacks against your protected resources. With automatic mitigation, Shield Advanced enforces Amazon WAF rate limiting on requests from known DDoS sources, and it automatically adds and manages custom Amazon WAF protections in response to detected DDoS attacks. You can configure automatic mitigation to count or block the web requests that are part of an attack.

    For more information, see Automating application layer DDoS mitigation with Shield Advanced.

  • Health-based detection – You can use Amazon Route 53 health checks with Shield Advanced to inform event detection and mitigation. Health checks monitor your application according to your specifications, reporting healthy when your specifications are met and unhealthy when they aren't. Using health checks with Shield Advanced helps prevent false positives and provides faster detection and mitigation when a protected resource is unhealthy. You can use health-based detection for any resource type except Route 53 hosted zones. Shield Advanced proactive engagement is available only for resources that have health-based detection enabled.

    For more information, see Health-based detection using health checks with Shield Advanced and Route 53.

  • Protection groups – You can use protection groups to create logical groupings of your protected resources, for enhanced detection and mitigation of the group as a whole. You can define the criteria for membership in a protection group so that newly protected resources are automatically included. A protected resource can belong to multiple protection groups.

    For more information, see Grouping your Amazon Shield Advanced protections.

  • Enhanced visibility into DDoS events and attacks – Shield Advanced gives you access to advanced, real-time metrics and reports for extensive visibility into events and attacks on your protected Amazon resources. You can access this information through the Shield Advanced API and console, and through Amazon CloudWatch metrics.

    For more information, see Visibility into DDoS events with Shield Advanced.
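The following example, added here and not part of the Amazon documentation or any Amazon SDK, wires the options described above (automatic application layer mitigation in Count or Block mode, health-based detection, a protection group, and CloudWatch visibility) onto one protected resource. The Shield and CloudWatch clients are passed in, so the sequence runs offline against the `RecordingClient` stub defined in the block and unchanged against real boto3 clients. Method and parameter names follow the boto3 Shield and CloudWatch APIs; the `RecordingClient`, the constructed `aws-cn` ARNs, and the choice to alarm on the `AWS/DDoSProtection` `DDoSDetected` metric are this example's own assumptions.

```python
"""Added example (not Amazon documentation code): apply Shield Advanced options
to one resource through injected boto3-style clients so it can run offline."""
from typing import Optional


class RecordingClient:
    """Stand-in for a boto3 client: records every call and returns canned IDs.
    Constructed for this example; a real boto3 Shield/CloudWatch client works
    in its place with no other change."""

    def __init__(self):
        self.calls = []  # list of (method_name, kwargs) in call order

    def __getattr__(self, method):
        if method.startswith("__"):
            raise AttributeError(method)

        def call(**kwargs):
            self.calls.append((method, kwargs))
            # create_protection is the only call whose response we read.
            return {"ProtectionId": "p-constructed-1"} if method == "create_protection" else {}
        return call


def resource_type_from_arn(arn: str) -> str:
    """Return 'service:resource-prefix' for an ARN in any partition
    (aws, aws-cn, ...), e.g. 'route53:hostedzone'."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    service, resource = parts[2], parts[5]
    return f"{service}:{resource.split('/', 1)[0]}"


def health_checks_allowed(resource_arn: str) -> bool:
    """Health-based detection is available for every resource type except
    Route 53 hosted zones, as the page states."""
    return resource_type_from_arn(resource_arn) != "route53:hostedzone"


def protect_resource(shield, cloudwatch, name: str, resource_arn: str,
                     health_check_arn: Optional[str] = None,
                     layer7_action: Optional[str] = None,
                     alarm_topic_arn: Optional[str] = None) -> str:
    """Create a Shield Advanced protection and apply the chosen options.

    layer7_action: None leaves automatic application layer mitigation off;
    'Count' or 'Block' enables it with that action. Returns the ProtectionId."""
    if layer7_action not in (None, "Count", "Block"):
        raise ValueError("layer7_action must be None, 'Count' or 'Block'")
    if health_check_arn and not health_checks_allowed(resource_arn):
        raise ValueError("Route 53 hosted zones cannot use health-based detection")

    protection_id = shield.create_protection(
        Name=name, ResourceArn=resource_arn)["ProtectionId"]

    if health_check_arn:
        # Health-based detection; also the prerequisite for proactive engagement.
        shield.associate_health_check(ProtectionId=protection_id,
                                      HealthCheckArn=health_check_arn)
    if layer7_action:
        # Action is a tagged union: {"Count": {}} or {"Block": {}}.
        shield.enable_application_layer_automatic_response(
            ResourceArn=resource_arn, Action={layer7_action: {}})
    if alarm_topic_arn:
        # Assumption of this example: DDoSDetected reports 1 while Shield
        # Advanced detects an event on the resource, so alarm at >= 1.
        cloudwatch.put_metric_alarm(
            AlarmName=f"shield-ddos-detected-{name}",
            Namespace="AWS/DDoSProtection", MetricName="DDoSDetected",
            Dimensions=[{"Name": "ResourceArn", "Value": resource_arn}],
            Statistic="Maximum", Period=60, EvaluationPeriods=1, Threshold=1,
            ComparisonOperator="GreaterThanOrEqualToThreshold",
            TreatMissingData="notBreaching", AlarmActions=[alarm_topic_arn])
    return protection_id


def group_by_resource_type(shield, group_id: str, resource_type: str) -> None:
    """Protection group that automatically includes every protected resource of
    one type, aggregating the members' traffic as a sum."""
    shield.create_protection_group(ProtectionGroupId=group_id, Aggregation="SUM",
                                   Pattern="BY_RESOURCE_TYPE",
                                   ResourceType=resource_type)


if __name__ == "__main__":
    # Constructed ARNs in the China (aws-cn) partition; none of them is real.
    shield, cw = RecordingClient(), RecordingClient()
    protect_resource(
        shield, cw, "web-alb",
        "arn:aws-cn:elasticloadbalancing:cn-north-1:123456789012:loadbalancer/app/web/0123456789abcdef",
        health_check_arn="arn:aws-cn:route53:::healthcheck/11111111-2222-3333-4444-555555555555",
        layer7_action="Count",
        alarm_topic_arn="arn:aws-cn:sns:cn-north-1:123456789012:shield-alerts")
    group_by_resource_type(shield, "all-albs", "APPLICATION_LOAD_BALANCER")
    for method, kwargs in shield.calls + cw.calls:
        print(method, sorted(kwargs))
```

Starting with `layer7_action="Count"` mirrors the page's advice to count rather than block while you confirm the automatic mitigation matches only attack traffic; switching to `"Block"` later is a call to `update_application_layer_automatic_response` on the same resource ARN, which the function above does not cover.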

  • Centralized management of Shield Advanced protections by Amazon Firewall Manager – You can use Firewall Manager to automatically apply Shield Advanced protections to your new accounts and resources and to deploy Amazon WAF rules to your web ACLs. Firewall Manager Shield Advanced protection policies are included at no additional charge for Shield Advanced customers. You can also centralize your Shield Advanced monitoring activities for your accounts by using Firewall Manager with an Amazon Simple Notification Service (SNS) topic or Amazon Security Hub.

    For more information about using Firewall Manager to manage Shield Advanced protections, see Amazon Firewall Manager and Using Amazon Shield Advanced policies in Firewall Manager. For information about Firewall Manager pricing, see Amazon Firewall Manager Pricing.

  • Amazon Shield Response Team (SRT) – The SRT has deep experience in protecting Amazon, Amazon.com, and its subsidiaries. As an Amazon Shield Advanced customer, you can contact the SRT at any time for assistance during a DDoS attack that affects the availability of your application. You can also work with the SRT to create and manage custom mitigations for your resources. To use the services of the SRT, you must also be subscribed to the Business Support plan or the Enterprise Support plan.

    For more information, see Managed DDoS event response with Shield Response Team (SRT) support.

  • Proactive engagement – With proactive engagement, the Shield Response Team (SRT) contacts you directly if the Amazon Route 53 health check that you have associated with your protected resource becomes unhealthy during an event that's detected by Shield Advanced. This gives you quicker engagement with experts when the availability of your application might be affected by a suspected attack.

    For more information, see Setting up proactive engagement for the SRT to contact you directly.

  • Cost protection opportunities – Shield Advanced offers some cost protection against spikes in your Amazon bill that might result from a DDoS attack against your protected resources. This can include coverage for spikes in Shield Advanced data transfer out (DTO) usage fees. Shield Advanced provides any cost protection in the form of Shield Advanced service credits.

    For more information, see Requesting a credit in Amazon Shield Advanced after an attack.