Deciding whether to subscribe to Amazon Shield Advanced and apply additional protections - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced

Review the scenarios in this section for help deciding which accounts to subscribe to Amazon Shield Advanced and where to apply additional protections. With Shield Advanced, you pay one monthly subscription fee for all accounts created under a consolidated billing account, plus usage fees based on GB of data transferred out. For information about Shield Advanced pricing, see Amazon Shield Advanced Pricing.

To protect an application and its resources with Shield Advanced, you subscribe the accounts that manage the application to Shield Advanced and then you add protections to the application's resources. For information about subscribing accounts and protecting resources, see Getting started with Amazon Shield Advanced.

Shield Advanced subscriptions and Amazon WAF costs

Your Shield Advanced subscription covers the costs of using standard Amazon WAF capabilities for resources that you protect with Shield Advanced. The standard Amazon WAF fees that are covered by your Shield Advanced protections are the cost per web ACL, the cost per rule, and the base price per million requests for web request inspection, up to 1,500 WCUs and up to the default body size.

Enabling Shield Advanced automatic application layer DDoS mitigation adds a rule group to your web ACL that uses 150 web ACL capacity units (WCUs). These WCUs count against the WCU usage in your web ACL. For more information, see Shield Advanced automatic application layer DDoS mitigation, The Shield Advanced rule group, and Amazon WAF web ACL capacity units (WCUs).

Your subscription to Shield Advanced does not cover the use of Amazon WAF for resources that you do not protect using Shield Advanced. It also does not cover any additional non-standard Amazon WAF costs for protected resources. Examples of non-standard Amazon WAF costs are those for Bot Control, for the CAPTCHA rule action, for web ACLs that use more than 1,500 WCUs, and for inspecting the request body beyond the default body size. The full list is provided on the Amazon WAF pricing page.

For full information and pricing examples, see Shield Pricing and Amazon WAF Pricing.

Shield Advanced subscription billing

If you’re an Amazon Channel Reseller, talk to your account team for information and guidance. This billing information is for customers that are not Amazon Channel Resellers.

For all others, the following subscription and billing guidelines apply:

  • For accounts that are members of an Amazon Organizations organization, Amazon bills the Shield Advanced subscriptions against the payer account for the organization, regardless of whether the payer account itself is subscribed.

  • When you subscribe multiple accounts that are in the same Amazon Organizations consolidated billing account family, one subscription price covers all subscribed accounts in the family. The organization must own all of the Amazon Web Services accounts and all of their resources.

  • When you subscribe multiple accounts for multiple organizations, you can still pay one subscription fee across all of the organizations, accounts, and resources, provided that you own all of them. Contact your account manager or Amazon support and request a fee waiver on the Amazon Shield Advanced subscription charges for all but one of the organizations.

For detailed pricing information and examples, see Amazon Shield Pricing.

Identifying the applications to protect

Consider implementing Shield Advanced protections for applications where you need any of the following:

  • Guaranteed availability for the users of the application.

  • Rapid access to DDoS mitigation experts if the application is affected by a DDoS attack.

  • Awareness by Amazon that the application might be affected by a DDoS attack, with notification of attacks from Amazon and escalation to your security or operations teams.

  • Predictability in your cloud costs, including when a DDoS attack affects your use of Amazon services.

If an application or its resources require any of the above, consider creating subscriptions for the related accounts.

Identifying the resources to protect

For each subscribed account, consider adding a Shield Advanced protection to each resource that has any of the following characteristics:

  • The resource serves external users on the internet.

  • The resource is exposed to the internet and is also part of a critical application. Consider every exposed resource, regardless of whether you intend it to be accessed by users on the internet.

  • The resource is protected by an Amazon WAF web ACL.

To learn more about creating and managing protections for your resources, see Resource protections in Amazon Shield Advanced.

Additionally, follow the recommendations in this guide to help ensure that you architect your application for DDoS resiliency and that you have properly configured the features of Shield Advanced for optimal protection.