Amazon Shield Advanced overview - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Shield Advanced overview

Amazon Shield Advanced is a managed service that helps you protect your application against external threats, like DDoS attacks, volumetric bots, and vulnerability exploitation attempts. For higher levels of protection against attacks, you can subscribe to Amazon Shield Advanced.

When you subscribe to Shield Advanced and add protection to your resources, Shield Advanced provides expanded DDoS attack protection for those resources. The protections that you receive from Shield Advanced can vary depending on your architecture and configuration choices. Use the information in this guide to build and protect resilient applications using Shield Advanced, and to escalate when you need expert help.

Shield Advanced subscriptions and Amazon WAF costs

Your Shield Advanced subscription covers the costs of using standard Amazon WAF capabilities for resources that you protect with Shield Advanced. The standard Amazon WAF fees that are covered by your Shield Advanced protections are the cost per web ACL, the cost per rule, and the base price per million requests for web request inspection, up to 1,500 WCUs and up to the default body size.

Enabling Shield Advanced automatic application layer DDoS mitigation adds a rule group to your web ACL that uses 150 web ACL capacity units (WCUs). These WCUs count against the WCU usage in your web ACL. For more information, see Shield Advanced automatic application layer DDoS mitigation, The Shield Advanced rule group, and Amazon WAF web ACL capacity units (WCUs).

Your subscription to Shield Advanced does not cover the use of Amazon WAF for resources that you do not protect using Shield Advanced. It also does not cover any additional non-standard Amazon WAF costs for protected resources. Examples of non-standard Amazon WAF costs are those for Bot Control, for the CAPTCHA rule action, for web ACLs that use more than 1,500 WCUs, and for inspecting the request body beyond the default body size. The full list is provided on the Amazon WAF pricing page.

For full information and pricing examples, see Shield Pricing and Amazon WAF Pricing.

Shield Advanced subscription billing

If you’re an Amazon Channel Reseller, talk to your account team for information and guidance. This billing information is for customers that are not Amazon Channel Resellers.

For all others, the following subscription and billing guidelines apply:

  • For accounts that are members of an Amazon Organizations organization, Amazon bills the Shield Advanced subscriptions against the payer account for the organization, regardless of whether the payer account itself is subscribed.

  • When you subscribe multiple accounts that are in the same Amazon Organizations consolidated billing account family, one subscription price covers all subscribed accounts in the family. The organization must own all of the Amazon Web Services accounts and all of their resources.

  • When you subscribe multiple accounts for multiple organizations, you can still pay one subscription fee across all of the organizations, accounts, and resources providing you own all of them. Contact your account manager or Amazon support and request a fee waiver on the Amazon Shield Advanced subscription charges for all but one of the organizations.

For detailed pricing information and examples, see Amazon Shield Pricing.