Requesting a credit in Amazon Shield Advanced - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Requesting a credit in Amazon Shield Advanced

If you're subscribed to Amazon Shield Advanced and you experience a DDoS attack that increases utilization of a Shield Advanced protected resource, you can request a Shield Advanced service credit for charges related to the increased utilization, to the extent that it is not mitigated by Shield Advanced.

Note

You can apply any credits received through this process only to Shield Advanced usage. Shield Advanced credits are not available for use with other services.

Credits are available only for the following types of charges:

  • Shield Advanced data transfer out

  • Amazon CloudFront HTTP/HTTPS requests

  • CloudFront data transfer out

  • Amazon Route 53 queries

  • Amazon Global Accelerator standard accelerator data transfer

  • Load balancer capacity units for Application Load Balancer

  • Instance costs for protected Amazon Elastic Compute Cloud (Amazon EC2) instances that were created by an auto-scaling policy in response to the attack

Prerequisites for requesting a credit

To be eligible to receive a credit, before the attack began, you must have done the following:

  • You must have added Shield Advanced protection to the resources for which you want to request a credit. Protected resources added during an attack are not eligible for cost protection.

    Note

    Enabling Shield Advanced on your Amazon Web Services account does not automatically enable Shield Advanced protection for individual resources.

    For more information about how to protect Amazon resources using Shield Advanced, see Adding Amazon Shield Advanced protection to Amazon resources.

  • For applicable CloudFront and Application Load Balancer protected resources, you must have associated an Amazon WAF web ACL and implemented a rate-based rule in the web ACL in Block mode. For information about Amazon WAF rate-based rules, see Rate-based rule statement. For information about how to associate web ACLs with Amazon resources, see Web access control lists (web ACLs).

  • You must have implemented the appropriate best practices in Amazon Best Practices for DDoS Resiliency to configure your application in a way that minimizes cost during a DDoS attack.

How to apply for a credit

To be eligible for a credit, you must submit your credit request within the 15 day period immediately following the billing month in which the attack occurred.

To apply for a credit, submit a billing case through the Amazon Web Services Support Center. Include the following in your request:

  • The words "DDoS Concession" in the subject line

  • The dates and times of each event or availability interruption for which you're requesting a credit

  • The Amazon services and specific resources that were affected

After you submit a request, the Amazon Shield Response Team (SRT) will validate whether a DDoS attack occurred and, if so, whether any protected resources scaled to absorb the DDoS attack. If Amazon determines that protected resources scaled to absorb the DDoS attack, Amazon will issue a credit for that portion of traffic that Amazon determines was caused by the DDoS attack. Credits are valid for 12 months.