Getting started with AWS Shield

AWS Shield provides expanded DDoS attack protection for your AWS resources. Get 24/7 support from our Shield Response Team and detailed visibility into DDoS events.

Compare Tiers

Whether you are running multiple mission-critical web applications on AWS and want visibility and protection from larger and more sophisticated attacks, or you are running a single web application on AWS and looking to get started with protection against common DDoS attacks, AWS Shield provides built-in protection, and access to tools, services and expertise to help you protect your applications on AWS.

AWS Shield Standard

For protection against most common DDoS attacks, and access to tools and best practices to build a DDoS resilient architecture.

Automatically available on all AWS services.

AWS Shield Advanced

For additional protection against larger and more sophisticated attacks, visibility into attacks, and 24x7 access to DDoS experts for complex cases. See the AWS Shield Advanced Service Level Agreement.

Available on:

  • Amazon Route 53
  • Amazon CloudFront
  • Elastic Load Balancing
  • AWS Global Accelerator
  • Elastic IP (Amazon Elastic Compute Cloud and Network Load Balancer)

| Feature | AWS Shield Standard | AWS Shield Advanced* |
|---|---|---|
| Active Traffic Monitoring | | |
| Network flow monitoring | Yes | Yes |
| Automatic always-on detection | Yes | Yes |
| Application traffic monitoring | No | Yes |
| Attack Mitigations | | |
| Protection from common DDoS attacks (e.g. SYN floods, ACK floods, UDP floods, Reflection attacks) | Yes | Yes |
| Automatic inline mitigation | Yes | Yes |
| Additional DDoS mitigation capacity for large attacks | No | Yes |
| Automatic application layer (L7) DDoS mitigations | No | Yes |
| Self-service application layer (Layer 7) mitigations | Yes, using AWS WAF | Yes, using AWS WAF |
| SRT-driven application layer (Layer 7) mitigations | No | Yes, with Shield Response Team |
| Instant rule updates | Yes, using AWS WAF | Yes, using AWS WAF |
| AWS WAF for app vulnerability protection | Yes, using AWS WAF | Yes, using AWS WAF |
| Visibility and Reporting | | |
| Layer 3/Layer 4 attack notification | No | Yes |
| Layer 7 attack notification | No | Yes |
| Layer 3/Layer 4/Layer 7 attack historical report | No | Yes |
| Shield Response Team and Support | | |
| DDoS protection best practices/architecture review | Yes, self-service | Yes |
| Custom mitigations during attacks | No | Yes, with Enterprise or Business support |
| Post attack analysis | No | Yes, with Enterprise or Business support |
| DDoS Cost Protection (Service credits for DDoS scaling charges) | | |
| Amazon Route 53 | No | Yes |
| Amazon CloudFront | No | Yes |
| Elastic Load Balancing (ELB) | No | Yes |
| Amazon Elastic Compute Cloud (EC2) | No | Yes |
| Web Application Firewall (WAF) | | |
| Self-service | Yes | Yes |
| API access/integration | Yes | Yes |
| Flexible rules engine | Yes | Yes |
| Fast rule propagation | Yes | Yes |
| Pricing | See Pricing | Included at no additional charge with AWS Shield Advanced for resources protected in AWS Shield Advanced |
| Cost | | |
| Monthly | No | Yes, see Pricing (Subject to 1-year subscription) |
| Usage based | No | Yes, see Pricing |
| SLA | No | Yes |

Note: AWS Shield Advanced benefits, including DDoS cost protection, are subject to your fulfillment of the 1-year subscription commitment.
