AWS Shield Standard provides protection for all AWS customers from common, most frequently occurring network and transport layer DDoS attacks that target your web site or application at no additional charge.
AWS Shield Advanced is a paid service that provides additional protections for internet-facing applications running on Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53. AWS Shield Advanced is available to all customers; however, to contact the AWS Shield Response Team customers will need the Enterprise or Business Support levels of AWS Premium Support. It requires a 1-year subscription commitment and charges a monthly fee, plus a usage fee based on data transfer out from Amazon CloudFront, Elastic Load Balancing (ELB), Amazon Elastic Compute (EC2), and AWS Global Accelerator.
- This fee applies per organization subscribed to AWS Shield Advanced. If your organization has multiple AWS accounts, you will pay the monthly fee once as long as your organization owns all the AWS accounts and resources in those accounts, except that AWS Channel Resellers will pay a separate monthly fee for each member account. AWS Channel Resellers who resell AWS Shield Advanced to customers with more than one member account may contact us for additional billing support and, with respect to such AWS Channel Resellers, AWS reserves the right to modify the monthly fee for AWS Shield Advanced.
- In addition to standard fees on Elastic Load Balancing (ELB), Amazon CloudFront, Amazon Route 53, AWS Global Accelerator, and Amazon Elastic Compute Cloud (EC2).
- Shield Advanced subscription includes certain AWS WAF usage for Shield protected resources at no additional cost. This includes the monthly fees for Web ACL and Rules as well as request fees for Web ACLs with default limits. All other WAF features such as Intelligent Threat Mitigation (e.g., Bot and Fraud Control) or request fees for Web ACLs with WCUs greater than the default will still incur WAF charges. See AWS WAF Pricing for more details.
In order for WAF fees to be waived, a customer must subscribe to all relevant accounts to Shield Advanced. Next, customer must enable Shield Advanced protection on each resource within these accounts where WAF will be used. Shield Advanced provides application (L7) protection for CloudFront (CF) distributions and Application Load Balancers (ALB). Any L7 resources (e.g., API Gateway) that are not protected by Shield Advanced, but still use WAF, will be billed according to WAF usage charges.
AWS Shield Advanced Data Transfer Out Usage Fees (per GB)
- If you have deployed Amazon CloudFront in front of ELB, you only need to enable protection for Amazon CloudFront.
- AWS Shield Advanced is offered only for the protection of eligible AWS resources directly owned and managed by the subscribing AWS Account holder.
- AWS Shield Advanced subscriptions auto-renew annually. You will be notified at least 30 days prior to your renewal date of the upcoming annual renewal cycle. At any time within 30 days prior and 5 days prior to your renewal date, you may contact us at the AWS Support Center to cancel your upcoming subscription renewal. If you elect to cancel your subscription prior to your renewal date, you agree to pay any subscription fees up to and including the effective date of termination of the subscription. Please note we may ask for feedback to improve the product before processing your unsubscribe request.
- Fees associated with managed rules including managed rules from the AWS Marketplace are not waived for AWS Shield Advanced customers.
*All AWS Shield Advanced benefits, including DDoS cost protection, are subject to your fulfillment of the 1-year subscription commitment.
Example 1: AWS Shield Standard
AWS Shield Standard is automatically enabled when you use AWS services like Elastic Load Balancing (ELB), Application Load Balancer, Amazon CloudFront and Amazon Route 53. You pay only the standard fees described in the pricing pages for these AWS services.
Let’s assume you enable AWS WAF protections in addition to AWS Shield Standard.
Under this scenario, you pay the standard AWS WAF fees as described in the AWS WAF Pricing page.
Example 3: AWS Shield Advanced For Application Load Balancer
Let’s assume that you have Application Load Balancer with Regional Data Transfer out usage of 1,000 GB per month. You subscribe to AWS Shield Advanced for your AWS account and enable protection for your Application Load Balancer.
Under this scenario, at the end of the month, you will pay the AWS Shield Advanced monthly fee of $3,000. In addition to the monthly fee you will be charged $50 on the 1,000 GB of Regional Data Transfer out at $0.050 per GB (as AWS Shield Data Transfer Out usage fees). Your total AWS Shield charges for the month will be $3,000 + $50 = $3,050.
In addition, you will pay standard Application Load Balancer fees as described in the Application Load Balancer Pricing page.
Example 4: AWS Shield Advanced For Amazon CloudFront
Let’s assume that you deploy an Amazon CloudFront Distribution in front of the Application Load Balancer from Example 3. You then enable AWS Shield Advanced protection for your Amazon CloudFront Distribution, and remove it from your Application Load Balancer. (If you have deployed Amazon CloudFront in front of Application Load Balancer, you only need to enable protection for Amazon CloudFront.)
Under this scenario, at the end of the month, you will pay the AWS Shield Advanced monthly fee of $3,000. In addition to the monthly fee, you will be charged the AWS Shield Advanced usage based fee of $25 for the 1,000 GB of Regional Data Transfer out at $0.025 per GB. Your total AWS Shield charges for the month will be $3,000 + $25 = $3,025.
Example 5: AWS Shield Advanced For Amazon CloudFront With AWS WAF
Let’s assume that you enable AWS WAF on the Amazon CloudFront Distribution from Example 4. Because the Amazon CloudFront Distribution is already protected under AWS Shield Advanced, there are no additional charges for AWS WAF web ACL, rule or request fees. Your total AWS Shield charges for the month remain at $3,025.
Example 6: AWS Shield Advanced with AWS WAF on unprotected resource
Let’s assume you disable AWS Shield Advanced protection on the Amazon CloudFront distribution from Example 5 but still have AWS WAF protections in place.
Under this scenario, at the end of the month, you will pay the AWS Shield Advanced monthly fee of $3,000 and no AWS Shield Advanced Data Transfer Out Usage Fees.
However, you will pay the standard AWS WAF fees as described in the AWS WAF Pricing page.