AWS Shield: Standard vs Advanced, Pricing, and AWS WAF

AWS Shield is the DDoS protection service built into AWS. Every AWS account gets Shield Standard for free. It automatically blocks the most common network-layer floods. Shield Advanced is a paid tier that adds real-time attack visibility, access to AWS DDoS specialists, application-layer protection through AWS WAF integration, and financial protection against attack-driven scaling costs. Most small-to-medium workloads with low DDoS risk do fine on Standard alone. Advanced becomes worth it when downtime or a surprise AWS bill would cost more than the subscription.

The simple explanation

A DDoS attack floods your application with so much junk traffic that real users cannot get through. Picture a restaurant where a thousand fake customers pack the lobby so paying diners can never reach a table. That is what a DDoS attack does to your servers.

AWS Shield is the bouncer at the door. It inspects incoming traffic at the edge of AWS’s network and turns away the obvious fakes before they reach your resources. Shield Standard is the bouncer every restaurant gets for free: it handles the rowdy crowds and obvious troublemakers. Shield Advanced is the premium security team: they monitor cameras in real time, call in specialists during a crisis, and cover the cost if someone trashes the place.

Key distinction

Standard = automatic baseline protection that runs silently in the background. Advanced = paid, active protection with visibility, expert support, and financial coverage.

How AWS Shield works

Shield protection operates at multiple layers of the AWS global network:

  • Edge protection. Traffic entering AWS first passes through edge locations, the same network that powers Route 53 and CloudFront. Shield filters obvious volumetric floods here, before they ever reach your region.
  • Regional protection. Within an AWS region, Shield monitors traffic to your Application Load Balancers, EC2 instances, and other resources for patterns that indicate an attack.

Layer 3/4 vs Layer 7: what that means

Think of your application as a building. Layer 3/4 attacks try to block the roads leading to it (flooding the network pipes). Layer 7 attacks walk through the front door and waste everyone’s time with fake requests (overloading your application logic).

  • Layer 3/4 (network attacks) try to overwhelm your bandwidth or exhaust connection limits. Examples: SYN floods, UDP reflection attacks, DNS amplification. Both Shield Standard and Advanced handle these.
  • Layer 7 (application attacks) send requests that look like real traffic but are designed to overload your application. Examples: HTTP floods, slowloris attacks, requests targeting expensive API endpoints. These require AWS WAF rules to detect and block. Shield Advanced integrates directly with WAF for this layer.

AWS Shield Standard vs Shield Advanced

FeatureShield StandardShield Advanced
CostFree (included with every AWS account)$3,000/month per organization + data transfer fees on protected resources
Enabled by defaultYes, automatic, no setupNo, requires subscription and per-resource enrollment
Layer 3/4 DDoS protectionYes, common volumetric attacksYes, enhanced detection with traffic baselining
Layer 7 (application) protectionNoYes, through AWS WAF integration (WAF included at no extra cost on protected resources)
Attack visibility and reportingNoneReal-time metrics, attack notifications, historical reports
DDoS Response Team (DRT) accessNoYes, 24/7 during active attacks
Proactive engagementNoOptional. DRT contacts you when health checks degrade
Financial protection (cost credits)NoYes, credits for attack-driven scaling charges
Best fitMost workloads with low to moderate DDoS riskHigh-value, internet-facing apps where downtime or bill spikes are unacceptable

AWS Shield vs AWS WAF

This is one of the most common points of confusion for beginners. Shield and WAF are complementary, not interchangeable.

Think of it this way: Shield is the flood barrier that keeps the river from washing away your building. WAF is the security checkpoint at the front door that inspects every person walking in. You would not replace one with the other.

  • Shield protects against volumetric and protocol-level DDoS attacks, the kind that try to overwhelm your network capacity or exhaust connection state. Think floods of raw packets.
  • WAF (Web Application Firewall) inspects HTTP/HTTPS requests and blocks malicious patterns: SQL injection, cross-site scripting, HTTP floods, bot traffic, and custom rules you define.
When you need both

Any internet-facing application behind a load balancer or CloudFront benefits from both. Shield handles the network-layer floods automatically. WAF handles the application-layer threats you define rules for. Shield Advanced subscribers get WAF at no additional cost on protected resources, and the DDoS Response Team can write emergency WAF rules during an active attack.

For a broader view of how these services fit into your overall AWS security posture, see AWS Security Hub.

Which resources can Shield protect?

Shield Standard (automatic)

These resource types are protected automatically for every AWS account. No configuration needed:

  • Amazon EC2 instances
  • Elastic Load Balancers (ALB, NLB, CLB)
  • Amazon CloudFront distributions
  • AWS Global Accelerator accelerators
  • Amazon Route 53 hosted zones

Shield Advanced (explicit enrollment required)

The same resource types are eligible, but you must explicitly add each resource to a Shield Advanced protection. Subscribing to Advanced does not automatically protect everything. Resources you do not enroll receive only Standard-level coverage.

  • Amazon EC2 Elastic IP addresses
  • Elastic Load Balancers (Application and Network)
  • Amazon CloudFront distributions
  • AWS Global Accelerator accelerators
  • Amazon Route 53 hosted zones
Easy to miss

Teams regularly subscribe to Shield Advanced, assume everything is covered, then discover during an attack that their critical ALB was never added to a protection. After subscribing, explicitly enroll every resource that matters.

When Shield Standard is enough

For many AWS workloads, Shield Standard combined with good architecture is sufficient:

  • Internal or low-traffic applications. APIs serving a known set of clients, admin dashboards, staging environments.
  • Applications behind CloudFront. CloudFront absorbs a significant amount of volumetric traffic before it reaches your origin. For sites that are not high-value DDoS targets, this is often enough.
  • Workloads with low business impact from brief outages. If a few hours of degraded performance would not cause major financial or reputational damage.
  • Small teams without dedicated security operations. If nobody on your team would use the real-time metrics or DRT access, those Advanced features go unused.
Cost-effective DDoS mitigation

Putting your application behind CloudFront and Route 53 is one of the cheapest and most effective DDoS mitigations available. Both services are highly resilient and handled at AWS edge locations. For many smaller workloads, this is all you need.

When Shield Advanced is worth it

  • High-value internet-facing applications. E-commerce, financial services, gaming, media streaming, or any app where minutes of downtime mean real revenue loss.
  • Revenue-sensitive workloads with SLAs. If downtime triggers SLA penalties or customer churn.
  • Public-facing services likely to be targeted. Government, healthcare, or organizations that attract politically motivated attacks.
  • Teams that need real-time attack visibility. The metrics, dashboards, and attack summaries Advanced provides are valuable for incident response and post-attack analysis.
  • Workloads where attack-driven scaling costs are a risk. A large DDoS attack can cause auto-scaling to spin up resources that generate a massive bill. Shield Advanced’s financial protection covers these costs with credits.
  • Organizations without 24/7 DDoS expertise. The DDoS Response Team provides expert support during attacks without requiring in-house specialists.

Pricing and billing gotchas

Shield Standard is free. No charges, no signup.

Shield Advanced pricing has two components:

  • $3,000 per month per organization. This is the base subscription. It covers all accounts in your AWS Organization under one fee (not per-account or per-resource).
  • Data transfer fees. Shield Advanced charges for data transfer out (DTO) on protected resources beyond what you would normally pay. The exact rates depend on the resource type and region. Check the AWS Shield pricing page for current DTO rates.

The subscription auto-renews and has a one-year commitment. You cannot cancel mid-year without continuing to be billed for the remainder.

Financial protection

During a DDoS attack, auto-scaling and traffic absorption can spike your bill for EC2, ELB, CloudFront, Global Accelerator, and Route 53. Shield Advanced offers cost credits for charges directly caused by a DDoS event. You submit a request through AWS Support, and AWS reviews whether the charges qualify.

Without Shield Advanced

A large DDoS attack can generate an AWS bill far above your normal spend. Auto-scaling responds to attack traffic the same way it responds to legitimate traffic. For applications with significant public exposure, this financial risk is a major part of the Shield Advanced decision.

Operational prerequisites most guides skip

Two details that materially affect how you use Shield Advanced:

DRT access requires a paid Support plan

Shield Advanced gives you the right to contact the DDoS Response Team, but the DRT is reached through AWS Support cases. Without at least a Business-tier Support plan, you cannot open the support cases needed to engage the DRT during an attack. This is a material cost on top of the $3,000/month.

Proactive engagement requires health checks

For the DRT to contact you automatically when your application degrades, you must configure Route 53 health checks on your protected resources and associate them with your Shield protections. Without health checks, proactive engagement does not work. You have to notice the attack yourself and open a support case manually.

How to enable Shield Advanced

You can enable Shield Advanced through the AWS console (Shield > Getting started > Subscribe to Shield Advanced) or through the CLI. Here is the CLI workflow:

Subscribe and add protections

# Step 1: Subscribe your account/organization to Shield Advanced.
# This starts the $3,000/month billing and one-year commitment.
aws shield create-subscription

# Step 2: Add a protection for a specific resource.
# Replace the ARN with your actual ALB, CloudFront distribution, EIP, etc.
aws shield create-protection \
  --name "Production ALB Protection" \
  --resource-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/prod-alb/xxxxxxxxxxxxxxxx

# Step 3: Verify your protections are in place.
aws shield list-protections

# Step 4: Inspect a specific protection.
aws shield describe-protection \
  --protection-id protection-id-here

Enable proactive engagement

Proactive engagement lets the DRT contact you automatically when a Route 53 health check detects degradation on a protected resource. You need to associate a health check first, then enable the feature and set emergency contacts.

# Enable proactive engagement (requires health checks on protected resources)
aws shield enable-proactive-engagement

# Share your CloudFront or ALB access logs with the DRT for faster analysis
aws shield associate-drt-log-bucket \
  --log-bucket my-cloudfront-access-logs-bucket

# Set emergency contacts so the DRT can reach your team during an attack
aws shield update-emergency-contact-settings \
  --emergency-contact-list EmailAddress=security@company.com PhoneNumber="+12125551234"

Common mistakes

  1. Assuming Shield Standard handles application-layer attacks. Standard only protects against Layer 3/4 volumetric floods. HTTP floods, slowloris, and other application-layer attacks require AWS WAF rules. If your application is web-facing, you need WAF regardless of your Shield tier.
  2. Subscribing to Shield Advanced but not enrolling resources. The subscription does not auto-protect anything. You must explicitly add each resource (ALB, CloudFront distribution, EIP, etc.) to a Shield protection. Unenrolled resources get Standard-level coverage only.
  3. Not setting up emergency contacts and proactive engagement. During an attack, the DRT needs a way to reach you. Without emergency contacts and Route 53 health checks, the DRT cannot engage proactively. You have to notice the attack yourself and open a support case manually.
  4. Forgetting that DRT access requires a Business or Enterprise Support plan. Shield Advanced includes the right to contact the DRT, but the DRT is reached through AWS Support cases. Without Business or Enterprise support, you cannot open the cases needed to engage them.
  5. Skipping CloudFront as a first line of defense. CloudFront absorbs massive amounts of volumetric traffic before it reaches your origin. Placing your application behind CloudFront is one of the most effective and cheapest DDoS mitigations, even without Shield Advanced. See how this fits into a modern cloud architecture.

Frequently asked questions

Is AWS Shield Standard free?

Yes. Shield Standard is included at no extra charge for every AWS account. It automatically mitigates common Layer 3/4 DDoS attacks against EC2, Elastic Load Balancing, CloudFront, Global Accelerator, and Route 53. No configuration required.

When is Shield Advanced worth the $3,000/month?

Shield Advanced makes sense when your internet-facing application is high-value, revenue-sensitive, or a likely DDoS target, and when a surprise scaling bill or hours of downtime would cost more than the subscription. It also makes sense when you need real-time attack metrics or access to AWS DDoS specialists.

Do I still need AWS WAF if I have Shield?

Yes. Shield handles volumetric network-layer floods (Layer 3/4). AWS WAF handles application-layer attacks like HTTP floods and malicious request patterns (Layer 7). They are complementary. Shield Advanced subscribers get WAF at no extra cost on protected resources.

Which resources does Shield actually protect?

Shield Standard automatically covers EC2, ELB, CloudFront, Global Accelerator, and Route 53. Shield Advanced protects the same resource types but requires you to explicitly add each resource to a protection. It does not auto-enroll everything.

Does putting my app behind CloudFront reduce the need for Shield Advanced?

CloudFront absorbs a large amount of volumetric traffic before it reaches your origin, which significantly raises the bar for attackers. For many smaller workloads, CloudFront plus Shield Standard is enough. But CloudFront alone does not give you real-time attack visibility, DDoS Response Team access, or financial protection against scaling costs. Those require Shield Advanced.

Last verified: 30 March 2026 Cloud services change frequently. Verify details against official documentation before making infrastructure decisions.