AWS Shield: What It Is and When to Use It

Definition

AWS Shield is AWS's managed Distributed Denial-of-Service (DDoS) protection service. It comes in two tiers: Shield Standard, which is enabled automatically and free for every AWS customer and protects against common network- and transport-layer (Layer 3 and 4) attacks; and Shield Advanced, a paid subscription that adds more sophisticated DDoS mitigation, real-time visibility, access to the AWS Shield Response Team (SRT), cost protection against scale-out charges during attacks, and a bundled AWS WAF entitlement.

Shield Standard silently defends every CloudFront, Route 53, and AWS Global Accelerator endpoint (and by extension, anything behind them) from the bulk of commodity DDoS traffic. Shield Advanced extends that protection with enterprise-grade features for regulated industries, high-profile workloads, and anyone who considers DDoS attacks a tier-1 business risk.

How It Works

Shield Standard

  • Always on, no configuration needed, no charge.
  • Protects against the most common L3/L4 attacks: SYN floods, UDP reflection (NTP, memcached, DNS), and similar volumetric attacks.
  • Deployed at the AWS edge — traffic hitting CloudFront or Route 53 is filtered before it reaches your origin.
  • Offers "best effort" mitigation via AWS's global network capacity (measured in Tbps).

Shield Advanced

  • Paid subscription at $3,000 per month per organization (AWS Organizations-wide flat fee), with a 12-month commitment, plus data transfer out (DTO) usage fees on protected resources at lower tiered prices than standard DTO.
  • Extends Standard's L3/L4 protection with sophisticated mitigation against large, complex DDoS attacks — including application-layer (L7) protection when attached to CloudFront, ALB, API Gateway, or AWS Global Accelerator.
  • 24/7 access to the Shield Response Team (SRT) for attack triage, custom mitigations, and post-incident reviews.
  • Cost protection — automatic service credits for scale-out charges (EC2, ALB, CloudFront, Route 53) caused by an active DDoS event, protecting your bill from attack-driven autoscaling.
  • AWS WAF included at no extra charge on all protected resources — the $5/web-ACL, $1/rule, and $0.60/million-request WAF fees are waived on Shield-Advanced-associated resources.
  • Real-time attack diagnostics via Global Threat Dashboard and the shield:DescribeAttackStatistics APIs.
  • Health-based detection — hooks into Route 53 health checks and CloudWatch metrics for application-health-aware mitigation decisions.
  • Proactive engagement — SRT can proactively contact you via a pre-registered phone number when they detect an attack on a protected resource.

Protected Resource Types

Shield Advanced can be associated with: CloudFront distributions, Route 53 hosted zones, AWS Global Accelerator standard accelerators, Application Load Balancers, Classic Load Balancers, Network Load Balancers, Elastic IPs (for EC2, NAT gateways, etc.), and many Regional endpoints via AWS Global Accelerator front-ending.

Key Features and Limits

  • Shield Standard — automatic on CloudFront, Route 53, and Global Accelerator for all AWS customers; no subscription required.
  • Shield Advanced — $3,000/month/organization flat fee + protected-resource DTO at lower tiered rates.
  • Commitment — Shield Advanced has a 1-year subscription commitment.
  • SRT engagement — included as part of the subscription; SRT can be authorized to access and modify WAF rules during active attacks via the AWSShieldDRTAccessPolicy.
  • Cost protection — service credits cover EC2, ELB, CloudFront, Route 53, and AWS Global Accelerator scale-out charges during a documented DDoS incident.
  • Bundled WAF — full AWS WAF feature set at no additional rule/ACL/request charge on associated resources; add-on rule groups (Bot Control, ATP, ACFP) still billed separately.
  • Firewall Manager integration — centrally enforce Shield Advanced coverage across an AWS Organization.
  • Proactive Engagement — opt-in so SRT can call or page you during attacks.
  • Attack reports — post-incident forensics including attack vectors, peak bps/pps, and mitigation actions.
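
The SRT engagement, Proactive Engagement and attack-diagnostics items above map onto a short onboarding sequence that an account owner runs once after subscribing. The following is an added example, not code from this article or from AWS. It assumes the boto3 Shield client operation names (AssociateDRTRole, AssociateProactiveEngagementDetails, EnableProactiveEngagement), the documented managed-policy ARN and service principal for AWSShieldDRTAccessPolicy, and the AWS/DDoSProtection CloudWatch namespace; the role name ShieldSRTAccess, the contact details and the recording client are constructed so the code runs offline.

```python
"""Added example, not from the article or from AWS: the onboarding sequence
behind the SRT engagement, Proactive Engagement and attack-diagnostics items.
The Shield client is injected so the functions run offline; pass
boto3.client("shield") to perform the real calls.
"""
import json
import re

# Managed policy named in the article; ARN and SRT service principal are the
# documented values for that policy.
SRT_ACCESS_POLICY_ARN = "arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy"
SRT_SERVICE_PRINCIPAL = "drt.shield.amazonaws.com"

# Proactive-engagement phone numbers must be E.164: "+" then 2..15 digits.
E164_PHONE = re.compile(r"^\+[1-9]\d{1,14}$")


def build_srt_trust_policy() -> dict:
    """Trust policy for the role handed to the SRT with AssociateDRTRole.

    Only the SRT service principal may assume it; attach SRT_ACCESS_POLICY_ARN
    as its permissions policy so the SRT can read and modify WAF rules during
    an attack, and nothing else (least privilege for a third-party responder).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": SRT_SERVICE_PRINCIPAL},
            "Action": "sts:AssumeRole",
        }],
    }


def validate_emergency_contacts(contacts: list) -> list:
    """Return problems found in a proactive-engagement contact list.

    Proactive engagement means the SRT phones you, so each entry needs an
    e-mail address and an E.164 phone number, and the list cannot be empty.
    """
    problems = []
    if not contacts:
        problems.append("at least one emergency contact is required")
    for i, contact in enumerate(contacts):
        email = contact.get("EmailAddress", "")
        if "@" not in email:
            problems.append(f"contact {i}: invalid EmailAddress {email!r}")
        phone = contact.get("PhoneNumber", "")
        if not E164_PHONE.match(phone):
            problems.append(f"contact {i}: PhoneNumber {phone!r} is not E.164")
    return problems


def enable_srt_engagement(shield, srt_role_arn: str, contacts: list) -> dict:
    """Authorize the SRT and opt in to proactive engagement, in the required order:
    contacts must be registered before EnableProactiveEngagement is called."""
    problems = validate_emergency_contacts(contacts)
    if problems:
        raise ValueError("; ".join(problems))
    shield.associate_drt_role(RoleArn=srt_role_arn)
    shield.associate_proactive_engagement_details(EmergencyContactList=contacts)
    shield.enable_proactive_engagement()
    return {"role": srt_role_arn, "contacts": len(contacts)}


def ddos_detected_alarm(resource_arn: str, sns_topic_arn: str) -> dict:
    """Keyword arguments for CloudWatch put_metric_alarm on Shield Advanced's
    DDoSDetected metric, so your own on-call is paged alongside the SRT."""
    return {
        "AlarmName": f"shield-ddos-detected-{resource_arn.rsplit('/', 1)[-1]}"[:255],
        "Namespace": "AWS/DDoSProtection",
        "MetricName": "DDoSDetected",
        "Dimensions": [{"Name": "ResourceArn", "Value": resource_arn}],
        "Statistic": "Maximum",
        "Period": 60,
        "EvaluationPeriods": 1,
        "Threshold": 1,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "TreatMissingData": "notBreaching",
        "AlarmActions": [sns_topic_arn],
    }


class RecordingClient:
    """Constructed stand-in for boto3.client("shield") that records calls."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def operation(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return operation


if __name__ == "__main__":
    # Constructed sample values: replace the role ARN and contacts with your own.
    contacts = [{"EmailAddress": "secops@example.com", "PhoneNumber": "+15555550100",
                 "ContactNotes": "Primary on-call"}]
    client = RecordingClient()
    print(json.dumps(build_srt_trust_policy(), indent=2))
    print(enable_srt_engagement(client, "arn:aws:iam::123456789012:role/ShieldSRTAccess", contacts))
    print([name for name, _ in client.calls])
```

The validation step matters more than it looks: if the contact list is rejected, EnableProactiveEngagement fails and the SRT has no one to call during the first attack, which is exactly when the subscription is supposed to pay for itself. The DDoSDetected alarm is the cheapest way to surface an SRT-visible event to your own incident-response channel.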

Common Use Cases

  1. Compliance-driven workloads — financial services, gaming, healthcare, and public sector workloads with formal DDoS-protection requirements often mandate Shield Advanced.
  2. High-value public APIs — customer-facing endpoints where downtime during an attack directly costs revenue or breaches SLAs.
  3. Online gaming and streaming — latency-sensitive, high-visibility workloads that are historically top DDoS targets.
  4. Political or high-profile sites — campaign sites, news, advocacy, and any content that attracts ideologically motivated attacks.
  5. Cost-risk management — organizations that can't absorb a surprise scale-out bill during a sustained attack; Shield Advanced cost protection is often the decisive feature.
  6. Enterprises standardizing on AWS WAF — once you're paying $3,000/month, the bundled WAF entitlement on protected resources can offset a meaningful portion of the subscription for high-traffic sites.

Pricing Model

  • Shield Standard — free, always on, no configuration. No Free Tier concept needed because it is free for every customer.
  • Shield Advanced — $3,000/month flat fee per AWS Organization (not per account), billed monthly with a 12-month subscription commitment. On top of the flat fee, you pay tiered data transfer out usage fees on protected resources (CloudFront, ALB, NLB, Elastic IPs, Global Accelerator), at lower rates than standard DTO.
  • Cost protection credits automatically offset scale-out charges on protected resources during a verified DDoS event — EC2 scale-out under an ASG, ALB/ELB throughput, CloudFront requests/data transfer, and Route 53 queries are all eligible.
  • Bundled WAF — the web ACL ($5/month), rule ($1/rule/month), and request ($0.60/million) fees are waived on Shield-Advanced-protected resources. Add-on managed rule groups like Bot Control still follow their normal per-request pricing.

There is no Shield Advanced Free Tier. Shield Standard is the "free tier" equivalent and applies to everyone.

Pros and Cons

Pros

  • Shield Standard is free, always on, and protects the overwhelming majority of commodity DDoS traffic with zero configuration.
  • Shield Advanced's cost protection removes the "your autoscaling bill ballooned during an attack" risk.
  • Bundled WAF materially offsets the subscription for high-traffic sites.
  • 24/7 SRT access provides a human escalation path that no vendor-self-service WAF can match.

Cons

  • $3,000/month minimum makes Shield Advanced impractical for small workloads.
  • 12-month commitment limits experimentation; you can't subscribe for one month during a specific threat window.
  • Only specific resource types are "protected resources" — EC2 instances without an Elastic IP or Global Accelerator in front are not directly eligible.
  • For purely L7 threats (OWASP, bots), Shield Advanced is overkill; WAF alone may be the right tool.
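
The protected-resource list earlier and the Cons item about EC2 instances without an Elastic IP both come down to one check: is this ARN a type Shield Advanced will accept in CreateProtection? The following is an added example, not code from this article or from AWS. It assumes the standard ARN shapes for each service, the Shield API's resource-type names, and the boto3 create_protection(Name=..., ResourceArn=...) operation; the sample ARNs are constructed. One point the list does not spell out, stated here from AWS's documented behaviour: a Network Load Balancer or EC2 instance is protected through the Elastic IP allocation attached to it, so the check expects the EIP ARN rather than the instance or NLB ARN.

```python
"""Added example, not from the article or from AWS: an inventory check for the
"protected resource" rule. It sorts ARNs into those Shield Advanced can protect
directly and those it cannot (e.g. an EC2 instance with no Elastic IP in front)
and builds the CreateProtection requests for the eligible ones.
"""
import re

# Shield resource types keyed by the ARN shape that identifies them. A Network
# Load Balancer or EC2 instance is protected through the Elastic IP allocation
# attached to it, so pass the EIP ARN rather than the instance or NLB ARN.
ELIGIBLE = [
    (re.compile(r"^arn:aws:cloudfront::\d{12}:distribution/"), "CLOUDFRONT_DISTRIBUTION"),
    (re.compile(r"^arn:aws:route53:::hostedzone/"), "ROUTE_53_HOSTED_ZONE"),
    (re.compile(r"^arn:aws:globalaccelerator::\d{12}:accelerator/"), "GLOBAL_ACCELERATOR"),
    (re.compile(r"^arn:aws:elasticloadbalancing:[a-z0-9-]+:\d{12}:loadbalancer/app/"),
     "APPLICATION_LOAD_BALANCER"),
    (re.compile(r"^arn:aws:elasticloadbalancing:[a-z0-9-]+:\d{12}:loadbalancer/(?!app/|net/)"),
     "CLASSIC_LOAD_BALANCER"),
    (re.compile(r"^arn:aws:ec2:[a-z0-9-]+:\d{12}:eip-allocation/"), "ELASTIC_IP_ALLOCATION"),
]


def classify(arn: str):
    """Shield resource type for an ARN, or None when it is not directly protectable."""
    for pattern, resource_type in ELIGIBLE:
        if pattern.match(arn):
            return resource_type
    return None


def protection_name(arn: str) -> str:
    """Derive a CreateProtection Name (letters, digits, _ . - only, max 128) from the ARN."""
    resource = arn.split(":", 5)[-1]  # everything after the account field
    return re.sub(r"[^A-Za-z0-9_.-]", "-", resource)[:128]


def plan_protections(arns):
    """Split ARNs into CreateProtection requests and a list of ineligible ARNs."""
    requests, ineligible = [], []
    for arn in arns:
        if classify(arn) is None:
            ineligible.append(arn)
        else:
            requests.append({"Name": protection_name(arn), "ResourceArn": arn})
    return requests, ineligible


def apply_protections(shield, arns):
    """Create one protection per eligible ARN with a boto3 Shield client (or any
    stand-in exposing create_protection(Name=..., ResourceArn=...)). Returns the
    ProtectionIds and the skipped ARNs, so gaps in coverage are reported rather
    than silently dropped.
    """
    requests, ineligible = plan_protections(arns)
    ids = [shield.create_protection(**req)["ProtectionId"] for req in requests]
    return ids, ineligible


if __name__ == "__main__":
    # Constructed inventory: one distribution, one EIP and one bare EC2 instance.
    inventory = [
        "arn:aws:cloudfront::123456789012:distribution/EDFDVBD6EXAMPLE",
        "arn:aws:ec2:us-east-1:123456789012:eip-allocation/eipalloc-0123456789abcdef0",
        "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0",
    ]
    requests, ineligible = plan_protections(inventory)
    for req in requests:
        print("protect:", req["Name"])
    for arn in ineligible:
        print("not directly protectable (front it with an EIP, CloudFront or Global Accelerator):", arn)
    # Real onboarding: apply_protections(boto3.client("shield"), inventory)
```

Run this over an account's ARN inventory before the subscription starts: the ineligible list is the set of resources that would still be exposed after paying the flat fee, which is the number the cost-benefit discussion in the FAQ below actually depends on.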

Comparison with Alternatives

| Feature | Shield Standard | Shield Advanced | AWS WAF |
| --- | --- | --- | --- |
| Layer | L3 / L4 | L3 / L4 + L7 via bundled WAF | L7 only |
| Cost | Free | $3,000/month/org + protected DTO | $5/ACL + $1/rule + $0.60/M req |
| SRT access | No | 24/7 | No |
| Cost protection | No | Yes | No |
| Best for | Baseline DDoS defense | Enterprise, compliance, high-value | App-layer rules, OWASP, bots |

Exam Relevance

Shield is tested on:

  • Cloud Practitioner (CLF-C02) — basic differentiation between Shield Standard (free, everyone) and Shield Advanced (paid enterprise tier).
  • Solutions Architect Associate (SAA-C03) — when to pair Shield Advanced with CloudFront / ALB / Global Accelerator; bundled WAF implications.
  • Security Specialty (SCS-C02) — SRT engagement, DDoS response playbooks, Firewall Manager Shield policies, cost protection mechanics.
  • Advanced Networking Specialty (ANS-C01) — placement across CloudFront, Global Accelerator, Route 53, and Elastic IP protected resources.

Classic exam trap: confusing Shield (L3/L4 DDoS, with L7 bundled only in Advanced) with AWS WAF (L7 application firewall). If a question mentions SQL injection, XSS, rate limiting per IP, or OWASP, the answer is WAF (possibly included in Shield Advanced). If a question mentions SYN flood, UDP reflection, volumetric attack, 24/7 response team, or cost protection, the answer is Shield Advanced. A second trap: Shield Advanced's 12-month commitment — candidates sometimes expect on-demand monthly cancellation.

Frequently Asked Questions

Q: What is the difference between Shield Standard and Shield Advanced?

A: Shield Standard is free and automatically enabled for all AWS customers. It protects CloudFront, Route 53, and Global Accelerator endpoints from the most common L3/L4 DDoS attacks (SYN floods, UDP reflection, etc.) using AWS's global edge capacity. Shield Advanced is a paid subscription ($3,000/month/organization with a 12-month commitment, plus tiered DTO) that adds 24/7 access to the Shield Response Team, cost protection against DDoS-driven scale-out charges, enhanced L3/L4/L7 mitigations, bundled AWS WAF at no extra charge on protected resources, and real-time attack diagnostics.

Q: Does Shield Advanced protect against application-layer (L7) attacks?

A: Yes, through its bundled AWS WAF entitlement and Shield-Advanced-specific L7 mitigations. When you associate Shield Advanced with a CloudFront distribution, ALB, API Gateway, or AppSync endpoint, the web ACL and rule fees from WAF are waived on that resource, and the SRT can author custom WAF rules in real time during an attack. For Global Accelerator and Route 53 endpoints, Shield Advanced still focuses on L3/L4, since those endpoints don't expose HTTP semantics directly.

Q: When is Shield Advanced worth the $3,000/month cost?

A: When one or more of the following applies: (1) you run high-value public endpoints where downtime during a DDoS event has material revenue or reputational cost; (2) regulatory/contractual requirements mandate a named 24/7 DDoS response team; (3) the cost-protection credits would materially reduce your exposure to attack-driven scale-out bills; (4) the bundled WAF entitlement offsets a large existing WAF bill on protected resources. Smaller workloads typically do fine with Shield Standard plus standalone AWS WAF.

This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official AWS Shield documentation before making production decisions.

Published: 4/17/2026 / Updated: 4/17/2026
