Compare Tiers
Whether you are running multiple mission-critical web applications on AWS and want visibility and protection from larger and more sophisticated attacks, or you are running a single web application on AWS and looking to get started with protection against common DDoS attacks, AWS Shield provides built-in protection, and access to tools, services and expertise to help you protect your applications on AWS.
AWS Shield Standard
For protection against most common DDoS attacks, and access to tools and best practices to build a DDoS resilient architecture.
Automatically available on all AWS services.
AWS Shield Advanced
For additional protection against larger and more sophisticated attacks, visibility into attacks, and 24x7 access to DDoS experts for complex cases. See the AWS Shield Advanced Service Level Agreement.
Available on:
- HAQM Route 53
- HAQM CloudFront
- Elastic Load Balancing
- AWS Global Accelerator
- Elastic IP (HAQM Elastic Compute Cloud and Network Load Balancer)
| Feature | AWS Shield Standard |
AWS Shield Advanced* |
| Active Traffic Monitoring |
||
| Network flow monitoring |
Yes | Yes |
| Automatic always-on detection | Yes | Yes |
| Application traffic monitoring |
x | Yes |
| Attack Mitigations | ||
| Protection from common DDoS attacks (e.g. SYN floods, ACK floods, UDP floods, Reflection attacks) |
Yes | Yes |
| Automatic inline mitigation |
Yes |
Yes |
| Additional DDoS mitigation capacity for large attacks |
x | Yes |
| Automatic application layer (L7) DDoS mitigations | x | Yes |
| Self-service application layer (Layer 7) mitigations |
Yes, using AWS WAF |
Yes, using AWS WAF |
| SRT-driven application layer (Layer 7) mitigations |
x | Yes, with Shield Response Team |
| Instant rule updates | Yes, using AWS WAF |
Yes, using AWS WAF |
| AWS WAF for app vulnerability protection |
Yes, using AWS WAF |
Yes, using AWS WAF |
| Visibility and Reporting | ||
| Layer 3/Layer 4 attack notification | x | Yes |
| Layer 7 attack notification | x | Yes |
| Layer 3/Layer 4/ Layer 7 attack historical report | x | Yes |
| Shield Response Team and Support |
||
| DDoS protection best practices/architecture review |
Yes, self-service |
Yes |
| Custom mitigations during attacks |
x | Yes, with Enterprise or Business support |
| Post attack analysis | x | Yes, with Enterprise or Business support |
| DDoS Cost Protection (Service credits for DDoS scaling charges) |
||
| HAQM Route 53 | x | Yes |
| HAQM CloudFront | x | Yes |
| Elastic Load Balancing (ELB) |
x | Yes |
| HAQM Elastic Compute Cloud (EC2) |
x | Yes |
| Note: AWS Shield Advanced benefits, including DDoS cost protection, are subject to your fulfillment of the 1-year subscription commitment. |
||
| Web Application Firewall (WAF) |
||
| Self-service | Yes | Yes |
| API access/integration | Yes | Yes |
| Flexible rules engine |
Yes | Yes |
| Fast rule propagation |
Yes | Yes |
| Pricing | See Pricing | Included at no additional charge with AWS Shield Advanced for resources protected in AWS Shield Advanced |
| Cost | ||
| Monthly | x | Yes, see Pricing (Subject to 1-year subscription) |
| Usage based | x | Yes, see Pricing |
| SLA |
x | Yes |
AWS Shield Standard
For protection against most common DDoS attacks, and access to tools and best practices to build a DDoS resilient architecture.
Automatically available on all AWS services.
AWS Shield Advanced
For additional protection against larger and more sophisticated attacks, visibility into attacks, and 24x7 access to DDoS experts for complex cases. See the AWS Shield Advanced Service Level Agreement.
Available on:
- HAQM Route 53
- HAQM CloudFront
- Elastic Load Balancing
- AWS Global Accelerator
- Elastic IP (HAQM Elastic Compute Cloud and Network Load Balancer)
| Feature | AWS Shield Standard |
AWS Shield Advanced* |
| Active Traffic Monitoring |
||
| Network flow monitoring |
Yes | Yes |
| Automatic always-on detection | Yes | Yes |
| Application traffic monitoring |
x | Yes |
| Attack Mitigations | ||
| Protection from common DDoS attacks (e.g. SYN floods, ACK floods, UDP floods, Reflection attacks) |
Yes | Yes |
| Automatic inline mitigation |
Yes |
Yes |
| Additional DDoS mitigation capacity for large attacks |
x | Yes |
| Automatic application layer (L7) DDoS mitigations | x | Yes |
| Self-service application layer (Layer 7) mitigations |
Yes, using AWS WAF |
Yes, using AWS WAF |
| SRT-driven application layer (Layer 7) mitigations |
x | Yes, with Shield Response Team |
| Instant rule updates | Yes, using AWS WAF |
Yes, using AWS WAF |
| AWS WAF for app vulnerability protection |
Yes, using AWS WAF |
Yes, using AWS WAF |
| Visibility and Reporting | ||
| Layer 3/Layer 4 attack notification | x | Yes |
| Layer 7 attack notification | x | Yes |
| Layer 3/Layer 4/ Layer 7 attack historical report | x | Yes |
| Shield Response Team and Support |
||
| DDoS protection best practices/architecture review |
Yes, self-service |
Yes |
| Custom mitigations during attacks |
x | Yes, with Enterprise or Business support |
| Post attack analysis | x | Yes, with Enterprise or Business support |
| DDoS Cost Protection (Service credits for DDoS scaling charges) |
||
| HAQM Route 53 | x | Yes |
| HAQM CloudFront | x | Yes |
| Elastic Load Balancing (ELB) |
x | Yes |
| HAQM Elastic Compute Cloud (EC2) |
x | Yes |
| Note: AWS Shield Advanced benefits, including DDoS cost protection, are subject to your fulfillment of the 1-year subscription commitment. |
||
| Web Application Firewall (WAF) |
||
| Self-service | Yes | Yes |
| API access/integration | Yes | Yes |
| Flexible rules engine |
Yes | Yes |
| Fast rule propagation |
Yes | Yes |
| Pricing | See Pricing | Included at no additional charge with AWS Shield Advanced for resources protected in AWS Shield Advanced |
| Cost | ||
| Monthly | x | Yes, see Pricing (Subject to 1-year subscription) |
| Usage based | x | Yes, see Pricing |
| SLA |
x | Yes |