Compare Tiers
Whether you are running multiple mission-critical web applications on AWS and want visibility and protection from larger and more sophisticated attacks, or you are running a single web application on AWS and looking to get started with protection against common DDoS attacks, AWS Shield provides built-in protection, and access to tools, services and expertise to help you protect your applications on AWS.
AWS Shield Standard
Automatically available on all AWS services.
To detect and automatically mitigate layer 7 DDoS events, enable the application layer (L7) DDoS protection AWS Managed Rule group.
AWS Shield Advanced
For additional protection against larger and more sophisticated attacks, visibility into attacks, and 24x7 access to DDoS experts for complex cases. See the AWS Shield Advanced Service Level Agreement.
Available on:
HAQM Route 53
HAQM CloudFront
Elastic Load Balancing
AWS Global Accelerator
Elastic IP (HAQM Elastic Compute Cloud and Network Load Balancer)
To detect and automatically mitigate layer 7 DDoS events, enable the application layer (L7) DDoS protection AWS Managed Rule group.
FEATURE |
AWS SHIELD STANDARD |
AWS SHIELD ADVANCED* |
Active Traffic Monitoring |
||
Network flow monitoring |
Yes |
Yes |
Automatic always-on detection |
Yes |
Yes |
Application traffic monitoring |
x |
Yes |
Attack Mitigations |
||
Protection from common DDoS attacks (e.g. SYN floods, ACK floods, UDP floods, Reflection attacks) |
Yes |
Yes |
Automatic inline mitigation |
Yes |
Yes |
Additional DDoS mitigation capacity for large attacks |
x |
Yes |
Automatic application layer (L7) DDoS mitigations |
x |
Yes |
Self-service application layer (Layer 7) mitigations |
Yes, using AWS WAF |
Yes, using AWS WAF |
SRT-driven application layer (Layer 7) mitigations |
x |
Yes, with Shield Response Team |
Instant rule updates |
Yes, using AWS WAF |
Yes, using AWS WAF |
AWS WAF for app vulnerability protection |
Yes, using AWS WAF |
Yes, using AWS WAF |
Visibility and Reporting |
||
Layer 3/Layer 4 attack notification |
x |
Yes |
Layer 7 attack notification |
x |
Yes |
Layer 3/Layer 4/ Layer 7 attack historical report |
x |
Yes |
Shield Response Team and Support |
||
DDoS protection best practices/architecture review |
Yes, self-service |
Yes |
Custom mitigations during attacks |
x |
Yes, with Enterprise or Business support |
Post attack analysis |
x |
Yes, with Enterprise or Business support |
DDoS Cost Protection (Service credits for DDoS scaling charges) |
||
HAQM Route 53 |
x |
Yes |
HAQM CloudFront |
x |
Yes |
Elastic Load Balancing (ELB) |
x |
Yes |
HAQM Elastic Compute Cloud (EC2) |
x |
Yes |
Note: AWS Shield Advanced benefits, including DDoS cost protection, are subject to your fulfillment of the 1-year subscription commitment. |
||
Web Application Firewall (WAF) |
||
Self-service |
Yes |
Yes |
API access/integration |
Yes |
Yes |
Flexible rules engine |
Yes |
Yes |
Fast rule propagation |
Yes |
Yes |
Pricing |
See Pricing |
Included at no additional charge with AWS Shield Advanced for resources protected in AWS Shield Advanced |
Cost |
||
Monthly |
x |
Yes, see Pricing (Subject to 1-year subscription) |
Usage based |
x |
Yes, see Pricing |
SLA |
x |
Yes |
Next steps
Read AWS Shield FAQs