
General


AWS Shield protects networks and applications by identifying network security configuration issues and defending applications against active web exploitation and distributed denial of service (DDoS) events.

AWS Shield network security director (preview) performs network security analysis to visualize your network topology, identify configuration issues, and receive actionable remediation recommendations.

For managed DDoS protection, the AWS Shield Advanced tier offers always-on automatic mitigation of sophisticated DDoS events to minimize application downtime and latency. You can customize your DDoS protection strategy using application-specific security controls and expert guidance from the Shield Response Team during active DDoS incidents.

AWS Shield network security director is a capability of AWS Shield that helps you visualize network resources and address configuration issues from known threats like SQL injections and DDoS events. This capability identifies and analyzes your network resources, connections, and configurations against AWS best practices and threat intelligence to build a complete network topology that provides visibility into your network. Network security findings are aggregated into a comprehensive dashboard by severity along with step-by-step instructions so you can respond to issues quickly. Gain a clear understanding of your security posture and turn complex network security analysis into simple conversations with the AWS generative AI–powered assistant, Amazon Q Developer.

AWS Shield Standard provides protection for all AWS customers against common and most frequently occurring infrastructure (layer 3 and 4) events like SYN/UDP floods, reflection events, and others to support high availability of your applications on AWS.

AWS Shield Advanced provides enhanced protections for your applications running on protected Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Route 53 resources against more sophisticated and larger attacks. AWS Shield Advanced protection provides always-on, flow-based monitoring of network traffic and active application monitoring to provide near real-time notifications of suspected DDoS incidents. AWS Shield Advanced customers can enable application layer (L7) DDoS protection at no additional cost for up to 50 billion AWS WAF requests per month. If an AWS Shield Advanced customer exceeds this inclusion, there will be an additional charge. AWS Shield Advanced also employs advanced attack mitigation and routing techniques for automatically mitigating attacks. Customers with Business or Enterprise support can also engage the Shield Response Team (SRT) 24x7 to manage and mitigate their application layer DDoS events. The DDoS cost protection for scaling protects your AWS bill against higher fees due to usage spikes from protected Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53 during a DDoS attack.

As threats continue to evolve beyond DDoS events, AWS Shield has expanded its capabilities to enhance network and application protection beyond DDoS defense. Currently in preview, AWS Shield network security director represents a commitment to providing comprehensive security solutions.

AWS Shield Advanced continues to provide detection and mitigation against large and sophisticated DDoS events, near real-time visibility into events, and integration with AWS WAF, a web application firewall. AWS Shield Advanced also gives you 24/7 access to the AWS Shield Response Team (SRT) and protection against DDoS-related spikes.

When you open the network security director console for the first time, choose Start Network Analysis. You will then be asked to give permission to scan your account. Once accepted, analysis of your network resources will begin. When complete, you will receive a notification in the network security director console.

AWS Shield will only analyze resources you have access to based on your IAM permissions.

To start a network security analysis, launch Amazon Q Developer from anywhere in the AWS Management Console. Enter a network security–related prompt, such as “What are my most critical network security configuration issues?” Amazon Q Developer will direct you to the AWS Shield network security director console to initiate a network analysis. Once the analysis is complete, you will receive a console notification.

You can then query Amazon Q Developer about the network security posture of the resources in your account, such as “Are my web applications protected from bot events?” or “Do any of my EC2 instances allow overly permissive access?”

AWS Shield helps you easily understand your network security using natural language with Amazon Q Developer. It also allows you to receive recommendations for how to protect internet-facing resources, enforce network boundaries, and restrict human access to resources based on port, protocol, or IP address range.

Amazon Q Developer is available in select AWS Regions.

Currently in preview, this capability of AWS Shield does not support continuous analysis or automated monitoring over time. Each analysis needs to be manually triggered to capture a snapshot of current resources and their configurations. For the most up-to-date visibility into your network security configuration issues, initiate additional analyses as needed. Each analysis informs findings and remediation recommendations for 90 days after it completes.

Currently in preview, AWS Shield analyzes common network security issues, such as controlling human access to resources and protecting applications against threats like DDoS.

For example, you can determine if your EC2 instances are allowing unrestricted access to all ports by asking “Are any of my EC2 instances allowing unrestricted access?” To protect applications from web-based threats, you can ask “Are any of my resources vulnerable to common web threats?”

Currently in preview, AWS Shield supports analysis of AWS WAF, VPC security groups, and VPC network access control lists (network ACLs).

Currently in preview, this AWS Shield capability discovers Amazon CloudFront distributions, Amazon Application Load Balancers, Amazon API Gateways, Amazon Virtual Private Clouds (VPCs), VPC Elastic Network Interfaces, VPC subnets, and Amazon EC2 instances in a single account. AWS Shield determines how these resources are tagged and connected to each other by identifying routable paths between them and to the internet.

You can use Amazon Q Developer, the generative AI–powered assistant for AWS, to help you identify network security configuration issues in your AWS account. Amazon Q Developer network security analysis can understand natural language queries and works with AWS Shield to provide relevant responses. Easily inspect your network security data, gain deeper understanding of issues, and obtain actionable insights—all through conversational dialogue.

AWS Shield network analysis references publicly documented definitions of network security controls for WAF, security groups, and network ACLs. AWS Shield supplements these definitions by recommending when and how certain network security services should be enabled based on a resource's network context, such as whether it is internet-facing or has other connected resources.

AWS Shield specifically identifies network security risks based on AWS best practices and threat intelligence to recommend remediations consisting of the right services and rule sets to secure your environment or applications.

Currently in preview, this AWS Shield capability does not support third-party network security services from AWS security partners.

AWS Shield Advanced includes DDoS cost protection, a safeguard from scaling charges as a result of a DDoS attack that causes usage spikes on protected Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, or Amazon Route 53. If any of the AWS Shield Advanced protected resources scale up in response to a DDoS attack, you can request credits via the regular AWS Support channel.

Yes, AWS Shield is integrated with Amazon CloudFront, which supports custom origins outside of AWS.

AWS Shield Advanced detection and mitigations work with IPv6 and IPv4 without any discernible changes to performance, scalability, or availability of the service. Currently in preview, AWS Shield network security director does not support IPv6.

AWS Acceptable Use Policy describes permitted and prohibited behavior on AWS, and it includes descriptions of prohibited security violations and network abuse. However, because DDoS simulation testing, penetration testing, and other simulated events are frequently indistinguishable from these activities, we have established policies for customers to request permission to conduct DDoS tests, penetration tests and vulnerability scans. Visit our Penetration testing page and DDoS Simulation Testing policy for more details.

During the preview period, AWS Shield network security director is available at no additional cost in select AWS Regions: US East (N. Virginia) and Europe (Stockholm).

AWS Shield Standard is available on all AWS services in every AWS Region and AWS edge location worldwide.

Please refer to Regional Products and Services for details of AWS Shield Standard availability by region.

AWS Shield Advanced is available globally on all Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53 edge locations worldwide. You can protect your web applications hosted anywhere in the world by deploying Amazon CloudFront in front of your application. Your origin servers can be Amazon Simple Storage Service (S3), Amazon EC2, Elastic Load Balancing, or a custom server outside of AWS. You can also enable AWS Shield Advanced directly on Elastic Load Balancing or Amazon EC2 in the following AWS Regions: Northern Virginia, Ohio, Oregon, Northern California, Montreal, São Paulo, Ireland, Frankfurt, London, Paris, Stockholm, Singapore, Tokyo, Sydney, Seoul, Mumbai, Milan, Cape Town, Hong Kong, Bahrain, Malaysia, and UAE.

Please refer to Regional Products and Services for up-to-date details of AWS Shield Advanced availability by region.

Yes, AWS has expanded its HIPAA compliance program to include AWS Shield as a HIPAA eligible service. If you have an executed Business Associate Agreement (BAA) with AWS, you can use AWS Shield to safeguard your web applications running on AWS from Distributed Denial of Service (DDoS) attacks. For more information, see HIPAA Compliance.

Configuring protections


AWS Shield Standard automatically provides protection for web applications running on AWS against the most common, frequently occurring Infrastructure layer attacks like UDP floods, and State exhaustion attacks like TCP SYN floods. Customers can also use AWS WAF to protect against Application layer attacks like HTTP POST or GET floods. Find more details on how to deploy application layer protections in the AWS WAF and AWS Shield Advanced Developer Guide.

There is no limit on the number of resources subject to AWS Shield Standard protection. You can get the full benefits of AWS Shield Standard protections by following the best practices of DDoS resiliency on AWS.

You can enable up to 1000 AWS resources of each supported resource type (Classic / Application Load Balancers, Amazon CloudFront distributions, Amazon Route 53 hosting zones, Elastic IPs, AWS Global Accelerator accelerators) for AWS Shield Advanced protection. If you want to enable more than 1000, you can request a limit increase by creating an AWS Support case.

Yes. AWS Shield Advanced can be activated via APIs. You can also add or remove AWS resources from AWS Shield Advanced protection via APIs.
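The API path described above, as an added example that is not part of the AWS FAQ: it first checks that an ARN is one of the resource types Shield Advanced protects directly (the list given in this FAQ), then uses the boto3 Shield client to create the subscription if needed and a protection for the resource. The ARNs are constructed placeholders.

```python
"""Enrol a resource in AWS Shield Advanced protection via the API (added example)."""
from typing import Optional

# Services whose resources Shield Advanced protects directly, per this FAQ's list.
_DIRECTLY_PROTECTED = {
    "cloudfront": "CloudFront distribution",
    "route53": "Route 53 hosted zone",
    "globalaccelerator": "Global Accelerator accelerator",
}


def protectable_resource_type(arn: str) -> Optional[str]:
    """Return the resource type if Shield Advanced can protect this ARN directly, else None."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        return None
    service, resource = parts[2], parts[5]
    if service in _DIRECTLY_PROTECTED:
        return _DIRECTLY_PROTECTED[service]
    if service == "ec2" and resource.startswith("eip-allocation/"):
        return "Elastic IP"
    if service == "elasticloadbalancing":
        if resource.startswith("loadbalancer/app/"):
            return "Application Load Balancer"
        if resource.startswith(("loadbalancer/net/", "loadbalancer/gwy/")):
            return None  # NLB/GWLB are not in the FAQ's list: protect their Elastic IPs instead
        if resource.startswith("loadbalancer/"):
            return "Classic Load Balancer"
    return None


def protect(arn: str, name: str) -> str:
    """Ensure a Shield Advanced subscription exists, then protect `arn`; returns the protection ID."""
    import boto3  # imported lazily so the ARN check above is usable without boto3 installed
    from botocore.exceptions import ClientError

    kind = protectable_resource_type(arn)
    if kind is None:
        raise ValueError(f"Shield Advanced cannot protect {arn} directly")
    shield = boto3.client("shield", region_name="us-east-1")  # the Shield API endpoint is global (us-east-1)
    try:
        shield.describe_subscription()
    except ClientError as err:
        if err.response["Error"]["Code"] != "ResourceNotFoundException":
            raise
        shield.create_subscription()  # this starts Shield Advanced billing for the account
    resp = shield.create_protection(Name=name, ResourceArn=arn)
    return resp["ProtectionId"]


if __name__ == "__main__":
    # Constructed placeholder ARN; replace with a resource in your own account.
    print(protect("arn:aws:cloudfront::123456789012:distribution/EXAMPLEDIST", "prod-cdn"))
```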

For application layer events, the AWS WAF application layer (L7) DDoS protection AWS Managed Rule group automatically detects and mitigates DDoS events within seconds.

Learn more about AWS WAF application layer (L7) DDoS protection.

Yes, a number of our customers choose to use AWS endpoints in front of their backend instances. Most commonly, these endpoints are our globally distributed services of CloudFront and Route 53. These services are also our best practice suggestions for DDoS resiliency. Customers can then protect these CloudFront distributions and Route 53 hosted zones with Shield Advanced. Please note that you need to lock down your backend resources to only accept traffic from these AWS endpoints.
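One way to enforce the lock-down mentioned above, as an added example that is not part of the AWS FAQ: audit an origin security group for HTTP/HTTPS ingress open to the whole internet and replace it with a rule that admits only CloudFront's origin-facing address ranges through the AWS-managed prefix list `com.amazonaws.global.cloudfront.origin-facing`. The sample security group is constructed.

```python
"""Restrict origin security groups to CloudFront origin-facing IPs (added example)."""
from typing import Dict, List

CLOUDFRONT_ORIGIN_FACING_PL = "com.amazonaws.global.cloudfront.origin-facing"
WEB_PORTS = {80, 443}


def world_open_web_rules(sg: Dict) -> List[Dict]:
    """Return minimal IpPermissions covering any 80/443 ingress from 0.0.0.0/0 or ::/0 in one security group."""
    hits = []
    for perm in sg.get("IpPermissions", []):
        if perm.get("IpProtocol") not in ("tcp", "-1"):
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)  # "-1" carries no port range
        if not any(lo <= p <= hi for p in WEB_PORTS):
            continue
        open_v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") == "0.0.0.0/0"]
        open_v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == "::/0"]
        if open_v4 or open_v6:
            # Only the world-open ranges are returned so revoking them leaves internal CIDRs intact.
            hit = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
            if open_v4:
                hit["IpRanges"] = open_v4
            if open_v6:
                hit["Ipv6Ranges"] = open_v6
            hits.append(hit)
    return hits


def cloudfront_only_rule(prefix_list_id: str, port: int = 443) -> Dict:
    """Ingress permission that admits only CloudFront origin-facing ranges (resolved via the prefix list)."""
    return {
        "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
        "PrefixListIds": [{"PrefixListId": prefix_list_id,
                           "Description": "CloudFront origin-facing ranges only"}],
    }


def remediate(group_id: str, region: str) -> List[Dict]:
    """Add the prefix-list rule, then revoke world-open web ingress; returns what was revoked."""
    import boto3  # lazy import keeps the pure functions above usable offline
    ec2 = boto3.client("ec2", region_name=region)
    pl_id = ec2.describe_managed_prefix_lists(
        Filters=[{"Name": "prefix-list-name", "Values": [CLOUDFRONT_ORIGIN_FACING_PL]}]
    )["PrefixLists"][0]["PrefixListId"]
    sg = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    bad = world_open_web_rules(sg)
    if bad:
        # Authorize before revoking so legitimate CloudFront traffic never hits a gap.
        # Note: this prefix list consumes many rule slots against the security group quota.
        ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=[cloudfront_only_rule(pl_id)])
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=bad)
    return bad


# Constructed sample shaped like one describe_security_groups() entry.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ],
}
```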

Responding to events


AWS Shield Standard automatically protects your web applications running on AWS against the most common, frequently occurring DDoS events. You can get the full benefits of AWS Shield Standard by following the best practices of DDoS resiliency on AWS.

Enhanced application layer DDoS protection is available for AWS Shield Standard and Shield Advanced customers in addition to current fees. Learn more about AWS WAF application layer (L7) DDoS protection to further protect your applications.

For managed DDoS protection, the AWS Shield Advanced tier offers always-on automatic mitigation of sophisticated DDoS events to minimize application downtime and latency. You can customize your DDoS protection strategy using application-specific security controls and expert guidance from the Shield Response Team during active DDoS incidents.

AWS Shield Advanced includes DDoS protection for layers 3, 4, and 7; 24/7 support from the Shield Response Team (SRT); and cost protection against usage spikes caused by events. AWS Shield Advanced customers can enable application layer (L7) DDoS protection at no additional cost for up to 50 billion AWS WAF requests per month. If an AWS Shield Advanced customer exceeds this inclusion, there will be an additional charge.

Yes, you need a Business or Enterprise support plan in order to escalate to or engage the AWS Shield Response Team (SRT). See the AWS Support website for more details about AWS Support plans.

You can engage the AWS Shield Response Team (SRT) via regular AWS support, or contact AWS Support.

Response times for the SRT depend on the AWS Support plan you are subscribed to. We will make every reasonable effort to respond to your initial request within the corresponding timeframes. See the AWS Support website for more details about AWS Support plans.

No. Network security analysis serves two critical purposes: identifying potential configuration issues before a security event occurs and strengthening your security posture on an ongoing basis, which enables continuous improvement.

Visibility and reporting


AWS Shield network security director takes the challenge out of identifying and analyzing AWS resources, configurations, and connections in your account to discover resources that need protection. It does this by analyzing the resources in your environment and aggregating findings in a single network topology view. These findings are prioritized by severity level so you can respond to critical issues first. AWS Shield also provides instructions on implementing the correct services and rule sets to help you respond to issues quickly.

During the preview period, AWS Shield network security director will be available at no additional cost.

Yes. With AWS Shield Advanced, you will get notification of DDoS events through CloudWatch metrics.

Typically, AWS Shield Advanced provides notification of an event within a few minutes of event detection.
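A way to turn the CloudWatch-based notification described above into an actual page, as an added example that is not part of the AWS FAQ: Shield Advanced publishes the `DDoSDetected` metric in the `AWS/DDoSProtection` namespace with a `ResourceArn` dimension (it reads 1 while an event is in progress), so one alarm per protected resource can fan out to an SNS topic. The SNS topic ARN is a constructed placeholder; global resources (CloudFront, Route 53, Global Accelerator) report in us-east-1.

```python
"""Alarm on Shield Advanced DDoSDetected for every protected resource (added example)."""
from typing import Dict, List


def ddos_alarm_params(resource_arn: str, sns_topic_arn: str) -> Dict:
    """Build the put_metric_alarm() arguments for one Shield Advanced protected resource."""
    # Alarm names must be unique per account/region; derive one from the ARN's final component.
    tail = resource_arn.rsplit("/", 1)[-1].rsplit(":", 1)[-1]
    return {
        "AlarmName": f"shield-ddos-detected-{tail}",
        "AlarmDescription": f"Shield Advanced detected a DDoS event on {resource_arn}",
        "Namespace": "AWS/DDoSProtection",
        "MetricName": "DDoSDetected",
        "Dimensions": [{"Name": "ResourceArn", "Value": resource_arn}],
        "Statistic": "Maximum",
        "Period": 60,
        "EvaluationPeriods": 1,
        "Threshold": 0,
        "ComparisonOperator": "GreaterThanThreshold",  # any datapoint of 1 means an active event
        # Shield emits no datapoint when nothing is happening, so missing data is not an alarm.
        "TreatMissingData": "notBreaching",
        "AlarmActions": [sns_topic_arn],
        "OKActions": [sns_topic_arn],  # also notify when the event ends
    }


def protected_resource_arns() -> List[str]:
    """List ARNs currently protected by Shield Advanced (Shield API is global, served from us-east-1)."""
    import boto3  # lazy import keeps ddos_alarm_params() usable offline
    shield = boto3.client("shield", region_name="us-east-1")
    arns, kwargs = [], {}
    while True:
        page = shield.list_protections(**kwargs)
        arns.extend(p["ResourceArn"] for p in page["Protections"])
        if not page.get("NextToken"):
            return arns
        kwargs = {"NextToken": page["NextToken"]}


def create_alarms(sns_topic_arn: str, region: str = "us-east-1") -> int:
    """Create or update one alarm per protected resource; returns the number of alarms written."""
    import boto3
    cw = boto3.client("cloudwatch", region_name=region)
    arns = protected_resource_arns()
    for arn in arns:
        cw.put_metric_alarm(**ddos_alarm_params(arn, sns_topic_arn))
    return len(arns)


if __name__ == "__main__":
    # Constructed placeholder topic ARN; point it at the topic your on-call tooling subscribes to.
    print(create_alarms("arn:aws:sns:us-east-1:123456789012:ddos-alerts"))
```

For resources in other Regions (ALB, EIP), run `create_alarms()` with that Region so the alarm is created where the metric is published.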

Yes. With AWS Shield Advanced you will be able to see the history of all incidents in the trailing 13 months.

Yes, AWS Shield Advanced customers get access to the Global threat environment dashboard, which gives an anonymized and sampled view of all DDoS events seen on AWS within the last 2 weeks.

AWS WAF includes two different ways to see how your website is being protected: one-minute metrics are available in CloudWatch, and Sampled Web Requests are available in the AWS WAF API or AWS Management Console. Additionally, you can enable comprehensive logs that are delivered through Amazon Kinesis Firehose to a destination of your choice. These allow you to see which requests were blocked, allowed, or counted and which rule matched a given request (e.g., this web request was blocked due to an IP address condition). For more information, see the AWS WAF and AWS Shield Advanced Developer Guide.

Please refer to Penetration testing on AWS. However, this does not include a "DDoS load test", which is not authorized on AWS. If you'd like to do a live DDoS test, you can request approval by raising a ticket through AWS Support. Approval involves agreement on the conditions of the test between AWS, the customer, and the DDoS test vendor. Please note that we only work with approved DDoS test vendors, and the whole process takes 3-4 weeks.

Application layer (L7) DDoS protection


The AWS WAF application layer (L7) DDoS protection is an AWS Managed Rule group designed to automatically detect and mitigate DDoS events.

Learn more about AWS WAF application layer (L7) DDoS protection.

AWS Shield Advanced customers can enable this feature at no additional cost for up to 50 billion AWS WAF requests per month. If an AWS Shield Advanced customer exceeds this inclusion, there will be an additional charge.

AWS Shield Advanced responds to DDoS events by creating, evaluating, and deploying custom AWS WAF rules for your protected resources. AWS WAF application layer (L7) DDoS protection can be used in addition to custom AWS WAF rules for application protection.

Learn more about application layer (L7) DDoS protection.

To get started, first navigate to the AWS Console and add the AWS WAF application layer (L7) DDoS protection AWS Managed Rule group to your existing AWS WAF web ACL. Once enabled, continuous application monitoring begins to establish a baseline of your application's normal traffic patterns. This feature will challenge suspicious traffic to verify its legitimacy, only blocking challenge failures. To monitor rule performance, traffic patterns, and overall protection, navigate to the AWS WAF security dashboard.
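The same onboarding step done through the WAFv2 API, as an added example that is not part of the AWS FAQ. It assumes the managed rule group is referenced as vendor `AWS` with the name `AWSManagedRulesAntiDDoSRuleSet` (verify the exact name in the AWS WAF console before use); the rule is appended with the lowest precedence so existing allow and custom rules keep running first, and the update is skipped if the group is already attached.

```python
"""Attach the L7 DDoS protection managed rule group to a web ACL (added example)."""
import copy
from typing import Dict, List

# ASSUMED identifier for the application layer (L7) DDoS protection managed rule group.
VENDOR, RULE_GROUP = "AWS", "AWSManagedRulesAntiDDoSRuleSet"


def anti_ddos_rule(priority: int) -> Dict:
    """Web ACL rule that runs the managed rule group with its own Challenge/Block actions intact."""
    return {
        "Name": "L7DDoSProtection",
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": {"VendorName": VENDOR, "Name": RULE_GROUP}},
        "OverrideAction": {"None": {}},  # do not downgrade the group's actions to Count
        "VisibilityConfig": {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
                             "MetricName": "L7DDoSProtection"},
    }


def rules_with_anti_ddos(rules: List[Dict]) -> List[Dict]:
    """Copy of `rules` with the group appended at the lowest precedence; unchanged if already present."""
    for r in rules:
        stmt = r.get("Statement", {}).get("ManagedRuleGroupStatement", {})
        if stmt.get("VendorName") == VENDOR and stmt.get("Name") == RULE_GROUP:
            return copy.deepcopy(rules)
    # WAF evaluates lower Priority values first, so use one past the current maximum.
    next_priority = max((r["Priority"] for r in rules), default=-1) + 1
    return copy.deepcopy(rules) + [anti_ddos_rule(next_priority)]


def enable_on_web_acl(name: str, acl_id: str, scope: str, region: str = "us-east-1") -> bool:
    """Attach the group to a web ACL; returns False if it was already there.

    scope is "CLOUDFRONT" (must use region us-east-1) or "REGIONAL".
    """
    import boto3  # lazy import keeps the pure functions above usable offline
    wafv2 = boto3.client("wafv2", region_name=region)
    resp = wafv2.get_web_acl(Name=name, Scope=scope, Id=acl_id)
    acl, lock_token = resp["WebACL"], resp["LockToken"]
    new_rules = rules_with_anti_ddos(acl["Rules"])
    if len(new_rules) == len(acl["Rules"]):
        return False
    # LockToken guards against overwriting a concurrent change to the same web ACL.
    # If your ACL sets Description, CustomResponseBodies or TokenDomains, pass those through too.
    wafv2.update_web_acl(Name=name, Scope=scope, Id=acl_id, DefaultAction=acl["DefaultAction"],
                         Rules=new_rules, VisibilityConfig=acl["VisibilityConfig"],
                         LockToken=lock_token)
    return True
```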

This feature is included in the AWS Shield Advanced subscription. AWS WAF request limits will apply.

Yes, the pricing is the same for regional and global WAFs.

AWS Shield Advanced customers can enable this feature at no additional cost. However, AWS Shield Advanced customers will now be limited to 50 billion AWS WAF requests per month.

See the AWS Shield Pricing page for more information.

Yes, for application layer (L7) DDoS protection, AWS Shield Standard customers need to purchase the corresponding AWS Managed Rule group from AWS WAF.

See the AWS Shield Pricing page for more information.

Billing


AWS Shield Standard is built into the AWS services that you already use for your web applications. There are no additional costs for AWS Shield Standard.

With AWS Shield Advanced, you pay a monthly fee of $3,000 per month per organization. In addition, you also pay for AWS Shield Advanced Data Transfer usage fees for AWS resources enabled for advanced protection. AWS Shield Advanced charges are in addition to standard fees on Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53. Please see the AWS Shield Pricing page for more details.

During the preview period, AWS Shield network security director will be available at no additional cost.

Yes, AWS Shield Advanced allows you the flexibility to choose the resources that you'd like to protect. You will only be charged for AWS Shield Advanced Data Transfer on these protected resources.

If your organization has multiple AWS accounts, you can subscribe multiple AWS Accounts to AWS Shield Advanced by individually enabling it on each account using the AWS Management Console or API. You will pay the monthly fee once as long as the AWS accounts are all under a single consolidated billing, and you own all the AWS accounts and resources in those accounts.