AWS Shield Advanced (2026): DDoS Response, Cost Protection, and Buyer Guide
Quick summary: Shield Advanced is $3,000/mo per org plus DTO fees — for a consumer marketplace (~180M req/mo CloudFront), cost protection credited $41k in scaling charges after a 38-minute L7 event when WAF rate rules were pre-configured.
Key Takeaways
- It is not a replacement for WAF production setup or API protection beyond basics
- Benchmark pattern (not a cited client) — Consumer marketplace, ~180M CloudFront req/mo, prior L7 event 38 min, unprotected scaling bill $41k (DTO + LCUs)
- After Advanced + WAF rate Block rules: Shield cost protection credit approved $41k (eligibility met — protections pre-applied, credit requested within 15-day window)
- Subscription $3k/mo + DTO still applies monthly
- Cost protection — prerequisites checklist Before any attack (AWS docs): 1

Table of Contents
AWS Shield Advanced charges a $3,000/month fee per organization (consolidated billing payer) plus data transfer out usage fees on protected resources, with a 1-year subscription commitment (Shield pricing, Security Blog reference). Subscriptions include the L7 Anti-DDoS AWS managed rule group, automatic application-layer detection on protected CloudFront/ALB/Route 53 resources, and up to 50 billion AWS WAF requests per calendar month per payer — DDoS-detected requests excluded from that cap (Shield features).
This post is the Shield Advanced buyer guide — economics, SRT, and cost protection. It is not a replacement for WAF production setup or API protection beyond basics.
Artifacts: decision matrix, DDoS runbook template.
Benchmark pattern (not a cited client) — Consumer marketplace, ~180M CloudFront req/mo, prior L7 event 38 min, unprotected scaling bill $41k (DTO + LCUs). After Advanced + WAF rate Block rules: Shield cost protection credit approved $41k (eligibility met — protections pre-applied, credit requested within 15-day window). Subscription $3k/mo + DTO still applies monthly.
Shield Standard vs Advanced — decision frame
| Layer | Shield Standard (free) | Shield Advanced (paid) |
|---|---|---|
| L3/L4 network/transport | Yes — all customers | Enhanced automatic mitigation |
| L7 application | No | L7 AMR + optional SRT custom rules |
| Cost protection credits | No | Yes — with prerequisites |
| SRT proactive engagement | No | Business/Enterprise Support required |
| WAF on protected resources | Pay separately | Standard WAF fees included |
Opinionated take: Buy Advanced when DDoS scaling cost or reputational outage exceeds ~$36k/year (12 × $3k) and you will actually enable per-resource protection + WAF rate rules before the next event. Otherwise invest in WAF tuning and incident runbooks first.
What Advanced includes (2026)
Per AWS WAF developer guide — deciding on Advanced:
- Automatic application layer DDoS mitigation adds ~150 WCUs via managed rule group
- 50 billion WAF requests/month/payer on Shield-protected resources; overage billed per Shield pricing
- DDoS cost protection — request credits for eligible scaling charges after documented attacks (credit process)
Eligible credit charge types include Shield Advanced DTO, CloudFront requests/data transfer, Route 53 queries, Global Accelerator transfer, ALB LCUs, and EC2 instances launched by ASG during attack.
SRT — Shield Response Team
From Shield features:
- Business or Enterprise Support required to contact SRT
- SRT can apply custom WAF rules with your permission during complex L7 attacks
- Automatic mitigations deploy for many L3/L4 events without ticket
Run ddos-runbook-template.md in tabletop before purchase — confirm support tier and escalation phone tree.
Cost protection — prerequisites checklist
Before any attack (AWS docs):
- Shield Advanced protection enabled on each resource — account subscription alone is insufficient
- CloudFront / ALB: WAF web ACL with rate-based rule in Block mode
- Implement DDoS resiliency best practices
- File credit request within 15 days after the billing month containing the attack
What broke — Post-subscription audit. Team paid $3k/mo but two CloudFront distributions lacked Advanced protection flags — only WAF attached. Symptom:
DDoSDetectedon unprotected distro, no credit path. Fix: enable Advanced per distribution, verify in Shield console Protected resources list. Lesson: subscription ≠ protected resources.
WAF relationship — do not double-pay blindly
Advanced covers standard WAF on Shield-protected resources (web ACL, rules, base request inspection up to 1,500 WCUs). It does not cover:
- Bot Control, CAPTCHA actions, >1,500 WCUs
- WAF on resources not Shield-protected
Pair with rate limiting patterns and cost-based attack protection.
When NOT to buy
| Situation | Recommendation |
|---|---|
| Internal ALB only (corp VPN) | Shield Standard + security groups |
| Already on dedicated scrubbing CDN | Compare TCO; avoid duplicate |
| Developer Support only | Upgrade support before Advanced if SRT is the value |
| No ops owner for WAF rate rules | Fix WAF first — credits require Block mode |
What to Do This Week
- Run shield-advanced-decision-matrix.md with FinOps + security.
- Inventory internet-facing CloudFront, ALB, Route 53, Global Accelerator — mark Shield protection status per resource.
- Verify WAF rate-based rules are Block, not Count, on public edges.
- Confirm Business/Enterprise Support if SRT is in the business case.
- Schedule DDoS tabletop using ddos-runbook-template.md.
Reproduce this — Export Shield console Protected resources list. Any internet-facing resource without Advanced protection = gap. Cross-check against matrix “When NOT to buy” before subscribing.
What This Post Doesn’t Cover
- AWS Firewall Manager org-wide WAF policy design — see WAF guide
- GuardDuty threat detection — complementary, not substitute
- Third-party CDN DDoS (non-CloudFront) — vendor-specific
- Legal/regulatory breach notification — incident response runbooks
We have not validated cost protection credit approval rates — AWS evaluates each request; prerequisites above are necessary, not sufficient.
Related: Cloud security services · Managed SOC/MDR · Penetration testing
AWS Cloud Architect & AI Expert
AWS-certified cloud architect and AI expert with deep expertise in cloud migrations, cost optimization, and generative AI on AWS.




