# AWS Shield Advanced buyer decision matrix (2026)

Fixed cost anchor: **$3,000/month per organization** (consolidated billing payer) + **data transfer out** usage fees on protected resources ([Shield pricing](https://aws.amazon.com/shield/pricing/)). **1-year subscription commitment.**

| Signal | Shield Standard (free) | Shield Advanced |
|--------|------------------------|-----------------|
| Internet-facing CloudFront / ALB / Route 53 | Included L3/L4 | **+** L7 AMR, cost protection, SRT |
| Prior DDoS &gt;$10k scaling bill | — | **Strong yes** if resources pre-protected |
| Internal-only ALB (no public edge) | Usually enough | **No** — not eligible / no ROI |
| Third-party scrubbing center already | Standard + WAF | **Maybe no** — duplicate spend |
| Need SRT proactive engagement | — | Requires **Business or Enterprise Support** |
| WAF spend &gt;$2k/mo on same resources | Pay WAF à la carte | Advanced **includes** standard WAF on protected resources + **50B requests/mo** per payer |

## Cost protection prerequisites (credit eligibility)

Before attack ([AWS docs](https://docs.aws.amazon.com/waf/latest/developerguide/ddos-request-service-credit.html)):

1. Shield Advanced protection **on each resource** before attack (not just account subscription)
2. CloudFront / ALB: WAF web ACL with **rate-based rule in Block mode**
3. Follow [AWS DDoS Resiliency whitepaper](https://docs.aws.amazon.com/whitepapers/latest/aws-best-practices-ddos-resiliency/welcome.html)
4. Submit credit request within **15 days** after billing month of attack

## Application layer automatic mitigation

Shield Advanced includes **L7 Anti-DDoS managed rule group** — adds **~150 WCUs** to web ACL. DDoS-detected requests do not count toward **50 billion** monthly WAF request allowance (per AWS Shield features page).

## When NOT to buy

- Single-region internal APIs behind VPN only
- Pre-revenue startup with &lt;$5k/mo AWS spend and no attack history
- Team cannot maintain WAF rate rules (prerequisite for cost protection)
