Subscribing to and Using AWS Shield Advanced for Higher Levels of Protection Against Attacks Targeting Your Apps

In this article, we’ll examine AWS Shield Advanced, which provides us with more customized protection against sophisticated (Layer 3 to 7) threats targeting our applications. We will learn to subscribe to, configure, and use it.

Cumhur Akkaya
10 min read · Feb 5, 2024

Topics we will cover:

1. What is WAF?
2. AWS WAF & Shield
3. AWS WAF
4. AWS Shield
4.1. AWS Shield Standard
4.2. AWS Shield Advanced
5. Subscribing to and Using AWS Shield Advanced
6. As a result
7. Next post: “AWS Best Practices for DDoS Mitigation and Security Techniques”
8. References

1. What is WAF?

When a website is online, it can become the target of many different types of attacks aimed at causing trouble and taking the site offline. DDoS (Distributed Denial of Service) attacks are a very common problem, and protection against them is of primary importance for your internet-facing applications. A DDoS attack overloads IT resources with malicious traffic to the point where they can no longer function properly. (1)

While creating an environment for the application, it is equally important to secure the application and protect the data. If it is not properly secured, the application data might get into the wrong hands, as in the case of the Capital One incident. Capital One hosted a web application on EC2 that was not secured properly. An ex-AWS employee was able to exploit this vulnerability and download reams of customer data from S3. Later it was found that data from 30 other organizations had also been downloaded from AWS (2). Capital One used AWS WAF (Web Application Firewall) to protect the web application, but it was not configured properly, and the attacker was able to gain access to the data in S3 and download it. If you want to learn more about the Capital One incident, you can check out this article.

Figure 1 — Working of a Web Application Firewall (WAF).

A WAF is one of the protection methods for cases like the one above. By deploying a WAF for a web application, a shield is placed between the web application and the internet. This shield helps protect web applications from malicious attacks and unwanted internet traffic, including bots, injection, and application-layer denial of service. It responds to each request either with the requested content or with the HTTP status code “403 Forbidden” (see Figure 1).

2. AWS WAF & Shield

Figure 2- AWS WAF & Shield.

AWS WAF (shown in the console as AWS WAF & Shield) is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to Amazon CloudFront, an Amazon API Gateway REST API, an Application Load Balancer, an AWS AppSync GraphQL API, or an Amazon Cognito user pool (3). You do this by defining a web access control list (web ACL) and then associating it with one or more web application resources that you want to protect.

AWS WAF and AWS Shield (Standard) are part of the AWS Edge Services ecosystem. The difference between the two is that AWS WAF (Web Application Firewall) protects the application layer, whereas AWS Shield protects the infrastructure layers of the OSI model (Figure 3) (4). AWS Shield is a managed Distributed Denial of Service (DDoS) protection service, whereas AWS WAF is an application-layer firewall that controls access via web ACLs.

Figure 3 — Difference between AWS WAF / AWS Shield and Levels at which they operate in the OSI model.

3. AWS WAF

AWS WAF is a managed web application firewall service that helps you protect your web applications at the application layer (layer 7) from common web exploits that could affect application availability, compromise security, and/or consume excessive resources, via web ACLs. It lets you control access to your content by configuring rules that allow, block, or monitor (count) web requests (HTTP and HTTPS) based on web security rules that you specify, such as the IP addresses that the requests originate from. (5)

AWS WAF protects the following resource types: Amazon CloudFront distribution, Amazon API Gateway REST API, Application Load Balancer, AWS AppSync GraphQL API, and Amazon Cognito user pool.

AWS WAF can help you mitigate the following (6):

Distributed denial of service (DDoS) attacks: Try to exhaust your application resources so that they are not available to your customers. At Layer 7, DDoS attacks are typically well-formed HTTP requests that attempt to exhaust your application servers and resources.

Web application attacks: Try to exploit a weakness in your application code or its underlying software to steal web content, gain control over web servers, or alter databases; these can involve HTTP requests with deliberately malformed arguments.

Bots: Generate a large portion of the internet’s website traffic. Some good bots, such as those associated with search engines, crawl websites for indexing. However, bad bots may scan applications looking for vulnerabilities, scrape content, poison backend systems, or disrupt analytics.

For example, you can use AWS WAF to protect against attacks such as cross-site request forgery, cross-site scripting (XSS), file inclusion, and SQL injection, among other threats in the OWASP Top 10 (Open Web Application Security Project). (7)

Pricing:

AWS Shield Standard is automatically enabled when you use AWS services like Elastic Load Balancing (ELB), Application Load Balancer, Amazon CloudFront, and Amazon Route 53. You don’t pay fees for AWS Shield Standard protection. If you enable AWS WAF protections in addition to AWS Shield Standard, you pay the standard AWS WAF fees. (8)

AWS WAF charges are based on the number of web access control lists (web ACLs) that you create, the number of rules that you add per web ACL, and the number of web requests that you receive; see Figures 4 and 5. There are no upfront commitments.

Figure 4
Figure 5

Web ACL: $5.00 per month (prorated hourly), Rule: $1.00 per month, Request: $0.60 per 1 million requests.

AWS WAF Bot Control: The Bot Control AMR subscription is $10 per month per web ACL.

Request fee: $1.00 per million requests inspected.

CAPTCHA: $0.40 per 1k CAPTCHA attempts analyzed.

Challenge: $0.40 per 10k challenge responses served.

AWS WAF Fraud Control: The Account Takeover Prevention subscription is $10.00 per month, plus $1.00 per thousand login attempts analyzed.

Free tiers:

Bot Control: first 10 million requests inspected per month.

Targeted Bot Control: first 1 million requests inspected per month.

Fraud Control: The Account Takeover Prevention free usage tier includes the first 10,000 attempts analyzed per month.

Note: For detailed information and practical use of AWS WAF, you can see my article below. In that article, we mitigate an application-layer DDoS attack on a web server that we build, step by step: first by defining rules, then by creating rule groups from those rules, and finally by associating them with web ACLs. Then we create a test script and run it against the web server. Finally, we examine and analyze the output in the AWS WAF dashboard charts and CloudWatch.

4. AWS Shield

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. There are two tiers of AWS Shield:

Figure 6. Source: https://maturitymodel.security.aws.dev/en/3.-efficient/shield-advanced/

How AWS Shield works (diagram):

Source: https://aws.amazon.com/shield/

4.1. AWS Shield Standard

All AWS customers benefit from the automatic network-layer protections of AWS Shield Standard at no cost. AWS Shield Standard defends against the most common, frequently occurring network and transport layer (Layer 3 and 4) DDoS attacks to maximize the availability of AWS services (9).

AWS Shield Standard is available to all AWS customers at no extra cost. It protects you from 96% of the most common attacks today, including SYN/ACK floods, reflection attacks, and HTTP slow reads. This protection is applied automatically and transparently to your Elastic Load Balancers, CloudFront distributions, and Route 53 resources (10).

4.2. AWS Shield Advanced

For higher levels of protection against attacks targeting your applications running on Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53 resources, you can subscribe to AWS Shield Advanced.

For customized protection against sophisticated (Layer 3 to 7) threats targeting your applications, you can subscribe to AWS Shield Advanced. AWS Shield Advanced provides more sensitive detection and tailored mitigations against large and complex DDoS attacks, near real-time visibility into attacks, and integration with AWS WAF, a web application firewall for defense against Layer 7 attacks. AWS Shield Advanced also gives you 24/7 access to the AWS Shield Response Team (SRT) and cost protection against scaling costs stemming from DDoS attacks. (9)

Pricing:

AWS Shield Advanced costs $3000 / month plus additional data transfer fees. AWS WAF is included with AWS Shield Advanced at no additional cost.

5. Subscribing to and Using AWS Shield Advanced

To subscribe, go to AWS WAF & Shield → AWS Shield → Getting started in the left menu.

Then, click on the “Subscribe to Shield Advanced” button as shown in Figure 7.

Figure 7 — AWS Shield Advanced page.

Click on “Subscribe to Shield Advanced” as shown in Figure 8.

Figure 8 — Subscribe to Shield Advanced page.

The page that opens (Figure 9) shows a general overview. On this page we can add the resources to protect with Shield Advanced, view “Events” and the “Global threat dashboard”, and configure AWS SRT support.

Now, click on “Add Resource to protect”.

Figure 9 — Shield Advanced setup page.

Then choose the “Region” and the “Resource type” to protect, as shown in Figure 10.

Figure 10 — “Choose resource to protect with Shield Advanced” page.

Adding a tag is useful: give a name to the AWS resources being protected, for example, “My Load Balancer AWS Shield Advanced distributions”. Then click on the “Protect with Shield Advanced” button.

In Figure 11, you can optionally configure Layer 7 DDoS mitigation for global resources against web DDoS attacks. To do this, select “Enable” for the “Automatic mitigation” option, and in the dropdown menu that appears choose “Block” (the other option is “Count”). Below this, click on the “Add limit rule” button to add a rate-based rule. Rate-based rules are considered a best practice for the web ACL, because they mitigate some DDoS attacks by limiting the number of requests a single client IP can make in a 5-minute period. After adding the limit rule, click on “Next”.

Figure 11 — Choose resource to protect with Shield Advanced page.

Go to “Shield > Protected resource” in the AWS console. The list of protected resources, with details of each, is shown in Figure 12.

Figure 12 — Protected resource page.

6. As a result

In many cases, AWS Shield Standard together with a basic AWS WAF web ACL is suitable for our needs, at a cost of $6 / month ($5.00 per web ACL per month + $1.00 per rule per month). However, there is a big difference between Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. Since “distributed” means many different IP addresses, an AWS WAF rate-based rule will not detect a DDoS attack if each IP makes fewer than 100 requests per 5-minute period (we set this request threshold ourselves; for details, see item 5.1 of my AWS WAF article). For such situations, AWS offers another service, AWS Shield Advanced, to protect you against DDoS attacks.
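To make the point above concrete, and to show what the rate-based “limit rule” from Figure 11 actually evaluates, here is an added example (my own code, not from the article or from AWS): it builds the rule in the WAFv2 rule JSON shape and replays constructed request logs through a sliding 5-minute per-IP window the way such a rule counts requests. The IP addresses and traffic volumes are constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SEC = 300  # an AWS WAF rate-based rule counts requests over a trailing 5-minute window


def rate_based_rule(name: str, limit: int, priority: int = 0) -> dict:
    """Rule definition in the WAFv2 JSON shape for a per-IP rate-based ("limit") rule
    that blocks a client once it exceeds `limit` requests within the window."""
    if limit < 100:  # WAFv2 rejects rate limits below 100
        raise ValueError("rate-based rule limit must be at least 100")
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
        "Action": {"Block": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True, "MetricName": name},
    }


def evaluate(requests: list[tuple[int, str]], rule: dict) -> dict:
    """Replay (timestamp_sec, client_ip) requests against the rule, keeping a sliding
    per-IP window, and report how many requests the rule would block."""
    limit = rule["Statement"]["RateBasedStatement"]["Limit"]
    windows: dict[str, deque] = defaultdict(deque)
    blocked = 0
    for ts, ip in sorted(requests):
        window = windows[ip]
        window.append(ts)
        while window[0] <= ts - WINDOW_SEC:  # drop requests older than the window
            window.popleft()
        if len(window) > limit:  # this IP exceeded the limit: request is blocked
            blocked += 1
    return {"total": len(requests), "distinct_ips": len(windows), "blocked": blocked}


# Constructed traffic using documentation IP ranges, not real logs.
def single_source_flood(n: int) -> list[tuple[int, str]]:
    """One client sending n requests spread evenly over the 5-minute window (DoS)."""
    return [(i * WINDOW_SEC // n, "198.51.100.7") for i in range(n)]


def distributed_flood(ips: int, per_ip: int) -> list[tuple[int, str]]:
    """`ips` clients each sending `per_ip` requests in the same window (DDoS)."""
    return [(j * WINDOW_SEC // per_ip, f"203.0.113.{i}") for i in range(ips) for j in range(per_ip)]


if __name__ == "__main__":
    rule = rate_based_rule("limit-100-per-5min", limit=100)
    print("single source:", evaluate(single_source_flood(150), rule))   # 50 of 150 blocked
    print("distributed:  ", evaluate(distributed_flood(50, 20), rule))  # 0 of 1000 blocked
```

The single client is cut off after its 100th request, while the 1000-request distributed flood passes untouched because no individual IP crosses the limit; that gap is what Shield Advanced’s aggregate detection and the SRT are meant to cover.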

In this article, we reviewed AWS Shield Advanced, which provides us with more customized protection against sophisticated (Layer 3 to 7) threats targeting our applications. We learned to subscribe to, configure, and use it briefly.

If you liked the article, I would be happy if you click on the Medium Following button to encourage me to write and not miss future articles.

Your clapping, following, and subscribing help my articles to reach a broader audience. Thank you in advance for them.

For more info and questions, please contact me on Linkedin or Medium.

7. Next post

In the next post, “AWS Best Practices for DDoS Mitigation and Security Techniques”, we will create the environment needed to mitigate DDoS attacks by using AWS best practices. Then, we will test it on a web application that we build. Finally, we will examine and analyze the output in the AWS WAF dashboard charts and CloudWatch, step by step.

Happy Clouding…

Don’t forget to follow my LinkedIn or Medium account to be informed about new articles.
