AWS Shield

Shield is the managed DDoS protection service for resources hosted on AWS. It comes in two tiers, Standard and Advanced.

Most Common DDoS Attacks

  • Network volumetric attacks (L3): flood the target with traffic (UDP reflection/amplification is the classic form) to saturate network capacity.

  • Network protocol attacks (L4): abuse how a protocol's state machine works. A TCP SYN flood, for example, sends SYNs and never completes the handshake, so the target accumulates half-open connections until its connection table is exhausted. L4 attacks can also have a volumetric component.

  • Application layer attacks (L7): for example an HTTP request flood. Each request is individually legitimate and cheap for the attacker to send, but expensive for the backend to serve (a search over a large dataset, say), so a modest request rate is enough to exhaust compute.
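The two attack classes above look different in telemetry: a SYN flood is many SYNs with almost no completed handshakes, while an L7 flood may not even be the top client by request count but dominates backend time. The following is an added illustration, not code from this page or from AWS; the handshake events, access-log lines and thresholds are all constructed for the example (Shield does its own detection at the AWS edge, this only shows what distinguishes the two cases).

```python
"""Telling L4 (SYN flood) and L7 (expensive-request flood) traffic apart.

Added illustration, not AWS Shield code. Thresholds and sample data are
constructed for the example.
"""
import re
from collections import Counter

# --- L4: TCP SYN flood ------------------------------------------------------
# Constructed handshake events: ("client_ip", "syn") when a SYN arrives,
# ("client_ip", "ack") when that client completes the three-way handshake.
HANDSHAKES = (
    [("198.51.100.9", "syn")] * 50 + [("198.51.100.9", "ack")] * 2   # flood
    + [("192.0.2.10", "syn")] * 30 + [("192.0.2.10", "ack")] * 29   # normal
    + [("192.0.2.11", "syn")] * 5                                   # too few to judge
)


def half_open_sources(events, min_syn=20, min_half_open_ratio=0.8):
    """Return {ip: (syns, completed, half_open_ratio)} for sources that sent at
    least min_syn SYNs and left at least min_half_open_ratio of them half-open.
    A SYN flood shows up as many SYNs with almost no completed handshakes."""
    syns, acks = Counter(), Counter()
    for ip, event in events:
        if event == "syn":
            syns[ip] += 1
        elif event == "ack":
            acks[ip] += 1
    flagged = {}
    for ip, n in syns.items():
        completed = min(acks[ip], n)          # an ack without a syn is noise
        ratio = (n - completed) / n
        if n >= min_syn and ratio >= min_half_open_ratio:
            flagged[ip] = (n, completed, round(ratio, 2))
    return flagged


# --- L7: flood of expensive but legitimate requests ------------------------
# Constructed access-log lines: client, method, path, status, server time (ms).
ACCESS_LOG = """\
203.0.113.7 GET /search?q=zzz 200 1850
203.0.113.7 GET /search?q=zzy 200 1920
203.0.113.7 GET /search?q=zzx 200 1780
203.0.113.7 GET /search?q=zzw 200 1900
203.0.113.7 GET /search?q=zzv 200 1810
192.0.2.20 GET /static/app.js 200 3
192.0.2.20 GET /static/app.css 200 2
192.0.2.20 GET /index.html 200 12
192.0.2.20 GET /search?q=cats 200 240
192.0.2.20 GET /static/logo.png 200 4
192.0.2.20 GET /static/logo.png 200 4
"""
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) (?P<ms>\d+)$")


def parse_access_log(text):
    """Yield (ip, path, server_ms); blank or malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group("ip"), m.group("path"), int(m.group("ms"))


def rank_by_request_count(text):
    """The naive view: who sends the most requests?"""
    counts = Counter(ip for ip, _, _ in parse_access_log(text))
    return counts.most_common()


def server_time_hogs(text, budget_ms=5000):
    """The L7 view: who consumes the most backend time? Returns
    [(ip, requests, total_ms)] for clients over budget, highest first."""
    reqs, total = Counter(), Counter()
    for ip, _, ms in parse_access_log(text):
        reqs[ip] += 1
        total[ip] += ms
    hogs = [(ip, reqs[ip], total[ip]) for ip in total if total[ip] > budget_ms]
    return sorted(hogs, key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    print("L4 half-open sources:", half_open_sources(HANDSHAKES))
    print("L7 by request count:", rank_by_request_count(ACCESS_LOG))
    print("L7 by server time:  ", server_time_hogs(ACCESS_LOG))
```

In the constructed data the benign client 192.0.2.20 is first by request count (six cheap static-asset hits), while 203.0.113.7 sends fewer requests but consumes over nine seconds of backend time with five searches; that gap is what makes L7 floods hard to stop with request-rate limits alone.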

Shield Standard

It is enabled by default, requires no action and is free for all AWS customers.

It protects against the common L3 and L4 attacks, with mitigation applied at the AWS network perimeter before traffic reaches your resources.

Best protection is achieved by putting Route 53, CloudFront and Global Accelerator in front of workloads: those services run at the AWS edge, so attacks are absorbed there before they reach your origin.

Shield Advanced

It costs $3,000 per month per organization with a one-year commitment. Data transfer out for protected resources is billed on top of the subscription fee.

The subscription itself is per account: each account whose resources you want covered must subscribe, but with consolidated billing the monthly fee is charged once for the whole organization rather than once per account.

It also covers L7 DDoS attacks and supports:

  • CloudFront

  • Route53

  • Global Accelerator

  • Elastic IP addresses (which is how EC2 instances behind an EIP are covered)

  • ALB

  • NLB

  • CLB

It is not enabled automatically: after subscribing you must add each resource as a protected resource, either in the Shield Advanced console/API or through an AWS Firewall Manager Shield Advanced policy (which can also apply protection across the accounts of an Organization).

It includes DDoS cost protection: if a protected resource scales out because of a DDoS attack (for example EC2 Auto Scaling, ELB, CloudFront, Route 53 or Global Accelerator usage spikes) you can request service credits for those charges. This only covers resource types Shield Advanced supports, and only resources you actually put under Shield Advanced protection.

It also includes Proactive Engagement: the Shield Response Team (SRT) contacts you when Shield Advanced detects an event and the Route 53 health check associated with the protected resource reports unhealthy, i.e. when availability may really be impacted. You can also open support cases with the SRT yourself (this requires a Business or Enterprise Support plan). Proactive Engagement is opt-in: you must provide emergency contact details, associate health checks with the protected resources and explicitly enable it.

Shield Advanced uses AWS WAF for its Layer 7 protection and waives the base WAF fees (web ACLs, rules and request charges) for resources protected by Shield Advanced.

With Shield Advanced you get real-time visibility of DDoS events and attacks, with metrics in CloudWatch (for example DDoSDetected, DDoSAttackBitsPerSecond, DDoSAttackPacketsPerSecond and DDoSAttackRequestsPerSecond) and event details in the Shield console and API.

To reduce false positives, associate a Route 53 health check with each protected resource: Shield Advanced factors the health status into detection and mitigation, so it reacts more aggressively when the resource is unhealthy and is less likely to act on a legitimate traffic spike while it is healthy. Health checks are also a prerequisite for Proactive Engagement.

Protection Groups

A protection group treats a set of protected resources as a single unit for detection and mitigation, so an attack spread across many resources (or a traffic shift during a blue/green deployment) is judged on the aggregate (sum, mean or max) rather than per resource. Members can be listed explicitly, or the group can be defined by resource type or as all protected resources; in the latter two cases newly protected resources that match are included automatically.
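The onboarding steps described above (add the resource as a protection, attach a Route 53 health check, put it in a by-type protection group, enable proactive engagement) map directly onto Shield API calls. The following is an added example, not AWS sample code: it uses the real boto3 method names and parameter shapes, but the ALB ARN, health-check id and contact list are constructed, an active Shield Advanced subscription in the account is assumed, and the calls are made here against a recording stand-in so the sequence runs offline.

```python
"""Putting resources under AWS Shield Advanced with boto3-style calls.

Added example, not AWS sample code. The ARNs, health-check id and contacts are
constructed; an active Shield Advanced subscription is assumed.
"""
import re

# Services whose resources Shield Advanced can protect, keyed by the service
# segment of the ARN (CloudFront, Route 53 hosted zones, Global Accelerator,
# Elastic IPs, ALB/NLB/CLB).
PROTECTABLE_SERVICES = {"cloudfront", "route53", "globalaccelerator", "ec2", "elasticloadbalancing"}
ARN_RE = re.compile(r"^arn:aws:(?P<service>[a-z0-9-]+):")

# Constructed identifiers (assumptions for the example).
ALB_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/web/50dc6c495c0c9188"
HEALTH_CHECK_ARN = "arn:aws:route53:::healthcheck/abcdef12-3456-7890-abcd-ef1234567890"
CONTACTS = [{"EmailAddress": "soc@example.com", "PhoneNumber": "+15555550100",
             "ContactNotes": "24x7 on-call"}]


def is_protectable(resource_arn):
    """True if Shield Advanced can take this resource. Under ec2 only Elastic IP
    allocations qualify; an instance is protected through its EIP, not directly."""
    m = ARN_RE.match(resource_arn)
    if not m or m.group("service") not in PROTECTABLE_SERVICES:
        return False
    return m.group("service") != "ec2" or ":eip-allocation/" in resource_arn


def protect_resource(shield, name, resource_arn, health_check_arn=None):
    """Create the protection and, if given, attach a Route 53 health check.
    Only resources protected this way get health-aware mitigation and cost
    protection; subscribing alone protects nothing."""
    if not is_protectable(resource_arn):
        raise ValueError(f"Shield Advanced cannot protect {resource_arn}")
    protection_id = shield.create_protection(Name=name, ResourceArn=resource_arn)["ProtectionId"]
    if health_check_arn:
        shield.associate_health_check(ProtectionId=protection_id, HealthCheckArn=health_check_arn)
    return protection_id


def create_resource_type_group(shield, group_id, resource_type, aggregation="SUM"):
    """A BY_RESOURCE_TYPE protection group: every current and future protected
    resource of that type is a member, and traffic is judged on the aggregate."""
    shield.create_protection_group(ProtectionGroupId=group_id, Aggregation=aggregation,
                                   Pattern="BY_RESOURCE_TYPE", ResourceType=resource_type)
    return group_id


def enable_srt_engagement(shield, contacts):
    """Proactive engagement is opt-in: register contacts first, then enable."""
    shield.associate_proactive_engagement_details(EmergencyContactList=contacts)
    shield.enable_proactive_engagement()


def onboard_alb(shield, alb_arn, health_check_arn, contacts):
    """Full sequence for one ALB; returns (protection id, group id)."""
    pid = protect_resource(shield, "web-alb", alb_arn, health_check_arn)
    gid = create_resource_type_group(shield, "all-albs", "APPLICATION_LOAD_BALANCER")
    enable_srt_engagement(shield, contacts)
    return pid, gid


class RecordingShieldClient:
    """Offline stand-in for boto3.client("shield", region_name="us-east-1")
    (Shield is a global service served from us-east-1). Same method names and
    return shapes as the real client; records each call in order."""

    def __init__(self):
        self.calls = []

    def _rec(self, method, kwargs, result=None):
        self.calls.append((method, kwargs))
        return result or {}

    def create_protection(self, **kw):
        return self._rec("create_protection", kw, {"ProtectionId": f"prot-{len(self.calls) + 1}"})

    def associate_health_check(self, **kw):
        return self._rec("associate_health_check", kw)

    def create_protection_group(self, **kw):
        return self._rec("create_protection_group", kw)

    def associate_proactive_engagement_details(self, **kw):
        return self._rec("associate_proactive_engagement_details", kw)

    def enable_proactive_engagement(self, **kw):
        return self._rec("enable_proactive_engagement", kw)


if __name__ == "__main__":
    # Against a real account: import boto3; shield = boto3.client("shield", region_name="us-east-1")
    shield = RecordingShieldClient()
    print(onboard_alb(shield, ALB_ARN, HEALTH_CHECK_ARN, CONTACTS))
    for method, kwargs in shield.calls:
        print(f"{method}({kwargs})")
```

The ARN check in front of create_protection is the practical guard: an ARN for an unsupported resource (an EC2 instance rather than its EIP, an S3 bucket) is rejected before any call is made, which matters because cost protection and health-aware mitigation only ever apply to resources that were actually registered as protections.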