**Introducing a new console experience for AWS WAF**

You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the console](https://docs.aws.amazon.com/waf/latest/developerguide/working-with-console.html). 

# Setting up AWS Shield Advanced
<a name="getting-started-ddos"></a>

This tutorial walks you through getting started with AWS Shield Advanced using the Shield Advanced console. 

**Note**  
Shield Advanced requires a subscription, while AWS Shield Standard does not. The protections provided by Shield Standard are available free of charge to all AWS customers.

Shield Advanced provides advanced DDoS detection and mitigation protection for network layer (layer 3), transport layer (layer 4), and application layer (layer 7) attacks. For more information about Shield Advanced, see [AWS Shield Advanced overview](ddos-advanced-summary.md).

The AWS technical community has published an example of an automated process for configuring Shield Advanced using the infrastructure as code (IaC) tools, AWS CloudFormation and Terraform. You can use AWS Firewall Manager with this solution if your accounts are part of an organization in AWS Organizations and if you're protecting any resource types except for Amazon Route 53 or AWS Global Accelerator. To explore this option, see the code repository at [aws-samples / aws-shield-advanced-one-click-deployment](https://github.com/aws-samples/aws-shield-advanced-one-click-deployment) and the tutorial at [One-click deployment of Shield Advanced](https://youtu.be/LCA3FwMk_QE). 

**Note**  
It's important that you fully configure Shield Advanced prior to a Distributed Denial of Service (DDoS) event. Complete the configuration to help ensure that your application is protected and that you are ready to respond if your application is affected by a DDoS attack.

Perform the following steps in sequence to get started using Shield Advanced. 

**Contents**
+ [Subscribing to AWS Shield Advanced](enable-ddos-prem.md)
+ [Adding and configuring resource protections with Shield Advanced](ddos-choose-resources.md)
  + [Configuring application layer (layer 7) DDoS protections with AWS WAF](ddos-get-started-web-acl-rbr.md)
  + [Configuring health-based detection for your protections with Shield Advanced and Route 53](ddos-get-started-health-checks.md)
  + [Configuring alarms and notifications with Shield Advanced and Amazon SNS](ddos-get-started-create-alarms.md)
  + [Reviewing and finishing your protection configuration in Shield Advanced](ddos-get-started-review-and-configure.md)
+ [Setting up AWS Shield Response Team (SRT) support for DDoS event response](authorize-srt.md)
+ [Creating a DDoS dashboard in CloudWatch and setting CloudWatch alarms](deploy-waf-dashboard.md)

# Subscribing to AWS Shield Advanced
<a name="enable-ddos-prem"></a>

This page explains how to subscribe your accounts to Shield Advanced, to start using the service.

You must subscribe to Shield Advanced for each AWS account that you want to protect. You do not need to subscribe to Shield Standard.

**Shield Advanced subscription billing**  
If you’re an AWS Channel Reseller, talk to your account team for information and guidance. This billing information is for customers that are not AWS Channel Resellers. 

For all others, the following subscription and billing guidelines apply:
+ For accounts that are members of an AWS Organizations organization, AWS bills the Shield Advanced subscriptions against the payer account for the organization, regardless of whether the payer account itself is subscribed. 
+ When you subscribe multiple accounts that are in the same [AWS Organizations consolidated billing account family](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/consolidated-billing.html), one subscription price covers all subscribed accounts in the family. The organization must own all of the AWS accounts and all of their resources. 
+ When you subscribe multiple accounts for multiple organizations, you can still pay one subscription fee across all of the organizations, accounts, and resources providing you own all of them. Contact your account manager or AWS support and request a fee waiver on the AWS Shield Advanced subscription charges for all but one of the organizations. 

For detailed pricing information and examples, see [AWS Shield Pricing](https://aws.amazon.com/shield/pricing/). 

**Consider simplifying subscriptions with AWS Firewall Manager**  
If your accounts are part of an organization, we recommend that you use AWS Firewall Manager if you can, to automate your subscriptions and protections for the organization. Firewall Manager supports all protected resource types except for Amazon Route 53 and AWS Global Accelerator. To use Firewall Manager, see [AWS Firewall Manager](fms-chapter.md) and [Setting up AWS Firewall Manager AWS Shield Advanced policies](getting-started-fms-shield.md). 

If you don't use Firewall Manager, for each account with resources to protect, subscribe and add protections using the following procedures. 

**To subscribe an account to AWS Shield Advanced**

1. Sign in to the AWS Management Console and open the AWS WAF & Shield console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

1. In the **AWS Shield** navigation bar, choose **Getting started**. Choose **Subscribe to Shield Advanced**. 

1. In the **Subscribe to Shield Advanced** page, read each term of the agreement, and then select all of the check boxes to indicate that you accept the terms. For accounts in a consolidated billing family, you must agree to the terms for each account. 
**Important**  
When you are subscribed, to unsubscribe you must contact [AWS Support](https://console.aws.amazon.com/support).   
To disable autorenewal for your subscription, you must use the Shield API operation [UpdateSubscription](https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_UpdateSubscription.html) or the CLI command [update-subscription](https://docs.aws.amazon.com/cli/latest/reference/shield/update-subscription.html).

   Choose **Subscribe to Shield Advanced**. This subscribes your account to Shield Advanced and activates the service.

Your account is subscribed. Continue through the following steps to protect your account's resources with Shield Advanced. 

**Note**  
Shield Advanced doesn't automatically protect your resources after you subscribe. You must specify the resources you want Shield Advanced to protect. 

# Adding and configuring resource protections with Shield Advanced
<a name="ddos-choose-resources"></a>

This page provides instructions for adding and configuring protections for your resources. 

Shield Advanced only protects the resources that you specify, either through Shield Advanced or in a Firewall Manager Shield Advanced policy. It doesn't automatically protect the resources of a subscribed account. 

**Note**  
If you use an AWS Firewall Manager Shield Advanced policy for your protections, you don't need to do this step. You configure the policy with the types of resource to protect, and Firewall Manager automatically adds protections to resources that are within scope of the policy. 

If you don't use Firewall Manager, go through the following procedures for each account that has resources to protect.

**To choose the resources to protect using Shield Advanced**

1. Choose **Add resources to protect** from the subscription confirmation page of the prior procedure, or from the **Protected resources** or **Overview** page. 

1. In the **Choose resources to protect with Shield Advanced** page, in **Specify the Region and resource types**, provide the Region and resource type specifications for the resources that you want to protect. You can protect resources in multiple Regions by selecting **All Regions** and you can narrow the selection to global resources by selecting **Global**. You can deselect any resource types that you do not want to protect. For information about protections for your resource types, see [List of resources that AWS Shield Advanced protects](ddos-protections-by-resource-type.md).

1. Choose **Load resources**. Shield Advanced populates the **Select Resources** section with the AWS resources that match your criteria. 

1. In the **Select Resources** section, you can filter the list of resources by entering a string to search for in the resource listings. 

   Select the resources that you want to protect.

1. In the **Tags** section, if you want to add tags to the Shield Advanced protections that you are creating, specify those. For information about tagging AWS resources, see [Working with Tag Editor](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/tag-editor.html). 

1. Choose **Protect with Shield Advanced**. This adds Shield Advanced protections to the resources.

Continue through the console wizard screens to complete the configuration of your resource protections. 
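The procedure above selects resources by Region and resource type and then creates a protection for each one. The following script, added here as an example and not taken from the AWS documentation or any AWS sample, reproduces the same selection logic over a list of resource ARNs and then creates the protections through the Shield API (`CreateProtection`). The sample ARNs and the account ID `123456789012` are constructed, and the reading of the scope values ("All Regions" including global resources, "Global" restricting to resources whose ARN carries no Region) is an assumption about the wizard's behaviour:

```python
"""Choose resources by scope and add Shield Advanced protections to them.

Added example; not part of the AWS documentation. The ARN filtering mirrors
the wizard's "Specify the Region and resource types" step. Scope semantics
("All Regions" also includes global resources) are an assumption; the sample
ARNs and account ID 123456789012 are constructed.
"""
from collections import namedtuple

# ARN services whose resources are global (empty Region field in the ARN).
GLOBAL_SERVICES = {"cloudfront", "route53", "globalaccelerator"}

ParsedArn = namedtuple("ParsedArn", "service region account resource")


def parse_arn(arn):
    """Split arn:partition:service:region:account:resource into its fields."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return ParsedArn(service=parts[2], region=parts[3], account=parts[4], resource=parts[5])


def select_resources(arns, scope, resource_types=None):
    """Filter ARNs the way the console wizard does.

    scope is a Region name, "All Regions", or "Global"; resource_types is an
    optional set of ARN service names such as {"elasticloadbalancing"}.
    """
    chosen = []
    for arn in arns:
        p = parse_arn(arn)
        is_global = p.service in GLOBAL_SERVICES and p.region == ""
        if scope == "Global" and not is_global:
            continue
        if scope not in ("Global", "All Regions") and p.region != scope:
            continue
        if resource_types is not None and p.service not in resource_types:
            continue
        chosen.append(arn)
    return chosen


def protection_name(arn):
    """Derive a protection name from the ARN's resource part (max 128 chars)."""
    return parse_arn(arn).resource.replace("/", "-")[:128]


def protect_resources(shield, arns, tags=None):
    """Create a Shield Advanced protection per ARN; skip already-protected ones."""
    created = []
    for arn in arns:
        kwargs = {"Name": protection_name(arn), "ResourceArn": arn}
        if tags:
            kwargs["Tags"] = [{"Key": k, "Value": v} for k, v in tags.items()]
        try:
            created.append(shield.create_protection(**kwargs)["ProtectionId"])
        except shield.exceptions.ResourceAlreadyExistsException:
            pass  # already protected; nothing to do
    return created


# Constructed sample inventory (not real resources).
SAMPLE_ARNS = [
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/web/0123456789abcdef",
    "arn:aws:ec2:eu-west-1:123456789012:eip-allocation/eipalloc-0123456789abcdef0",
    "arn:aws:cloudfront::123456789012:distribution/EDFDVBD6EXAMPLE",
    "arn:aws:route53:::hostedzone/Z0123456789EXAMPLE",
]

if __name__ == "__main__":
    import boto3  # only needed to apply the selection to a real account

    # The Shield API is served from us-east-1 regardless of where resources live.
    shield = boto3.client("shield", region_name="us-east-1")
    shield.describe_subscription()  # raises if the account is not subscribed
    to_protect = select_resources(SAMPLE_ARNS, "All Regions", {"elasticloadbalancing", "cloudfront"})
    print(protect_resources(shield, to_protect, tags={"Owner": "security"}))
```

The `describe_subscription` call before creating protections is deliberate: as the note above says, subscribing does not protect anything by itself, and `CreateProtection` fails on an unsubscribed account.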

**Topics**
+ [Configuring application layer (layer 7) DDoS protections with AWS WAF](ddos-get-started-web-acl-rbr.md)
+ [Configuring health-based detection for your protections with Shield Advanced and Route 53](ddos-get-started-health-checks.md)
+ [Configuring alarms and notifications with Shield Advanced and Amazon SNS](ddos-get-started-create-alarms.md)
+ [Reviewing and finishing your protection configuration in Shield Advanced](ddos-get-started-review-and-configure.md)

# Configuring application layer (layer 7) DDoS protections with AWS WAF
<a name="ddos-get-started-web-acl-rbr"></a>

This page provides instructions for configuring application layer protections with AWS WAF web ACLs. 

To protect an application layer resource, Shield Advanced uses an AWS WAF web ACL with a rate-based rule as a starting point. AWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to your application layer resources, and lets you control access to your content based on the characteristics of the requests. A rate-based rule limits the volume of traffic based on your request aggregation criteria, providing basic DDoS protection to your application. For more information, see [How AWS WAF works](how-aws-waf-works.md) and [Using rate-based rule statements in AWS WAF](waf-rule-statement-type-rate-based.md).

You can also optionally enable Shield Advanced automatic application layer DDoS mitigation, to have Shield Advanced rate limit requests from known DDoS sources and automatically provide incident-specific protections for you. 

**Important**  
If you manage your Shield Advanced protections through AWS Firewall Manager using a Shield Advanced policy, you can't manage application layer protections here. You must manage them in your Firewall Manager Shield Advanced policy.

**Shield Advanced subscriptions and AWS WAF costs**  
Your Shield Advanced subscription covers the costs of using standard AWS WAF capabilities for resources that you protect with Shield Advanced. The standard AWS WAF fees that are covered by your Shield Advanced protections are the cost per protection pack (web ACL), the cost per rule, and the base price per million requests for web request inspection, up to 1,500 WCUs and up to the default body size.

Enabling Shield Advanced automatic application layer DDoS mitigation adds a rule group to your protection pack (web ACL) that uses 150 web ACL capacity units (WCUs). These WCUs count against the WCU usage in your protection pack (web ACL). For more information, see [Automating application layer DDoS mitigation with Shield Advanced](ddos-automatic-app-layer-response.md), [Protecting the application layer with the Shield Advanced rule group](ddos-automatic-app-layer-response-rg.md), and [Web ACL capacity units (WCUs) in AWS WAF](aws-waf-capacity-units.md).

Your subscription to Shield Advanced does not cover the use of AWS WAF for resources that you do not protect using Shield Advanced. It also does not cover any additional non-standard AWS WAF costs for protected resources. Examples of non-standard AWS WAF costs are those for Bot Control, for the CAPTCHA rule action, for web ACLs that use more than 1,500 WCUs, and for inspecting the request body beyond the default body size. The full list is provided on the AWS WAF pricing page. Your subscription to Shield Advanced includes access to the Layer 7 Anti-DDoS Amazon Managed Rule group. As part of your subscription, you will get up to 50 billion requests to Shield Advanced protected AWS WAF resources in a calendar month. Requests beyond 50 billion will be billed as per the AWS Shield Advanced pricing page.

For full information and pricing examples, see [Shield Pricing](https://aws.amazon.com/shield/pricing/) and [AWS WAF Pricing](https://aws.amazon.com/waf/pricing/).

**To configure layer 7 DDoS protections for a Region**

Shield Advanced gives you the option to configure layer 7 DDoS mitigation for each Region where your chosen resources are located. If you're adding protections in multiple Regions, the wizard walks you through the following procedure for each Region. 

1. The **Configure layer 7 DDoS protections** page lists each resource that isn't yet associated with a web ACL. For each of these, either choose an existing web ACL or create a new web ACL. For any resource that already has an associated web ACL, you can change web ACLs by first disassociating the current one through AWS WAF. For more information, see [Associating or disassociating protection with an AWS resource](web-acl-associating-aws-resource.md).

   For web ACLs that don't already have a rate-based rule, the configuration wizard prompts you to add one. A rate-based rule limits traffic from IP addresses when they are sending a high volume of requests. Rate-based rules help protect your application against web request floods and can provide alerts about sudden spikes in traffic that might indicate a potential DDoS attack. Add a rate-based rule to a web ACL by choosing **Add rate limit rule** and then providing a rate limit and rule action. You can configure additional protections in the web ACL through AWS WAF. 

   For information about using web ACLs and rate-based rules in your Shield Advanced protections, including additional configuration options for rate-based rules, see [Protecting the application layer with AWS WAF web ACLs and Shield Advanced](ddos-app-layer-web-ACL-and-rbr.md).

1. For **Automatic application layer DDoS mitigation**, if you want to have Shield Advanced automatically mitigate DDoS attacks against your application layer resources, choose **Enable** and then select the AWS WAF rule action that you want Shield Advanced to use in its custom rules. This setting applies to all of the web ACLs for the resources that you are managing in this wizard session. 

   With automatic application layer DDoS mitigation, Shield Advanced maintains a rate-based rule in the resource's AWS WAF web ACL that limits the volume of requests from known DDoS sources. Additionally, Shield Advanced compares current traffic patterns against historic traffic baselines to detect deviations that might indicate a DDoS attack. When Shield Advanced detects a DDoS attack, it responds by creating, evaluating, and deploying custom AWS WAF rules to respond. You specify whether the custom rules count or block attacks on your behalf. 
**Note**  
Automatic application layer DDoS mitigation works only with protection packs (web ACLs) that were created using the latest version of AWS WAF (v2). 

   For more information about Shield Advanced automatic application layer DDoS mitigation, including caveats and best practices for using this feature, see [Automating application layer DDoS mitigation with Shield Advanced](ddos-automatic-app-layer-response.md).

1. Choose **Next**. The console wizard advances to the health-based detection page. 
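The wizard's first step checks whether each web ACL already has a rate-based rule and prompts you to add one if not. The script below, an added example that is not from the AWS documentation, does the same check programmatically against a WAFv2 web ACL definition and appends a rate-based rule (aggregating per source IP, with the Block or Count action you pick) when one is missing. The rule name `ShieldAdvancedRateLimit`, the limit of 2000 requests and the sample web ACL are constructed values; the `get_web_acl`/`update_web_acl` calls at the end are the real wafv2 API operations:

```python
"""Ensure a WAFv2 web ACL carries a rate-based rule, as the Shield wizard does.

Added example, not from the AWS documentation. Rule name, limit and the
sample web ACL are constructed; the rule JSON is the shape the wafv2 API accepts.
"""
import copy

RATE_RULE_NAME = "ShieldAdvancedRateLimit"  # constructed name


def rate_based_rule(name, limit, action="Block", priority=0):
    """Build a WAFv2 rate-based rule that limits requests per source IP."""
    if action not in ("Block", "Count"):
        raise ValueError("rule action must be Block or Count")
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
        "Action": {action: {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,  # needed for the rate-limit alarms
            "MetricName": name,
        },
    }


def has_rate_based_rule(web_acl):
    """True if any top-level rule in the web ACL is a rate-based statement."""
    return any("RateBasedStatement" in r.get("Statement", {}) for r in web_acl.get("Rules", []))


def ensure_rate_based_rule(web_acl, limit=2000, action="Block"):
    """Return (web_acl, added): a copy with a rate-based rule appended if missing."""
    if has_rate_based_rule(web_acl):
        return web_acl, False
    updated = copy.deepcopy(web_acl)
    rules = updated.setdefault("Rules", [])
    # Put the new rule after every existing rule (lowest number runs first).
    next_priority = max((r["Priority"] for r in rules), default=-1) + 1
    rules.append(rate_based_rule(RATE_RULE_NAME, limit, action, next_priority))
    return updated, True


def apply_to_web_acl(wafv2, name, scope, web_acl_id, limit=2000, action="Block"):
    """Fetch a live web ACL and add the rule through the wafv2 API if needed."""
    current = wafv2.get_web_acl(Name=name, Scope=scope, Id=web_acl_id)
    updated, added = ensure_rate_based_rule(current["WebACL"], limit, action)
    if added:
        wafv2.update_web_acl(
            Name=name, Scope=scope, Id=web_acl_id,
            DefaultAction=updated["DefaultAction"],
            Rules=updated["Rules"],
            VisibilityConfig=updated["VisibilityConfig"],
            LockToken=current["LockToken"],  # optimistic lock from get_web_acl
        )
    return added


# Constructed sample: a web ACL with one managed rule group and no rate limit.
SAMPLE_WEB_ACL = {
    "Name": "app-web-acl",
    "DefaultAction": {"Allow": {}},
    "VisibilityConfig": {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": "app-web-acl"},
    "Rules": [{
        "Name": "common",
        "Priority": 0,
        "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}},
        "OverrideAction": {"None": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": "common"},
    }],
}

if __name__ == "__main__":
    import boto3  # only needed against a real account

    wafv2 = boto3.client("wafv2", region_name="us-east-1")
    # Scope is REGIONAL for ALB/API Gateway web ACLs, CLOUDFRONT for distributions.
    print(apply_to_web_acl(wafv2, "app-web-acl", "REGIONAL", "00000000-0000-0000-0000-000000000000"))
```

Starting with the Count action and reviewing the rule's CloudWatch metrics before switching to Block is the usual way to pick a limit that does not cut off legitimate traffic.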

# Configuring health-based detection for your protections with Shield Advanced and Route 53
<a name="ddos-get-started-health-checks"></a>

This page provides instructions for configuring Shield Advanced to use health-based detection. This can help improve responsiveness and accuracy in attack detection and mitigation.

Well-configured health checks are essential for accurate detection of events. You can configure health-based detection for any resource type except for Route 53 hosted zones. 

To use health-based detection, define a health check for your resource in Route 53, and then associate the health check with your Shield Advanced protection. It's important that the health check that you configure accurately reflects the health of the resource. For information and examples for configuring health checks to use with Shield Advanced, see [Health-based detection using health checks with Shield Advanced and Route 53](ddos-advanced-health-checks.md). 

Health checks are required for Shield Response Team (SRT) proactive engagement support. For information about proactive engagement, see [Setting up proactive engagement for the SRT to contact you directly](ddos-srt-proactive-engagement.md).

**Note**  
Health checks must be reporting healthy when you associate them with your Shield Advanced protections.

**To configure health-based detection**

1. Under **Associated Health Check**, choose the ID of the health check that you want to associate with the protection. 
**Note**  
If you do not see the health check you need, go to the Route 53 console and verify the health check and its ID. For information, see [Creating and Updating Health Checks](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/health-checks-creating.html).

1. Choose **Next**. The console wizard advances to the alarms and notifications page. 
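The note above requires the health check to be reporting healthy at association time. The following script, added as an example and not part of the AWS documentation, enforces that by reading the Route 53 checker observations first and only then calling Shield's `AssociateHealthCheck`. The protection ID and health check ID are constructed placeholders, and treating observation status strings that start with `Success` as healthy is an assumption about the Route 53 `GetHealthCheckStatus` output:

```python
"""Associate a Route 53 health check with a Shield Advanced protection only
when the check is currently reporting healthy.

Added example, not from the AWS documentation. IDs are constructed; the
"Success"/"Failure" prefix of StatusReport.Status is an assumption.
"""


def health_check_arn(health_check_id):
    """Shield Advanced takes the health check as an ARN, not a bare ID."""
    return f"arn:aws:route53:::healthcheck/{health_check_id}"


def is_reporting_healthy(status_response):
    """True only when every Route 53 checker observation reports success."""
    observations = status_response.get("HealthCheckObservations", [])
    if not observations:
        return False  # no checker has reported yet; do not assume healthy
    return all(
        o.get("StatusReport", {}).get("Status", "").startswith("Success")
        for o in observations
    )


def unhealthy_checkers(status_response):
    """Return (checker region, status) pairs that are not reporting success."""
    return [
        (o.get("Region"), o.get("StatusReport", {}).get("Status", ""))
        for o in status_response.get("HealthCheckObservations", [])
        if not o.get("StatusReport", {}).get("Status", "").startswith("Success")
    ]


def associate_if_healthy(route53, shield, protection_id, health_check_id):
    """Refuse to associate a check that would immediately look like an outage."""
    status = route53.get_health_check_status(HealthCheckId=health_check_id)
    if not is_reporting_healthy(status):
        raise RuntimeError(
            f"health check {health_check_id} is not healthy: {unhealthy_checkers(status)}"
        )
    shield.associate_health_check(
        ProtectionId=protection_id, HealthCheckArn=health_check_arn(health_check_id)
    )
    return health_check_arn(health_check_id)


# Constructed sample responses shaped like GetHealthCheckStatus output.
HEALTHY_STATUS = {"HealthCheckObservations": [
    {"Region": "us-east-1", "IPAddress": "192.0.2.10", "StatusReport": {"Status": "Success: HTTP Status Code 200, OK"}},
    {"Region": "eu-west-1", "IPAddress": "192.0.2.11", "StatusReport": {"Status": "Success: HTTP Status Code 200, OK"}},
]}
DEGRADED_STATUS = {"HealthCheckObservations": [
    {"Region": "us-east-1", "IPAddress": "192.0.2.10", "StatusReport": {"Status": "Success: HTTP Status Code 200, OK"}},
    {"Region": "eu-west-1", "IPAddress": "192.0.2.11", "StatusReport": {"Status": "Failure: Connection timed out"}},
]}

if __name__ == "__main__":
    import boto3  # only needed against a real account

    route53 = boto3.client("route53")
    shield = boto3.client("shield", region_name="us-east-1")
    # Placeholder IDs: replace with your protection ID and health check ID.
    print(associate_if_healthy(route53, shield, "PROTECTION-ID-PLACEHOLDER", "HEALTH-CHECK-ID-PLACEHOLDER"))
```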

# Configuring alarms and notifications with Shield Advanced and Amazon SNS
<a name="ddos-get-started-create-alarms"></a>

This page provides instructions to optionally configure Amazon Simple Notification Service notifications for detected Amazon CloudWatch alarms and rate-based rule activity. You can use these to receive notification when Shield detects an event on a protected resource or when a rate limit configured in a rate-based rule is exceeded. 

For information about Shield Advanced CloudWatch metrics, see [AWS Shield Advanced metrics](shield-metrics.md). For information about Amazon SNS, see the [Amazon Simple Notification Service Developer Guide](https://docs.aws.amazon.com/sns/latest/dg/). 

**To configure alarms and notifications**

1. Select the Amazon SNS topics that you want notification for. You can use a single Amazon SNS topic for all protected resources and rate-based rules, or you can choose different topics, customized to your organization. For example, you can create an SNS topic for each team that's responsible for incident response for a specific set of resources.

1. Choose **Next**. The console wizard advances to the resource protection review page.

# Reviewing and finishing your protection configuration in Shield Advanced
<a name="ddos-get-started-review-and-configure"></a>

**To review and finish your settings**

1. In the **Review and configure DDoS mitigation and visibility** page, review your settings. To make modifications, choose **Edit** in the area that you want to modify. This takes you back to the associated page in the console wizard. Make your changes, then choose **Next** in the subsequent pages until you return to the **Review and configure DDoS mitigation and visibility** page.

1. Choose **Finish configuration**. The **Protected resources** page lists your newly protected resources.

# Setting up AWS Shield Response Team (SRT) support for DDoS event response
<a name="authorize-srt"></a>

This page provides instructions for setting up Shield Response Team (SRT) support.

The SRT includes security engineers who specialize in DDoS event response. You can optionally add permissions that allow the SRT to manage resources on your behalf during a DDoS event. In addition, you can configure the SRT to proactively engage with you if the Route 53 health checks associated with your protected resources are unhealthy during a detected event. Both of these additions to your protections enable quicker responses to DDoS events. 

**Note**  
To use the services of the Shield Response Team (SRT), you must be subscribed to the [Business Support plan](https://aws.amazon.com/premiumsupport/business-support/) or the [Enterprise Support plan](https://aws.amazon.com/premiumsupport/enterprise-support/). 

The SRT can monitor AWS WAF request data and logs during application layer events to identify anomalous traffic. They can help craft custom AWS WAF rules to mitigate offending traffic sources. As needed, the SRT might make architectural recommendations to help you better align your resources with AWS recommendations. 

For more information about the SRT, see [Managed DDoS event response with Shield Response Team (SRT) support](ddos-srt-support.md).

**To grant permissions to the SRT**

1. In the AWS Shield console **Overview** page, under **Configure AWS SRT support**, choose **Edit SRT access**. The **Edit AWS Shield Response Team (SRT) access** page opens.

1. For **SRT access setting** select one of the options: 
   + **Do not grant the SRT access to my account** – Shield removes any permissions you previously gave to the SRT to access your account and resources.
   + **Create a new role for the SRT to access my account** – Shield creates a role that trusts the service principal `drt.shield.amazonaws.com`, which represents the SRT, and attaches the managed policy `AWSShieldDRTAccessPolicy` to it. The managed policy allows the SRT to make AWS Shield Advanced and AWS WAF API calls on your behalf and to access your AWS WAF logs. For more information about the managed policy, see [AWS managed policy: AWSShieldDRTAccessPolicy](shd-security-iam-awsmanpol.md#shd-security-iam-awsmanpol-AWSShieldDRTAccessPolicy).
   + **Choose an existing role for the SRT to access my accounts** – For this option, you must modify the configuration of the role in AWS Identity and Access Management (IAM) as follows: 
     + Attach the managed policy `AWSShieldDRTAccessPolicy` to the role. This managed policy allows the SRT to make AWS Shield Advanced and AWS WAF API calls on your behalf and to access your AWS WAF logs. For more information about the managed policy, see [AWS managed policy: AWSShieldDRTAccessPolicy](shd-security-iam-awsmanpol.md#shd-security-iam-awsmanpol-AWSShieldDRTAccessPolicy). For information about attaching the managed policy to your role, see [Attaching and Detaching IAM Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html). 
     + Modify the role to trust the service principal `drt.shield.amazonaws.com`. This is the service principal that represents the SRT. For more information, see [IAM JSON Policy Elements: Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html). 

1. Choose **Save** to save your changes. 

For more information about giving the SRT access to your protections and data, see [Granting access for the SRT](ddos-srt-access.md). 
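Both the "create a new role" and "choose an existing role" options above come down to the same two IAM requirements: the role's trust policy must allow `drt.shield.amazonaws.com` to assume it, and `AWSShieldDRTAccessPolicy` must be attached. The script below, an added example that is not from the AWS documentation, checks an existing role against those two requirements (refusing to proceed if either is missing), can alternatively create a role that meets them, and then registers the role with Shield through `AssociateDRTRole`. The role name `ShieldSRTAccessRole` is a constructed placeholder; the policy ARN is the published ARN of the AWS managed policy:

```python
"""Grant the Shield Response Team access by validating or creating an IAM role.

Added example, not from the AWS documentation. The role name is a constructed
placeholder; the service principal and managed policy are the ones named in the
procedure above.
"""
import json

SRT_PRINCIPAL = "drt.shield.amazonaws.com"
SRT_POLICY_ARN = "arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy"


def _as_list(value):
    """IAM policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def srt_trust_policy():
    """Trust policy that lets only the SRT service principal assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": SRT_PRINCIPAL},
            "Action": "sts:AssumeRole",
        }],
    }


def trusts_srt(trust_policy):
    """True if some Allow statement lets drt.shield.amazonaws.com call sts:AssumeRole."""
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict) and SRT_PRINCIPAL in _as_list(principal.get("Service")):
            return True
    return False


def srt_role_gaps(trust_policy, attached_policy_arns):
    """List what an existing role still lacks before the SRT can use it."""
    gaps = []
    if not trusts_srt(trust_policy):
        gaps.append(f"trust policy does not allow {SRT_PRINCIPAL} to assume the role")
    if SRT_POLICY_ARN not in attached_policy_arns:
        gaps.append(f"managed policy {SRT_POLICY_ARN} is not attached")
    return gaps


def grant_srt_access(iam, shield, role_name, create=False):
    """Validate (or create) the role, then associate it with Shield Advanced."""
    if create:
        role = iam.create_role(
            RoleName=role_name,
            AssumeRolePolicyDocument=json.dumps(srt_trust_policy()),
            Description="Allows the AWS Shield Response Team to act during DDoS events",
        )["Role"]
        iam.attach_role_policy(RoleName=role_name, PolicyArn=SRT_POLICY_ARN)
    else:
        role = iam.get_role(RoleName=role_name)["Role"]
        attached = [p["PolicyArn"] for p in
                    iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]]
        gaps = srt_role_gaps(role["AssumeRolePolicyDocument"], attached)
        if gaps:
            raise RuntimeError(f"role {role_name} is not usable by the SRT: " + "; ".join(gaps))
    shield.associate_drt_role(RoleArn=role["Arn"])
    return role["Arn"]


# Constructed sample: a role that trusts EC2 only and has no Shield policy.
EC2_ONLY_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": ["sts:AssumeRole"]}],
}

if __name__ == "__main__":
    import boto3  # only needed against a real account

    iam = boto3.client("iam")
    shield = boto3.client("shield", region_name="us-east-1")
    print(grant_srt_access(iam, shield, "ShieldSRTAccessRole", create=True))
```

Keeping the trust policy limited to the SRT principal (no account or user principals) matters: the role carries permission to change your AWS WAF configuration and read your WAF logs, so nothing else should be able to assume it.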

**To enable SRT proactive engagement**

1. In the AWS Shield console **Overview** page, under **Proactive engagement and contacts**, in the contacts area, choose **Edit**.

   In the **Edit contacts** page, provide the contact information for the people that you want the SRT to contact for proactive engagement. 

   If you provide more than one contact, in the **Notes**, indicate the circumstances under which each contact should be used. Include primary and secondary contact designations, and provide the hours of availability and time zones for each contact. 

   Example contact notes: 
   + This is a hotline that's staffed 24x7x365. Please work with the responding analyst and they will get the appropriate person on the call. 
   + Please contact me if the hotline doesn't respond within 5 minutes.

1. Choose **Save**. 

   The **Overview** page reflects the updated contact information.

1. Choose **Edit proactive engagement feature**, choose **Enable**, and then choose **Save** to enable proactive engagement. 

For more information about proactive engagement, see [Setting up proactive engagement for the SRT to contact you directly](ddos-srt-proactive-engagement.md).

# Creating a DDoS dashboard in CloudWatch and setting CloudWatch alarms
<a name="deploy-waf-dashboard"></a>

This page provides instructions for creating a DDoS dashboard in CloudWatch and setting CloudWatch alarms.

You can monitor potential DDoS activity using Amazon CloudWatch, which collects raw data from Shield Advanced and processes it into readable, near real-time metrics. You can use statistics in CloudWatch to gain a perspective on how your web application or service is performing. For more information about using CloudWatch, see [What is CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/WhatIsCloudWatch.html) in the *Amazon CloudWatch User Guide*.
+ For instructions for creating a CloudWatch dashboard, see [Monitoring with Amazon CloudWatch](monitoring-cloudwatch.md). 
+ For descriptions of the Shield Advanced metrics that you can add to your dashboard, see [AWS Shield Advanced metrics](shield-metrics.md). 

Shield Advanced reports resource metrics to CloudWatch more frequently during DDoS events than while no events are underway. Shield Advanced reports metrics once a minute during an event, and then once right after the event ends. While no events are underway, Shield Advanced reports metrics once a day, at a time assigned to the resource. This periodic report keeps the metrics active and available for use in your custom CloudWatch alarms. 
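The reporting cadence described above has a direct consequence for alarm design: between events a resource's Shield metrics arrive only once a day, so an alarm that treats missing data as a breach would fire constantly. The following script, added here as an example and not from the AWS documentation, builds the two CloudWatch alarms the earlier notifications page describes, one on the Shield Advanced `DDoSDetected` metric for a protected resource and one on blocked requests from a rate-based rule, with missing data treated as `notBreaching` and both wired to an SNS topic. The resource ARN, web ACL name, rule metric name and topic ARN are constructed placeholders; the metric namespaces and dimension names (`AWS/DDoSProtection` with `ResourceArn`, `AWS/WAFV2` with `WebACL`, `Rule` and `Region`) are the standard ones for these services:

```python
"""CloudWatch alarms for Shield Advanced detection and rate-based rule blocks,
each notifying an SNS topic.

Added example, not from the AWS documentation. ARNs and names are constructed;
namespaces and dimensions are the standard Shield Advanced and AWS WAF ones.
"""

SHIELD_NAMESPACE = "AWS/DDoSProtection"
WAF_NAMESPACE = "AWS/WAFV2"


def ddos_detected_alarm(resource_arn, sns_topic_arn, alarm_name):
    """Alarm as soon as Shield Advanced reports DDoSDetected=1 for the resource."""
    return {
        "AlarmName": alarm_name,
        "Namespace": SHIELD_NAMESPACE,
        "MetricName": "DDoSDetected",
        "Dimensions": [{"Name": "ResourceArn", "Value": resource_arn}],
        "Statistic": "Maximum",
        "Period": 60,            # Shield reports once a minute during an event
        "EvaluationPeriods": 1,
        "Threshold": 0,
        "ComparisonOperator": "GreaterThanThreshold",
        # Between events Shield reports once a day, so gaps are the normal
        # state and must not count as a breach.
        "TreatMissingData": "notBreaching",
        "AlarmActions": [sns_topic_arn],
        "OKActions": [sns_topic_arn],   # also notify when the event ends
    }


def rate_limit_alarm(web_acl_name, rule_metric_name, region, sns_topic_arn,
                     alarm_name, blocked_per_5min):
    """Alarm when a rate-based rule blocks at least N requests in five minutes."""
    return {
        "AlarmName": alarm_name,
        "Namespace": WAF_NAMESPACE,
        "MetricName": "BlockedRequests",
        "Dimensions": [
            {"Name": "WebACL", "Value": web_acl_name},
            {"Name": "Rule", "Value": rule_metric_name},
            {"Name": "Region", "Value": region},
        ],
        "Statistic": "Sum",
        "Period": 300,
        "EvaluationPeriods": 1,
        "Threshold": blocked_per_5min,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "TreatMissingData": "notBreaching",  # no blocks means no data, not trouble
        "AlarmActions": [sns_topic_arn],
    }


def build_alarms(resource_arn, web_acl_name, rule_metric_name, region, sns_topic_arn):
    """One alarm per signal the notifications page mentions, keyed by name."""
    alarms = [
        ddos_detected_alarm(resource_arn, sns_topic_arn, f"shield-ddos-detected-{web_acl_name}"),
        rate_limit_alarm(web_acl_name, rule_metric_name, region, sns_topic_arn,
                         f"waf-rate-limit-blocks-{web_acl_name}", blocked_per_5min=1000),
    ]
    return {a["AlarmName"]: a for a in alarms}


def create_alarms(cloudwatch, alarms):
    """Create or update every alarm definition through PutMetricAlarm."""
    for definition in alarms.values():
        cloudwatch.put_metric_alarm(**definition)
    return sorted(alarms)


# Constructed placeholders (not real resources).
RESOURCE_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/web/0123456789abcdef"
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:ddos-response"

if __name__ == "__main__":
    import boto3  # only needed against a real account

    cloudwatch = boto3.client("cloudwatch", region_name="us-east-1")
    alarms = build_alarms(RESOURCE_ARN, "app-web-acl", "ShieldAdvancedRateLimit", "us-east-1", TOPIC_ARN)
    print(create_alarms(cloudwatch, alarms))
```

The `OKActions` entry on the detection alarm gives responders an explicit "event ended" message, which lines up with Shield's final metric report right after an event closes.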

This completes the tutorial for getting started with Shield Advanced. To take full advantage of the protections you've chosen, continue exploring the features and options of Shield Advanced. To start, familiarize yourself with your options for viewing and responding to events at [Visibility into DDoS events with Shield Advanced](ddos-viewing-events.md) and [Responding to DDoS events in AWS](ddos-responding.md).