Which should I choose? AWS Shield vs WAF vs Firewall Manager

AWS Shield, WAF and Firewall Manager form a powerful security trio to defend applications from cyber threats. Discover how they differ and determine which combination best suits your needs.

Application owners must ensure a secure exchange of information and resilience against a wide range of security threats and attacks. To protect applications against unwanted and malicious internet traffic, AWS offers three services: Shield, Web Application Firewall (WAF) and Firewall Manager.

These AWS services, combined, offer protection on layers 3, 4 and 7 of the OSI model. They cover multiple AWS services, such as CloudFront, Route53, Global Accelerator, API Gateway, Elastic Load Balancing (ELB) and Elastic Compute Cloud (EC2), among others. This includes protection against DDoS attacks, malicious HTTP and HTTPS requests, as well as simplifying the automation and release of configurations across organizations with many AWS accounts and resources.

What is AWS Shield?

AWS Shield protects AWS components against DDoS attacks. These attacks produce a large number of artificially generated requests to disrupt public applications. Shield is available in two presentations: Standard and Advanced.

AWS Shield Standard

AWS Shield Standard is enabled by default in CloudFront, Route 53 and Global Accelerator at no extra cost.

AWS Shield Standard offers protection against certain attacks but lacks flexibility for custom configurations. Shield Advanced, by contrast, integrates with the AWS WAF service to configure specific protection rules. It also protects against additional AWS charges that could be incurred due to increased usage resulting from a DDoS attack; affected customers can request credits.

AWS Shield Advanced

AWS Shield Advanced is available for CloudFront, Route 53 and Global Accelerator, as well as ELB, Elastic IPs and EC2.

AWS Shield Advanced costs $3,000 per month and it requires a 1-year subscription commitment. It provides access to the AWS Shield Response Team, a 24/7 support group available for emergencies, but this is only for AWS accounts that also have AWS Premium Support with Enterprise or Business Support levels, which are support plans that have an additional cost depending on the monthly AWS bill.

There is an additional data transfer fee, which varies depending on the protected resource type and the amount of data transferred, priced in brackets (for example, under 100 TB, 400 TB and 500 TB). Within the initial 100 TB bracket, the Shield Advanced data transfer fee is between $25 and $50 per TB, depending on the protected resource type. This is in addition to the data transfer fees applicable to each protected resource. The monthly fee applies per AWS Organization, so deployments across multiple AWS accounts within one Organization pay only a single fee.

While Shield Standard protects against attacks on layers 3 and 4, Shield Advanced expands the number of supported AWS services and integrates with WAF to provide coverage against attacks on layer 7.

What is AWS WAF?

The Web Application Firewall service focuses on layer 7 protection. WAF's configurable feature set detects and blocks specific traffic patterns trying to reach your application in real time. It integrates with CloudFront distributions, Application Load Balancers, Cognito user pools, AWS Verified Access instances, AppSync GraphQL APIs and API Gateway REST APIs. A WAF can be configured to detect traffic based on the following:

  • Specific IPs.
  • Cross-site scripting.
  • SQL injection attacks.
  • IP ranges or country of origin.
  • IPs exceeding rate-based rules.
  • Content patterns in request bodies, paths, JA3/JA4 fingerprints, queries, headers and cookies.

Through Firewall Manager, WAF rules can be applied to all accounts within an AWS Organization. When incoming traffic matches any of the configured rules, WAF can block the request, return a custom response or simply generate metrics to monitor matching requests. Additional rules are also available in the AWS Marketplace.
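The rule types and actions just described, put together as an added example (not from the article or AWS): a WAFv2 web ACL in the request shape that boto3's wafv2 `create_web_acl(**acl)` accepts, plus an offline check for two mistakes the API rejects at create time. The IP set ARN, rate limit and country code are constructed placeholders.

```python
# Added example, not from the article: an AWS WAFv2 web ACL in the request
# shape accepted by boto3's wafv2 create_web_acl(**acl). The IP set ARN,
# rate limit and country code are constructed placeholders.
IP_SET_ARN = "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/blocklist/PLACEHOLDER-ID"

def visibility(metric):
    # The web ACL and every rule need a VisibilityConfig for CloudWatch metrics
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": metric}

def body_match():
    # Inspect the request body after URL-decoding it (same shape for XssMatchStatement)
    return {"FieldToMatch": {"Body": {}}, "TextTransformations": [{"Priority": 0, "Type": "URL_DECODE"}]}

def build_web_acl(name="app-web-acl", scope="REGIONAL", rate_limit=2000):
    rules = [
        # Known-bad source IPs held in an IP set: block
        {"Name": "block-ip-set", "Priority": 0, "Action": {"Block": {}},
         "Statement": {"IPSetReferenceStatement": {"ARN": IP_SET_ARN}},
         "VisibilityConfig": visibility("BlockIpSet")},
        # Rate-based rule: an IP exceeding rate_limit requests per 5 minutes gets a custom 429
        {"Name": "rate-limit-per-ip", "Priority": 1,
         "Action": {"Block": {"CustomResponse": {"ResponseCode": 429}}},
         "Statement": {"RateBasedStatement": {"Limit": rate_limit, "AggregateKeyType": "IP"}},
         "VisibilityConfig": visibility("RateLimitPerIp")},
        # Country of origin: Count only, so CloudWatch shows what a Block would have hit
        {"Name": "count-geo", "Priority": 2, "Action": {"Count": {}},
         "Statement": {"GeoMatchStatement": {"CountryCodes": ["AQ"]}},  # placeholder country
         "VisibilityConfig": visibility("CountGeo")},
        # SQL injection patterns in the request body
        {"Name": "sqli-body", "Priority": 3, "Action": {"Block": {}},
         "Statement": {"SqliMatchStatement": body_match()}, "VisibilityConfig": visibility("SqliBody")},
        # Managed rule group: these take OverrideAction, never Action
        {"Name": "aws-common", "Priority": 4, "OverrideAction": {"None": {}},
         "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}},
         "VisibilityConfig": visibility("AwsCommon")},
    ]
    return {"Name": name, "Scope": scope, "DefaultAction": {"Allow": {}},
            "Rules": rules, "VisibilityConfig": visibility(name)}

def validate_web_acl(acl):
    """Offline checks for two mistakes the WAFv2 API rejects at create time."""
    errors, seen = [], set()
    for r in acl["Rules"]:
        if r["Priority"] in seen:
            errors.append(f"{r['Name']}: duplicate priority {r['Priority']}")
        seen.add(r["Priority"])
        if ("Action" in r) == ("OverrideAction" in r):
            errors.append(f"{r['Name']}: exactly one of Action or OverrideAction required")
    return errors
```

Use `scope="CLOUDFRONT"` (and the us-east-1 endpoint) for a CloudFront distribution; `REGIONAL` covers ALB, API Gateway, Cognito, AppSync and Verified Access.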

Two of WAF's main features are:

AWS WAF Bot Control. It provides rules focused on identifying and taking measures against requests that follow patterns commonly used by pervasive bots. It can also be configured to allow traffic from search engines or uptime status monitoring tools. For common bot traffic, it costs $1 per million requests evaluated. For rules that target specific bots, it costs $10 per million requests inspected.

AWS WAF Fraud Control. It protects login and user creation pages against fraudulent requests. Fraud Control can cost $1,000 per million requests analyzed for deployments that have between 10 thousand and 2 million requests per month.

Both Bot Control and Fraud Control support configuring rules that display CAPTCHA challenges. These challenges incur an additional cost of $4 per 10,000 attempts analyzed for Bot Control Common, with no additional cost for Bot Control Targeted and Fraud Control.

WAF charges $5 a month per web access control list (ACL) and $1 a month per rule configured in the web ACL. A web ACL can be associated with multiple resources; check the documentation for details.

WAF charges $0.60 per 1 million requests. For example, an application that handles 10 requests per second (roughly 26 million requests a month) will cost approximately $15 per month for request inspection. Plus, factor in any charges related to the number of rules and web ACLs.

What is AWS Firewall Manager?

AWS Firewall Manager is intended for centralized management across multiple AWS accounts and resources. It supports the following services:

  • WAF.
  • Shield Advanced.
  • Network Firewall.
  • VPC security groups.
  • Route 53 Resolver DNS Firewall.

With Firewall Manager, application owners can configure rules that apply to all accounts. Owners can also configure rules for all resources of a certain type within an account or organization, such as applying rules to all CloudFront distributions. It also supports applying configurations based on resource tags. When new resources are added to an account, specific protection rules can be assigned to them automatically, which enhances security by simplifying and automating the configuration of critical protection features across multiple AWS resources in one or more AWS accounts.

Large organizations sometimes struggle to protect a growing number of configurations and resources; Firewall Manager assists with that. It charges $100 a month per configured policy per region. Plus, factor in any charges for the resources it creates, such as WAF web ACLs, WAF rules, AWS Config rules and so on. Customers with Shield Advanced can use Firewall Manager with no additional cost per policy.

Combining AWS Shield Standard and WAF is a great option for small or medium deployments. AWS Shield Advanced and Firewall Manager, together with WAF, are a suitable option for large deployments.

How to decide which tool is right for your organization

While all three cloud security services deliver very important features for most AWS cloud deployments, it is important to evaluate whether they are a good fit for specific application needs. The OSI layers they protect are an important area to evaluate, as are the services a particular application needs to have protected.

Cost is also an important factor, particularly for AWS Shield Advanced, given its monthly fee of $3,000 and the required 1-year commitment. Large organizations with numerous accounts and cloud resources should seriously consider a service such as Firewall Manager, since it simplifies management of many cloud components.
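To put the cost factor in numbers for the two combinations recommended earlier (Shield Standard + WAF for small or medium deployments; Shield Advanced + Firewall Manager + WAF for large ones), here is an added example, not from the article or AWS, that models the monthly bill from the list prices quoted above. It assumes a 30-day month and leaves out Shield Advanced data transfer fees, support plans, Bot Control, Fraud Control, CAPTCHA and Marketplace rules; the deployment sizes are constructed.

```python
# Added example, not from the article or AWS: a monthly cost model for the two
# combinations recommended above, using only the list prices the article quotes.
# Excludes Shield Advanced data transfer fees, support plans, Bot/Fraud Control,
# CAPTCHA and WAF Marketplace rules. Assumes a 30-day month.
from dataclasses import dataclass

SECONDS_PER_MONTH = 30 * 24 * 3600
SHIELD_ADVANCED_MONTHLY = 3000.0         # per AWS Organization, 1-year commitment
WAF_WEB_ACL_MONTHLY = 5.0
WAF_RULE_MONTHLY = 1.0
WAF_PER_MILLION_REQUESTS = 0.60
FIREWALL_MANAGER_POLICY_MONTHLY = 100.0  # per policy per region

@dataclass
class Deployment:
    requests_per_second: float
    web_acls: int
    rules_per_web_acl: int
    fm_policies: int = 0        # Firewall Manager policies (0 = not using Firewall Manager)
    fm_regions: int = 1
    shield_advanced: bool = False

def waf_request_cost(requests_per_second):
    """Request-volume part of the WAF bill (the article's 10 rps ~ $15 example)."""
    requests = requests_per_second * SECONDS_PER_MONTH
    return requests / 1e6 * WAF_PER_MILLION_REQUESTS

def monthly_cost(d):
    """Return the per-service and total monthly cost in USD."""
    waf = d.web_acls * (WAF_WEB_ACL_MONTHLY + d.rules_per_web_acl * WAF_RULE_MONTHLY)
    waf += waf_request_cost(d.requests_per_second)
    shield = SHIELD_ADVANCED_MONTHLY if d.shield_advanced else 0.0
    # Shield Advanced customers pay no per-policy Firewall Manager fee
    fm = 0.0 if d.shield_advanced else d.fm_policies * d.fm_regions * FIREWALL_MANAGER_POLICY_MONTHLY
    return {"waf": round(waf, 2), "shield_advanced": shield,
            "firewall_manager": round(fm, 2), "total": round(waf + shield + fm, 2)}

# Constructed sizes. Small/medium: Shield Standard (free) + one web ACL with five rules at 10 rps
SMALL = Deployment(requests_per_second=10, web_acls=1, rules_per_web_acl=5)
# Large: Shield Advanced + Firewall Manager (3 policies in 2 regions) + four web ACLs at 200 rps
LARGE = Deployment(requests_per_second=200, web_acls=4, rules_per_web_acl=10,
                   fm_policies=3, fm_regions=2, shield_advanced=True)

if __name__ == "__main__":
    print("small:", monthly_cost(SMALL))
    print("large:", monthly_cost(LARGE))
```

The Shield Advanced fee alone equals 30 Firewall Manager policy-regions a month, so the waiver only changes the picture for organizations running many policies across many regions.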

Given the high priority that security represents in modern cloud deployments, it is highly recommended to evaluate these AWS security services and configure them according to specific application and compliance requirements.

Editor's note: This article was originally published in 2022 and was updated in 2025 to include updated features and pricing information.

Ernesto Marquez is owner and project director at Concurrency Labs, where he helps startups launch and grow their applications on AWS. He enjoys building serverless architectures, building data analytics solutions, implementing automation and helping customers cut their AWS costs.
