Cost reduction Tips in Shield Advanced

Hi, All of the Data Transfer Out pricing for resources protected by AWS Shield Advanced are explained here - https://aws.amazon.com/shield/pricing/

If you can provide more detail about your workload, it would be helpful in terms of offering advice.

Hi,

You'll need to run an estimation on the data transfer cost to understand what are the resource consuming the most and benefits of using Shield Advanced.

Use this reference to do the same - https://aws.amazon.com/blogs/aws-cloud-financial-management/estimate-your-aws-waf-and-aws-shield-advanced-cost/

Once you know how to estimate the cost to protect your resources with AWS Shield Advanced, you will be able to balance more efficiently between the extra protection and services brought by this new technology and the cost incurred by this feature.

1. Ensure you are serving compressed responses to clients where possible.
2. For ALB/CloudFront, ensure that your WAF WebACL is configured to block malicious traffic with a small response Content-Length - either the default WAF 403, or if you want client to see a branded page when blocked you can serve a 403 containing either a javascript redirect to the branded page or a 302 redirect to branded page.
3. The WAF rules you should have in place to block malicious DDoS traffic include:

• one or more rate-based rules in Block mode
• IPReputation rulegroup with IPDDosList in 'Block' mode
• ShieldMitigation rulegroup by enabling Automatic Application Layer Protection

4. Do not add a CloudFront origin as a Protected Resource if the CloudFront distribution is itself 'Protected' - instead ensure that only traffic from your CloudFront distribution can reach your origin by combining the AWS-managed prefix list for Cloudfront with a custom header inserted by your distribution and a ALB listener rule that checks for the presence of the header.