Requesting a credit in AWS Shield Advanced - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

Requesting a credit in AWS Shield Advanced

If you're subscribed to AWS Shield Advanced and you experience a DDoS attack that increases utilization of a Shield Advanced protected resource, you can request a Shield Advanced service credit for charges related to the increased utilization, to the extent that it is not mitigated by Shield Advanced.


You can apply any credits received through this process only to Shield Advanced usage. Shield Advanced credits are not available for use with other services.

Credits are available only for the following types of charges:

  • Shield Advanced data transfer out

  • Amazon CloudFront HTTP/HTTPS requests

  • CloudFront data transfer out

  • Amazon RouteĀ 53 queries

  • AWS Global Accelerator standard accelerator data transfer

  • Load balancer capacity units for Application Load Balancer

  • Instance costs for protected Amazon Elastic Compute Cloud (Amazon EC2) instances that were created by an auto-scaling policy in response to the attack

Prerequisites for requesting a credit

To be eligible to receive a credit, before the attack began, you must have done the following:

  • You must have added Shield Advanced protection to the resources for which you want to request a credit. Protected resources added during an attack are not eligible for cost protection.


    Enabling Shield Advanced on your AWS account does not automatically enable Shield Advanced protection for individual resources.

    For more information about how to protect AWS resources using Shield Advanced, see Adding AWS Shield Advanced protection to AWS resources.

  • For applicable CloudFront and Application Load Balancer protected resources, you must have associated an AWS WAF web ACL and implemented a rate-based rule in the web ACL in Block mode. For information about AWS WAF rate-based rules, see Rate-based rule statement. For information about how to associate web ACLs with AWS resources, see AWS WAF web access control lists (web ACLs).

  • You must have implemented the appropriate best practices in AWS Best Practices for DDoS Resiliency to configure your application in a way that minimizes cost during a DDoS attack.

How to apply for a credit

To be eligible for a credit, you must submit your credit request within the 15 day period immediately following the billing month in which the attack occurred.

To apply for a credit, submit a billing case through the AWS Support Center. Include the following in your request:

  • The words "DDoS Concession" in the subject line

  • The dates and times of each event or availability interruption for which you're requesting a credit

  • The AWS services and specific resources that were affected

After you submit a request, the AWS Shield Response Team (SRT) will validate whether a DDoS attack occurred and, if so, whether any protected resources scaled to absorb the DDoS attack. If AWS determines that protected resources scaled to absorb the DDoS attack, AWS will issue a credit for that portion of traffic that AWS determines was caused by the DDoS attack. Credits are valid for 12 months.