Description: 

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. There are two tiers of AWS Shield - Standard and Advanced.

Rationale:

AWS Shield Standard defends against the most common, frequently occurring network and transport layer DDoS attacks that target your website or applications. AWS Shield Advanced provides expanded DDoS attack protection for web applications running on your AWS resources.


Impact:

AWS Shield automatically provides comprehensive protection against infrastructure-layer attacks such as SYN floods, UDP floods, and reflection attacks. AWS Shield's always-on detection and mitigation systems automatically scrub malicious traffic at Layers 3 and 4 to protect your application.

Default Value: 

AWS Shield Standard is automatically enabled for all AWS customers at no additional cost. Shield Advanced protection is not enabled by default; to obtain it you have to go through the audit and remediation steps below.

Pre-requisites:

  • Sign in as an administrator, or as an IAM user with the required permissions


Remediation:

Test Plan:


Follow these steps to check whether AWS Shield Advanced is enabled:

  1. Log in to the AWS Management Console

  2. Go to the WAF & Shield service at https://console.aws.amazon.com/wafv2/shieldv2

  3. Click Getting started under AWS Shield

  4. If the page shows Subscribe to Shield Advanced, Shield Advanced is not enabled


Using AWS CLI:

aws shield describe-subscription --region us-east-1

If the account has a Shield Advanced subscription, the command returns the Subscription details; if there is no subscription, the call fails with a ResourceNotFoundException, which is the equivalent of the console showing Subscribe to Shield Advanced.


Implementation Steps:

  1. Log in to the AWS Management Console

  2. Go to the WAF & Shield service at https://console.aws.amazon.com/wafv2/shieldv2

  3. Click Getting started under AWS Shield

  4. Select Subscribe to Shield Advanced

  5. Then follow these steps:

    Step 1: Subscribe to AWS Shield Advanced

      • On the Subscribe to Shield Advanced page, read each term of the agreement, and then select all of the checkboxes to indicate that you accept the terms.

      • Click Subscribe to Shield Advanced.

    Step 2: Add resources to protect

      • From the console navigation bar, choose Protected Resources and then choose Add resources to protect.

      • On the Choose resources to protect with Shield Advanced page, select the Regions and resource types that you want to protect, then choose Load resources.

      • Select the resources that you want to protect, then choose Protect with Shield Advanced.



Using AWS CLI:

aws shield create-protection \
    --name ddos-protected-<enter the resource you want to protect> \
    --resource-arn arn:aws:<enter the resource ARN>

This call only succeeds once the account has an active Shield Advanced subscription (Step 1 above); run it once per resource you want protected.
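The Test Plan check and the create-protection step above can be scripted. The following Python is an added example, not part of this runbook or of any AWS tool: it evaluates constructed sample copies of the describe-subscription and list-protections responses, reports any ARN from a resource inventory that has no protection record, and emits the create-protection command from the runbook for each gap. To run it against a real account, replace the SAMPLE_* dictionaries with the output of those two CLI calls (or the boto3 shield client); the account id, ARNs and dates below are constructed.

```python
import re
from datetime import datetime, timezone
# Constructed sample of `aws shield describe-subscription` output for an account that HAS
# Shield Advanced. With no subscription the API raises ResourceNotFoundException instead
# of returning a document; pass None to subscription_status() for that case.
SAMPLE_SUBSCRIPTION = {"Subscription": {
    "StartTime": "2023-01-15T00:00:00+00:00", "EndTime": "2025-01-15T00:00:00+00:00",
    "TimeCommitmentInSeconds": 31536000, "AutoRenew": "ENABLED",
    "SubscriptionArn": "arn:aws:shield::123456789012:subscription/EXAMPLE"}}

# Constructed sample of `aws shield list-protections` output: two resources protected.
SAMPLE_PROTECTIONS = {"Protections": [
    {"Id": "p-1", "Name": "ddos-protected-web-alb", "ResourceArn":
     "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/web/EXAMPLE"},
    {"Id": "p-2", "Name": "ddos-protected-eip",
     "ResourceArn": "arn:aws:ec2:us-east-1:123456789012:eip-allocation/eipalloc-EXAMPLE"}]}

# Constructed inventory of internet-facing resources that should be covered.
INVENTORY = ["arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/web/EXAMPLE",
             "arn:aws:cloudfront::123456789012:distribution/EXAMPLE",
             "arn:aws:ec2:us-east-1:123456789012:eip-allocation/eipalloc-EXAMPLE"]

def _as_utc(value):  # the CLI gives ISO-8601 strings, boto3 gives datetimes; accept both
    dt = value if isinstance(value, datetime) else datetime.fromisoformat(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def subscription_status(response, now=None):
    """'PASS' if DescribeSubscription shows a subscription that has not lapsed, else 'FAIL'."""
    sub = (response or {}).get("Subscription")
    if not sub:
        return "FAIL"  # the console would show "Subscribe to Shield Advanced" here
    now = _as_utc(now) if now else datetime.now(timezone.utc)
    return "FAIL" if sub.get("EndTime") and _as_utc(sub["EndTime"]) <= now else "PASS"

def unprotected_resources(inventory, protections_response):
    """ARNs from the inventory that have no Shield Advanced protection record."""
    covered = {p["ResourceArn"] for p in protections_response.get("Protections", [])}
    return [arn for arn in inventory if arn not in covered]

def remediation_commands(unprotected):
    """One `aws shield create-protection` per gap, named ddos-protected-<resource> as in
    the runbook; characters outside the Name pattern [A-Za-z0-9_.-] are replaced by '-'."""
    cmds = []
    for arn in unprotected:
        resource = ":".join(arn.split(":")[5:])  # the part after the account-id field
        name = ("ddos-protected-" + re.sub(r"[^A-Za-z0-9_.-]", "-", resource))[:128]
        cmds.append(f"aws shield create-protection --name {name} --resource-arn {arn}")
    return cmds
```

With the constructed data the subscription check passes (until the sample EndTime) and the CloudFront distribution is reported as the one unprotected resource.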


Backout Plan:

To unsubscribe from Shield Advanced protection, you need to contact AWS Support.

Reference:

AWS Shield - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced