Description:

AWS Shield Advanced provides enhanced protections for your applications running on protected Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Route 53 resources against more sophisticated and larger attacks. AWS Shield Advanced protection provides always-on, flow-based monitoring of network traffic and active application monitoring to provide near real-time notifications of suspected DDoS incidents.

Rationale:

The AWS Shield Standard tier, which provides basic DDoS protection, is automatically enabled for all AWS customers at no additional charge. AWS Shield Advanced, the service that provides advanced DDoS protection, comes at additional cost. If the Auto renew check is DISABLED, advanced DDoS protection may not be offered after the subscription period ends.

Impact:

If the Auto Renew check is ENABLED, the subscription will be automatically renewed at the end of the existing subscription period.

Default Value:

When you initially create a subscription, AutoRenew is set to ENABLED.

Pre-Requisite:

The API endpoint of AWS Shield Advanced is only available in US East (N. Virginia) Region. This rule should only be scheduled to run in the US East (N. Virginia) Region.

Remediation:

Test Plan:

Using AWS console:

  1. Sign in to the AWS Management Console at https://console.aws.amazon.com/wafv2/shieldv2#/

  2. Navigate to AWS Shield on the left and click Overview.

  3. Check whether auto renewal is enabled.

  4. If not, follow the implementation steps to enable it.

Using AWS CLI:

To view details about the Shield Advanced subscription for an account:

aws shield describe-subscription

This returns details about the AWS Shield Advanced tier subscription for your AWS account. 

Look for the AutoRenew attribute in the output:

"AutoRenew": "DISABLED",

If the value is DISABLED, follow the Implementation steps.
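The CLI check above can be automated. The following is an added example, not part of the original rule text: it evaluates the JSON returned by aws shield describe-subscription and also reports how many days remain before the subscription's EndTime. The function names, the PASS/FAIL/NO_SUBSCRIPTION labels and the sample output are assumptions constructed for illustration.

```python
import json
import subprocess
from datetime import datetime, timezone

# Constructed sample of `aws shield describe-subscription` output (not real account data).
SAMPLE_OUTPUT = """{"Subscription": {
  "StartTime": "2024-06-12T19:23:49.483000+00:00",
  "EndTime": "2025-06-12T19:23:49.483000+00:00",
  "TimeCommitmentInSeconds": 31536000,
  "AutoRenew": "DISABLED"}}"""


def parse_time(value):
    """Accept an ISO 8601 string or epoch seconds; naive values are assumed UTC."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    parsed = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def evaluate_subscription(cli_output, now):
    """Return the rule verdict for one describe-subscription JSON document."""
    sub = json.loads(cli_output).get("Subscription")
    if not sub:
        return {"status": "NO_SUBSCRIPTION", "auto_renew": None, "days_left": None}
    auto_renew = sub.get("AutoRenew")
    end = sub.get("EndTime")
    days_left = (parse_time(end) - now).days if end is not None else None
    # Assumption: anything other than ENABLED (including a missing field) fails the rule.
    status = "PASS" if auto_renew == "ENABLED" else "FAIL"
    return {"status": status, "auto_renew": auto_renew, "days_left": days_left}


if __name__ == "__main__":
    # Live check: needs the AWS CLI and credentials; the Shield API is called in us-east-1.
    out = subprocess.run(
        ["aws", "shield", "describe-subscription", "--region", "us-east-1", "--output", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    print(evaluate_subscription(out, datetime.now(timezone.utc)))
```

A FAIL with a small days_left value is the case to prioritise, since that subscription will lapse soonest.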

Implementation steps:

Using AWS console:

  1. Sign in to the AWS Management Console at https://console.aws.amazon.com/wafv2/shieldv2#/

  2. Navigate to AWS Shield on left and click on Getting started.

  3. Choose to Subscribe to Shield Advanced.

  4. Agree to Auto renewal and click on Subscribe to Shield Advanced.

Using AWS CLI:

Updates the details of an existing subscription. Only enter values for parameters you want to change. Empty parameters are not updated.

aws shield update-subscription \
  --auto-renew ENABLED

Backout Plan:

Follow the implementation steps up to step 3, then clear the auto renewal check box and click on Subscribe to Shield Advanced.

Using AWS CLI:

To revoke the changes, set the value of auto-renew to DISABLED:

aws shield update-subscription \
  --auto-renew DISABLED

Note:

  • Only enter values for parameters you want to change. 

  • Empty parameters are not updated.

Reference:

Actions - AWS Shield Advanced