Description:
AWS Shield Advanced provides enhanced protections for your applications running on protected Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront, AWS Global Accelerator, and Route 53 resources against more sophisticated and larger attacks. AWS Shield Advanced protection provides always-on, flow-based monitoring of network traffic and active application monitoring to provide near real-time notifications of suspected DDoS incidents.
Rationale:
AWS Shield Standard, which provides basic DDoS protection, is automatically enabled for all AWS customers at no additional charge. AWS Shield Advanced, the service that provides advanced DDoS protection, is a paid subscription. If Auto renew is DISABLED, the account may no longer have advanced DDoS protection after the subscription period ends.
Impact:
If Auto Renew is ENABLED, the subscription is automatically renewed at the end of the existing subscription period.
Default Value:
When you initially create a subscription, AutoRenew is set to ENABLED.
Pre-Requisite:
The API endpoint of AWS Shield Advanced is only available in US East (N. Virginia) Region. This rule should only be scheduled to run in the US East (N. Virginia) Region.
Remediation:
Test Plan:
Using AWS console:
Sign in to the AWS Management console at https://console.aws.amazon.com/wafv2/shieldv2#/
In the left navigation pane, choose AWS Shield and then Overview.
Check whether auto renewal is enabled.
If it is not, follow the implementation steps to enable it.
Using AWS CLI:
To view details about the Shield Advanced subscription for an account.
aws shield describe-subscription
This returns details about the AWS Shield Advanced tier subscription for your AWS account.
Look for the AutoRenew attribute in the output, for example: "AutoRenew": "DISABLED"
If it is DISABLED, follow the Implementation steps.
Implementation steps:
Using AWS console:
Sign in to the AWS Management console at https://console.aws.amazon.com/wafv2/shieldv2#/
In the left navigation pane, choose AWS Shield and then Getting started.
Choose Subscribe to Shield Advanced.
Agree to Auto renewal and click Subscribe to Shield Advanced.
Using AWS CLI:
Update the details of the existing subscription. Only enter values for parameters you want to change; empty parameters are not updated. The valid values for --auto-renew are ENABLED and DISABLED.
aws shield update-subscription --auto-renew ENABLED
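The following script is an added example (not part of the original rule text) that combines the CLI test plan above with the CLI implementation step: it reads the describe-subscription output, extracts the AutoRenew value, reports PASS or FAIL, and optionally applies update-subscription with ENABLED. It assumes a configured AWS CLI with shield:DescribeSubscription and shield:UpdateSubscription permissions, pins the region to us-east-1 because the Shield endpoint is only available there, and falls back to a constructed sample response when the aws command is not installed.

```shell
#!/bin/sh
# Added example: audit and optionally remediate the Shield Advanced AutoRenew setting.
# Assumes the AWS CLI is configured; region is pinned to us-east-1 (Shield endpoint).

# Constructed sample of `aws shield describe-subscription` output, used only when
# the aws command is not available (e.g. when running this file offline).
SAMPLE_SUBSCRIPTION_JSON='{
    "Subscription": {
        "TimeCommitmentInSeconds": 31536000,
        "AutoRenew": "DISABLED",
        "Limits": []
    }
}'

# Read describe-subscription JSON on stdin and print the AutoRenew value:
# ENABLED, DISABLED, or UNKNOWN when the field is absent from the response.
auto_renew_state() {
    state=$(sed -n 's/.*"AutoRenew"[[:space:]]*:[[:space:]]*"\([A-Z]*\)".*/\1/p' | head -n 1)
    if [ -z "$state" ]; then
        echo UNKNOWN
    else
        echo "$state"
    fi
}

# Exit status 0 (compliant) only when the state is exactly ENABLED.
is_compliant() {
    [ "$1" = "ENABLED" ]
}

# Live lookup; the Shield API endpoint is only served from us-east-1.
live_subscription_json() {
    aws shield describe-subscription --region us-east-1 --output json
}

# Remediation: the only valid values for --auto-renew are ENABLED and DISABLED.
enable_auto_renew() {
    aws shield update-subscription --region us-east-1 --auto-renew ENABLED
}

# Audit flow; pass --remediate to also enable auto renewal on a FAIL.
main() {
    if command -v aws >/dev/null 2>&1; then
        json=$(live_subscription_json) || { echo "describe-subscription failed" >&2; return 2; }
    else
        echo "aws CLI not found; evaluating the constructed sample response" >&2
        json="$SAMPLE_SUBSCRIPTION_JSON"
    fi
    state=$(printf '%s' "$json" | auto_renew_state)
    if is_compliant "$state"; then
        echo "PASS: Shield Advanced AutoRenew is ENABLED"
        return 0
    fi
    echo "FAIL: Shield Advanced AutoRenew is $state"
    if [ "$1" = "--remediate" ]; then
        enable_auto_renew && echo "AutoRenew has been set to ENABLED"
    fi
    return 1
}

# Run only when invoked with --check or --remediate, so the functions can be sourced.
case "${1:-}" in
    --check|--remediate) main "$1" ;;
esac
```

Run it as `sh shield_auto_renew.sh --check` from a scheduled job in us-east-1; a non-zero exit status marks the account as non-compliant with this rule. Treat UNKNOWN as a failure rather than a pass, since it means the response did not contain the expected field (for example, no Shield Advanced subscription exists at all).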
Backout Plan:
Follow the implementation steps up to step 3, then clear the Auto renewal check box and click Subscribe to Shield Advanced.
Using AWS CLI:
To revert the change, set the value of --auto-renew to DISABLED:
aws shield update-subscription --auto-renew DISABLED
Note:
Only enter values for parameters you want to change; empty parameters are not updated.
Reference: