Description:
This policy ensures that all Elastic IP addresses (EIPs) that are associated with resources are protected by AWS Shield Advanced. This helps to protect your resources from DDoS attacks.
Rationale:
AWS Shield Advanced provides advanced monitoring and protection against DDoS attacks. By protecting your EIPs with Shield Advanced, you can help to ensure that your resources are available even during a DDoS attack.
Impact:
If you do not protect your EIPs with Shield Advanced, your resources may be unavailable during a DDoS attack. This could lead to lost revenue, customer dissatisfaction, and damage to your brand reputation.
Default Value:
AWS will not protect EIPs by default. You must explicitly enable Shield Advanced protection for each EIP.
Pre-requisites:
- You must have an AWS account and be an IAM user with the appropriate permissions to enable Shield Advanced.
- You must know the IDs of the EIPs that you want to protect.
Remediation Steps:
- Enable Shield Advanced protection for each EIP.
- Verify that the EIPs are protected by checking the AWS Shield Advanced console or the AWS CLI.
Test Plan:
- Identify a subset of EIPs that are not currently protected by Shield Advanced.
- Enable Shield Advanced protection for the selected EIPs.
- Verify that the EIPs are protected by checking the AWS Shield Advanced console or the AWS CLI.
Implementation Plan:
AWS CLI:
aws shield create-protection --name <protection-name> --resource-arn arn:aws:ec2:<region>:<account-id>:eip-allocation/<eip-allocation-id>
AWS GUI:
- Go to the AWS Shield Advanced console.
- Click Protect resources.
- Select Elastic IP addresses.
- Enter the ID of the EIP that you want to protect.
- Click Protect.
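The following Python script is an added example; it is not part of this policy text and not AWS tooling. It implements the audit half of the plan above: given the output of `aws ec2 describe-addresses` and `aws shield list-protections`, it lists the associated EIPs that have no Shield Advanced protection and prints the `aws shield create-protection` command for each. The two JSON documents, the account ID and the allocation IDs are constructed sample data; the region and account ID are assumed values you would take from the EC2 call and from `aws sts get-caller-identity` in live use.

```python
"""Audit Elastic IPs for missing AWS Shield Advanced protection.

Added example, not part of the original policy. The JSON below is constructed
to match the shape of `aws ec2 describe-addresses` and
`aws shield list-protections` output; all IDs are made up. Shield Advanced
identifies an EIP by the ARN
arn:aws:ec2:<region>:<account-id>:eip-allocation/<allocation-id>.
"""
import json

# Constructed `aws ec2 describe-addresses` output: two associated EIPs and
# one that is allocated but attached to nothing.
DESCRIBE_ADDRESSES = json.loads("""
{"Addresses": [
  {"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-0aaa111122223333a",
   "Domain": "vpc", "AssociationId": "eipassoc-0aaa0001", "InstanceId": "i-0aaa0001"},
  {"PublicIp": "203.0.113.11", "AllocationId": "eipalloc-0bbb111122223333b",
   "Domain": "vpc", "AssociationId": "eipassoc-0bbb0002", "NetworkInterfaceId": "eni-0bbb0002"},
  {"PublicIp": "203.0.113.12", "AllocationId": "eipalloc-0ccc111122223333c",
   "Domain": "vpc"}
]}
""")

# Constructed `aws shield list-protections` output: only the first EIP is covered.
LIST_PROTECTIONS = json.loads("""
{"Protections": [
  {"Id": "00000000-0000-4000-8000-000000000001", "Name": "eip-web-a",
   "ResourceArn": "arn:aws:ec2:us-east-1:123456789012:eip-allocation/eipalloc-0aaa111122223333a"}
]}
""")


def eip_arn(region: str, account_id: str, allocation_id: str) -> str:
    """Build the ARN Shield Advanced uses to identify an Elastic IP."""
    return f"arn:aws:ec2:{region}:{account_id}:eip-allocation/{allocation_id}"


def unprotected_eips(addresses: dict, protections: dict, region: str, account_id: str) -> list:
    """Return allocation IDs of associated EIPs that have no Shield protection.

    Unassociated EIPs are skipped because the policy scopes itself to EIPs
    attached to a resource; report them separately if you also want those.
    """
    protected_arns = {p["ResourceArn"] for p in protections.get("Protections", [])}
    missing = []
    for addr in addresses.get("Addresses", []):
        allocation_id = addr.get("AllocationId")
        if not allocation_id or "AssociationId" not in addr:
            continue
        if eip_arn(region, account_id, allocation_id) not in protected_arns:
            missing.append(allocation_id)
    return missing


def remediation_commands(allocation_ids, region: str, account_id: str) -> list:
    """Emit one `aws shield create-protection` call per unprotected EIP."""
    return [
        f"aws shield create-protection --name eip-{alloc} "
        f"--resource-arn {eip_arn(region, account_id, alloc)}"
        for alloc in allocation_ids
    ]


if __name__ == "__main__":
    # Assumed values: take the region from your EC2 query and the account ID
    # from `aws sts get-caller-identity` when running against a real account.
    region, account = "us-east-1", "123456789012"
    gaps = unprotected_eips(DESCRIBE_ADDRESSES, LIST_PROTECTIONS, region, account)
    for command in remediation_commands(gaps, region, account):
        print(command)
```

With the constructed data the script reports `eipalloc-0bbb111122223333b` as the only gap and prints the matching `create-protection` command. When feeding it live output, page through `list-protections` (it returns a `NextToken`) so a long protection list does not produce false positives, and remember that `create-protection` only succeeds in an account that already holds a Shield Advanced subscription; the Shield API is served from us-east-1, so run the `shield` commands with `--region us-east-1` regardless of where the EIPs live.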
Backout Plan:
- Disable Shield Advanced protection for each EIP.
- Verify that the EIPs are no longer protected by checking the AWS Shield Advanced console or the AWS CLI.
Note:
- This policy applies to all regions and accounts.
- You can use the AWS Shield Advanced API to automate the process of enabling and disabling protection for EIPs.
Reference:
https://docs.aws.amazon.com/shield/
https://docs.aws.amazon.com/cli/latest/reference/shield/index.html