Description:
This policy ensures that every Elastic IP address (EIP) that is associated with a resource (an EC2 instance or a Network Load Balancer, which Shield Advanced protects through their EIPs) has an AWS Shield Advanced protection. The protection adds enhanced DDoS detection and mitigation for traffic arriving at that address.

Rationale:
AWS Shield Standard is applied automatically and mitigates common network- and transport-layer floods, but it offers no per-resource visibility. AWS Shield Advanced adds resource-specific detection and mitigation, near-real-time attack metrics and diagnostics, access to the Shield Response Team (with a qualifying Support plan), and cost protection for scaling caused by an attack. Creating a protection for each associated EIP is what brings those capabilities to bear on the instance or load balancer behind it, so that it stays reachable during a DDoS event.

Impact:
If an associated EIP has no Shield Advanced protection, only Shield Standard applies to it; a volumetric or protocol attack can exhaust the resource behind it, and you have no attack diagnostics, Shield Response Team engagement, or cost protection for that address. The resulting outage can mean lost revenue, customer dissatisfaction, and damage to your brand reputation. Note that Shield Advanced itself carries a subscription fee with a one-year commitment; the fee is per account, not per protected EIP.

Default Value:
Only Shield Standard applies by default. Shield Advanced is not enabled for any resource: the account must first subscribe to Shield Advanced, and you must then explicitly create a protection for each EIP (or enable Shield Advanced automatic protection for the resource type).

Pre-requisites:

  • The account must have an active AWS Shield Advanced subscription; create-protection calls fail without one.
  • You must act as an IAM principal with the permissions needed for the steps below, at least shield:CreateProtection, shield:ListProtections, shield:DescribeProtection, shield:DeleteProtection (for backout), ec2:DescribeAddresses, and sts:GetCallerIdentity.
  • Each EIP must be associated with an EC2 instance or a Network Load Balancer; unassociated EIPs cannot be protected.
  • You must know, for each EIP, its allocation ID (eipalloc-...), its region, and the account ID, because Shield identifies the EIP by the ARN arn:aws:ec2:<region>:<account-id>:eip-allocation/<allocation-id>.


Remediation Steps:

  1. Create a Shield Advanced protection for each associated EIP, using its eip-allocation ARN.
  2. Verify that each EIP is protected by checking the Protected resources page in the AWS Shield console, or by confirming that its ARN appears in the output of aws shield list-protections.


Test Plan:

  1. List the associated EIPs in a region and compare their ARNs with the resource ARNs returned by aws shield list-protections; pick a subset that is not yet protected.
  2. Create a Shield Advanced protection for each EIP in the subset.
  3. Verify that aws shield describe-protection --resource-arn <eip-arn> returns a protection for each one, and that the EIPs are listed as protected in the AWS Shield console.

Implementation Plan:

AWS CLI:


aws shield create-protection --name <protection-name> --resource-arn arn:aws:ec2:<region>:<account-id>:eip-allocation/<allocation-id> --region us-east-1

(There is no enable-protection subcommand; Shield protections are created with create-protection and identified by resource ARN. The Shield API endpoint is in us-east-1, so pass that region explicitly even when the EIP lives elsewhere.)

AWS GUI:
  1. Open the AWS WAF & Shield console and choose AWS Shield, then Protected resources.
  2. Choose Add resources to protect.
  3. Select the Region and the resource type Elastic IP address.
  4. Select the EIPs that you want to protect (only associated EIPs are eligible).
  5. Choose Protect with Shield Advanced and complete the remaining pages of the wizard.


Backout Plan:

  1. Look up the protection ID for each EIP (aws shield describe-protection --resource-arn <eip-arn>) and delete it with aws shield delete-protection --protection-id <protection-id>. Deleting a protection does not cancel the account's Shield Advanced subscription, which runs until the end of its commitment.
  2. Verify that the EIP ARNs no longer appear in the AWS Shield console or in the output of aws shield list-protections.
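
The following script is an added example that implements both the Implementation Plan and the Backout Plan above; it is not part of the original policy text. It assumes AWS CLI v2 with credentials for an account that already holds a Shield Advanced subscription. The "audit" mode lists associated EIPs in a region that have no protection, "apply" creates a protection for each of them, and "remove" deletes the protections again. The ARN format and the us-east-1 Shield endpoint are AWS facts; the script name, the protection naming scheme (eip-<allocation-id>) and the mode names are this example's own choices.

```shell
#!/bin/sh
# Audit, protect, or unprotect associated Elastic IPs with AWS Shield Advanced.
# Added example, not from the policy text. Assumes AWS CLI v2 and an account
# that already holds a Shield Advanced subscription.
# Usage:  sh shield-eips.sh audit  [region]
#         sh shield-eips.sh apply  [region]
#         sh shield-eips.sh remove [region]
set -eu

# Shield's API endpoint lives in us-east-1 regardless of where the EIP is.
SHIELD_REGION=us-east-1

# Build the ARN Shield expects for an EIP from region, account and allocation ID.
eip_arn() {
  printf 'arn:aws:ec2:%s:%s:eip-allocation/%s\n' "$1" "$2" "$3"
}

# Print every line of $1 (candidate ARNs) that does not appear in $2 (protected ARNs).
unprotected_arns() {
  printf '%s\n' "$1" | while IFS= read -r arn; do
    [ -n "$arn" ] || continue
    if ! printf '%s\n' "$2" | grep -Fxq -- "$arn"; then
      printf '%s\n' "$arn"
    fi
  done
}

# Allocation IDs of EIPs in region $1 that are associated with a resource.
# With --output text a missing AssociationId is printed as "None".
associated_allocation_ids() {
  aws ec2 describe-addresses --region "$1" \
    --query 'Addresses[].[AllocationId,AssociationId]' --output text |
    awk '$2 != "None" { print $1 }'
}

# Resource ARNs that already have a Shield Advanced protection (one per line).
protected_arns() {
  aws shield list-protections --region "$SHIELD_REGION" \
    --query 'Protections[].ResourceArn' --output text | tr '\t' '\n'
}

main() {
  mode=$1
  region=${2:-${AWS_DEFAULT_REGION:-us-east-1}}
  account=$(aws sts get-caller-identity --query Account --output text)

  # Fail early without a subscription; create-protection would be rejected anyway.
  aws shield describe-subscription --region "$SHIELD_REGION" >/dev/null

  candidates=$(for id in $(associated_allocation_ids "$region"); do
    eip_arn "$region" "$account" "$id"
  done)
  already=$(protected_arns)

  case $mode in
    audit)
      unprotected_arns "$candidates" "$already" ;;
    apply)
      # Shield rejects EIPs it cannot protect (e.g. not on an EC2 instance or NLB);
      # report those and keep going instead of aborting the whole run.
      unprotected_arns "$candidates" "$already" | while IFS= read -r arn; do
        aws shield create-protection --region "$SHIELD_REGION" \
          --name "eip-${arn##*/}" --resource-arn "$arn" --output text ||
          printf 'could not protect %s\n' "$arn" >&2
      done ;;
    remove)
      printf '%s\n' "$candidates" | while IFS= read -r arn; do
        [ -n "$arn" ] || continue
        pid=$(aws shield describe-protection --region "$SHIELD_REGION" \
          --resource-arn "$arn" --query Protection.Id --output text 2>/dev/null) || continue
        aws shield delete-protection --region "$SHIELD_REGION" --protection-id "$pid"
        printf 'removed protection %s from %s\n' "$pid" "$arn"
      done ;;
    *)
      echo "usage: $0 audit|apply|remove [region]" >&2; exit 2 ;;
  esac
}

# Only run the driver when a mode is given, so the functions can also be sourced.
[ $# -eq 0 ] || main "$@"
```

Run "audit" first and keep its output as the change record; "apply" is idempotent because it only creates protections for ARNs absent from list-protections, and "remove" silently skips EIPs that have no protection. Because describe-addresses is regional while Shield is global, run the script once per region in which you hold associated EIPs.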


Note:

  • This policy applies to all regions and accounts. EIPs and the EC2 DescribeAddresses call are regional, while the Shield API is served from us-east-1, so enumerate EIPs per region and pass --region us-east-1 to the shield commands.
  • The Shield Advanced API (CreateProtection, ListProtections, DescribeProtection, DeleteProtection) can be used to automate enabling and disabling protection for EIPs, for example from a scheduled job that compares associated EIPs with the current protection list.


Reference:

https://docs.aws.amazon.com/shield/

https://docs.aws.amazon.com/cli/latest/reference/shield/index.html