Description:
This policy ensures that all Route 53 hosted zones are protected by AWS Shield Advanced. This helps to protect your Route 53 hosted zones from DDoS attacks.

Rationale:
AWS Shield Advanced provides advanced monitoring and protection against DDoS attacks. By protecting your Route 53 hosted zones with Shield Advanced, you can help to ensure that your DNS resolution is available even during a DDoS attack.

Impact:
If you do not protect your Route 53 hosted zones with Shield Advanced, your DNS resolution may be unavailable during a DDoS attack. This could lead to customer dissatisfaction and difficulty accessing your applications and services.

Default Value:
AWS will not protect Route 53 hosted zones by default. You must explicitly enable Shield Advanced protection for each hosted zone.

Pre-requisites:

  • You must have an AWS account and be an IAM user with the appropriate permissions to enable Shield Advanced.
  • You must know the names or IDs of the Route 53 hosted zones that you want to protect.


Remediation Steps:

  1. Enable Shield Advanced protection for each Route 53 hosted zone.
  2. Verify that the hosted zones are protected by checking the AWS Shield Advanced console or the AWS CLI.


Test Plan:

  1. Identify a subset of Route 53 hosted zones that are not currently protected by Shield Advanced.
  2. Enable Shield Advanced protection for the selected hosted zones.
  3. Verify that the hosted zones are protected by checking the AWS Shield Advanced console or the AWS CLI.

Implementation Plan:

AWS CLI:


aws shield create-protection --name <protection-name> --resource-arn arn:aws:route53:::hostedzone/<hosted-zone-id>

(Shield Advanced has no enable-protection command: a protection is created against the hosted zone's ARN, and the account must already hold an active Shield Advanced subscription.)

AWS GUI:

  1. Go to the AWS Shield Advanced console.
  2. Click Protect resources.
  3. Select Route 53 hosted zones.
  4. Enter the name or ID of the Route 53 hosted zone that you want to protect.
  5. Click Protect.
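The audit-then-protect loop described in the Test Plan and Implementation Plan above, as an added example that is not part of the policy text. It assumes AWS CLI v2 with credentials allowed to call route53:ListHostedZones, shield:ListProtections and shield:CreateProtection, and an active Shield Advanced subscription; the hosted zone IDs and ARNs used to exercise the comparison offline are constructed.

```shell
#!/bin/sh
# Added example, not part of the policy text. Audits Route 53 hosted zones
# against existing Shield Advanced protections and, on request, protects the
# gaps. Assumes AWS CLI v2, credentials permitted to call
# route53:ListHostedZones, shield:ListProtections and shield:CreateProtection,
# and an active Shield Advanced subscription (CreateProtection fails without one).
set -eu

ZONE_ARN_PREFIX='arn:aws:route53:::hostedzone/'

# Pure comparison, testable offline.
# $1: newline-separated hosted zone IDs (e.g. Z0123456789ABCDEFGHIJ)
# $2: newline-separated ResourceArn values from `aws shield list-protections`
# Prints the zone IDs that have no protection covering their ARN.
unprotected_zones() {
  zones=$1
  arns=$2
  printf '%s\n' "$zones" | while IFS= read -r id; do
    [ -n "$id" ] || continue
    if ! printf '%s\n' "$arns" | grep -qxF "${ZONE_ARN_PREFIX}${id}"; then
      printf '%s\n' "$id"
    fi
  done
}

# Live audit. list-hosted-zones returns IDs as "/hostedzone/Zxxxx", so the
# prefix is stripped before comparing against protection ARNs.
audit() {
  zones=$(aws route53 list-hosted-zones --query 'HostedZones[].Id' --output text \
            | tr '\t' '\n' | sed 's#^/hostedzone/##')
  arns=$(aws shield list-protections --query 'Protections[].ResourceArn' --output text \
            | tr '\t' '\n')
  unprotected_zones "$zones" "$arns"
}

# Remediation: create one protection per unprotected zone, named after the zone.
remediate() {
  audit | while IFS= read -r id; do
    echo "Protecting hosted zone $id"
    aws shield create-protection --name "route53-$id" \
      --resource-arn "${ZONE_ARN_PREFIX}${id}" --query ProtectionId --output text
  done
}

case "${1:-}" in
  audit) audit ;;
  remediate) remediate ;;
esac
```

Run `sh audit.sh audit` to list unprotected zones (Test Plan step 1) and `sh audit.sh remediate` to protect them; a second `audit` run should then print nothing.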


Backout Plan:

  1. Disable Shield Advanced protection for each Route 53 hosted zone.
  2. Verify that the hosted zones are no longer protected by checking the AWS Shield Advanced console or the AWS CLI.


Note:

  • This policy applies to all regions and accounts.
  • You can use the AWS Shield Advanced API to automate the process of enabling and disabling protection for Route 53 hosted zones.

Reference:
https://docs.aws.amazon.com/shield/
https://docs.aws.amazon.com/cli/latest/reference/shield/index.html