Description:
This policy ensures that all internet-facing Application Load Balancers (ALBs) are protected by AWS Shield Advanced. This helps to protect your ALBs from DDoS attacks.
Rationale:
AWS Shield Advanced provides advanced monitoring and protection against DDoS attacks. By protecting your ALBs with Shield Advanced, you help ensure that your applications remain available even during a DDoS attack.
Impact:
If you do not protect your ALBs with Shield Advanced, your applications may be unavailable during a DDoS attack. This could lead to customer dissatisfaction and loss of revenue.
Default Value:
AWS Shield Advanced does not protect ALBs by default. You must explicitly enable Shield Advanced protection for each ALB.
Pre-requisites:
- You must have an AWS account and be an IAM user with the appropriate permissions to enable Shield Advanced.
- You must know the names or ARNs of the ALBs that you want to protect.
Remediation Steps:
- Enable Shield Advanced protection for each ALB.
- Verify that the ALBs are protected by checking the AWS Shield Advanced console or the AWS CLI.
Test Plan:
- Identify a subset of ALBs that are not currently protected by Shield Advanced.
- Enable Shield Advanced protection for the selected ALBs.
- Verify that the ALBs are protected by checking the AWS Shield Advanced console or the AWS CLI.
Implementation Plan:
AWS CLI:
aws shield create-protection --name <protection-name> --resource-arn <alb-arn>
AWS GUI:
- Go to the AWS Shield Advanced console.
- Click Protect resources.
- Select Application load balancers.
- Enter the name or ID of the ALB that you want to protect.
- Click Protect.
Backout Plan:
- Disable Shield Advanced protection for each ALB.
- Verify that the ALBs are no longer protected by checking the AWS Shield Advanced console or the AWS CLI.
Note:
- This policy applies to all regions and accounts.
- You can use the AWS Shield Advanced API to automate the process of enabling and disabling protection for ALBs.
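The following is an added example, not part of the original policy text: it implements the check this policy describes (which internet-facing ALBs lack a Shield Advanced protection) over the JSON shapes returned by `aws elbv2 describe-load-balancers` and `aws shield list-protections`, and emits the matching `aws shield create-protection` remediation commands. The sample data, ARNs and protection names below are constructed.

```python
"""Audit helper: find internet-facing ALBs with no AWS Shield Advanced protection."""
import json

# Constructed sample in the shape of `aws elbv2 describe-load-balancers` output.
DESCRIBE_LBS = json.loads("""{"LoadBalancers": [
 {"LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/web-alb/50dc6c495c0c9188",
  "LoadBalancerName": "web-alb", "Scheme": "internet-facing", "Type": "application"},
 {"LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/api-alb/0123456789abcdef",
  "LoadBalancerName": "api-alb", "Scheme": "internet-facing", "Type": "application"},
 {"LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/int-alb/fedcba9876543210",
  "LoadBalancerName": "int-alb", "Scheme": "internal", "Type": "application"},
 {"LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/edge-nlb/abcdef0123456789",
  "LoadBalancerName": "edge-nlb", "Scheme": "internet-facing", "Type": "network"}]}""")

# Constructed sample in the shape of `aws shield list-protections` output (only web-alb is covered).
# Note: list-protections is paginated; in a real run concatenate all pages before calling the check.
LIST_PROTECTIONS = json.loads("""{"Protections": [
 {"Id": "11111111-2222-3333-4444-555555555555", "Name": "web-alb-shield",
  "ResourceArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/web-alb/50dc6c495c0c9188"}]}""")


def unprotected_internet_facing_albs(describe_lbs, list_protections):
    """Return (name, arn) for every application load balancer that is internet-facing
    and whose ARN does not appear as the ResourceArn of any Shield protection.
    Internal ALBs and non-ALB load balancers are out of scope for this policy."""
    protected = {p["ResourceArn"] for p in list_protections.get("Protections", [])}
    return [
        (lb["LoadBalancerName"], lb["LoadBalancerArn"])
        for lb in describe_lbs.get("LoadBalancers", [])
        if lb.get("Type") == "application"
        and lb.get("Scheme") == "internet-facing"
        and lb["LoadBalancerArn"] not in protected
    ]


def remediation_commands(findings):
    """Build one `aws shield create-protection` call per finding.
    The protection name "<alb-name>-shield" is an assumed convention; the account
    needs an active Shield Advanced subscription or the call is rejected."""
    return [
        f"aws shield create-protection --name {name}-shield --resource-arn {arn}"
        for name, arn in findings
    ]


if __name__ == "__main__":
    for cmd in remediation_commands(unprotected_internet_facing_albs(DESCRIBE_LBS, LIST_PROTECTIONS)):
        print(cmd)
```

Replace the constructed inputs with live CLI output (for example `aws elbv2 describe-load-balancers --output json`) to run the check against an account, and review the printed commands before executing them.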
Reference:
https://docs.aws.amazon.com/shield/
https://docs.aws.amazon.com/cli/latest/reference/shield/index.html