Description:
This policy ensures that all internet-facing Application Load Balancers (ALBs) are protected by AWS Shield Advanced. This helps to protect your ALBs from DDoS attacks.

Rationale:
AWS Shield Advanced provides advanced monitoring and protection against DDoS attacks. By protecting your ALBs with Shield Advanced, you can help to ensure that your applications are available even during a DDoS attack.

Impact:
If you do not protect your ALBs with Shield Advanced, your applications may be unavailable during a DDoS attack. This could lead to customer dissatisfaction and loss of revenue.

Default Value:
AWS will not protect ALBs by default. You must explicitly enable Shield Advanced protection for each ALB.

Pre-requisites:

  • You must have an AWS account and be an IAM user with the appropriate permissions to enable Shield Advanced.
  • You must know the names or IDs of the ALBs that you want to protect.


Remediation Steps:

  1. Enable Shield Advanced protection for each ALB.
  2. Verify that the ALBs are protected by checking the AWS Shield Advanced console or the AWS CLI.


Test Plan:

  1. Identify a subset of ALBs that are not currently protected by Shield Advanced.
  2. Enable Shield Advanced protection for the selected ALBs.
  3. Verify that the ALBs are protected by checking the AWS Shield Advanced console or the AWS CLI.

Implementation Plan:

AWS CLI:


aws shield enable-protection --resource-type application-load-balancer --resource-id <alb-id>


AWS GUI:

  1. Go to the AWS Shield Advanced console.
  2. Click Protect resources.
  3. Select Application load balancers.
  4. Enter the name or ID of the ALB that you want to protect.
  5. Click Protect.

Backout Plan:

  1. Disable Shield Advanced protection for each ALB.
  2. Verify that the ALBs are no longer protected by checking the AWS Shield Advanced console or the AWS CLI.


Note:

  • This policy applies to all regions and accounts.
  • You can use the AWS Shield Advanced API to automate the process of enabling and disabling protection for ALBs.


Reference:

https://docs.aws.amazon.com/shield/

https://docs.aws.amazon.com/cli/latest/reference/shield/index.html