Profile Applicability:

  • Level 1

Description:

Application Load Balancers (ALBs) are used to distribute incoming application traffic across multiple targets, such as EC2 instances, within a VPC. AWS Shield Advanced provides enhanced DDoS protection for AWS resources, including internet-facing Application Load Balancers. This SOP ensures that internet-facing ALBs are protected by AWS Shield Advanced, safeguarding them from DDoS attacks and ensuring high availability for your applications.

Rationale:

  • Security: Internet-facing ALBs are reachable from the public internet and are therefore a direct target for volumetric, protocol and application-layer DDoS attacks. AWS Shield Advanced adds always-on detection, tailored mitigation, access to the Shield Response Team and DDoS cost protection, helping keep the ALB available under attack.

  • Availability: By protecting internet-facing ALBs with AWS Shield Advanced, you can mitigate large-scale attacks that could otherwise bring down your services or degrade performance.

  • Compliance: Frameworks such as PCI DSS, SOC 2 and HIPAA expect availability and resilience controls for publicly accessible systems; documented DDoS protection on internet-facing ALBs is a common way to evidence that control.

  • Best Practices: Protecting internet-facing ALBs with AWS Shield Advanced is considered a best practice to ensure the security, resilience, and availability of your critical application services.

Impact:

Pros:

  • Enhanced Security: Shield Advanced provides near-real-time detection and mitigation of DDoS attacks, helping keep internet-facing ALBs operational.

  • Availability: DDoS attacks can overwhelm ALBs, leading to service interruptions. Shield Advanced helps mitigate these attacks, ensuring continuous availability.

  • Compliance: Helps meet regulatory requirements for DDoS protection in industries like finance, healthcare, and e-commerce.

Cons:

  • Cost: AWS Shield Advanced is a paid subscription (a monthly fee with a one-year commitment, plus data-transfer charges for protected resources). Evaluate whether the exposure of the ALB justifies the expense; Shield Standard already covers common network-layer attacks at no charge.

  • Configuration Overhead: Each internet-facing ALB must be explicitly added as a protected resource (or covered by a Shield protection group). This can be scripted, but it adds a step to load balancer provisioning and a drift check to ongoing operations.

Default Value:

By default, internet-facing ALBs receive only AWS Shield Standard, which is applied automatically at no cost. Shield Advanced protection is not applied to any resource automatically; it must be explicitly enabled per ALB after the account is subscribed.

Pre-requisite:

  • AWS IAM Permissions:

    • elasticloadbalancing:DescribeLoadBalancers

    • shield:DescribeSubscription

    • shield:ListProtections

    • shield:DescribeProtection

    • shield:CreateProtection

    • shield:DeleteProtection (backout only)

  • AWS CLI installed and configured.

  • AWS Shield Advanced subscription is active.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to EC2 under Services, and in the Load Balancing section select Load balancers.

  3. Note the name and ARN of each load balancer whose Type is application and whose Scheme is internet-facing. Repeat for every Region in use, since load balancers are regional.

  4. Open the AWS WAF & Shield console, and under AWS Shield select Protected resources.

  5. Check that every internet-facing ALB noted in step 3 appears in the list of protected resources.

    • The Protected resources list in the Shield console is the authoritative view of Shield Advanced coverage.

    • If an ALB is not listed, proceed with enabling protection as described in the Implementation Steps below.

Using AWS CLI:

  1. List the internet-facing Application Load Balancers in the current Region (the elbv2 API is used; the elb API only returns Classic Load Balancers):

    aws elbv2 describe-load-balancers --query 'LoadBalancers[?Type==`application` && Scheme==`internet-facing`].[LoadBalancerName,LoadBalancerArn]' --output table

  2. For each ALB ARN, check whether a Shield Advanced protection exists. Shield is a global service whose API is served from us-east-1, so pass that Region explicitly:

    aws shield describe-protection --region us-east-1 --resource-arn <alb-arn>

  3. A response containing a ProtectionId means the ALB is protected. A ResourceNotFoundException means it is not; proceed with enabling it as described in the Implementation Steps.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and open the AWS WAF & Shield console.

  2. Under AWS Shield, select Protected resources, then Add resources to protect.

  3. Choose the Region and the resource type Application Load Balancer, select the internet-facing ALB(s) to protect, and continue.

  4. When prompted, associate an AWS WAF web ACL with the ALB (create one if none exists). The Shield protection itself does not depend on WAF, but Shield Advanced's application-layer (layer 7) DDoS detection and automatic mitigation for an ALB require an associated web ACL.

  5. Confirm, then verify that the ALB now appears under Protected resources.

Using AWS CLI:

  1. To enable AWS Shield Advanced protection for the internet-facing ALB, run (Shield is a global service served from us-east-1):

    aws shield create-protection --region us-east-1 --name <protection-name> --resource-arn <alb-arn>

    The response contains the ProtectionId of the new protection; record it for later verification and backout.

  2. To verify the protection status, query it either by that ProtectionId or directly by the ALB ARN:

    aws shield describe-protection --region us-east-1 --protection-id <protection-id>

    aws shield describe-protection --region us-east-1 --resource-arn <alb-arn>

  3. Confirm that Protection.ResourceArn in the output matches the ALB ARN. A ResourceNotFoundException means no protection exists for that resource.
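The following script is an added example, not part of this SOP or any AWS-provided tooling. It turns the Test Plan and Implementation Steps above into a repeatable audit: it lists internet-facing ALBs in the current Region with elbv2, pulls the account-wide Shield protection list, reports every ALB ARN that has no protection, and with --remediate creates the missing protections. The function and variable names (list_internet_facing_albs, unprotected_albs, protect_alb, audit, SHIELD_REGION) are the example's own; it assumes AWS CLI v2 with credentials holding the permissions listed under Pre-requisite and an active Shield Advanced subscription. The ARN comparison is plain text processing, so it can be exercised with constructed input and no AWS access.

```shell
#!/bin/sh
# Added example (not from the original SOP): audit internet-facing ALBs for a missing
# AWS Shield Advanced protection and optionally create one. ALBs are regional, so run
# once per Region; the Shield protection list is account-wide.
set -eu

# Shield is a global service whose API is served from us-east-1 (assumption: the
# default CLI region may differ, so it is passed explicitly on every shield call).
SHIELD_REGION="us-east-1"

# Print the ARNs of all internet-facing Application Load Balancers in the current
# Region, one per line. --output text emits tab-separated values, hence the tr.
list_internet_facing_albs() {
  aws elbv2 describe-load-balancers \
    --query 'LoadBalancers[?Type==`application` && Scheme==`internet-facing`].LoadBalancerArn' \
    --output text | tr '\t' '\n' | sed '/^$/d'
}

# Print the ARN of every resource that already has a Shield Advanced protection,
# one per line (CloudFront, EIPs, Global Accelerator and ALBs from every Region).
list_protected_arns() {
  aws shield list-protections --region "$SHIELD_REGION" \
    --query 'Protections[].ResourceArn' \
    --output text | tr '\t' '\n' | sed '/^$/d'
}

# Pure text processing: $1 is newline-separated ALB ARNs, $2 is newline-separated
# protected ARNs. Prints the ALB ARNs with no matching protection (exact ARN match).
unprotected_albs() {
  printf '%s\n' "$1" | awk -v prot="$2" '
    BEGIN {
      n = split(prot, a, "\n")
      for (i = 1; i <= n; i++) if (a[i] != "") p[a[i]] = 1
    }
    $0 != "" && !($0 in p) { print }'
}

# Create a Shield Advanced protection for one ALB and print the new ProtectionId.
protect_alb() {
  alb_arn="$1"
  name="$2"
  aws shield create-protection --region "$SHIELD_REGION" \
    --name "$name" --resource-arn "$alb_arn" \
    --query ProtectionId --output text
}

# Print the ProtectionId covering the ALB; the CLI exits non-zero with
# ResourceNotFoundException if no protection exists.
verify_protection() {
  aws shield describe-protection --region "$SHIELD_REGION" \
    --resource-arn "$1" --query Protection.ProtectionId --output text
}

# Report unprotected ALBs; with --remediate also protect each one and verify it.
# The protection name is derived from the ALB name embedded in its ARN
# (arn:...:loadbalancer/app/<name>/<id>).
audit() {
  albs=$(list_internet_facing_albs)
  protected=$(list_protected_arns)
  unprotected_albs "$albs" "$protected" | while IFS= read -r arn; do
    echo "UNPROTECTED: $arn"
    if [ "${1:-}" = "--remediate" ]; then
      name="alb-$(printf '%s' "$arn" | awk -F/ '{print $(NF-1)}')"
      echo "  created protection $(protect_alb "$arn" "$name")"
      verify_protection "$arn" >/dev/null
    fi
  done
}

# Only talk to AWS when explicitly asked, e.g.:  RUN_AUDIT=1 sh alb_shield_audit.sh --remediate
if [ "${RUN_AUDIT:-0}" = "1" ]; then
  audit "${1:-}"
fi
```

The audit is deliberately read-only unless --remediate is given, so it can run from a CI job or scheduled task as a drift check; an empty UNPROTECTED list is the passing condition for this SOP. Remediation is idempotent from the audit's point of view, because an ALB that already appears in list-protections is never passed to create-protection again.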

Backout Plan:

Using AWS Console:

  1. If enabling Shield Advanced protection causes issues, sign in to the AWS Management Console and open the AWS WAF & Shield console.

  2. Under AWS Shield, select Protected resources, select the ALB's protection, and choose Delete protection.

  3. Confirm the deletion and verify that the ALB no longer appears under Protected resources. Deleting a protection does not cancel the Shield Advanced subscription, which has its own commitment period.

Using AWS CLI:

  1. If the ProtectionId was not recorded at creation time, look it up by the ALB ARN:

    aws shield describe-protection --region us-east-1 --resource-arn <alb-arn> --query Protection.ProtectionId --output text

  2. To remove Shield Advanced protection from the ALB, run:

    aws shield delete-protection --region us-east-1 --protection-id <PROTECTION_ID>

  3. Verify that the ALB is no longer protected; after deletion this call fails with ResourceNotFoundException:

    aws shield describe-protection --region us-east-1 --resource-arn <alb-arn>

References:


CIS Controls Mapping:

  Version | Control ID | Control Description | IG1 | IG2 | IG3
  --------|------------|---------------------|-----|-----|----
  v8 | 3.4 | Encrypt Data on End-User Devices – Ensure data encryption during file system access. | | |
  v8 | 6.7 | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. | | |
  v8 | 6.8 | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems. | | |
  v8 | 14.6 | Protect Information Through Access Control Lists – Apply strict access control to file systems. | | |