Profile Applicability:
- Level 1
Description:
Amazon Route 53 is a scalable Domain Name System (DNS) service that translates domain names into IP addresses. Every AWS account receives AWS Shield Standard at no charge, which defends Route 53 against the most common network and transport layer DDoS (Distributed Denial of Service) attacks. AWS Shield Advanced is a paid subscription that adds enhanced detection and mitigation, near-real-time attack visibility, DDoS cost protection, and access to the AWS Shield Response Team for the resources you explicitly enroll, including Route 53 hosted zones. This SOP ensures that Route 53 hosted zones are enrolled in AWS Shield Advanced so that the DNS layer of your applications has the strongest available protection against DDoS attacks and the operational support needed to stay available during one.
Rationale:
Security: Route 53 hosted zones are integral to your application's availability. A hosted zone is never completely unprotected, because Shield Standard covers it by default, but Shield Standard offers no per-resource detection, no attack diagnostics and no human response. Shield Advanced adds tailored detection and mitigation for larger and more sophisticated attacks, attack event visibility, and 24x7 access to the Shield Response Team for the enrolled hosted zone.
Availability: A DDoS attack against authoritative DNS takes every name in the zone offline, which means a global outage for all applications behind it, regardless of how resilient those applications are themselves. Shield Advanced's additional mitigation capacity and response support reduce both the likelihood and the duration of such outages.
Compliance: Frameworks such as PCI-DSS and SOC 2 expect documented controls for the availability of critical infrastructure. A verifiable Shield Advanced protection on the hosted zone is concrete evidence for those controls, although the frameworks themselves do not name Shield Advanced or Route 53 specifically.
Best Practices: It is a best practice to enable AWS Shield Advanced on your critical AWS resources, including Route 53 hosted zones, to provide enhanced protection and prevent downtime from DDoS attacks.
Impact:
Pros:
Enhanced Security: Shield Advanced provides per-resource DDoS detection and mitigation for the enrolled hosted zone, beyond the baseline Shield Standard coverage.
Improved Availability: Reduces service disruptions caused by DNS-targeted attacks, helping keep the applications behind the zone reachable.
Compliance: Provides auditable evidence of DDoS protection for compliance frameworks such as PCI-DSS and SOC 2.
Cons:
Cost: AWS Shield Advanced incurs a monthly subscription fee with a one-year commitment, plus usage-based data transfer charges for protected resources, on top of the free Shield Standard service. Ensure the added cost aligns with your security needs before subscribing, since removing a single protection does not end the subscription.
Configuration: Protection is not automatic; each hosted zone must be enrolled explicitly (per resource, or centrally through an AWS Firewall Manager Shield Advanced policy). Enrolling a zone does not change any DNS records or resolution behaviour.
Default Value:
By default, Route 53 hosted zones are covered only by AWS Shield Standard. They are not enrolled in AWS Shield Advanced until you explicitly create a protection for them, even when the account already holds a Shield Advanced subscription.
Pre-requisite:
AWS IAM Permissions:
route53:ListHostedZones
shield:DescribeSubscription (to confirm the subscription is active)
shield:ListProtections
shield:DescribeProtection
shield:CreateProtection
shield:DeleteProtection (Backout Plan only)
AWS CLI installed and configured. Shield is a global service whose API endpoint is in us-east-1, so pass --region us-east-1 to every aws shield command regardless of where the rest of your workload runs.
AWS Shield Advanced subscription is active. Until the account is subscribed, Shield API calls fail with a ResourceNotFoundException stating that the subscription does not exist.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Open the AWS WAF & Shield console. Shield protections are managed there, not in the Route 53 console; the hosted zone details page in Route 53 does not indicate Shield Advanced status.
In the left navigation, under AWS Shield, choose Protected resources.
Review the list of protected resources. Each Route 53 hosted zone you want covered should appear with a resource ARN of the form arn:aws:route53:::hostedzone/<zone-id>.
Compare this list against the hosted zones shown in the Route 53 console under Hosted Zones.
Any hosted zone that is absent from the Protected resources list is covered only by Shield Standard.
If a hosted zone is not listed, proceed with enabling Shield Advanced protection for it as described in the Implementation Steps below.
Using AWS CLI:
To list every Route 53 hosted zone that currently has a Shield Advanced protection, run the following command (Shield is global, so the region is always us-east-1):
aws shield list-protections --region us-east-1 --query "Protections[?contains(ResourceArn, ':route53:::hostedzone/')].[Name,Id,ResourceArn]" --output table
Compare the ResourceArn values with the hosted zone IDs returned by aws route53 list-hosted-zones --query 'HostedZones[].Id' --output text. Route 53 returns IDs in the form /hostedzone/<zone-id>, while the Shield ARN uses arn:aws:route53:::hostedzone/<zone-id>; the <zone-id> portion must match. Any hosted zone whose ARN is absent from the Shield output is not protected by Shield Advanced; follow the next steps to enable protection. Note that hosted zone objects themselves carry no Shield or Web ACL attribute, so list-hosted-zones alone cannot answer this question.
Implementation Steps
Using AWS Console:
Sign in to the AWS Management Console and open the AWS WAF & Shield console.
In the left navigation, under AWS Shield, choose Protected resources, then choose Add resources to protect.
For the resource type, choose Route 53 hosted zone (a global resource type, so no Region selection applies), then select the hosted zone(s) to protect.
Optionally add the resources to a protection group, then finish the wizard to add the DDoS protection. Do not look for a Web ACL setting: AWS WAF web ACLs cannot be associated with Route 53 hosted zones (WAF applies to CloudFront, Application Load Balancer, API Gateway and similar HTTP(S) entry points, not to DNS), and Shield Advanced enrollment is independent of WAF.
Confirm that the hosted zone now appears in the Protected resources list. No change to the zone's records is required.
Using AWS CLI:
To enable AWS Shield Advanced protection for a Route 53 hosted zone, run the following command. The resource ARN has the form arn:aws:route53:::hostedzone/<zone-id> (no Region and no account ID), and the command returns the new ProtectionId:
aws shield create-protection --region us-east-1 --name <protection-name> --resource-arn arn:aws:route53:::hostedzone/<zone-id>
To verify that Shield Advanced protection is successfully enabled, run either of the following (describe-protection accepts the protection ID or the resource ARN):
aws shield describe-protection --region us-east-1 --protection-id <protection-id>
aws shield describe-protection --region us-east-1 --resource-arn arn:aws:route53:::hostedzone/<zone-id>
Confirm that the returned Protection object's ResourceArn matches the hosted zone. Creating the protection does not alter any records or resolution behaviour in the zone.
Backout Plan:
Using AWS Console:
If enabling Shield Advanced protection causes issues, sign in to the AWS Management Console and open the AWS WAF & Shield console.
Under AWS Shield, choose Protected resources, select the protection for the Route 53 hosted zone, and delete it. This only unenrolls the hosted zone; it does not cancel the Shield Advanced subscription, which carries a one-year commitment.
Confirm the deletion and verify that the Route 53 hosted zone no longer appears in the Protected resources list. The zone remains covered by Shield Standard.
Using AWS CLI:
To remove Shield Advanced protection from the Hosted Zone, run:
aws shield delete-protection --region us-east-1 --protection-id <PROTECTION_ID>
Verify that the Route 53 Hosted Zone is no longer protected. After deletion, describe-protection for that ID fails with a ResourceNotFoundException; that error is the expected, successful result, not a problem to troubleshoot. Alternatively, confirm that the hosted zone ARN is absent from the list-protections output used in the Test Plan.
aws shield describe-protection --region us-east-1 --protection-id <PROTECTION_ID>
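The three CLI procedures above (Test Plan, Implementation Steps and Backout Plan) combined into one script that audits every hosted zone in the account, optionally enrolls the unprotected ones, and can roll a single zone back. This is an added example written for this SOP; it is not part of the original document or an AWS-supplied tool. The file name shield_r53.sh and the protection naming scheme r53-<zone-id> are my own choices, and the script assumes AWS CLI v2 configured with the permissions listed under Pre-requisite (including shield:ListProtections and shield:DeleteProtection) and an active Shield Advanced subscription. The ARN and ID helpers are pure string logic so they can be checked without AWS access.

```bash
#!/bin/sh
# shield_r53.sh: audit, enable and roll back Shield Advanced protection for Route 53 hosted zones.
# Added example, not part of the original SOP. Assumes AWS CLI v2 is configured with the IAM
# permissions listed under Pre-requisite and that the account has an active Shield Advanced
# subscription. Helper names and the "r53-<zone-id>" protection naming scheme are assumptions.
set -eu

# Shield is a global service: every Shield API call must go to us-east-1, whatever the caller's
# default region is. A different region yields a "Could not connect to the endpoint URL" error.
SHIELD_REGION=us-east-1

# list-hosted-zones returns Id as "/hostedzone/Z0123456789ABCDEFGHIJ"; Shield wants the ARN
# "arn:aws:route53:::hostedzone/Z0123456789ABCDEFGHIJ". Accept a bare ID, the "/hostedzone/"
# form, or an existing ARN, and emit the ARN.
zone_arn_from_id() {
  case "$1" in
    arn:*) printf '%s\n' "$1"; return 0 ;;
  esac
  id="${1#/hostedzone/}"
  id="${id#hostedzone/}"
  printf 'arn:aws:route53:::hostedzone/%s\n' "$id"
}

# Inverse mapping, used to build a readable protection name from an ARN.
zone_id_from_arn() {
  printf '%s\n' "${1##*/}"
}

# True when $1 (a zone ARN) is present in $2 (newline-separated list of protected ARNs).
is_protected() {
  printf '%s\n' "$2" | grep -qxF -- "$1"
}

# All hosted zone IDs in the account (AWS CLI v2 paginates automatically).
list_zone_ids() {
  aws route53 list-hosted-zones --query 'HostedZones[].Id' --output text | tr '\t' '\n'
}

# ResourceArns of every Shield protection whose target is a Route 53 hosted zone.
list_protected_zone_arns() {
  aws shield list-protections --region "$SHIELD_REGION" \
    --query "Protections[?contains(ResourceArn, ':route53:::hostedzone/')].ResourceArn" \
    --output text | tr '\t' '\n'
}

# Enable protection for one zone ARN; prints the new ProtectionId.
protect_zone() {
  aws shield create-protection --region "$SHIELD_REGION" \
    --name "r53-$(zone_id_from_arn "$1")" --resource-arn "$1" \
    --query ProtectionId --output text
}

# Backout: resolve the ProtectionId from the ARN, delete it, then prove it is gone. After
# deletion describe-protection fails with ResourceNotFoundException, so success of the
# rollback is the failure of that call, not a changed field in its output.
unprotect_zone() {
  pid="$(aws shield describe-protection --region "$SHIELD_REGION" \
         --resource-arn "$1" --query Protection.Id --output text)"
  aws shield delete-protection --region "$SHIELD_REGION" --protection-id "$pid"
  if aws shield describe-protection --region "$SHIELD_REGION" --protection-id "$pid" >/dev/null 2>&1; then
    echo "ERROR: protection $pid still exists for $1" >&2
    return 1
  fi
  echo "removed protection $pid from $1 (zone remains under Shield Standard)"
}

# Report every zone as PROTECTED or UNPROTECTED; with --remediate, create missing protections.
audit_zones() {
  protected="$(list_protected_zone_arns)"
  list_zone_ids | while IFS= read -r zone_id; do
    [ -n "$zone_id" ] || continue
    arn="$(zone_arn_from_id "$zone_id")"
    if is_protected "$arn" "$protected"; then
      echo "PROTECTED    $arn"
    elif [ "${1:-}" = "--remediate" ]; then
      echo "UNPROTECTED  $arn -> created protection $(protect_zone "$arn")"
    else
      echo "UNPROTECTED  $arn"
    fi
  done
}

# Entry points. With no argument the file does nothing, so it can be sourced for its helpers.
#   sh shield_r53.sh audit
#   sh shield_r53.sh remediate
#   sh shield_r53.sh rollback Z0123456789ABCDEFGHIJ
case "${1:-}" in
  audit)     audit_zones ;;
  remediate) audit_zones --remediate ;;
  rollback)  unprotect_zone "$(zone_arn_from_id "${2:?hosted zone ID required}")" ;;
esac
```

Run `sh shield_r53.sh audit` first and treat any UNPROTECTED line as a finding (for a CI gate, pipe the output through `grep -q '^UNPROTECTED'` and fail on a match). If the account has no Shield Advanced subscription, the first `aws shield` call fails with a ResourceNotFoundException about the subscription; that is the prerequisite check failing, not a bug in the audit. The rollback path deliberately checks for the ResourceNotFoundException rather than parsing describe-protection output, because a deleted protection has no output to inspect.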