Profile Applicability:

  • Level 1

Description:

Elastic IP addresses (EIP) in AWS are static IP addresses designed for dynamic cloud computing. AWS Shield Advanced provides enhanced DDoS (Distributed Denial of Service) protection for AWS resources, including Elastic IP addresses that are associated with critical services. This SOP ensures that Elastic IP addresses with active associations are protected by AWS Shield Advanced, providing an additional layer of security against potential DDoS attacks.

Rationale:

  • Security: Elastic IP addresses that are associated with critical services or applications could be prime targets for DDoS attacks. AWS Shield Advanced protects against these attacks, ensuring that services remain available and resilient even under attack.

  • Availability: Shield Advanced helps maintain uptime and performance by automatically mitigating DDoS attacks, which is crucial for high-availability applications.

  • Compliance: Many security standards and regulations (e.g., PCI-DSS, SOC 2) require the protection of critical resources, including Elastic IP addresses, from DDoS attacks. Enabling Shield Advanced helps meet compliance requirements.

  • Best Practices: Enabling AWS Shield Advanced ensures that your Elastic IP addresses are protected according to AWS best practices for DDoS mitigation.

Impact:

Pros:

  • Enhanced Security: Provides continuous DDoS protection for Elastic IP addresses and the services associated with them.

  • Improved Availability: Protects against potential service disruptions caused by DDoS attacks, ensuring services remain online and performant.

  • Compliance: Helps meet security requirements for DDoS protection in compliance frameworks like PCI-DSS and SOC 2.

Cons:

  • Cost: AWS Shield Advanced incurs additional costs compared to the basic AWS Shield service. It is important to evaluate the cost versus the security benefits.

  • Configuration Overhead: Requires explicit configuration to enable Shield Advanced protection for Elastic IP addresses, which may involve additional steps.

Default Value:

By default, Elastic IP addresses do not have AWS Shield Advanced protection enabled. Protection must be configured and enabled explicitly.

Prerequisites:

  • AWS IAM Permissions:

    • ec2:DescribeAddresses

    • shield:DescribeProtection

    • shield:CreateProtection

  • AWS CLI installed and configured.

  • AWS Shield Advanced subscription is active.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to EC2 under Services.

  3. In the Elastic IPs section of the EC2 dashboard, select Elastic IPs.

  4. For each Elastic IP address with associations, check if AWS Shield Advanced protection is enabled.

    • Select the Elastic IP address and confirm if Shield Advanced protection is listed as enabled in the DDoS Protection section.

    • If Shield Advanced is not enabled, proceed with enabling it as described in the Implementation Steps below.

Using AWS CLI:

  1. List the Elastic IP addresses that have an active association (the EC2 address record itself carries no Shield field):

    aws ec2 describe-addresses --query 'Addresses[?AssociationId].{IP:PublicIp,AllocationId:AllocationId}'

  2. List the resources currently protected by Shield Advanced:

    aws shield list-protections --query 'Protections[*].ResourceArn'

  3. Review the output: every associated Elastic IP should appear in the protection list as an ARN of the form arn:aws:ec2:<region>:<account-id>:eip-allocation/<allocation-id>. If an Elastic IP is missing from that list, proceed with enabling protection.

Implementation Steps:

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to EC2.

  2. Under Elastic IPs, select the Elastic IP address to check.

  3. In the Elastic IP details, click on DDoS Protection settings.

  4. Enable AWS Shield Advanced protection if it is not already activated.

    • This may require associating the Elastic IP address with an AWS WAF Web ACL linked to Shield Advanced.

  5. Save the changes to activate Shield Advanced protection for the Elastic IP.

Using AWS CLI:

  1. To enable AWS Shield Advanced protection for an Elastic IP address, run the following command:

    aws shield create-protection --name <protection-name> --resource-arn <elastic-ip-arn>

    • The Elastic IP ARN has the form arn:aws:ec2:<region>:<account-id>:eip-allocation/<allocation-id>; the command returns the ProtectionId used in the next step.

  2. To verify that Shield Advanced protection is successfully enabled, run (alternatively, pass --resource-arn <elastic-ip-arn> instead of the protection ID):

    aws shield describe-protection --protection-id <protection-id>

  3. Confirm that the ResourceArn in the output matches the Elastic IP address being protected.
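The CLI check from the Test Plan and the create-protection step above, combined into one audit script. This is an added example, not part of the original SOP: the sample JSON is constructed, and the Elastic IP ARN is built in the form arn:aws:ec2:<region>:<account-id>:eip-allocation/<allocation-id> that Shield expects.

```python
import json
import subprocess

# Constructed sample output (not real account data) in the shape returned by
# `aws ec2 describe-addresses` and `aws shield list-protections`.
SAMPLE_ADDRESSES = {"Addresses": [
    {"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-0aaa", "AssociationId": "eipassoc-0aaa"},
    {"PublicIp": "203.0.113.11", "AllocationId": "eipalloc-0bbb", "AssociationId": "eipassoc-0bbb"},
    {"PublicIp": "203.0.113.12", "AllocationId": "eipalloc-0ccc"},  # not associated: out of scope
]}
SAMPLE_PROTECTIONS = {"Protections": [
    {"Id": "00000000-0000-0000-0000-000000000000", "Name": "eip-0aaa",
     "ResourceArn": "arn:aws:ec2:us-east-1:123456789012:eip-allocation/eipalloc-0aaa"},
]}


def eip_arn(region, account_id, allocation_id):
    """Shield identifies an Elastic IP by its allocation ARN, not by the IP itself."""
    return f"arn:aws:ec2:{region}:{account_id}:eip-allocation/{allocation_id}"


def find_unprotected_eips(addresses, protections, region, account_id):
    """Return [(PublicIp, ARN)] for associated EIPs that have no Shield Advanced protection."""
    protected = {p["ResourceArn"] for p in protections.get("Protections", [])}
    missing = []
    for addr in addresses.get("Addresses", []):
        if not addr.get("AssociationId"):
            continue  # the SOP only covers Elastic IPs with an active association
        arn = eip_arn(region, account_id, addr["AllocationId"])
        if arn not in protected:
            missing.append((addr["PublicIp"], arn))
    return missing


def aws_json(*args):
    """Run an AWS CLI command and parse its JSON output (needs configured credentials)."""
    proc = subprocess.run(["aws", *args, "--output", "json"], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def protect_eip(arn, name):
    """Enable Shield Advanced for one Elastic IP; returns the new ProtectionId."""
    return aws_json("shield", "create-protection", "--name", name, "--resource-arn", arn)["ProtectionId"]


if __name__ == "__main__":
    region = subprocess.run(["aws", "configure", "get", "region"], capture_output=True, text=True).stdout.strip()
    account = aws_json("sts", "get-caller-identity")["Account"]
    addresses = aws_json("ec2", "describe-addresses")
    protections = aws_json("shield", "list-protections")
    for ip, arn in find_unprotected_eips(addresses, protections, region, account):
        print(f"UNPROTECTED {ip} {arn}")  # call protect_eip(arn, f"eip-{ip}") after review
```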

Backout Plan:

Using AWS Console:

  1. If enabling Shield Advanced protection causes issues, sign in to the AWS Management Console.

  2. Navigate to AWS Shield, select the Protection you want to disable, and click Delete Protection.

  3. Confirm the deletion and verify that the Elastic IP address is no longer protected.

Using AWS CLI:

  1. To remove Shield Advanced protection from the Elastic IP address, run:

    aws shield delete-protection --protection-id <protection-id>

  2. Verify that the Elastic IP address is no longer protected (once the protection has been deleted, this command returns a ResourceNotFoundException):

    aws shield describe-protection --protection-id <protection-id>

References:


CIS Controls Mapping:

  Version | Control ID | Control Description                                                                                                   | IG1 | IG2 | IG3
  --------|------------|-----------------------------------------------------------------------------------------------------------------------|-----|-----|----
  v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                  |     |     |
  v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
  v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.              |     |     |
  v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                       |     |     |