Profile Applicability:

  • Level 1

Description:

AWS Global Accelerator is a service that improves the availability and performance of your applications with users worldwide. AWS Shield Advanced is a managed Distributed Denial of Service (DDoS) protection service that helps safeguard your AWS resources from DDoS attacks. This SOP ensures that Global Accelerators are protected by AWS Shield Advanced, providing an extra layer of security against DDoS threats and ensuring high availability and resilience for your applications.

Rationale:

  • Security: AWS Shield Advanced offers enhanced DDoS protection to prevent malicious actors from disrupting your services. Without Shield Advanced, your Global Accelerator may be vulnerable to large-scale DDoS attacks that could lead to service downtime or performance degradation.

  • Availability: By protecting Global Accelerators with AWS Shield Advanced, you ensure continuous service delivery, even under potential attack scenarios, reducing the risk of application outages.

  • Compliance: Many industry standards and regulations (e.g., PCI-DSS, SOC 2) require DDoS protection mechanisms to ensure the availability and integrity of services.

  • Best Practices: Shield Advanced is recommended to protect critical AWS resources, such as Global Accelerators, to ensure they remain operational even during large-scale attacks.

Impact:

Pros:

  • Enhanced Security: Provides proactive DDoS protection for your Global Accelerator, protecting against large-scale attacks.

  • Improved Availability: Reduces the risk of service disruption, ensuring better user experience and application performance.

  • Compliance: Helps meet compliance requirements related to availability and security.

Cons:

  • Cost: AWS Shield Advanced incurs additional costs compared to the standard AWS Shield service, so enabling it may increase overall costs.

  • Configuration Overhead: Additional configuration steps are required to enable Shield Advanced, especially for existing resources.

Default Value:

By default, Global Accelerators are not protected by AWS Shield Advanced. You must manually enable Shield Advanced protection for Global Accelerators.

Pre-requisite:

  • AWS IAM Permissions:

    • globalaccelerator:DescribeAccelerator

    • globalaccelerator:UpdateAccelerator

    • shield:DescribeProtection

    • shield:CreateProtection

  • AWS CLI installed and configured.

  • AWS Shield Advanced subscription is active.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Global Accelerator under Services.

  3. In the Global Accelerator Dashboard, select the Global Accelerator you want to review.

  4. Under Protection, check if AWS Shield Advanced is enabled.

    • Shield Advanced protection should be listed for the selected Global Accelerator.

  5. If Shield Advanced is not enabled, proceed with enabling it as described in the Implementation Steps.

Using AWS CLI:

  1. To check if AWS Shield Advanced protection is enabled for a Global Accelerator, run the following command:

    aws globalaccelerator describe-accelerator --accelerator-arn <accelerator-arn>

  2. Review the output to check if Shield Advanced protection is enabled under the protection settings:

    • Look for a "ShieldAdvancedProtection" field indicating Shield Advanced protection.

  3. If Shield Advanced is not enabled, proceed to enable it using the CLI.

Implementation Steps

Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to Global Accelerator.

  2. In the Global Accelerator Dashboard, select the Global Accelerator you want to protect.

  3. Under the Protection section, click Enable AWS Shield Advanced to activate Shield Advanced protection for the Global Accelerator.

  4. Ensure that AWS Shield Advanced is now listed as being enabled for the Global Accelerator.

Using AWS CLI:

  1. To enable AWS Shield Advanced protection for a Global Accelerator, run the following command:

    aws shield create-protection --name <protection-name> --resource-arn <accelerator-arn>

  2. Verify that the protection has been applied by running:

    aws shield describe-protection --protection-id <protection-id>

  3. Confirm that the Shield Advanced protection is successfully enabled for the Global Accelerator.
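The CLI test plan and implementation steps above can be combined into one audit: list every accelerator, list every Shield Advanced protection, report the accelerators no protection covers, and emit the matching create-protection command. This is an added example and not part of the SOP; the ARNs, names and IDs are constructed, and the live query needs shield:ListProtections in addition to the permissions listed under Pre-requisite.

```python
"""Audit Global Accelerators for missing Shield Advanced protection (added example).
The pure functions run offline on the constructed sample data; audit_live_account()
needs boto3 and an active Shield Advanced subscription (without one,
list_protections raises ResourceNotFoundException)."""

# Constructed sample data shaped like ListAccelerators / ListProtections output.
SAMPLE_ACCELERATORS = [
    {"AcceleratorArn": "arn:aws:globalaccelerator::111122223333:accelerator/aaaa-bbbb",
     "Name": "prod-edge"},
    {"AcceleratorArn": "arn:aws:globalaccelerator::111122223333:accelerator/cccc-dddd",
     "Name": "staging-edge"},
]
SAMPLE_PROTECTIONS = [
    {"Id": "p-0001", "Name": "prod-edge-shield",
     "ResourceArn": "arn:aws:globalaccelerator::111122223333:accelerator/aaaa-bbbb"},
    {"Id": "p-0002", "Name": "alb-shield",  # covers a different resource type, not an accelerator
     "ResourceArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/x/y"},
]

def unprotected_accelerators(accelerators, protections):
    """Return the accelerators whose ARN is not covered by any Shield Advanced protection."""
    protected = {p["ResourceArn"] for p in protections}
    return [a for a in accelerators if a["AcceleratorArn"] not in protected]

def remediation_commands(accelerators):
    """Emit the SOP's create-protection command for each unprotected accelerator."""
    return [
        f"aws shield create-protection --name {a['Name']}-shield "
        f"--resource-arn {a['AcceleratorArn']}"
        for a in accelerators
    ]

def audit_live_account():
    """Run the same check against the real account. boto3 is imported here so the
    functions above stay importable offline. Global Accelerator's control-plane API
    is served only from us-west-2; Shield's from us-east-1."""
    import boto3
    ga = boto3.client("globalaccelerator", region_name="us-west-2")
    shield = boto3.client("shield", region_name="us-east-1")
    accelerators = [a for page in ga.get_paginator("list_accelerators").paginate()
                    for a in page["Accelerators"]]
    protections = [p for page in shield.get_paginator("list_protections").paginate()
                   for p in page["Protections"]]
    return unprotected_accelerators(accelerators, protections)

if __name__ == "__main__":
    for cmd in remediation_commands(unprotected_accelerators(SAMPLE_ACCELERATORS, SAMPLE_PROTECTIONS)):
        print(cmd)
```

Review the printed commands before running them; each one creates a protection on the named accelerator, which is the billable Shield Advanced resource.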

Backout Plan:

Using AWS Console:

  1. If enabling Shield Advanced protection causes issues, sign in to the AWS Management Console.

  2. Navigate to AWS Shield, select the Protection you want to disable, and click Delete Protection.

  3. Confirm the deletion and verify that the Global Accelerator is no longer protected by AWS Shield Advanced.

Using AWS CLI:

  1. To remove Shield Advanced protection from the Global Accelerator, run:

    aws shield delete-protection --protection-id <PROTECTION_ID>

  2. Verify that the Global Accelerator is no longer protected:

    aws shield describe-protection --protection-id <PROTECTION_ID>

References:

CIS Controls Mapping:

  Version | Control ID | Control Description                                                                                                   | IG1 | IG2 | IG3
  --------|------------|-----------------------------------------------------------------------------------------------------------------------|-----|-----|----
  v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                  |     |     |
  v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
  v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.              |     |     |
  v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                       |     |     |