
AWS Shield In Use

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Last updated: 03 April 2018
Security

Risk level: Medium (should be achieved)

Ensure that the AWS Shield service is in use in order to protect your AWS-powered web applications from Distributed Denial of Service (DDoS) attacks, which degrade an application's availability and response time by overwhelming (flooding) it with traffic from multiple sources.
Shield works in conjunction with Elastic Load Balancing (ELB), Amazon CloudFront and Amazon Route 53 to protect your applications from different types of DDoS attacks: TCP connection attacks, volumetric attacks (including amplification methods such as DNS reflection and Chargen reflection), fragmentation attacks and application-layer attacks. Shield Standard is applied by default at all AWS edge locations to mitigate DDoS attacks, and the service is offered in two tiers, Standard and Advanced:
AWS Shield Standard is automatically available to all AWS customers at no extra cost. According to AWS, the Standard tier protects your applications from 96% of the most common DDoS attacks, including SYN/ACK floods, reflection attacks and HTTP slow reads. This layer of protection is applied transparently to your Elastic Load Balancers, CloudFront distributions and Route 53 DNS resources.
AWS Shield Advanced provides intelligent attack detection, mitigation for DDoS attacks at the network, transport and application layers, and additional mitigation capacity for volumetric attacks. Once the Advanced tier is activated, you get 24/7 access to the AWS DDoS Response Team (DRT) for custom mitigation during attacks, detailed visibility into DDoS events with advanced real-time metrics and reports, and cost protection to guard against bill spikes in the aftermath of a DDoS attack. Use of AWS Web Application Firewall (WAF) on the protected resources is also included at no additional cost in the AWS Shield Advanced plan.

The main benefits of using the AWS Shield Advanced plan are:

- Enhanced DDoS attack detection - provides granular detection of DDoS attacks by monitoring the application layer traffic to your ELBs, CloudFront distributions or Route 53 resources.
- Advanced Layer 3 (L3), L4 and L7 DDoS attack protection and mitigation - in addition to the protection provided by AWS Shield Standard, the Advanced tier provides more sophisticated automatic mitigations and full support from the AWS DDoS Response Team, a support team equipped to respond to complex DDoS attacks.
- Detailed visibility (advanced reporting and attack notification) - provides comprehensive visibility into DDoS events with Layer 3/4/7 attack forensic reports and Layer 3/4 real-time attack notifications via Amazon CloudWatch.
- 24/7 specialized support - engage the DDoS Response Team (DRT), which helps prioritize ongoing incidents, identify root causes and apply DDoS mitigations on your behalf.
- AWS bill protection - supplies AWS service credits for charges caused by usage spikes when services such as ELB, CloudFront and Route 53 scale up their resources in response to an attack.

Audit

- The AWS Shield Standard tier, which provides basic DDoS protection, is automatically enabled for all AWS customers at no additional charge. The AWS Shield Advanced tier, which provides the advanced DDoS protection described above, is a paid subscription that must be enabled explicitly. To determine whether the AWS Shield Advanced plan is enabled within your AWS account, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to AWS WAF and AWS Shield home page at https://console.aws.amazon.com/waf/.

03 Click Go to AWS Shield to access the service dashboard. If you are redirected to the AWS Shield subscription page and the Status value for the AWS Shield Advanced plan is set to "Not activated", the AWS Shield Advanced tier is not currently enabled within your AWS account, therefore your AWS-powered web applications do not benefit from advanced DDoS protection.

Using AWS CLI

01 Run describe-subscription command (OSX/Linux/UNIX) to get details about the AWS Shield Advanced tier subscription for your AWS account:

aws shield describe-subscription \
	--region us-east-1

02 The command output should return the AWS Shield Advanced subscription details (metadata), such as the start time and the length of the subscription, or an error message if the subscription does not exist:

An error occurred (ResourceNotFoundException) when calling the DescribeSubscription operation: The subscription does not exist.

03 If the command returns the ResourceNotFoundException error shown above, the AWS Shield Advanced tier is not currently enabled within your AWS account, therefore your AWS-powered web applications do not benefit from advanced DDoS protection. The subscription is account-wide (the Shield API is global and is served from us-east-1), so this check is performed once per AWS account, not once per region.
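The following script is an added example (not part of the original page or of Cloud Conformity's own tooling) that wraps the CLI audit above: it classifies the describe-subscription result into ACTIVE / NOT_ACTIVATED / ERROR, and inventories which resources already carry a Shield protection using `aws shield list-protections` (a real Shield CLI command that the page itself does not show). The parsing functions run on constructed sample output so the logic can be exercised without an AWS account; pass `--live` to run it against real credentials. The JSON field names in the sample subscription are assumed to match the current CLI output.

```shell
#!/usr/bin/env bash
# Added example, not part of the original page: audit helper for the CLI
# checks above. Real AWS CLI calls: `aws shield describe-subscription` and
# `aws shield list-protections` (only inside run_live_audit). The parsing
# functions are exercised on constructed sample output so they can be
# verified offline.
set -u

# Classify the result of `aws shield describe-subscription`.
#   $1 = exit status of the aws command, $2 = its combined stdout/stderr
# Prints ACTIVE, NOT_ACTIVATED or ERROR (e.g. missing permissions, no network).
shield_subscription_state() {
    local rc="$1" out="$2"
    if [ "$rc" -eq 0 ] && printf '%s\n' "$out" | grep -q '"Subscription"'; then
        echo ACTIVE
    elif printf '%s\n' "$out" | grep -q 'ResourceNotFoundException'; then
        echo NOT_ACTIVATED
    else
        echo ERROR
    fi
}

# Read protected-resource ARNs on stdin, as produced by
#   aws shield list-protections --query 'Protections[].ResourceArn' --output text
# (tab-separated on one line), and print "<service> <count>" per AWS service.
# The service name is the third colon-separated field of an ARN.
protected_resources_by_service() {
    tr '\t' '\n' | sed '/^$/d' | cut -d: -f3 | sort | uniq -c | awk '{ print $2, $1 }'
}

# Print yes/no: does the ARN in $1 appear in the ARN list read on stdin?
is_protected() {
    if tr '\t' '\n' | grep -qxF -- "$1"; then echo yes; else echo no; fi
}

# Audit the account behind the current credentials. Shield is a global
# service whose API is served from us-east-1, so the region is fixed here.
run_live_audit() {
    local out rc
    out=$(aws shield describe-subscription --region us-east-1 2>&1); rc=$?
    echo "Shield Advanced subscription: $(shield_subscription_state "$rc" "$out")"
    echo "Protected resources by service:"
    aws shield list-protections --region us-east-1 \
        --query 'Protections[].ResourceArn' --output text 2>/dev/null \
        | protected_resources_by_service
}

# --- Constructed sample data standing in for real CLI output ---
SAMPLE_ACTIVE='{"Subscription": {"StartTime": 1496275200.0, "TimeCommitmentInSeconds": 31536000, "AutoRenew": "ENABLED"}}'
SAMPLE_MISSING='An error occurred (ResourceNotFoundException) when calling the DescribeSubscription operation: The subscription does not exist.'
SAMPLE_OFFLINE='Could not connect to the endpoint URL: "https://shield.us-east-1.amazonaws.com/"'
SAMPLE_ARNS=$(printf '%s\t%s\t%s' \
    'arn:aws:cloudfront::123456789012:distribution/CDOXVBD32B7DS' \
    'arn:aws:cloudfront::123456789012:distribution/E2EXAMPLE' \
    'arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/web/50dc6c495c0c9188')

if [ "${1:-}" = "--live" ]; then
    run_live_audit
else
    echo "subscription present  -> $(shield_subscription_state 0 "$SAMPLE_ACTIVE")"
    echo "subscription missing  -> $(shield_subscription_state 254 "$SAMPLE_MISSING")"
    echo "endpoint unreachable  -> $(shield_subscription_state 255 "$SAMPLE_OFFLINE")"
    printf '%s\n' "$SAMPLE_ARNS" | protected_resources_by_service
fi
```

The three-way classification matters in an automated audit: treating any non-zero exit as "not subscribed" would report a missing Shield Advanced subscription when the real problem is a missing `shield:DescribeSubscription` permission or no network path to the endpoint.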

Remediation / Resolution

- To enable the AWS Shield Advanced tier for your AWS account, in order to benefit from advanced DDoS detection and mitigation for network layer, transport layer and application layer attacks, perform the following actions:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to AWS WAF and AWS Shield home page at https://console.aws.amazon.com/waf/.

03 Click Go to AWS Shield to access the service dashboard.

04 On the AWS Shield subscription page, click Activate AWS Shield Advanced button to subscribe to the Advanced tier and initiate the configuration process.

05 Choose the AWS resource type and the resource to protect, e.g. an Amazon CloudFront CDN distribution.

06 For Name, provide a unique name for the protection of the selected AWS resource, e.g. DDoS-protected Cloudfront CDN distribution.

07 (Optional) For Web DDoS attack option, select Enable. You will be notified to associate an existing AWS WAF web ACL with the specified resource, or create a new web ACL if you don't have one yet.

08 Click Add DDoS protection to enable advanced DDoS protection for the specified AWS resource.

09 To protect additional AWS resources (ELBs, Route 53 DNS zone, etc) currently available within your AWS account, select Protected resources from the left navigation panel and repeat steps no. 5 – 8.

Using AWS CLI

01 Run create-subscription command (OSX/Linux/UNIX) to activate the AWS Shield Advanced plan subscription for your AWS account (the command does not produce an output). Note that the subscription is an account-wide, paid commitment for a one-year term that is set to renew automatically, so confirm it with the account owner before running the command:

aws shield create-subscription

02 Now execute create-protection command (OSX/Linux/UNIX), passing the Amazon Resource Name (ARN) of the AWS resource that you want to protect against DDoS attacks, to enable AWS Shield Advanced for the selected resource. The resource can be an Amazon CloudFront distribution, an AWS ELB load balancer or an Amazon Route 53 hosted zone. The following command example enables advanced DDoS protection for a CloudFront web distribution identified by the ARN arn:aws:cloudfront::123456789012:distribution/CDOXVBD32B7DS:

aws shield create-protection \
	--name ddos-protected-cloudfront-web-distribution \
	--resource-arn arn:aws:cloudfront::123456789012:distribution/CDOXVBD32B7DS

03 The command output should return the unique identifier (ID) of the Protection Object, created for the selected AWS resource (i.e. Amazon Cloudfront CDN distribution):

{
    "ProtectionId": "dab5d8bb-38du-ba2a-397d-fde38f134725"
}
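The following script is an added example (not from the original page) that turns the two CLI remediation steps above into an idempotent procedure: it calls create-subscription only when the account has no Shield Advanced subscription, and create-protection only for the resources that do not already have a protection, deriving a protection name from each ARN. All commands are printed as a dry run unless APPLY=1 is set. The ARN lists are constructed sample data; the AWS CLI commands used (describe-subscription, list-protections, create-subscription, create-protection) are real, and the name-derivation rule is this example's own convention.

```shell
#!/usr/bin/env bash
# Added example, not part of the original page: an idempotent version of the
# CLI remediation above. It subscribes to Shield Advanced only when no
# subscription exists and runs create-protection only for resources that do
# not yet have a protection. Nothing is sent to AWS unless APPLY=1 is set;
# by default every command is printed as a dry run.
set -u

# Echo a command as a dry run, or execute it when APPLY=1.
run_cmd() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf 'DRY-RUN: %s\n' "$*"; fi
}

# Derive a protection name from an ARN: "<service>-<last path segment>",
# reduced to a safe character set and at most 128 characters (this naming
# rule is the example's own convention), e.g.
#   arn:aws:cloudfront::123456789012:distribution/CDOXVBD32B7DS
#   -> cloudfront-CDOXVBD32B7DS
protection_name_for() {
    local arn="$1" service
    service=$(printf '%s' "$arn" | cut -d: -f3)
    printf '%s-%s' "$service" "${arn##*/}" | tr -c 'A-Za-z0-9._-' '-' | cut -c1-128
}

# Print the ARNs in $1 (newline-separated; the resources that must be
# protected) that do not appear in $2 (newline-separated; already protected).
missing_protections() {
    printf '%s\n' "$1" | awk -v existing="$2" '
        BEGIN { n = split(existing, e, "\n"); for (i = 1; i <= n; i++) if (e[i] != "") seen[e[i]] = 1 }
        $0 != "" && !($0 in seen)'
}

# Plan (and with APPLY=1 execute) the remediation.
#   $1 = desired ARNs, $2 = ACTIVE or NOT_ACTIVATED, $3 = already protected ARNs
remediate() {
    local desired="$1" state="$2" existing="$3" arn
    if [ "$state" != ACTIVE ]; then
        # Account-wide, one-year, auto-renewing paid commitment: confirm first.
        run_cmd aws shield create-subscription --region us-east-1
    fi
    missing_protections "$desired" "$existing" | while IFS= read -r arn; do
        run_cmd aws shield create-protection --region us-east-1 \
            --name "$(protection_name_for "$arn")" --resource-arn "$arn"
    done
}

# Gather the live account state (only used with --live).
live_state() {
    local out rc
    out=$(aws shield describe-subscription --region us-east-1 2>&1); rc=$?
    if [ "$rc" -eq 0 ]; then echo ACTIVE
    elif printf '%s\n' "$out" | grep -q ResourceNotFoundException; then echo NOT_ACTIVATED
    else printf 'describe-subscription failed: %s\n' "$out" >&2; return 1
    fi
}
live_existing() {
    aws shield list-protections --region us-east-1 \
        --query 'Protections[].ResourceArn' --output text 2>/dev/null | tr '\t' '\n'
}

# --- Constructed sample data: the resources this account must protect and
# the one the audit found already protected ---
DESIRED='arn:aws:cloudfront::123456789012:distribution/CDOXVBD32B7DS
arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/web/50dc6c495c0c9188
arn:aws:route53:::hostedzone/Z1234567890'
EXISTING='arn:aws:cloudfront::123456789012:distribution/CDOXVBD32B7DS'

if [ "${1:-}" = "--live" ]; then
    state=$(live_state) || exit 1
    remediate "$DESIRED" "$state" "$(live_existing)"
else
    remediate "$DESIRED" NOT_ACTIVATED "$EXISTING"
fi
```

Run it without arguments to see the dry-run plan for the sample data, or `APPLY=1 ./shield-remediate.sh --live` against real credentials. The separate `live_state` failure path is deliberate: if describe-subscription fails for a reason other than a missing subscription (permissions, network), the script stops rather than attempting to create a paid subscription on an account whose state it could not read.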

Publication date Jun 12, 2017