Skip to main content

Enabling AWS Shield Advanced for production applications

AWS Shield Advanced provides higher levels of DDoS protection and mitigation against our services.

Enabling AWS Shield Advanced

Shield advanced is enabled using AWS Firewall Manager policies. This is managed in the aws-root-account Terraform.

All Modernisation Platform accounts have Shield Advanced enabled by default with an auto remediation policy.

When this happens, any external facing EC2 Elastic IPs and Elastic Load Balancers will have a WAF automatically created for them if one does not already exist. This WAF has no rules, but is required to enable monitoring for DDoS attacks.

For production accounts, AWS Shield Response Team (SRT) access, and Automatic Layer 7 DDoS Mitigation can optionally be configured.

Managing AWS Shield Advanced for your account

You can complete the following tasks by implementing the shield_advanced terraform module into your environment code:

  • Configure DDoS alerts
  • Enable Shield Response Team (SRT) Access
  • Associate Shield Protected resources with the Shield Managed WAF ACL
  • Create alarms and notifications
  • Apply a count/block rule to the managed WAF with a simple threshold
  • Optionally apply AWS Shield automatic responses

Route53 hosted zones

Route53 hosted zones are protected and monitored by Shield Advanced with protections added through Terraform.

The modernisation-platform domain and production application domains are protected here, and the core-vpc subdomains here.

Monitoring is enabled and alarms will go to the #modernisation-platform-high-priority-alarms channel for production alarms, and #modernisation-platform-low-priority-alarms for non production.

This page was last reviewed on 9 December 2024. It needs to be reviewed again on 9 June 2025 by the page owner #modernisation-platform .
This page was set to be reviewed before 9 June 2025 by the page owner #modernisation-platform. This might mean the content is out of date.