Skip to main content

Enabling AWS Shield Advanced for production applications

AWS Shield Advanced provides higher levels of DDoS protection and mitigation against our services.

Enabling AWS Shield Advanced

Shield advanced is enabled using AWS Firewall Manager policies. This is managed in the aws-root-account Terraform.

All Modernisation Platform accounts have Shield Advanced enabled by default with an auto remediation policy.

When this happens, any external facing EC2 Elastic IPs and Elastic Load Balancers will have a WAF automatically created for them if one does not already exist. This WAF has no rules, but is required to enable monitoring for DDoS attacks.

For production accounts, AWS Shield Response Team (SRT) access, and Automatic Layer 7 DDoS Mitigation can optionally be configured.

Create alarms

DDoS alarms should be configured for all production public facing interfaces, when these alarms are triggered they should send a notification through to the #modernisation-platform-high-priority-alarms channel. See example code here.

Enable SRT Access

This needs to be done manually in the AWS console by a Modernisation Platform engineer in the application account.

  1. Navigate to the Shield Overview
  2. Under the Shield Advanced setup, click step 3. “Edit SRT access”
  3. Under SRT access setting, choose “Choose and existing role for the SRT to access my accounts”
  4. Select the AWSSRTSupport role
  5. Click “Save”

This will enable the SRT to view data to help them support and create WAF rules during a DDoS attack.

Enable Automatic Layer 7 Mitigation for Elastic Load Balancers

Automatic Layer 7 DDoS mitigation can be enabled for Application Load Balancers.

This needs to be done manually in the AWS console by a Modernisation Platform engineer in the application account.

  1. Navigate to the Shield Protected resources
  2. Select the Elastic Load Balancer and choose “Configure protections” and “Selected resources”
  3. Under “Associate web ACL” select the Web ACL (normally beginning with FMManagedWebACLV2)
  4. If there is no rate limit rule, add one and give it a sensible setting depending on the service, set the Action to “Count”
  5. Under “Automatic application layer DDoS mitigation”, select “Enable” and set the rule action to “Count”
  6. Select “Next”, associate a health check if one has been created and required
  7. Select “Next”, select the SNS topic created earlier for the alarms
  8. Select “Next”, review the configuration and click “Finish configuration”

Once the configuration is complete, monitor the WAF metrics and Shield events for 1-2 weeks to ensure that there are no false positives with the new rules. Then return to the configuration, and change the “Count” to “Block” for the rate limit rule and for the automatic mitigation.

Route53 hosted zones

Route53 hosted zones are protected and monitored by Shield Advanced with protections added through Terraform.

The modernisation-platform domain and production application domains are protected here, and the core-vpc subdomains here.

Monitoring is enabled and alarms will go to the #modernisation-platform-high-priority-alarms channel for production alarms, and #modernisation-platform-low-priority-alarms for non production.

This page was last reviewed on 10 May 2023. It needs to be reviewed again on 10 November 2023 by the page owner #modernisation-platform .
This page was set to be reviewed before 10 November 2023 by the page owner #modernisation-platform. This might mean the content is out of date.