Enabling AWS Shield Advanced for production applications
AWS Shield Advanced provides higher levels of DDoS protection and mitigation for our services.
Enabling AWS Shield Advanced
Shield Advanced is enabled using AWS Firewall Manager policies. This is managed in the aws-root-account Terraform.
All Modernisation Platform accounts have Shield Advanced enabled by default with an auto-remediation policy.
When the policy remediates an account, any external-facing EC2 Elastic IPs and Elastic Load Balancers will have a WAF web ACL automatically created for them if one does not already exist. This WAF has no rules, but it is required to enable monitoring for DDoS attacks.
For production accounts, AWS Shield Response Team (SRT) access and Automatic Layer 7 DDoS Mitigation can optionally be configured.
Managing AWS Shield Advanced for your account
You can complete the following tasks by implementing the shield_advanced Terraform module in your environment code:
- Configure DDoS alerts
- Enable Shield Response Team (SRT) Access
- Associate Shield Protected resources with the Shield Managed WAF ACL
- Create alarms and notifications
- Apply a count/block rule to the managed WAF with a simple threshold
- Optionally apply AWS Shield automatic responses
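As an added illustration (not the shield_advanced module's own code), these are the raw Terraform resources that perform the SRT access, count/block threshold rule, WAF association and automatic response tasks listed above; the variable names, ACL name and rate limit are assumptions.

```hcl
resource "aws_shield_drt_access_role_arn_association" "srt" {
  # The role must trust drt.shield.amazonaws.com and carry AWSShieldDRTAccessPolicy
  role_arn = var.srt_access_role_arn   # assumed input variable
}
# Rate-based rule: start in COUNT to observe the threshold, then move to block {}
resource "aws_wafv2_web_acl" "shield_managed" {
  name  = "example-shield-managed-acl"   # assumed name
  scope = "REGIONAL"
  default_action {
    allow {}
  }
  rule {
    name     = "rate-limit-per-source-ip"
    priority = 1
    action {
      count {}   # replace with block {} once the limit is tuned
    }
    statement {
      rate_based_statement {
        limit              = 2000   # requests per source IP per 5-minute window (assumed)
        aggregate_key_type = "IP"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rate-limit-per-source-ip"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "example-shield-managed-acl"
    sampled_requests_enabled   = true
  }
}

# Attach the ACL to the Shield-protected load balancer
resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = var.alb_arn   # assumed input: ARN of an ALB already protected by Shield
  web_acl_arn  = aws_wafv2_web_acl.shield_managed.arn
}

# Optional: Shield automatic layer 7 response, which needs the protection and ACL above
resource "aws_shield_application_layer_automatic_response" "alb" {
  resource_arn = var.alb_arn
  action       = "COUNT"   # or "BLOCK"
}
```

Leaving the rule in COUNT first lets the CloudWatch metric show how often the threshold would trip on legitimate traffic before any requests are blocked.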
Route53 hosted zones
Route53 hosted zones are protected and monitored by Shield Advanced with protections added through Terraform.
The modernisation-platform domain and production application domains are protected here, and the core-vpc subdomains here.
Monitoring is enabled, and alarms go to the #modernisation-platform-high-priority-alarms channel for production and to #modernisation-platform-low-priority-alarms for non-production.