This is the new *Amazon CloudFormation Template Reference Guide*. Please update your bookmarks and links. For help getting started with CloudFormation, see the [Amazon CloudFormation User Guide](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/Welcome.html).
# AWS::Shield::DRTAccess
Provides permissions for the Amazon Shield Advanced Shield response team (SRT) to access your account and your resource protections, to help you mitigate potential distributed denial of service (DDoS) attacks.
**Configure `AWS::Shield::DRTAccess` for one account**
To configure this resource through Amazon CloudFormation, you must be subscribed to Amazon Shield Advanced. You can subscribe through the [Shield Advanced console](https://console.amazonaws.cn/wafv2/shieldv2#/) and through the APIs. For more information, see [Subscribe to Amazon Shield Advanced](https://docs.amazonaws.cn/waf/latest/developerguide/enable-ddos-prem.html).
See example templates for Shield Advanced in Amazon CloudFormation at [aws-samples/aws-shield-advanced-examples](https://github.com/aws-samples/aws-shield-advanced-examples).
**Configure Shield Advanced using Amazon CloudFormation and Amazon Firewall Manager**
You might be able to use Firewall Manager with Amazon CloudFormation to configure Shield Advanced across multiple accounts and protected resources. To do this, your accounts must be part of an organization in Amazon Organizations. You can use Firewall Manager to configure Shield Advanced protections for any resource types except for Amazon RouteĀ 53 or Amazon Global Accelerator.
For an example of this, see the one-click configuration guidance published by the Amazon technical community at [One-click deployment of Shield Advanced](https://youtu.be/LCA3FwMk_QE).
## Syntax
To declare this entity in your Amazon CloudFormation template, use the following syntax:
### JSON
```
{
"Type" : "AWS::Shield::DRTAccess",
"Properties" : {
"[LogBucketList](#cfn-shield-drtaccess-logbucketlist)" : {{[ String, ... ]}},
"[RoleArn](#cfn-shield-drtaccess-rolearn)" : {{String}}
}
}
```
### YAML
```
Type: AWS::Shield::DRTAccess
Properties:
[LogBucketList](#cfn-shield-drtaccess-logbucketlist): {{
- String}}
[RoleArn](#cfn-shield-drtaccess-rolearn): {{String}}
```
## Properties
`LogBucketList`
Authorizes the Shield Response Team (SRT) to access the specified Amazon S3 bucket containing log data such as Application Load Balancer access logs, CloudFront logs, or logs from third party sources. You can associate up to 10 Amazon S3 buckets with your subscription.
Use this to share information with the SRT that's not available in Amazon WAF logs.
To use the services of the SRT, you must be subscribed to the [Business Support plan](https://www.amazonaws.cn/premiumsupport/business-support/) or the [Enterprise Support plan](https://www.amazonaws.cn/premiumsupport/enterprise-support/).
*Required*: No
*Type*: Array of String
*Minimum*: `3 | 0`
*Maximum*: `63 | 10`
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
`RoleArn`
Authorizes the Shield Response Team (SRT) using the specified role, to access your Amazon account to assist with DDoS attack mitigation during potential attacks. This enables the SRT to inspect your Amazon WAF configuration and logs and to create or update Amazon WAF rules and web ACLs.
You can associate only one `RoleArn` with your subscription. If you submit this update for an account that already has an associated role, the new `RoleArn` will replace the existing `RoleArn`.
This change requires the following:
+ You must be subscribed to the [Business Support plan](https://www.amazonaws.cn/premiumsupport/business-support/) or the [Enterprise Support plan](https://www.amazonaws.cn/premiumsupport/enterprise-support/).
+ The `AWSShieldDRTAccessPolicy` managed policy must be attached to the role that you specify in the request. You can access this policy in the IAM console at [AWSShieldDRTAccessPolicy](https://console.amazonaws.cn/iam/home?#/policies/arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy). For information, see [Adding and removing IAM identity permissions](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_manage-attach-detach.html).
+ The role must trust the service principal `drt.shield.amazonaws.com`. For information, see [IAM JSON policy elements: Principal](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_elements_principal.html).
The SRT will have access only to your Amazon WAF and Shield resources. By submitting this request, you provide permissions to the SRT to inspect your Amazon WAF and Shield configuration and logs, and to create and update Amazon WAF rules and web ACLs on your behalf. The SRT takes these actions only if explicitly authorized by you.
*Required*: Yes
*Type*: String
*Maximum*: `2048`
*Update requires*: [No interruption](https://docs.amazonaws.cn/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
## Return values
### Ref
When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the ID of the account that submitted the template.
For more information about using the `Ref` function, see [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).
### Fn::GetAtt
The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.amazonaws.cn/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).
####
`AccountId`
The ID of the account that submitted the template.
## Examples
**Topics**
+ [Configure access for the Shield response team](#aws-resource-shield-drtaccess--examples--Configure_access_for_the_Shield_response_team)
+ [Configure access for the Shield response team with additional data access](#aws-resource-shield-drtaccess--examples--Configure_access_for_the_Shield_response_team_with_additional_data_access)
### Configure access for the Shield response team
The following shows an example configuration to provide access to the Shield response team (SRT).
#### YAML
```
Resources:
DRTAccess:
Type: AWS::Shield::DRTAccess
Properties:
RoleArn: !GetAtt DRTAccessRole.Arn
# support resources
DRTAccessRole:
Type: AWS::IAM::Role
Properties:
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy'
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service:
- 'drt.shield.amazonaws.com'
Action:
- 'sts:AssumeRole'
```
#### JSON
```
{
"Resources": {
"DRTAccess": {
"Type": "AWS::Shield::DRTAccess",
"Properties": {
"RoleArn": {
"Fn::GetAtt": [
"DRTAccessRole",
"Arn"
]
}
}
},
"DRTAccessRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy"
],
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"drt.shield.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
}
}
}
}
}
```
### Configure access for the Shield response team with additional data access
The following shows an example configuration to provide access to the Shield response team (SRT), including granting access to additional data that's outside of the web ACL logs. The SRT is automatically granted access to the web ACL logs based on the provided `RoleArn`.
#### YAML
```
Resources:
DRTAccess:
Type: AWS::Shield::DRTAccess
Properties:
LogBucketList:
- !Ref DRTLogBucket1
- !Ref DRTLogBucket2
RoleArn: !GetAtt DRTAccessRole.Arn
# support resources
DRTLogBucket1:
Type: AWS::S3::Bucket
Properties:
AccessControl: BucketOwnerFullControl
DRTLogBucket2:
Type: AWS::S3::Bucket
Properties:
AccessControl: BucketOwnerFullControl
DRTAccessRole:
Type: AWS::IAM::Role
Properties:
ManagedPolicyArns:
- 'arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy'
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service:
- 'drt.shield.amazonaws.com'
Action:
- 'sts:AssumeRole'
```
#### JSON
```
{
"Resources": {
"DRTAccess": {
"Type": "AWS::Shield::DRTAccess",
"Properties": {
"LogBucketList": [
{
"Ref": "DRTLogBucket1"
},
{
"Ref": "DRTLogBucket2"
}
],
"RoleArn": {
"Fn::GetAtt": [
"DRTAccessRole",
"Arn"
]
}
}
},
"DRTLogBucket1": {
"Type": "AWS::S3::Bucket",
"Properties": {
"AccessControl": "BucketOwnerFullControl"
}
},
"DRTLogBucket2": {
"Type": "AWS::S3::Bucket",
"Properties": {
"AccessControl": "BucketOwnerFullControl"
}
},
"DRTAccessRole": {
"Type": "AWS::IAM::Role",
"Properties": {
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy"
],
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"drt.shield.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
}
}
}
}
}
```