Shield examples using Amazon CLI
The following code examples show you how to perform actions and implement common scenarios by using the Amazon Command Line Interface with Shield.
Actions are code excerpts from larger programs and must be run in context. While actions show you how to call individual service functions, you can see actions in context in their related scenarios and cross-service examples.
Scenarios are code examples that show you how to accomplish a specific task by calling multiple functions within the same service.
Each example includes a link to GitHub, where you can find instructions on how to set up and run the code in context.
Topics
Actions
The following code example shows how to use associate-drt-log-bucket.
- Amazon CLI
-
To authorize the DRT to access an Amazon S3 bucket
The following
associate-drt-log-bucketexample creates an association between the DRT and the specified S3 bucket. This permits the DRT to access the bucket on behalf of the account.:aws shield associate-drt-log-bucket \ --log-bucketflow-logs-for-website-lbThis command produces no output.
For more information, see Authorize the DDoS Response Team
in the Amazon Shield Advanced Developer Guide. -
For API details, see AssociateDrtLogBucket
in Amazon CLI Command Reference.
-
The following code example shows how to use associate-drt-role.
- Amazon CLI
-
To authorize the DRT to mitigate potential attacks on your behalf
The following
associate-drt-roleexample creates an association between the DRT and the specified role. The DRT can use the role to access and manage the account.aws shield associate-drt-role \ --role-arnarn:aws:iam::123456789012:role/service-role/DrtRoleThis command produces no output.
For more information, see Authorize the DDoS Response Team
in the Amazon Shield Advanced Developer Guide. -
For API details, see AssociateDrtRole
in Amazon CLI Command Reference.
-
The following code example shows how to use create-protection.
- Amazon CLI
-
To enable Amazon Shield Advanced protection for a single Amazon resource
The following
create-protectionexample enables Shield Advanced protection for the specified Amazon CloudFront distribution.aws shield create-protection \ --name"Protection for CloudFront distribution"\ --resource-arnarn:aws:cloudfront::123456789012:distribution/E198WC25FXOWY8Output:
{ "ProtectionId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }For more information, see Specify Your Resources to Protect
in the Amazon Shield Advanced Developer Guide. -
For API details, see CreateProtection
in Amazon CLI Command Reference.
-
The following code example shows how to use create-subscription.
- Amazon CLI
-
To enable Amazon Shield Advanced protection for an account
The following
create-subscriptionexample enables Shield Advanced protection for the account.aws shield create-subscriptionThis command produces no output.
For more information, see Getting Started with Amazon Shield Advanced
in the Amazon Shield Advanced Developer Guide. -
For API details, see CreateSubscription
in Amazon CLI Command Reference.
-
The following code example shows how to use delete-protection.
- Amazon CLI
-
To remove Amazon Shield Advanced protection from an Amazon resource
The following
delete-protectionexample removes the specified Amazon Shield Advanced protection.aws shield delete-protection \ --protection-ida1b2c3d4-5678-90ab-cdef-EXAMPLE11111This command produces no output.
For more information, see Removing Amazon Shield Advanced from an Amazon Resource
in the Amazon Shield Advanced Developer Guide. -
For API details, see DeleteProtection
in Amazon CLI Command Reference.
-
The following code example shows how to use describe-attack.
- Amazon CLI
-
To retrieve a detailed description of an attack
The following
describe-attackexample displays details about the DDoS attack with the specified attack ID. You can obtain attack IDs by running thelist-attackscommand.aws shield describe-attack --attack-ida1b2c3d4-5678-90ab-cdef-EXAMPLE22222Output:
{ "Attack": { "AttackId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "ResourceArn": "arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/testElb", "SubResources": [ { "Type": "IP", "Id": "192.0.2.2", "AttackVectors": [ { "VectorType": "SYN_FLOOD", "VectorCounters": [ { "Name": "SYN_FLOOD_BPS", "Max": 982184.0, "Average": 982184.0, "Sum": 11786208.0, "N": 12, "Unit": "BPS" } ] } ], "Counters": [] }, { "Type": "IP", "Id": "192.0.2.3", "AttackVectors": [ { "VectorType": "SYN_FLOOD", "VectorCounters": [ { "Name": "SYN_FLOOD_BPS", "Max": 982184.0, "Average": 982184.0, "Sum": 9821840.0, "N": 10, "Unit": "BPS" } ] } ], "Counters": [] }, { "Type": "IP", "Id": "192.0.2.4", "AttackVectors": [ { "VectorType": "SYN_FLOOD", "VectorCounters": [ { "Name": "SYN_FLOOD_BPS", "Max": 982184.0, "Average": 982184.0, "Sum": 7857472.0, "N": 8, "Unit": "BPS" } ] } ], "Counters": [] }, { "Type": "IP", "Id": "192.0.2.5", "AttackVectors": [ { "VectorType": "SYN_FLOOD", "VectorCounters": [ { "Name": "SYN_FLOOD_BPS", "Max": 982184.0, "Average": 982184.0, "Sum": 1964368.0, "N": 2, "Unit": "BPS" } ] } ], "Counters": [] }, { "Type": "IP", "Id": "2001:DB8::bcde:4321:8765:0:0", "AttackVectors": [ { "VectorType": "SYN_FLOOD", "VectorCounters": [ { "Name": "SYN_FLOOD_BPS", "Max": 982184.0, "Average": 982184.0, "Sum": 1964368.0, "N": 2, "Unit": "BPS" } ] } ], "Counters": [] }, { "Type": "IP", "Id": "192.0.2.6", "AttackVectors": [ { "VectorType": "SYN_FLOOD", "VectorCounters": [ { "Name": "SYN_FLOOD_BPS", "Max": 982184.0, "Average": 982184.0, "Sum": 1964368.0, "N": 2, "Unit": "BPS" } ] } ], "Counters": [] } ], "StartTime": 1576024927.457, "EndTime": 1576025647.457, "AttackCounters": [], "AttackProperties": [ { "AttackLayer": "NETWORK", "AttackPropertyIdentifier": "SOURCE_IP_ADDRESS", "TopContributors": [ { "Name": "198.51.100.5", "Value": 2024475682 }, { "Name": "198.51.100.8", "Value": 1311380863 }, { "Name": "203.0.113.4", "Value": 900599855 }, { "Name": "198.51.100.4", "Value": 769417366 }, { "Name": "203.1.113.13", "Value": 757992847 } ], "Unit": "BYTES", "Total": 92773354841 }, { "AttackLayer": "NETWORK", "AttackPropertyIdentifier": "SOURCE_COUNTRY", "TopContributors": [ { "Name": "United States", "Value": 80938161764 }, { "Name": "Brazil", "Value": 9929864330 }, { "Name": "Netherlands", "Value": 1635009446 }, { "Name": "Mexico", "Value": 144832971 }, { "Name": "Japan", "Value": 45369000 } ], "Unit": "BYTES", "Total": 92773354841 }, { "AttackLayer": "NETWORK", "AttackPropertyIdentifier": "SOURCE_ASN", "TopContributors": [ { "Name": "12345", "Value": 74953625841 }, { "Name": "12346", "Value": 4440087595 }, { "Name": "12347", "Value": 1635009446 }, { "Name": "12348", "Value": 1221230000 }, { "Name": "12349", "Value": 1199425294 } ], "Unit": "BYTES", "Total": 92755479921 } ], "Mitigations": [] } }For more information, see Reviewing DDoS Incidents
in the Amazon Shield Advanced Developer Guide. -
For API details, see DescribeAttack
in Amazon CLI Command Reference.
-
The following code example shows how to use describe-drt-access.
- Amazon CLI
-
To retrieve a description of the authorizations the DRT has to mitigate attacks on your behalf
The following
describe-drt-accessexample retrieves the role and S3 bucket authorizations that the DRT has, which allow it to respond to potential attacks on your behalf.aws shield describe-drt-accessOutput:
{ "RoleArn": "arn:aws:iam::123456789012:role/service-role/DrtRole", "LogBucketList": [ "flow-logs-for-website-lb" ] }For more information, see Authorize the DDoS Response Team
in the Amazon Shield Advanced Developer Guide. -
For API details, see DescribeDrtAccess
in Amazon CLI Command Reference.
-
The following code example shows how to use describe-emergency-contact-settings.
- Amazon CLI
-
To retrieve emergency e-mail addresses that you have on file with the DRT
The following
describe-emergency-contact-settingsexample retrieves the e-mail addresses that are on file with the DRT for the account. These are the addresses the DRT should contact when it's responding to a suspected attack.aws shield describe-emergency-contact-settingsOutput:
{ "EmergencyContactList": [ { "EmailAddress": "ops@example.com" }, { "EmailAddress": "ddos-notifications@example.com" } ] }For more information, see How Amazon Shield Works<https://docs.aws.amazon.com/waf/latest/developerguide/ddos-overview.html> in the Amazon Shield Advanced Developer Guide.
-
For API details, see DescribeEmergencyContactSettings
in Amazon CLI Command Reference.
-
The following code example shows how to use describe-protection.
- Amazon CLI
-
To retrieve the details for an Amazon Shield Advanced protection
The following
describe-protectionexample displays details about the Shield Advanced protection with the specified ID. You can obtain protection IDs by running thelist-protectionscommand.aws shield describe-protection \ --protection-ida1b2c3d4-5678-90ab-cdef-EXAMPLE11111Output:
{ "Protection": { "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "Name": "1.2.3.4", "ResourceArn": "arn:aws:ec2:us-west-2:123456789012:eip-allocation/eipalloc-0ac1537af40742a6d" } }For more information, see Specify Your Resources to Protect
in the Amazon Shield Advanced Developer Guide. -
For API details, see DescribeProtection
in Amazon CLI Command Reference.
-
The following code example shows how to use describe-subscription.
- Amazon CLI
-
To retrieve the details of the Amazon Shield Advanced protection for the account
The following
describe-subscriptionexample displays details about the Shield Advanced protection provided for the account.:aws shield describe-subscriptionOutput:
{ "Subscription": { "StartTime": 1534368978.0, "EndTime": 1597613778.0, "TimeCommitmentInSeconds": 63244800, "AutoRenew": "ENABLED", "Limits": [ { "Type": "GLOBAL_ACCELERATOR", "Max": 1000 }, { "Type": "ROUTE53_HOSTED_ZONE", "Max": 1000 }, { "Type": "CF_DISTRIBUTION", "Max": 1000 }, { "Type": "ELB_LOAD_BALANCER", "Max": 1000 }, { "Type": "EC2_ELASTIC_IP_ALLOCATION", "Max": 1000 } ] } }For more information, see How Amazon Shield Works
in the Amazon Shield Advanced Developer Guide. -
For API details, see DescribeSubscription
in Amazon CLI Command Reference.
-
The following code example shows how to use disassociate-drt-log-bucket.
- Amazon CLI
-
To remove the authorization for DRT to access an Amazon S3 bucket on your behalf
The following
disassociate-drt-log-bucketexample removes the association between the DRT and the specified S3 bucket. After this command completes, the DRT can no longer access the bucket on behalf of the account.aws shield disassociate-drt-log-bucket \ --log-bucketflow-logs-for-website-lbThis command produces no output.
For more information, see Authorize the DDoS Response Team
in the Amazon Shield Advanced Developer Guide. -
For API details, see DisassociateDrtLogBucket
in Amazon CLI Command Reference.
-
The following code example shows how to use disassociate-drt-role.
- Amazon CLI
-
To remove the authorization for DRT to mitigate potential attacks on your behalf
The following
disassociate-drt-roleexample removes the association between the DRT and the account. After this call, the DRT can no longer access or manage your account.aws shield disassociate-drt-roleThis command produces no output.
For more information, see Authorize the DDoS Response Team
in the Amazon Shield Advanced Developer Guide. -
For API details, see DisassociateDrtRole
in Amazon CLI Command Reference.
-
The following code example shows how to use get-subscription-state.
- Amazon CLI
-
To retrieve the current state of the account's Amazon Shield Advanced subscription
The following
get-subscription-stateexample retrieves the state of the Shield Advanced protection for the account.aws shield get-subscription-stateOutput:
{ "SubscriptionState": "ACTIVE" }For more information, see How Amazon Shield Works
in the Amazon Shield Advanced Developer Guide. -
For API details, see GetSubscriptionState
in Amazon CLI Command Reference.
-
The following code example shows how to use list-attacks.
- Amazon CLI
-
To retrieve attack summaries from Amazon Shield Advanced
The following
list-attacksexample retrieves summaries of attacks for the specified Amazon CloudFront distribution during the specified time period. The response includes attack IDs that you can provide to thedescribe-attackcommand for detailed information on an attack.aws shield list-attacks \ --resource-arnsarn:aws:cloudfront::12345678910:distribution/E1PXMP22ZVFAOR\ --start-timeFromInclusive=1529280000,ToExclusive=1529300000Output:
{ "AttackSummaries": [ { "AttackId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ResourceArn": "arn:aws:cloudfront::123456789012:distribution/E1PXMP22ZVFAOR", "StartTime": 1529280000.0, "EndTime": 1529449200.0, "AttackVectors": [ { "VectorType": "SYN_FLOOD" } ] } ] }For more information, see Reviewing DDoS Incidents
in the Amazon Shield Advanced Developer Guide. -
For API details, see ListAttacks
in Amazon CLI Command Reference.
-
The following code example shows how to use list-protections.
- Amazon CLI
-
To retrieve protection summaries from Amazon Shield Advanced
The following
list-protectionsexample retrieves summaries of the protections that are enabled for the account.aws shield list-protectionsOutput:
{ "Protections": [ { "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "Name": "Protection for CloudFront distribution", "ResourceArn": "arn:aws:cloudfront::123456789012:distribution/E198WC25FXOWY8" } ] }For more information, see Specify Your Resources to Protect
in the Amazon Shield Advanced Developer Guide. -
For API details, see ListProtections
in Amazon CLI Command Reference.
-
The following code example shows how to use update-emergency-contact-settings.
- Amazon CLI
-
To define the emergency e-mail addresses that are on file with the DRT
The following
update-emergency-contact-settingsexample defines two e-mail addresses that the DRT should contact when it's responding to a suspected attack.aws shield update-emergency-contact-settings \ --emergency-contact-listEmailAddress=ops@example.comEmailAddress=ddos-notifications@example.comThis command produces no output.
For more information, see How Amazon Shield Works
in the Amazon Shield Advanced Developer Guide. -
For API details, see UpdateEmergencyContactSettings
in Amazon CLI Command Reference.
-
The following code example shows how to use update-subscription.
- Amazon CLI
-
To modify the account's Amazon Shield Advanced subscription
The following
update-subscriptionexample enables auto-renewal of the Amazon Shield Advanced subscription for the account.aws shield update-subscription \ --auto-renewENABLEDThis command produces no output.
For more information, see How Amazon Shield Works
in the Amazon Shield Advanced Developer Guide. -
For API details, see UpdateSubscription
in Amazon CLI Command Reference.
-