This documentation is for Version 1 of the Amazon CLI only. For documentation related to Version 2 of the Amazon CLI, see the Version 2 User Guide.
Shield examples using Amazon CLI
The following code examples show you how to perform actions and implement common scenarios by using the Amazon Command Line Interface with Shield.
Actions are code excerpts from larger programs and must be run in context. While actions show you how to call individual service functions, you can see actions in context in their related scenarios.
Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context.
Topics
Actions
The following code example shows how to use associate-drt-log-bucket.

- Amazon CLI

To authorize the DRT to access an Amazon S3 bucket

The following associate-drt-log-bucket example creates an association between the DRT and the specified S3 bucket. This permits the DRT to access the bucket on behalf of the account.

    aws shield associate-drt-log-bucket \
        --log-bucket flow-logs-for-website-lb

This command produces no output.

For more information, see Authorize the DDoS Response Team in the Amazon Shield Advanced Developer Guide.

- For API details, see AssociateDrtLogBucket in Amazon CLI Command Reference.
The following code example shows how to use associate-drt-role.

- Amazon CLI

To authorize the DRT to mitigate potential attacks on your behalf

The following associate-drt-role example creates an association between the DRT and the specified role. The DRT can use the role to access and manage the account.

    aws shield associate-drt-role \
        --role-arn arn:aws:iam::123456789012:role/service-role/DrtRole

This command produces no output.

For more information, see Authorize the DDoS Response Team in the Amazon Shield Advanced Developer Guide.

- For API details, see AssociateDrtRole in Amazon CLI Command Reference.
The following code example shows how to use create-protection.

- Amazon CLI

To enable Amazon Shield Advanced protection for a single Amazon resource

The following create-protection example enables Shield Advanced protection for the specified Amazon CloudFront distribution.

    aws shield create-protection \
        --name "Protection for CloudFront distribution" \
        --resource-arn arn:aws:cloudfront::123456789012:distribution/E198WC25FXOWY8

Output:

    {
        "ProtectionId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
    }

For more information, see Specify Your Resources to Protect in the Amazon Shield Advanced Developer Guide.

- For API details, see CreateProtection in Amazon CLI Command Reference.
The following code example shows how to use create-subscription.

- Amazon CLI

To enable Amazon Shield Advanced protection for an account

The following create-subscription example enables Shield Advanced protection for the account.

    aws shield create-subscription

This command produces no output.

For more information, see Getting Started with Amazon Shield Advanced in the Amazon Shield Advanced Developer Guide.

- For API details, see CreateSubscription in Amazon CLI Command Reference.
The following code example shows how to use delete-protection.

- Amazon CLI

To remove Amazon Shield Advanced protection from an Amazon resource

The following delete-protection example removes the specified Amazon Shield Advanced protection.

    aws shield delete-protection \
        --protection-id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111

This command produces no output.

For more information, see Removing Amazon Shield Advanced from an Amazon Resource in the Amazon Shield Advanced Developer Guide.

- For API details, see DeleteProtection in Amazon CLI Command Reference.
The following code example shows how to use describe-attack.

- Amazon CLI

To retrieve a detailed description of an attack

The following describe-attack example displays details about the DDoS attack with the specified attack ID. You can obtain attack IDs by running the list-attacks command.

    aws shield describe-attack \
        --attack-id a1b2c3d4-5678-90ab-cdef-EXAMPLE22222

Output:

    {
        "Attack": {
            "AttackId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
            "ResourceArn": "arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/testElb",
            "SubResources": [
                {
                    "Type": "IP",
                    "Id": "192.0.2.2",
                    "AttackVectors": [
                        {
                            "VectorType": "SYN_FLOOD",
                            "VectorCounters": [
                                { "Name": "SYN_FLOOD_BPS", "Max": 982184.0, "Average": 982184.0, "Sum": 11786208.0, "N": 12, "Unit": "BPS" }
                            ]
                        }
                    ],
                    "Counters": []
                },
                {
                    "Type": "IP",
                    "Id": "192.0.2.3",
                    "AttackVectors": [
                        {
                            "VectorType": "SYN_FLOOD",
                            "VectorCounters": [
                                { "Name": "SYN_FLOOD_BPS", "Max": 982184.0, "Average": 982184.0, "Sum": 9821840.0, "N": 10, "Unit": "BPS" }
                            ]
                        }
                    ],
                    "Counters": []
                },
                {
                    "Type": "IP",
                    "Id": "192.0.2.4",
                    "AttackVectors": [
                        {
                            "VectorType": "SYN_FLOOD",
                            "VectorCounters": [
                                { "Name": "SYN_FLOOD_BPS", "Max": 982184.0, "Average": 982184.0, "Sum": 7857472.0, "N": 8, "Unit": "BPS" }
                            ]
                        }
                    ],
                    "Counters": []
                },
                {
                    "Type": "IP",
                    "Id": "192.0.2.5",
                    "AttackVectors": [
                        {
                            "VectorType": "SYN_FLOOD",
                            "VectorCounters": [
                                { "Name": "SYN_FLOOD_BPS", "Max": 982184.0, "Average": 982184.0, "Sum": 1964368.0, "N": 2, "Unit": "BPS" }
                            ]
                        }
                    ],
                    "Counters": []
                },
                {
                    "Type": "IP",
                    "Id": "2001:DB8::bcde:4321:8765:0:0",
                    "AttackVectors": [
                        {
                            "VectorType": "SYN_FLOOD",
                            "VectorCounters": [
                                { "Name": "SYN_FLOOD_BPS", "Max": 982184.0, "Average": 982184.0, "Sum": 1964368.0, "N": 2, "Unit": "BPS" }
                            ]
                        }
                    ],
                    "Counters": []
                },
                {
                    "Type": "IP",
                    "Id": "192.0.2.6",
                    "AttackVectors": [
                        {
                            "VectorType": "SYN_FLOOD",
                            "VectorCounters": [
                                { "Name": "SYN_FLOOD_BPS", "Max": 982184.0, "Average": 982184.0, "Sum": 1964368.0, "N": 2, "Unit": "BPS" }
                            ]
                        }
                    ],
                    "Counters": []
                }
            ],
            "StartTime": 1576024927.457,
            "EndTime": 1576025647.457,
            "AttackCounters": [],
            "AttackProperties": [
                {
                    "AttackLayer": "NETWORK",
                    "AttackPropertyIdentifier": "SOURCE_IP_ADDRESS",
                    "TopContributors": [
                        { "Name": "198.51.100.5", "Value": 2024475682 },
                        { "Name": "198.51.100.8", "Value": 1311380863 },
                        { "Name": "203.0.113.4", "Value": 900599855 },
                        { "Name": "198.51.100.4", "Value": 769417366 },
                        { "Name": "203.1.113.13", "Value": 757992847 }
                    ],
                    "Unit": "BYTES",
                    "Total": 92773354841
                },
                {
                    "AttackLayer": "NETWORK",
                    "AttackPropertyIdentifier": "SOURCE_COUNTRY",
                    "TopContributors": [
                        { "Name": "United States", "Value": 80938161764 },
                        { "Name": "Brazil", "Value": 9929864330 },
                        { "Name": "Netherlands", "Value": 1635009446 },
                        { "Name": "Mexico", "Value": 144832971 },
                        { "Name": "Japan", "Value": 45369000 }
                    ],
                    "Unit": "BYTES",
                    "Total": 92773354841
                },
                {
                    "AttackLayer": "NETWORK",
                    "AttackPropertyIdentifier": "SOURCE_ASN",
                    "TopContributors": [
                        { "Name": "12345", "Value": 74953625841 },
                        { "Name": "12346", "Value": 4440087595 },
                        { "Name": "12347", "Value": 1635009446 },
                        { "Name": "12348", "Value": 1221230000 },
                        { "Name": "12349", "Value": 1199425294 }
                    ],
                    "Unit": "BYTES",
                    "Total": 92755479921
                }
            ],
            "Mitigations": []
        }
    }

For more information, see Reviewing DDoS Incidents in the Amazon Shield Advanced Developer Guide.

- For API details, see DescribeAttack in Amazon CLI Command Reference.
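As an added example (not part of the AWS documentation or the CLI itself), the following Python script parses the JSON that describe-attack returns and reduces it to what an on-call engineer reads first: the attack window, the peak rate per vector across all targeted sub-resources, and the largest contributor per attack property with its share of that property's Total. The SAMPLE document is a constructed abbreviation of the output shown above; in practice you would load the saved output of `aws shield describe-attack` instead.

```python
"""Triage summary for `aws shield describe-attack` JSON (added example, not AWS code)."""
import json
from datetime import datetime, timezone

# Constructed sample: an abbreviation of the describe-attack output shown on this page
# (two of the six sub-resources, one of the three attack properties).
SAMPLE = json.loads("""
{"Attack": {"AttackId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
 "ResourceArn": "arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/testElb",
 "SubResources": [
  {"Type": "IP", "Id": "192.0.2.2", "Counters": [], "AttackVectors": [{"VectorType": "SYN_FLOOD",
   "VectorCounters": [{"Name": "SYN_FLOOD_BPS", "Max": 982184.0, "Average": 982184.0, "Sum": 11786208.0, "N": 12, "Unit": "BPS"}]}]},
  {"Type": "IP", "Id": "192.0.2.3", "Counters": [], "AttackVectors": [{"VectorType": "SYN_FLOOD",
   "VectorCounters": [{"Name": "SYN_FLOOD_BPS", "Max": 982184.0, "Average": 982184.0, "Sum": 9821840.0, "N": 10, "Unit": "BPS"}]}]}],
 "StartTime": 1576024927.457, "EndTime": 1576025647.457, "AttackCounters": [],
 "AttackProperties": [{"AttackLayer": "NETWORK", "AttackPropertyIdentifier": "SOURCE_ASN",
   "TopContributors": [{"Name": "12345", "Value": 74953625841}, {"Name": "12346", "Value": 4440087595}],
   "Unit": "BYTES", "Total": 92755479921}],
 "Mitigations": []}}
""")


def summarize_attack(doc):
    """Reduce a DescribeAttack response to the fields an on-call engineer reads first."""
    atk = doc["Attack"]
    start, end = atk["StartTime"], atk["EndTime"]
    # VectorCounters are reported per targeted sub-resource, so the attack-wide peak per vector/unit is the max over all of them.
    peaks = {}
    for sub in atk["SubResources"]:
        for vec in sub["AttackVectors"]:
            for ctr in vec["VectorCounters"]:
                key = f'{vec["VectorType"]}_{ctr["Unit"]}'
                peaks[key] = max(peaks.get(key, 0.0), ctr["Max"])
    # Largest contributor per property (e.g. SOURCE_ASN) and its share of that property's Total.
    top = {}
    for prop in atk["AttackProperties"]:
        lead = max(prop["TopContributors"], key=lambda c: c["Value"], default=None)
        if lead and prop["Total"]:
            top[prop["AttackPropertyIdentifier"]] = (lead["Name"], round(lead["Value"] / prop["Total"], 3))
    return {
        "attack_id": atk["AttackId"],
        "resource": atk["ResourceArn"],
        "started_utc": datetime.fromtimestamp(start, timezone.utc).isoformat(),
        "duration_s": round(end - start),
        "targets": [s["Id"] for s in atk["SubResources"]],
        "peak_rates": peaks,
        "top_contributors": top,
        "mitigations_recorded": len(atk["Mitigations"]),
    }
```

Call `summarize_attack(json.load(open("attack.json")))` on the saved CLI output; for the page's full sample this reports a 720-second SYN flood peaking at 982184 BPS with AS12345 responsible for about 81% of the bytes.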
The following code example shows how to use describe-drt-access.

- Amazon CLI

To retrieve a description of the authorizations the DRT has to mitigate attacks on your behalf

The following describe-drt-access example retrieves the role and S3 bucket authorizations that the DRT has, which allow it to respond to potential attacks on your behalf.

    aws shield describe-drt-access

Output:

    {
        "RoleArn": "arn:aws:iam::123456789012:role/service-role/DrtRole",
        "LogBucketList": [
            "flow-logs-for-website-lb"
        ]
    }

For more information, see Authorize the DDoS Response Team in the Amazon Shield Advanced Developer Guide.

- For API details, see DescribeDrtAccess in Amazon CLI Command Reference.
The following code example shows how to use describe-emergency-contact-settings.

- Amazon CLI

To retrieve emergency e-mail addresses that you have on file with the DRT

The following describe-emergency-contact-settings example retrieves the e-mail addresses that are on file with the DRT for the account. These are the addresses the DRT should contact when it's responding to a suspected attack.

    aws shield describe-emergency-contact-settings

Output:

    {
        "EmergencyContactList": [
            {
                "EmailAddress": "ops@example.com"
            },
            {
                "EmailAddress": "ddos-notifications@example.com"
            }
        ]
    }

For more information, see How Amazon Shield Works (https://docs.aws.amazon.com/waf/latest/developerguide/ddos-overview.html) in the Amazon Shield Advanced Developer Guide.

- For API details, see DescribeEmergencyContactSettings in Amazon CLI Command Reference.
The following code example shows how to use describe-protection.

- Amazon CLI

To retrieve the details for an Amazon Shield Advanced protection

The following describe-protection example displays details about the Shield Advanced protection with the specified ID. You can obtain protection IDs by running the list-protections command.

    aws shield describe-protection \
        --protection-id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111

Output:

    {
        "Protection": {
            "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "Name": "1.2.3.4",
            "ResourceArn": "arn:aws:ec2:us-west-2:123456789012:eip-allocation/eipalloc-0ac1537af40742a6d"
        }
    }

For more information, see Specify Your Resources to Protect in the Amazon Shield Advanced Developer Guide.

- For API details, see DescribeProtection in Amazon CLI Command Reference.
The following code example shows how to use describe-subscription.

- Amazon CLI

To retrieve the details of the Amazon Shield Advanced protection for the account

The following describe-subscription example displays details about the Shield Advanced protection provided for the account.

    aws shield describe-subscription

Output:

    {
        "Subscription": {
            "StartTime": 1534368978.0,
            "EndTime": 1597613778.0,
            "TimeCommitmentInSeconds": 63244800,
            "AutoRenew": "ENABLED",
            "Limits": [
                { "Type": "GLOBAL_ACCELERATOR", "Max": 1000 },
                { "Type": "ROUTE53_HOSTED_ZONE", "Max": 1000 },
                { "Type": "CF_DISTRIBUTION", "Max": 1000 },
                { "Type": "ELB_LOAD_BALANCER", "Max": 1000 },
                { "Type": "EC2_ELASTIC_IP_ALLOCATION", "Max": 1000 }
            ]
        }
    }

For more information, see How Amazon Shield Works in the Amazon Shield Advanced Developer Guide.

- For API details, see DescribeSubscription in Amazon CLI Command Reference.
The following code example shows how to use disassociate-drt-log-bucket.

- Amazon CLI

To remove the authorization for DRT to access an Amazon S3 bucket on your behalf

The following disassociate-drt-log-bucket example removes the association between the DRT and the specified S3 bucket. After this command completes, the DRT can no longer access the bucket on behalf of the account.

    aws shield disassociate-drt-log-bucket \
        --log-bucket flow-logs-for-website-lb

This command produces no output.

For more information, see Authorize the DDoS Response Team in the Amazon Shield Advanced Developer Guide.

- For API details, see DisassociateDrtLogBucket in Amazon CLI Command Reference.
The following code example shows how to use disassociate-drt-role.

- Amazon CLI

To remove the authorization for DRT to mitigate potential attacks on your behalf

The following disassociate-drt-role example removes the association between the DRT and the account. After this call, the DRT can no longer access or manage your account.

    aws shield disassociate-drt-role

This command produces no output.

For more information, see Authorize the DDoS Response Team in the Amazon Shield Advanced Developer Guide.

- For API details, see DisassociateDrtRole in Amazon CLI Command Reference.
The following code example shows how to use get-subscription-state.

- Amazon CLI

To retrieve the current state of the account's Amazon Shield Advanced subscription

The following get-subscription-state example retrieves the state of the Shield Advanced protection for the account.

    aws shield get-subscription-state

Output:

    {
        "SubscriptionState": "ACTIVE"
    }

For more information, see How Amazon Shield Works in the Amazon Shield Advanced Developer Guide.

- For API details, see GetSubscriptionState in Amazon CLI Command Reference.
The following code example shows how to use list-attacks.

- Amazon CLI

To retrieve attack summaries from Amazon Shield Advanced

The following list-attacks example retrieves summaries of attacks for the specified Amazon CloudFront distribution during the specified time period. The response includes attack IDs that you can provide to the describe-attack command for detailed information on an attack.

    aws shield list-attacks \
        --resource-arns arn:aws:cloudfront::12345678910:distribution/E1PXMP22ZVFAOR \
        --start-time FromInclusive=1529280000,ToExclusive=1529300000

Output:

    {
        "AttackSummaries": [
            {
                "AttackId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
                "ResourceArn": "arn:aws:cloudfront::123456789012:distribution/E1PXMP22ZVFAOR",
                "StartTime": 1529280000.0,
                "EndTime": 1529449200.0,
                "AttackVectors": [
                    { "VectorType": "SYN_FLOOD" }
                ]
            }
        ]
    }

For more information, see Reviewing DDoS Incidents in the Amazon Shield Advanced Developer Guide.

- For API details, see ListAttacks in Amazon CLI Command Reference.
The following code example shows how to use list-protections.

- Amazon CLI

To retrieve protection summaries from Amazon Shield Advanced

The following list-protections example retrieves summaries of the protections that are enabled for the account.

    aws shield list-protections

Output:

    {
        "Protections": [
            {
                "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
                "Name": "Protection for CloudFront distribution",
                "ResourceArn": "arn:aws:cloudfront::123456789012:distribution/E198WC25FXOWY8"
            }
        ]
    }

For more information, see Specify Your Resources to Protect in the Amazon Shield Advanced Developer Guide.

- For API details, see ListProtections in Amazon CLI Command Reference.
The following code example shows how to use update-emergency-contact-settings.

- Amazon CLI

To define the emergency e-mail addresses that are on file with the DRT

The following update-emergency-contact-settings example defines two e-mail addresses that the DRT should contact when it's responding to a suspected attack.

    aws shield update-emergency-contact-settings \
        --emergency-contact-list EmailAddress=ops@example.com EmailAddress=ddos-notifications@example.com

This command produces no output.

For more information, see How Amazon Shield Works in the Amazon Shield Advanced Developer Guide.

- For API details, see UpdateEmergencyContactSettings in Amazon CLI Command Reference.
The following code example shows how to use update-subscription.

- Amazon CLI

To modify the account's Amazon Shield Advanced subscription

The following update-subscription example enables auto-renewal of the Amazon Shield Advanced subscription for the account.

    aws shield update-subscription \
        --auto-renew ENABLED

This command produces no output.

For more information, see How Amazon Shield Works in the Amazon Shield Advanced Developer Guide.

- For API details, see UpdateSubscription in Amazon CLI Command Reference.