Managing resource protections in Amazon Shield Advanced - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Managing resource protections in Amazon Shield Advanced

Use the guidance in this section to manage Shield Advanced protections for your resources.

Note

Shield Advanced protects only resources that you have specified either in Shield Advanced or through an Amazon Firewall Manager Shield Advanced policy. It doesn't automatically protect your resources.

If you're using an Amazon Firewall Manager Shield Advanced policy, you don't need to manage protections for resources that are in scope of the policy. Firewall Manager automatically manages protections for accounts and resources that are in scope of a policy, according to the policy configuration. For more information, see Amazon Shield Advanced policies.

Adding Amazon Shield Advanced protection to Amazon resources

Follow the guidance in this section to add Shield Advanced protection to one or more resources.

To add protection for an Amazon resource
  1. Sign in to the Amazon Web Services Management Console and open the Amazon WAF & Shield console at https://console.amazonaws.cn/wafv2/.

  2. In the navigation pane, under Amazon Shield, choose Protected resources.

  3. Choose Add resources to protect.

  4. In the Choose resources to protect with Shield Advanced page, in Specify the Region and resource types, provide the Region and resource type specifications for the resources that you want to protect. You can protect resources in multiple Regions by selecting All Regions, and you can narrow the selection to global resources by selecting Global. You can deselect any resource types that you do not want to protect. For information about protections for your resource types, see Amazon Shield Advanced protections by resource type.

  5. Choose Load resources. Shield Advanced populates the Select Resources section with the Amazon resources that match your criteria.

  6. In the Select Resources section, you can filter the list of resources by entering a string to search for in the resource listings.

    Select the resources that you want to protect.

  7. In the Tags section, if you want to add tags to the Shield Advanced protections that you are creating, specify those. For information about tagging Amazon resources, see Working with Tag Editor.

  8. Choose Protect with Shield Advanced. This adds Shield Advanced protections to the resources.

Configuring Amazon Shield Advanced protections

You can change the settings for your Amazon Shield Advanced protections at any time. To do this, walk through the options for your selected protections and modify the settings that you need to change.

To manage protected resources
  1. Sign in to the Amazon Web Services Management Console and open the Amazon WAF & Shield console at https://console.amazonaws.cn/wafv2/.

  2. In the Amazon Shield navigation pane, choose Protected resources.

  3. In the Protections tab, select the resources that you want to protect.

  4. Choose Configure protections and the resource specification option that you want.

  5. Walk through each of the resource protection options, making changes as needed.

Configure application layer DDoS protections

For protection against attacks on Amazon CloudFront and Application Load Balancer resources, you can add Amazon WAF web ACLs and add rate-based rules. For information about this, see Shield Advanced application layer Amazon WAF web ACLs and rate-based rules.

You can also enable the Shield Advanced automatic application layer DDoS mitigation. For information about how Amazon WAF works, see Amazon WAF. For information about the automatic mitigation feature, see Shield Advanced automatic application layer DDoS mitigation.

Important

If you manage your Shield Advanced protections through Amazon Firewall Manager using a Shield Advanced policy, you can't manage the application layer protections here. For all other resources, we recommend that, at a minimum, you attach a web ACL to each resource, even if the web ACL doesn't contain any rules.

Note

When you enable automatic application layer DDoS mitigation for a resource, the operation automatically adds a service-linked role to your account if one isn't already present, to give Shield Advanced the permissions it needs to manage your web ACL protections. For information, see Using service-linked roles for Shield Advanced.

To configure application layer DDoS protections
  1. In the Configure layer 7 DDoS protections page, if the resource isn't already associated with a web ACL, you can choose an existing web ACL or create your own.

    To create a web ACL, follow these steps:

    1. Choose Create web ACL.

    2. Enter a name. You can't change the name after you create the web ACL.

    3. Choose Create.

    Note

    If a resource is already associated with a web ACL, you can't change to a different web ACL. If you want to change the web ACL, you must first remove the associated web ACLs from the resource. For more information, see Associating or disassociating a web ACL with an Amazon resource.

  2. If the web ACL doesn't have a rate-based rule defined, you can add one by choosing Add rate limit rule and then performing the following steps:

    1. Enter a name.

    2. Enter a rate limit. This is the maximum number of requests allowed in any five-minute period from any single IP address before the rate-based rule action is applied to the IP address. When the requests from the IP address fall below the limit, the action is discontinued.

    3. Set the rule action to count or block requests from IP addresses while their request counts are over the limit. The application and removal of the rule action might take effect a minute or two after the IP address request rate changes.

    4. Choose Add rule.

  3. For Automatic application layer DDoS mitigation, choose whether you want Shield Advanced to automatically mitigate DDoS attacks on your behalf, as follows:

    • To enable automatic mitigation, choose Enable and then select the Amazon WAF rule action that you want Shield Advanced to use in its custom rules. Your choices are Count and Block. For information about these Amazon WAF rule actions, see Rule action. For information about how Shield Advanced manages this action setting, see How Shield Advanced manages the rule action setting.

    • To disable automatic mitigation, choose Disable.

    • To leave the automatic mitigation settings unchanged for the resources that you're managing, leave the default choice Keep current settings.

    For information about Shield Advanced automatic application layer DDoS mitigation, see Shield Advanced automatic application layer DDoS mitigation.

  4. Choose Next.
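The rate limit and rule action from step 2 correspond to an AWS WAFv2 rate-based rule definition, and the over-limit behaviour described there can be modelled to see which requests the rule action would apply to. The following Python is an added example, not code from the Shield Advanced documentation or the service itself; the request log it evaluates is constructed, and the model ignores the one-to-two-minute propagation delay the text mentions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 300  # the five-minute evaluation period the page describes


def rate_based_rule(name: str, limit: int, action: str, priority: int = 0) -> dict:
    """Build the WAFv2 Rule object for a rate-based rule keyed on source IP.

    This is the shape placed in the Rules list of a wafv2 create_web_acl or
    update_web_acl call. Only the Count and Block actions that the Shield
    Advanced console offers are accepted.
    """
    if action not in ("Block", "Count"):
        raise ValueError("rule action must be 'Block' or 'Count'")
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
        "Action": {action: {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def evaluate(requests, limit: int, action: str):
    """Simplified model of how a rate-based rule treats each request.

    `requests` is an iterable of (timestamp_seconds, source_ip). A source IP
    is subject to the rule action while its request count in the trailing
    five-minute window exceeds `limit`, and is released once the count drops
    back to the limit or below. The service applies and removes the action
    with a delay of a minute or two; this model applies it immediately.
    """
    seen = defaultdict(deque)  # source IP -> request timestamps still inside the window
    decisions = []
    for ts, ip in requests:
        window = seen[ip]
        window.append(ts)
        while window and ts - window[0] >= WINDOW_SECONDS:
            window.popleft()  # expire requests older than five minutes
        decisions.append((ts, ip, action if len(window) > limit else "Allow"))
    return decisions


SAMPLE_REQUESTS = [  # constructed sample: (seconds, source IP); limit of 3 is for illustration only
    (0, "192.0.2.10"), (10, "192.0.2.10"), (15, "198.51.100.7"),
    (20, "192.0.2.10"), (30, "192.0.2.10"), (320, "192.0.2.10"),
]
```

Running `evaluate(SAMPLE_REQUESTS, 3, "Block")` shows the fourth request from 192.0.2.10 being blocked and the request at 320 seconds allowed again once the earliest ones have aged out of the window.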

Create alarms and notifications

The following procedure shows how to manage CloudWatch alarms for protected resources.

Note

CloudWatch incurs additional costs. For CloudWatch pricing, see Amazon CloudWatch Pricing.

To create alarms and notifications
  1. In the protections page Create alarms and notifications - optional, configure the SNS topics for the alarms and notifications that you want to receive. For resources that you don't want notifications for, choose No topic. You can add an Amazon SNS topic or create a new topic.

  2. To create an Amazon SNS topic, follow these steps:

    1. In the dropdown list, choose Create an SNS topic.

    2. Enter a topic name.

    3. Optionally enter an email address that the Amazon SNS messages will be sent to, and then choose Add email. You can enter more than one.

    4. Choose Create.

  3. Choose Next.

Removing Amazon Shield Advanced protection from an Amazon resource

You can remove Amazon Shield Advanced protection from any of your Amazon resources at any time.

Important

Deleting an Amazon resource doesn't remove the resource from Amazon Shield Advanced. You must also remove the protection on the resource from Amazon Shield Advanced, as described in this procedure.

Remove Amazon Shield Advanced protection from an Amazon resource
  1. Sign in to the Amazon Web Services Management Console and open the Amazon WAF & Shield console at https://console.amazonaws.cn/wafv2/.

  2. In the Amazon Shield navigation pane, choose Protected resources.

  3. In the Protections tab, select the resources whose protections you want to remove.

  4. Choose Delete protections.

    1. If you have an Amazon CloudWatch alarm configured for a protection, you are given the option to delete the alarm along with the protection. If you choose not to delete the alarm at this point, you can instead delete it later using the CloudWatch console.

    Note

    For protections that have an Amazon Route 53 health check configured, if you add the protection again later, the protection still includes the health check.

The preceding steps remove Amazon Shield Advanced protection from specific Amazon resources. They don't cancel your Amazon Shield Advanced subscription. You will continue to be charged for the service. For information about your Amazon Shield Advanced subscription, contact the Amazon Web Services Support Center.

Removing a CloudWatch alarm from your Shield Advanced protections

To remove a CloudWatch alarm from your Shield Advanced protections, do one of the following: