Configuring access for the Shield Response Team (SRT)

To manage permissions for the SRT

1. In the Amazon Shield console Overview page, under Configure Amazon SRT support, choose Edit SRT access. The Edit Amazon Shield Response Team (SRT) access page opens.

2. For SRT access setting select one of the options:

   • Do not grant the SRT access to my account – Shield removes any permissions you previously gave to the SRT to access your account and resources.

   • Create a new role for the SRT to access my account – Shield creates a role that trusts the service principal drt.shield.amazonaws.com, which represents the SRT, and attaches the managed policy AWSShieldDRTAccessPolicy to it. The managed policy allows the SRT to make Amazon Shield Advanced and Amazon WAF API calls on your behalf and to access your Amazon WAF logs. For more information about the managed policy, see Amazon managed policy: AWSShieldDRTAccessPolicy.

   • Choose an existing role for the SRT to access my accounts – For this option, you must modify the configuration of the role in Amazon Identity and Access Management (IAM) as follows:

     • Attach the managed policy AWSShieldDRTAccessPolicy to the role. This managed policy allows the SRT to make Amazon Shield Advanced and Amazon WAF API calls on your behalf and to access your Amazon WAF logs. For more information about the managed policy, see Amazon managed policy: AWSShieldDRTAccessPolicy. For information about attaching the managed policy to your role, see Attaching and Detaching IAM Policies.

     • Modify the role to trust the service principal drt.shield.amazonaws.com. This is the service principal that represents the SRT. For more information, see IAM JSON Policy Elements: Principal.

3. For (Optional): Grant SRT access to an Amazon S3 bucket, if you need to share data that isn't in your Amazon WAF web ACL logs, configure this. For example, Application Load Balancer access logs, Amazon CloudFront logs, or logs from third party sources.

   Note

   You don't need to do this for your Amazon WAF web ACL logs. The SRT gains access to those when you grant access to your account.

   1. Configure the Amazon S3 buckets according to the following guidelines:

      • The bucket locations must be in the same Amazon Web Services account as the one you gave the SRT general access to, in the prior step Amazon Shield Response Team (SRT) access.

      • The buckets can be either plaintext or SSE-S3 encrypted. For more information about Amazon S3 SSE-S3 encryption, see Protecting Data Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3) in the Amazon S3 User Guide.

        The SRT cannot view or process logs that are stored in buckets that are encrypted with keys stored in Amazon Key Management Service (Amazon KMS).

   2. In the Shield Advanced (Optional): Grant SRT access to an Amazon S3 bucket section, for each Amazon S3 bucket where your data or logs are stored, enter the name of the bucket and choose Add Bucket. You can add up to 10 buckets.

      This grants the SRT the following permissions on each bucket: s3:GetBucketLocation, s3:GetObject, and s3:ListBucket.

      If you want to give the SRT permission to access more than 10 buckets, you can do this by editing the additional bucket policies and manually granting the permissions listed here for the SRT.

      The following shows an example policy listing.

      {
          "Sid": "AWSDDoSResponseTeamAccessS3Bucket",
          "Effect": "Allow",
          "Principal": {
              "Service": "drt.shield.amazonaws.com"
          },
          "Action": [
              "s3:GetBucketLocation",
              "s3:GetObject",
              "s3:ListBucket"
          ],
          "Resource": [
              "arn:aws:s3:::bucket-name",
              "arn:aws:s3:::bucket-name/*"
          ]
      } 

4. Choose Save to save your changes.