
Configuring access for the Shield Response Team (SRT)

You can grant permission to the Shield Response Team (SRT) to act on your behalf, accessing your Amazon WAF logs and making calls to the Amazon Shield Advanced and Amazon WAF APIs to manage protections. During application layer DDoS events, the SRT can monitor Amazon WAF requests to identify anomalous traffic and help craft custom Amazon WAF rules to mitigate offending traffic sources.

Additionally, you can grant the SRT access to other data that you have stored in Amazon S3 buckets, such as packet captures or logs from an Application Load Balancer, Amazon CloudFront, or from third party sources.

Note

To use the services of the Shield Response Team (SRT), you must be subscribed to the Business Support plan or the Enterprise Support plan.

To manage permissions for the SRT
  1. In the Amazon Shield console Overview page, under Configure Amazon SRT support, choose Edit SRT access. The Edit Amazon Shield Response Team (SRT) access page opens.

  2. For SRT access setting, select one of the options:

    • Do not grant the SRT access to my account – Shield removes any permissions you previously gave to the SRT to access your account and resources.

    • Create a new role for the SRT to access my account – Shield creates a role that trusts the service principal drt.shield.amazonaws.com, which represents the SRT, and attaches the managed policy AWSShieldDRTAccessPolicy to it. The managed policy allows the SRT to make Amazon Shield Advanced and Amazon WAF API calls on your behalf and to access your Amazon WAF logs. For more information about the managed policy, see Amazon managed policy: AWSShieldDRTAccessPolicy.

    • Choose an existing role for the SRT to access my accounts – For this option, you must modify the configuration of the role in Amazon Identity and Access Management (IAM) as follows:

      • Attach the managed policy AWSShieldDRTAccessPolicy to the role. This managed policy allows the SRT to make Amazon Shield Advanced and Amazon WAF API calls on your behalf and to access your Amazon WAF logs. For more information about the managed policy, see Amazon managed policy: AWSShieldDRTAccessPolicy. For information about attaching the managed policy to your role, see Attaching and Detaching IAM Policies.

      • Modify the role to trust the service principal drt.shield.amazonaws.com. This is the service principal that represents the SRT. For more information, see IAM JSON Policy Elements: Principal.

  3. For (Optional): Grant SRT access to an Amazon S3 bucket, configure this if you need to share data that isn't in your Amazon WAF web ACL logs, such as Application Load Balancer access logs, Amazon CloudFront logs, or logs from third party sources.

    Note

    You don't need to do this for your Amazon WAF web ACL logs. The SRT gains access to those when you grant access to your account.

    1. Configure the Amazon S3 buckets according to the following guidelines:

      • The bucket locations must be in the same Amazon Web Services account as the one you gave the SRT general access to, in the prior step Amazon Shield Response Team (SRT) access.

      • The buckets can be either plaintext or SSE-S3 encrypted. For more information about Amazon S3 SSE-S3 encryption, see Protecting Data Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3) in the Amazon S3 User Guide.

        The SRT cannot view or process logs that are stored in buckets that are encrypted with keys stored in Amazon Key Management Service (Amazon KMS).

    2. In the Shield Advanced (Optional): Grant SRT access to an Amazon S3 bucket section, for each Amazon S3 bucket where your data or logs are stored, enter the name of the bucket and choose Add Bucket. You can add up to 10 buckets.

      This grants the SRT the following permissions on each bucket: s3:GetBucketLocation, s3:GetObject, and s3:ListBucket.

      If you want to give the SRT permission to access more than 10 buckets, you can do this by editing the additional bucket policies and manually granting the permissions listed here for the SRT.

      The following shows an example policy listing.

      {
          "Sid": "AWSDDoSResponseTeamAccessS3Bucket",
          "Effect": "Allow",
          "Principal": {
              "Service": "drt.shield.amazonaws.com"
          },
          "Action": [
              "s3:GetBucketLocation",
              "s3:GetObject",
              "s3:ListBucket"
          ],
          "Resource": [
              "arn:aws:s3:::bucket-name",
              "arn:aws:s3:::bucket-name/*"
          ]
      }
  4. Choose Save to save your changes.
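
For buckets beyond the ten that the console manages, the statement in step 3 has to be merged into each bucket policy by hand. The following Python sketch is an added example, not code from the Amazon documentation: it merges that statement without disturbing other statements and reports where an existing grant to drt.shield.amazonaws.com is broader or narrower than the three documented permissions. The function names are hypothetical, and the ARN format follows the page's listing.

```python
import copy
from fnmatch import fnmatchcase

SRT_PRINCIPAL = "drt.shield.amazonaws.com"
SRT_SID = "AWSDDoSResponseTeamAccessS3Bucket"
SRT_ACTIONS = ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket"]

def _as_list(value):
    # Policy JSON allows a bare string or object where a list is accepted.
    return list(value) if isinstance(value, (list, tuple)) else [value] if value else []

def srt_statement(bucket):
    """The statement from the page, scoped to one bucket."""
    return {"Sid": SRT_SID, "Effect": "Allow",
            "Principal": {"Service": SRT_PRINCIPAL},
            "Action": list(SRT_ACTIONS),
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]}

def merge_srt_statement(policy, bucket):
    """Copy of policy holding exactly one SRT statement; other statements are kept."""
    merged = copy.deepcopy(policy) if policy else {"Version": "2012-10-17"}
    others = [s for s in _as_list(merged.get("Statement")) if s.get("Sid") != SRT_SID]
    merged["Statement"] = others + [srt_statement(bucket)]
    return merged

def audit_srt_grants(policy, bucket):
    """Findings where Allow statements for the SRT principal differ from the page's grant.
    Assumes Action/Principal are used, not NotAction/NotPrincipal."""
    findings, granted = [], set()
    allowed = set(srt_statement(bucket)["Resource"])
    wanted = {a.lower() for a in SRT_ACTIONS}
    for stmt in _as_list((policy or {}).get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or SRT_PRINCIPAL not in services:
            continue
        actions = _as_list(stmt.get("Action"))
        granted |= {a.lower() for a in actions}
        extra = sorted(a for a in actions if a.lower() not in wanted)
        if extra:
            findings.append(f"extra actions: {extra}")
        if set(_as_list(stmt.get("Resource"))) - allowed:
            findings.append("resource outside the bucket")
    missing = [a for a in SRT_ACTIONS
               if not any(fnmatchcase(a.lower(), g) for g in granted)]
    if missing:
        findings.append(f"missing actions: {missing}")
    return findings
```

Calling merge_srt_statement(None, "bucket-name") yields a policy that contains only the page's statement, and audit_srt_grants returns an empty list for it.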

You can also authorize the SRT through the API by creating an IAM role, attaching the policy AWSShieldDRTAccessPolicy to it, and then passing the role to the operation AssociateDRTRole.