Using Amazon CloudFormation with automatic application layer DDoS mitigation - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Using Amazon CloudFormation with automatic application layer DDoS mitigation

This page explains how to use Amazon CloudFormation to manage your Shield Advanced protections and the Amazon WAF web ACLs that automatic application layer DDoS mitigation uses.

Enabling or disabling automatic application layer DDoS mitigation

You can enable and disable automatic application layer DDoS mitigation through Amazon CloudFormation, using the ApplicationLayerAutomaticResponseConfiguration property of the AWS::Shield::Protection resource. The effect is the same as when you enable or disable the feature through the console or any other interface. For information about the Amazon CloudFormation resource, see AWS::Shield::Protection in the Amazon CloudFormation user guide.

Managing web ACLs used with automatic mitigation

Shield Advanced manages automatic mitigation for your protected resource using a rule group rule in the protected resource's Amazon WAF web ACL. Through the Amazon WAF console and APIs, you'll see the rule listed in your web ACL rules, with a name that starts with ShieldMitigationRuleGroup. This rule is dedicated to your automatic application layer DDoS mitigation and it's managed for you by Shield Advanced and Amazon WAF. For more information, see Protecting the application layer with the Shield Advanced rule group and How Shield Advanced manages automatic mitigation.

If you use Amazon CloudFormation to manage your web ACLs, don't add the Shield Advanced rule group rule to your web ACL template. When you update a web ACL that's being used with your automatic mitigation protections, Amazon WAF automatically manages the rule group rule in the web ACL.

You'll see the following differences compared to other web ACLs that you manage through Amazon CloudFormation:

  • Amazon CloudFormation doesn't report drift for the difference between the web ACL's actual configuration, which contains the Shield Advanced rule group rule, and your web ACL template, which doesn't. The Shield Advanced rule won't appear in the actual property values listed for the resource in the drift details.

    You will be able to see the Shield Advanced rule group rule in web ACL listings that you retrieve from Amazon WAF, such as through the Amazon WAF console or Amazon WAF APIs.

  • If you modify the web ACL template in a stack, Amazon WAF and Shield Advanced automatically maintain the Shield Advanced automatic mitigation rule in the updated web ACL. The automatic mitigation protections provided by Shield Advanced are not interrupted by your update to the web ACL.

Don't include or manage the Shield Advanced rule in your Amazon CloudFormation web ACL template. Follow the best practices for web ACL management at Best practices for using automatic application layer DDoS mitigation.
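The following is an added example, not code from this page or from AWS. It puts the two points above into one template: the AWS::Shield::Protection resource that turns automatic application layer DDoS mitigation on or off, and an AWS::WAFv2::WebACL resource that lists only your own rules, with no ShieldMitigationRuleGroup rule. It adds two checks a practitioner would want: a lint that rejects a template in which someone has hand-added the Shield-managed rule, and a filter that finds that rule in the output of `aws wafv2 get-web-acl`, which is where it does appear even though drift detection ignores it. The ARN, logical IDs, metric names and the sample GetWebACL response are constructed for illustration; the template is in CloudFormation's JSON form so it can be written out with `to_json` and deployed as-is.

```python
"""Added example, not AWS code: a CloudFormation template (JSON form) for a
Shield Advanced protection with automatic application layer DDoS mitigation,
plus two checks: a lint that rejects a hand-added ShieldMitigationRuleGroup
rule in the template, and a filter that finds that rule in a GetWebACL
response. The ARN, logical IDs and sample API response are constructed."""
import json

SHIELD_RULE_PREFIX = "ShieldMitigationRuleGroup"
# Constructed ARN of the protected Application Load Balancer.
ALB_ARN = ("arn:aws:elasticloadbalancing:us-east-1:111122223333:"
           "loadbalancer/app/example-alb/0123456789abcdef")


def _visibility(metric: str) -> dict:
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric}


def build_template(automatic_mitigation: bool = True, action: str = "Block") -> dict:
    """Regional web ACL, its association to the ALB, and the Shield protection.
    The web ACL lists only our own rule; the ShieldMitigationRuleGroup rule is
    added and maintained by Shield Advanced and must not be written here."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "ExampleWebACL": {
                "Type": "AWS::WAFv2::WebACL",
                "Properties": {
                    "Name": "example-web-acl",
                    "Scope": "REGIONAL",
                    "DefaultAction": {"Allow": {}},
                    "VisibilityConfig": _visibility("ExampleWebACL"),
                    "Rules": [{
                        "Name": "RateLimitPerIp",
                        "Priority": 1,
                        "Action": {"Block": {}},
                        "Statement": {"RateBasedStatement": {
                            "Limit": 2000, "AggregateKeyType": "IP"}},
                        "VisibilityConfig": _visibility("RateLimitPerIp"),
                    }],
                },
            },
            "ExampleWebACLAssociation": {
                "Type": "AWS::WAFv2::WebACLAssociation",
                "Properties": {
                    "ResourceArn": ALB_ARN,
                    "WebACLArn": {"Fn::GetAtt": ["ExampleWebACL", "Arn"]},
                },
            },
            "ExampleProtection": {
                "Type": "AWS::Shield::Protection",
                # Automatic mitigation needs a web ACL on the resource first.
                "DependsOn": "ExampleWebACLAssociation",
                "Properties": {
                    "Name": "example-alb-protection",
                    "ResourceArn": ALB_ARN,
                    "ApplicationLayerAutomaticResponseConfiguration": {
                        "Status": "ENABLED" if automatic_mitigation else "DISABLED",
                        "Action": {action: {}},  # "Block" or "Count"
                    },
                },
            },
        },
    }


def to_json(template: dict) -> str:
    """Serialize for `aws cloudformation deploy --template-file`."""
    return json.dumps(template, indent=2)


def lint_template(template: dict) -> list:
    """Flag any web ACL rule whose name uses the prefix Shield Advanced
    reserves for its automatic mitigation rule."""
    problems = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::WAFv2::WebACL":
            continue
        for rule in res.get("Properties", {}).get("Rules", []):
            if str(rule.get("Name", "")).startswith(SHIELD_RULE_PREFIX):
                problems.append(f"{logical_id}: rule {rule['Name']!r} is "
                                "managed by Shield Advanced; remove it")
    return problems


def shield_managed_rules(get_web_acl_response: dict) -> list:
    """The rule(s) Shield Advanced manages, as seen in `wafv2 get-web-acl`."""
    return [r for r in get_web_acl_response["WebACL"]["Rules"]
            if r["Name"].startswith(SHIELD_RULE_PREFIX)]


def own_rules_match(template: dict, logical_id: str, response: dict) -> bool:
    """Compare template rules with the live web ACL, ignoring the Shield rule,
    which is the same thing stack drift detection leaves out."""
    expected = sorted(r["Name"] for r in
                      template["Resources"][logical_id]["Properties"]["Rules"])
    live = sorted(r["Name"] for r in response["WebACL"]["Rules"]
                  if not r["Name"].startswith(SHIELD_RULE_PREFIX))
    return expected == live


# Constructed stand-in for `aws wafv2 get-web-acl` output: our rule plus the
# rule Shield Advanced inserted (the real name carries a generated suffix).
SAMPLE_GET_WEB_ACL = {"WebACL": {"Name": "example-web-acl", "Rules": [
    {"Name": "RateLimitPerIp"}, {"Name": SHIELD_RULE_PREFIX + "_example"}]}}
```

Run `lint_template` in CI before every stack update; a template that passes it keeps the Shield-managed rule out of your hands, and `own_rules_match` gives you the same comparison drift detection makes, so a mismatch there is real drift in your own rules rather than the expected presence of the ShieldMitigationRuleGroup rule. Switching `build_template(automatic_mitigation=False)` and redeploying is the CloudFormation equivalent of disabling the feature in the console.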