Using Amazon CloudFormation with automatic application layer DDoS mitigation
This page explains how to use Amazon CloudFormation to manage your protections and Amazon WAF web ACLs.
Enabling or disabling automatic application layer DDoS mitigation
You can enable and disable automatic application layer DDoS mitigation through Amazon CloudFormation, using the AWS::Shield::Protection resource. The effect is the same as when you enable or disable the feature through the console or any other interface. For information about the Amazon CloudFormation resource, see AWS::Shield::Protection in the Amazon CloudFormation user guide.
Managing web ACLs used with automatic mitigation
Shield Advanced manages automatic mitigation for your protected resource using a rule group rule in the protected resource's Amazon WAF web ACL. Through the Amazon WAF console and APIs, you'll see the rule listed in your web ACL rules, with a name that starts with ShieldMitigationRuleGroup. This rule is dedicated to your automatic application layer DDoS mitigation and it's managed for you by Shield Advanced and Amazon WAF. For more information, see Protecting the application layer with the Shield Advanced rule group and How Shield Advanced manages automatic mitigation.
If you use Amazon CloudFormation to manage your web ACLs, don't add the Shield Advanced rule group rule to your web ACL template. When you update a web ACL that's being used with your automatic mitigation protections, Amazon WAF automatically manages the rule group rule in the web ACL.
You'll see the following differences compared to other web ACLs that you manage through Amazon CloudFormation:
- Amazon CloudFormation won't report drift in the stack drift status between the actual configuration of the web ACL, which contains the Shield Advanced rule group rule, and your web ACL template, which doesn't. The Shield Advanced rule won't appear in the actual-property listing for the resource in the drift details.
- You will still see the Shield Advanced rule group rule in web ACL listings that you retrieve from Amazon WAF, such as through the Amazon WAF console or Amazon WAF APIs.
- If you modify the web ACL template in a stack, Amazon WAF and Shield Advanced automatically maintain the Shield Advanced automatic mitigation rule in the updated web ACL. The automatic mitigation protections provided by Shield Advanced are not interrupted by your update to the web ACL.
Don't manage the Shield Advanced rule in your Amazon CloudFormation web ACL template. The web ACL template shouldn't list the Shield Advanced rule. Follow the best practices for web ACL management at Best practices for using automatic application layer DDoS mitigation.
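The following template is an added example, not taken from the AWS documentation, that ties the two sections above together: a CloudFormation-managed regional web ACL that lists only the rules you own (no ShieldMitigationRuleGroup rule), its association with an Application Load Balancer, and an AWS::Shield::Protection resource that turns automatic application layer DDoS mitigation on or off through a stack parameter. It assumes an active Shield Advanced subscription in the account, a regional ALB whose ARN is supplied at deploy time (a placeholder parameter here), and illustrative resource and metric names; the Count action is a starting choice, not a requirement.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the AWS documentation). A CloudFormation-managed
  regional web ACL associated with an Application Load Balancer, plus a Shield
  Advanced protection that enables automatic application layer DDoS mitigation.
  Assumes an active Shield Advanced subscription in the account.

Parameters:
  LoadBalancerArn:
    Type: String
    Description: ARN of the Application Load Balancer to protect (placeholder, supplied at deploy time)
  MitigationStatus:
    Type: String
    Default: ENABLED
    AllowedValues: [ENABLED, DISABLED]
    Description: Set to DISABLED to turn automatic mitigation off with a stack update

Resources:
  # The web ACL template deliberately lists only the rules you manage.
  # The ShieldMitigationRuleGroup* rule is added and maintained by Shield Advanced
  # and Amazon WAF; it must not appear here, and CloudFormation does not report
  # its presence in the live web ACL as drift.
  WebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: example-protected-alb-web-acl   # illustrative name
      Scope: REGIONAL                       # ALB is a regional resource
      DefaultAction:
        Allow: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: ExampleProtectedAlbWebAcl
      Rules:
        - Name: AWS-AWSManagedRulesCommonRuleSet
          Priority: 10
          OverrideAction:
            None: {}
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesCommonRuleSet
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: CommonRuleSet

  WebAclAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref LoadBalancerArn
      WebACLArn: !GetAtt WebAcl.Arn

  # Automatic application layer mitigation needs a web ACL already associated
  # with the protected resource, hence the explicit DependsOn.
  ShieldProtection:
    Type: AWS::Shield::Protection
    DependsOn: WebAclAssociation
    Properties:
      Name: example-alb-protection          # illustrative name
      ResourceArn: !Ref LoadBalancerArn
      ApplicationLayerAutomaticResponseConfiguration:
        Status: !Ref MitigationStatus       # ENABLED or DISABLED
        # Count lets you observe what the mitigation would block before
        # switching the action to "Block: {}".
        Action:
          Count: {}

Outputs:
  WebAclArn:
    Value: !GetAtt WebAcl.Arn
  ProtectionId:
    Value: !GetAtt ShieldProtection.ProtectionId
```

Deploy it with `aws cloudformation deploy --template-file template.yaml --stack-name example-shield-auto-mitigation --parameter-overrides LoadBalancerArn=<your ALB ARN>`. Once the stack is in place, `aws wafv2 get-web-acl` for the web ACL will show an additional rule whose name starts with ShieldMitigationRuleGroup even though the template has no such rule; as described above, that is expected, CloudFormation will not flag it as drift, and later updates to the web ACL through this template leave the Shield-managed rule in place. To turn the feature off without touching the web ACL, update the stack with `MitigationStatus=DISABLED`.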