Amazon managed policies for Amazon Shield
An Amazon managed policy is a standalone policy that is created and administered by Amazon. Amazon managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.
Keep in mind that Amazon managed policies might not grant least-privilege permissions for your specific use cases because they're available for all Amazon customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.
You cannot change the permissions defined in Amazon managed policies. If Amazon updates the permissions defined in an Amazon managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. Amazon is most likely to update an Amazon managed policy when a new Amazon Web Services service is launched or new API operations become available for existing services.
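Because an update to a managed policy silently reaches every principal it is attached to, it is worth comparing the allowed actions of two policy versions whenever a new default version appears. The example below is added here and is not AWS code; the two embedded documents are constructed stand-ins (not the real contents of AWSShieldDRTAccessPolicy or AWSShieldServiceRolePolicy), and in practice you would feed it the `Document` fields returned by `aws iam get-policy-version` for the previous and current version IDs.

```python
import json

# Constructed sample documents standing in for two versions of an Amazon managed
# policy. They are NOT the real contents of any Shield managed policy; the action
# names are illustrative only.
OLD_VERSION = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["wafv2:GetWebACL", "wafv2:ListWebACLs"], "Resource": "*"},
        {"Effect": "Allow", "Action": "shield:DescribeProtection", "Resource": "*"},
    ],
})
NEW_VERSION = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["wafv2:GetWebACL", "wafv2:ListWebACLs", "wafv2:UpdateWebACL"], "Resource": "*"},
        {"Effect": "Allow", "Action": "shield:DescribeProtection", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},  # Deny does not widen access, so it is ignored below
    ],
})

def _as_list(value):
    """IAM accepts either a single string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def allowed_actions(policy_json):
    """Return the set of action strings granted by Effect:Allow statements.
    Wildcards such as 'wafv2:*' are kept verbatim, not expanded."""
    doc = json.loads(policy_json)
    actions = set()
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions.update(_as_list(stmt.get("Action")))
    return actions

def diff_policy_versions(old_json, new_json):
    """Compare two policy versions and return (newly_allowed, no_longer_allowed)."""
    old, new = allowed_actions(old_json), allowed_actions(new_json)
    return sorted(new - old), sorted(old - new)

if __name__ == "__main__":
    added, removed = diff_policy_versions(OLD_VERSION, NEW_VERSION)
    print("newly allowed actions:", added)
    print("actions no longer allowed:", removed)
```

A non-empty "newly allowed" list is the signal to review which roles the policy is attached to before the new version takes effect on them.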
For more information, see Amazon managed policies in the IAM User Guide.
This section explains how to use Amazon managed policies for Shield.
Amazon managed policy: AWSShieldDRTAccessPolicy
Amazon Shield uses this managed policy when you grant permission to the Shield Response Team (SRT) to act on your behalf. This policy gives the SRT limited access to your Amazon account, to assist with DDoS attack mitigation during high-severity events. This policy allows the SRT to manage your Amazon WAF rules and Shield Advanced protections and to access your Amazon WAF logs.
For information about granting permission to the SRT to operate on your behalf, see Granting access for the SRT.
For details about this policy, see AWSShieldDRTAccessPolicy.
Amazon managed policy: AWSShieldServiceRolePolicy
Shield Advanced uses this managed policy when you enable automatic application layer DDoS mitigation, to set the permissions it needs to manage resources for your account. This policy allows Shield Advanced to create and apply Amazon WAF rules and rule groups in the web ACLs that you've associated with your protected resources, to automatically respond to DDoS attacks.
You can't attach AWSShieldServiceRolePolicy to your IAM entities. Shield attaches this policy to the service-linked role AWSServiceRoleForAWSShield to allow Shield to perform actions on your behalf.
Shield Advanced enables the use of this policy when you enable automatic application layer DDoS mitigation. For more information about how this policy is used, see Automating application layer DDoS mitigation with Shield Advanced.
For information about the service-linked role AWSServiceRoleForAWSShield that uses this policy, see Using service-linked roles for Shield Advanced.
For details about this policy, see AWSShieldServiceRolePolicy.
Shield updates to Amazon managed policies
View details about updates to Amazon managed policies for Shield since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Shield document history page at Document history.
| Policy | Description of change | Date |
|---|---|---|
| AWSShieldServiceRolePolicy (new policy). This policy allows Shield to access and manage Amazon resources in order to automatically respond to application layer DDoS attacks on your behalf. Details in IAM console: AWSShieldServiceRolePolicy. | Added this policy to provide Shield Advanced with the permissions required for the automatic application layer DDoS mitigation functionality. For information about this feature, see Automating application layer DDoS mitigation with Shield Advanced. | December 1, 2021 |
| Shield started tracking changes | Shield started tracking changes for its Amazon managed policies. | March 3, 2021 |