How do I check if Shield Advanced is protecting my resources from DDoS attacks?


I want to verify that AWS Shield Advanced protects my AWS resources from distributed denial-of-service (DDoS) attacks.

Short description

To verify that Shield Advanced is protecting your resources, use the AWSPremiumSupport-DDoSResiliencyAssessment runbook to automate a resource check.

The runbook generates a report that shows whether you configured Shield Advanced based on the best practices for your resources.

Note: The runbook publishes a file in the Amazon Simple Storage Service (Amazon S3) bucket and might incur charges. For more information, see Amazon S3 pricing.

Resolution

To run the AWSPremiumSupport-DDoSResiliencyAssessment runbook, complete the following steps:

  1. Open the AWS Systems Manager console.
  2. Access the AWSPremiumSupport-DDoSResiliencyAssessment runbook.
  3. Choose the AWS Region for the AWS account where you want to run the automation.
  4. Choose Execute Automation.
  5. Enter the following values for the input parameters:
    (Optional) AutomationAssumeRole. The ARN of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If you don't specify a role, then Systems Manager Automation uses the permissions of the user that started the runbook.
    (Optional) AssessmentType. The type of resources that you want to evaluate. By default, the runbook evaluates global and Regional resources.
    S3BucketName. The name of the Amazon S3 bucket where you want to save the assessment report.
    S3BucketOwnerAccount. The ID of the account that owns the Amazon S3 bucket. This is required only when the bucket belongs to a different account from the account where you're running the automation.
    (Optional) S3BucketPrefix. The prefix for the path in the Amazon S3 bucket where you want to store the report.
    (Optional) S3BucketOwnerRoleArn. The ARN of the IAM role that has permissions to describe the Amazon S3 bucket. If the bucket is in a different account, then the IAM role can also control the public access configuration. If you don't specify S3BucketOwnerRoleArn, then the runbook uses AutomationAssumeRole or the IAM user that started the runbook.
  6. Choose Execute.
  7. Locate the Amazon S3 bucket URL in the Output section of the report.
  8. Open the URL in a web browser to view the HTML assessment report file.
  9. On the report, you can view the resources that have Shield Advanced protection activated. To review additional information, choose a resource from the list.
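The same procedure can be driven from the AWS CLI instead of the console, which is useful when you want to run the assessment on a schedule or from a CI job. The script below is an added example, not part of the AWS article or the runbook itself. It assumes AWS CLI v2 is installed and configured with credentials that are allowed to start Systems Manager Automation executions, that the account's support plan permits the AWSPremiumSupport-* runbooks, and that the bucket and role ARN you pass in exist; the values used in the usage call at the bottom are placeholders. The runbook's output key names are not listed in the article, so the script prints the whole Outputs map and you locate the report URL in it, as in step 7.

```shell
#!/bin/sh
# Added example: start the AWSPremiumSupport-DDoSResiliencyAssessment runbook
# with the AWS CLI, wait for it to finish, and print its outputs.
# Assumes: AWS CLI v2 configured; bucket and role ARN are placeholders.

# Build the --parameters JSON for `aws ssm start-automation-execution`.
# SSM expects a map of parameter name -> list of strings. Optional parameters
# are included only when set, so the runbook keeps its own defaults otherwise.
build_params() {
  bucket="$1"; prefix="${2:-}"; role_arn="${3:-}"
  params="{\"S3BucketName\":[\"$bucket\"]"
  if [ -n "$prefix" ]; then
    params="$params,\"S3BucketPrefix\":[\"$prefix\"]"
  fi
  if [ -n "$role_arn" ]; then
    params="$params,\"AutomationAssumeRole\":[\"$role_arn\"]"
  fi
  printf '%s}' "$params"
}

# Return 0 when an automation status is terminal (no point polling further).
is_terminal_status() {
  case "$1" in
    Success|Failed|Cancelled|TimedOut|CompletedWithSuccess|CompletedWithFailure) return 0 ;;
    *) return 1 ;;
  esac
}

# Start the runbook and print the execution ID.
start_assessment() {
  aws ssm start-automation-execution \
    --document-name AWSPremiumSupport-DDoSResiliencyAssessment \
    --parameters "$(build_params "$1" "${2:-}" "${3:-}")" \
    --query AutomationExecutionId --output text
}

# Poll until the execution reaches a terminal status, then print that status.
wait_for_assessment() {
  exec_id="$1"
  while :; do
    status=$(aws ssm get-automation-execution \
      --automation-execution-id "$exec_id" \
      --query AutomationExecution.AutomationExecutionStatus --output text)
    if is_terminal_status "$status"; then
      break
    fi
    sleep 30
  done
  echo "$status"
}

# Print the Outputs map; the HTML report URL (step 7 of the article) is in it.
show_outputs() {
  aws ssm get-automation-execution \
    --automation-execution-id "$1" \
    --query AutomationExecution.Outputs --output json
}

# Usage (placeholders): run only when executed directly, not when sourced.
if [ "${0##*/}" = "ddos-assessment.sh" ]; then
  exec_id=$(start_assessment "my-shield-report-bucket" "shield/assessments" \
    "arn:aws:iam::123456789012:role/PLACEHOLDER-AutomationRole")
  echo "Started automation $exec_id"
  status=$(wait_for_assessment "$exec_id")
  echo "Finished with status: $status"
  show_outputs "$exec_id"
fi
```

If the runbook ends in Failed, `aws ssm get-automation-execution` also returns a FailureMessage field in the same JSON, which usually points at a missing bucket permission or an unsupported support plan rather than a problem with Shield Advanced itself.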

To turn on Shield Advanced protection for your resources, choose Add Resources to Shield Protected List on the report.

Related information

AWS best practices for DDoS resiliency

Run an automation step by step

Setting up Automation

AWS Support Automation Workflows (SAW)