How do I protect my AWS resources from DDoS attacks?

3 minute read

I want to verify whether AWS Shield Advanced is protecting my AWS resources from distributed denial-of-service (DDoS) attacks.

Short description

AWS Shield Advanced is a service that helps you protect your application against external threats, like DDoS attacks. To verify whether Shield Advanced is protecting your resources, use the AWSPremiumSupport-DDoSResiliencyAssessment runbook to automate a resource check.

The runbook generates a report that shows whether Shield Advanced is activated and configured based on best practices for your specific resources.

Note: The runbook publishes a file in the Amazon Simple Storage Service (Amazon S3) bucket, and might incur charges. For more information, see Amazon S3 pricing.

Resolution

To run the AWSPremiumSupport-DDoSResiliencyAssessment runbook, complete the following steps:

Access the AWSPremiumSupport-DDoSResiliencyAssessment runbook in the AWS Systems Manager console.
Choose the AWS Region for the account where you want to run the automation.
Choose Execute Automation.
Enter the following values for the input parameters:
(Optional) AutomationAssumeRole: The ARN of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If you don't specify a role, then Systems Manager Automation uses the permissions of the user that started the runbook.
(Optional) AssessmentType: The type of resources to evaluate for the DDoS resiliency assessment. By default, the runbook evaluates global and AWS Regional resources.
S3BucketName: The name of the Amazon S3 bucket where you want to save the assessment report.
S3BucketOwnerAccount: The ID of the AWS account that owns the Amazon S3 bucket. This is required only if the Amazon S3 belongs to an account other than the account that runs the automation.
(Optional) S3BucketPrefix: The prefix for the path in the Amazon S3 bucket where you want to store the report.
(Optional) S3BucketOwnerRoleArn: The ARN of an IAM role that has permissions to describe the Amazon S3 bucket. If the bucket is in a different account, then this role can also control the public access configuration. If you don't specify this parameter, then the runbook uses the AutomationAssumeRole or the IAM user that started the runbook.
Choose Execute.
Locate the Amazon S3 bucket URL in the Output section of the report.
Open the URL in a web browser to view the HTML assessment report file.
On the report, view the information about resources that have Shield Advanced Protection activated. To see additional information, choose a resource from the list.

To turn on Shield Advanced protection for resources, select Add Resources to Shield Protected List for the resource on the report.

Related information

AWS best practices for DDoS resiliency

Run an automation

Setting up Automation

AWS Support Automation Workflows (SAW)

Topics

Management & Governance End User Computing

Relevant content

How to protect EC2 against intermittent DDos attack
AdrianJones
asked 2 years ago
Is there any visibility into if a DDoS attack occurs on an API Gateway using WAF & Shield Standard?
Accepted Answer
rePost-User-2581820
asked a year ago
AWS Network Firewall to protect against DDoS layer 7 attacks
rePost-User-2820918
asked a year ago
Baby DDOS Attacks Triggering AWS Shield Standard Throttling ? Causing ICMP to Fail.
stumped
asked a year ago
Are Lightsail instances protected against DDOS by default using AWS Shield Standard ?
Accepted Answer
rePost-User-2758834
asked a year ago
How can I defend against DDoS attacks with Shield Standard?
AWS OFFICIALUpdated a year ago
How do I configure AWS WAF to protect my resources from common attacks?
AWS OFFICIALUpdated 3 years ago
How can I simulate a DDoS attack to test Shield Advanced?
AWS OFFICIALUpdated 2 years ago
How many resources can Shield Advanced protect?
AWS OFFICIALUpdated a year ago
Building Security Conscious Video Streaming Infrastructure on AWS, Lesson 2: Protect Your Buckets
EXPERT
BCole2019
published 6 months ago