ShieldMitigationRuleGroup Priority modified from default 10,000,000

0

I have used Firewall Manager with a Shield Advanced policy to deploy automatic DDoS mitigation to our dev accounts. All of our dev accounts and associated web ACLs under Shield protection have the correct priority of 10,000,000, except one. I received a support ticket from one of our teams indicating that a Terraform build failed due to the ShieldMitigationRuleGroup-*** in that account having a priority of 24, causing a duplication error. They manually deleted the rule group and continued with their deployment.

I am aware that deleting this rule group should be avoided... however, it was restored shortly after with a new ShieldMitigationRuleGroup-*** and had the proper 10,000,000 priority, so I thought it was a fluke and the issue was resolved. I checked the following day and the new rule group now had a value of 24 again. I have scoured CloudTrail and there is no evidence of what modified the priority (automated or manual actions).

Can someone explain to me what could possibly modify this rule group considering that:

  1. It is owned by AWS, therefore no entity in this account should be able to modify it
  2. Terraform explicitly indicates for the wafv2_web_acl resource that any rules matching the ShieldMitigationRuleGroup pattern will be ignored

msklein, asked 3 months ago, 953 views
1 Answer
1

Hi, you must be able to set ON/OFF automatic AWS Shield mitigation. In Terraform there is a nice example here: https://github.com/cloudposse/terraform-aws-firewall-manager/blob/main/shield_advanced.tf. I'm guessing the SSM automation (https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-aws-ddosresiliencyassessment.html) is executed to fix a missing rule if AWS Shield mitigation is not disabled; you should be able to check it in SSM.

answered 3 months ago
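Whatever the cause of the drift turns out to be, the practical control is to detect it before the next apply fails. The script below is an added example for this thread, not code from the question, the answer or any AWS tooling: it takes a web ACL in the shape returned by wafv2 GetWebACL, lists every ShieldMitigationRuleGroup rule whose priority is not the Firewall Manager default of 10,000,000, and reports priorities shared by more than one rule (the duplicate that breaks the Terraform build). The web ACL embedded in it is a constructed sample with placeholder ids and a placeholder ARN; the `audit_account` wrapper is an assumed boto3 usage for running the same checks live and needs `wafv2:ListWebACLs` and `wafv2:GetWebACL`.

```python
"""Audit WAFv2 web ACLs for ShieldMitigationRuleGroup priority drift.

Added example for this thread (not from the question, the answer or AWS).
SAMPLE_WEB_ACL is a constructed sample; audit_account() is an assumed boto3
wrapper and is only imported/used with --live.
"""
import sys

SHIELD_RULE_PREFIX = "ShieldMitigationRuleGroup"
DEFAULT_SHIELD_PRIORITY = 10_000_000

# Constructed sample: one web ACL whose Shield rule has drifted to priority 24.
SAMPLE_WEB_ACL = {
    "Name": "dev-app-web-acl",
    "Id": "00000000-0000-0000-0000-000000000000",  # placeholder id
    "Rules": [
        {
            "Name": "rate-limit",
            "Priority": 0,
            "Statement": {"RateBasedStatement": {"Limit": 2000, "AggregateKeyType": "IP"}},
        },
        {
            "Name": "ShieldMitigationRuleGroup-EXAMPLE",  # placeholder suffix
            "Priority": 24,
            "Statement": {
                "RuleGroupReferenceStatement": {
                    # placeholder ARN, not a real rule group
                    "ARN": "arn:aws:wafv2:us-east-1:111122223333:regional/rulegroup/"
                           "ShieldMitigationRuleGroup-EXAMPLE/00000000-0000-0000-0000-000000000000"
                }
            },
        },
    ],
}


def shield_rules(web_acl):
    """Rules managed by Shield/Firewall Manager, identified by name prefix."""
    return [r for r in web_acl.get("Rules", []) if r["Name"].startswith(SHIELD_RULE_PREFIX)]


def find_priority_drift(web_acl, expected=DEFAULT_SHIELD_PRIORITY):
    """(rule name, actual priority) for each Shield rule not at `expected`."""
    return [(r["Name"], r["Priority"]) for r in shield_rules(web_acl) if r["Priority"] != expected]


def find_priority_collisions(web_acl):
    """Priorities used by more than one rule, mapped to the rule names.

    WAFv2 requires unique priorities within a web ACL, so a Shield rule sitting
    at a low number collides with any customer rule that wants the same slot.
    """
    seen = {}
    for r in web_acl.get("Rules", []):
        seen.setdefault(r["Priority"], []).append(r["Name"])
    return {p: names for p, names in seen.items() if len(names) > 1}


def audit_account(scope="REGIONAL", region=None):
    """Run the drift check over every web ACL the caller can see (assumed
    boto3 usage). For scope CLOUDFRONT the region must be us-east-1."""
    import boto3  # imported here so the offline sample needs no boto3

    client = boto3.client("wafv2", region_name=region)
    findings, marker = [], None
    while True:
        kwargs = {"Scope": scope}
        if marker:
            kwargs["NextMarker"] = marker
        page = client.list_web_acls(**kwargs)
        for summary in page["WebACLs"]:
            acl = client.get_web_acl(Name=summary["Name"], Scope=scope, Id=summary["Id"])["WebACL"]
            for rule_name, prio in find_priority_drift(acl):
                findings.append((acl["Name"], rule_name, prio))
        marker = page.get("NextMarker")
        if not marker:
            break
    return findings


if __name__ == "__main__":
    if "--live" in sys.argv:
        for acl_name, rule_name, prio in audit_account():
            print(f"{acl_name}: {rule_name} at priority {prio}, expected {DEFAULT_SHIELD_PRIORITY}")
    else:
        print("drift:", find_priority_drift(SAMPLE_WEB_ACL))
        print("collisions:", find_priority_collisions(SAMPLE_WEB_ACL))
```

Run it without arguments to see the checks against the embedded sample; with `--live` it walks the account's regional web ACLs. Scheduling the live run (or wiring the same functions into a Config rule or a pre-apply CI step) gives you a timestamped record of when the priority changes, which is the evidence CloudTrail did not provide here.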
