Add Resource to AWS Shield and associate with WAF policy

timckt commented 3 months ago

Background

Shield advanced is enabled using AWS Firewall Manager policies. This is managed in the aws-root-account Terraform code. Our both Cloud Platform and Cloud Platform Ephemeral Test AWS Account have already enabled AWS Shield but there are no resource to be protected for Cloud Platform AWS account at the moment.

We need to add the resource to AWS Shield Advanced and associate an WAF policy to these resources if applicable.

It seems only Application load balancer can be associated with AWS WAF web ACL and Automatic application layer DDoS mitigation. Its not applicate for EIP.

AWS document here

Proposed user journey

Ask Dave to help add CP production account into the local.shield_advanced_auto_remediate.accounts),
EIP
NLB (Block by https://github.com/ministryofjustice/cloud-platform/issues/6000)
Route 53
Associate WAF policy to each resource if applicable

Refer to #5644 comment for more detail

Approach

Which part of the user docs does this impact

Communicate changes

[ ] post for #cloud-platform-update
[ ] Weeknotes item
[ ] Show the Thing/P&A All Hands/User CoP
[ ] Announcements channel

Questions / Assumptions

Definition of done

[ ] Add EIP to Shield
[ ] Add R53 to Shield
[ ] Add NLB through EIP to Shield
[ ] Associate WAF policy to each resource if applicable
[ ] Integration tests are green
[ ] Prepare demo for the team

Reference

How to write good user stories

timckt commented 2 months ago

This ticket is blocked by the outcome of #6114.

We shall need to discuss the next action item for ingress if we would like to implement AWS Shield Advanced. Once we have solve the IP incident and have a decision on the new ingress deployment, we can visit back this ticket.

timckt commented 2 months ago

Apart from EIP and ALB, we can add AWS Shield Advanced protection for Route 53, and the working branch is here.

Pros of adding Route 53:
- Enhanced DDoS Protection: AWS Shield Advanced provides sophisticated protection against DDoS attacks, especially for critical DNS services like Route 53. It offers automatic attack detection and mitigation at both the infrastructure and application levels, minimizing downtime.
- Real-Time Attack Visibility: New CloudWatch alarm allows for real-time monitoring of attack patterns.
- 24/7 AWS Shield Advanced SRT (Shield Response Team): AWS SRT team can provide guidance and assistance in mitigating large-scale attacks.
Limitation of adding Route 53:
- No Layer 7 protection Same as EIP, Route 53 does not have Layer 7 protection and no automatic application layer DDoS mitigation. We can only rely on passive monitoring by AWS. We cannot set rate based rule for route 53.

Reference: https://docs.aws.amazon.com/waf/latest/developerguide/ddos-event-mitigation-logic-continuous-inspection.html

Also for SNS Notifications in AWS Shield Advanced:

Inside the Shield Advanced Protection resources, SNS can be used for DDoS detected alarms, but requires permissions in Firewall Manager to create global SNS topics.
- We currently do not have the necessary permissions to create and manage global SNS topics.
Amazon SNS notifications may be delayed, and are not sent in real-time for potential DDoS activity. (reference here)

From above AWS document, to enable real-time notifications of potential DDoS activity, we can use a CloudWatch alarm.

Real-time notifications: CloudWatch provides faster alerts, triggering as soon as DDoS activity is detected.
No additional permissions: CloudWatch alarms do not require Firewall Manager or SNS permissions, simplifying setup.
to reduce the noise and confusion, we should only use CloudWatch alarm and no need SNS Notifications in AWS Shield Advanced.

ministryofjustice / cloud-platform