ministryofjustice / modernisation-platform

A place for the core work of the Modernisation Platform • This repository is defined and managed in Terraform
https://user-guide.modernisation-platform.service.justice.gov.uk
MIT License

Spike: Investigate use of AWS Shield advanced #1601

Closed davidkelliott closed 2 years ago

davidkelliott commented 2 years ago

User Story

We want to ensure we have the means to identify and mitigate DoS attacks. AWS Shield (https://aws.amazon.com/shield/?whats-new-cards.sort-by=item.additionalFields.postDateTime&whats-new-cards.sort-order=desc) is a product that may help with this, offering greater protection and monitoring.

Check if this is something we want to implement, discuss with other teams to gauge their interest in using it. (It is applied at an org level)

Value

Questions / Assumptions

Definition of done

Reference

How to write good user stories

davidkelliott commented 2 years ago

Intro

AWS Shield Advanced is a paid version of their free offering AWS Shield

Features comparison

Table - https://aws.amazon.com/shield/getting-started/

| Feature | Shield | Shield Advanced |
| --- | --- | --- |
| Cost | Free, WAF additional | $3000 per month per org, egress traffic costs, WAF included for protected resources, Firewall Manager policies included |
| Protects | Everything | CloudFront, Route 53, ELB, EC2, Global Accelerator, NLB |
| Protection offered | DDoS - Layer 3 and 4 (eg SYN/UDP floods, reflection attacks) | DDoS - Layer 3 and 4, automatic layer 7 mitigations (WAF for CloudFront only), additional DDoS mitigation capacity for large attacks |
| Support | Standard AWS support | AWS Shield Response Team |
| Monitoring | Standard CloudWatch metrics | DDoS specific metrics |
| Cost protection | No | Don't pay for usage from a DDoS attack |

How to implement

Subscribe once and agree to costs. It then needs to be enabled in each account individually. This can be done across multiple accounts using AWS Firewall Manager. AWS Firewall Manager can also be used to add protected resources across accounts. Policies can be scoped to accounts or OUs, and also tags. So for example we could automatically apply Shield Advanced to all resources with the "shield-advanced" tag in the Modernisation Platform OU via "Auto remediate any noncompliant resources". We would probably want to only include external facing endpoints to keep costs down. Automatic application layer DDoS mitigation can also be enabled to automatically generate WAF rules to block DDoS traffic; this is only for CloudFront distributions. Manual WAF mitigations and rules can be applied across CloudFront and ELBs. Similar applications can be managed together in protection groups.

Shield Response Team (SRT) support

You can give the SRT access to assist during an attack. There is also an option for proactive engagement, where they are notified and start working on an attack before you contact them; they can then apply WAF rules to mitigate the attack with our permission. This looks to have to be manually configured per account.

Terraform

AWS Firewall Manager policies can be implemented via Terraform.
There needs to be a Firewall Manager Administrator account, so this would most likely be the organisational security account and can be implemented with Terraform. Resources can also be added to AWS Shield Advanced at an account level via Terraform, although it's not clear how this would work or if it would be needed if we were using auto remediation; I suspect if manually added it would just show as already in compliance for auto remediation. Firewall Manager doesn't support Amazon Route 53 or AWS Global Accelerator, so these would need to be added manually.

Visibility

Activity is visible in the Shield dashboard per account. There are also some nice CloudWatch metrics which we could alert on: `DDoSDetected`, `DDoSAttackBitsPerSecond`, `DDoSAttackPacketsPerSecond`, `DDoSAttackRequestsPerSecond`.

Credit

To apply for credit for usage costs during an attack you need to request it within 15 days of the end of the billing month in which the attack occurred.

Quotas

https://docs.aws.amazon.com/waf/latest/developerguide/shield-limits.html
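The Firewall Manager policy and CloudWatch alarm described in the "How to implement", "Terraform" and "Visibility" sections above, as an added Terraform example that is not code from this repository. It assumes a delegated Firewall Manager administrator account; the account id, OU id, protected resource ARN and SNS topic are placeholders.

```hcl
# Delegated Firewall Manager administrator; applied from the org management account.
resource "aws_fms_admin_account" "security" {
  account_id = "111111111111" # placeholder: organisational security account
}

# Shield Advanced protection scoped to one OU and to resources tagged
# shield-advanced = "true", with auto-remediation of non-compliant resources.
# Route 53 and Global Accelerator are not supported by Firewall Manager and
# have to be added to Shield Advanced separately.
resource "aws_fms_policy" "shield_advanced" {
  name                  = "shield-advanced-external-endpoints"
  remediation_enabled   = true
  exclude_resource_tags = false # false: protect only resources carrying resource_tags

  resource_tags = {
    shield-advanced = "true"
  }

  resource_type_list = [
    "AWS::ElasticLoadBalancingV2::LoadBalancer",
    "AWS::ElasticLoadBalancing::LoadBalancer",
    "AWS::CloudFront::Distribution",
    "AWS::EC2::EIP",
  ]

  include_map {
    orgunit = ["ou-EXAMPLE-placeholder"] # placeholder: Modernisation Platform OU id
  }

  security_service_policy_data {
    type = "SHIELD_ADVANCED"
  }

  depends_on = [aws_fms_admin_account.security]
}

# Alert as soon as Shield reports an attack against a protected resource.
resource "aws_cloudwatch_metric_alarm" "ddos_detected" {
  alarm_name          = "shield-ddos-detected"
  namespace           = "AWS/DDoSProtection"
  metric_name         = "DDoSDetected"
  statistic           = "Sum"
  period              = 60
  evaluation_periods  = 1
  threshold           = 1
  comparison_operator = "GreaterThanOrEqualToThreshold"
  treat_missing_data  = "notBreaching" # no datapoint means no attack, not a failure

  dimensions = {
    ResourceArn = "arn:aws:elasticloadbalancing:eu-west-2:222222222222:loadbalancer/app/example/placeholder"
  }

  alarm_actions = ["arn:aws:sns:eu-west-2:222222222222:security-alerts"] # placeholder topic
}
```

One alarm per protected resource is needed because the metric is dimensioned on `ResourceArn`; the same pattern applies to the bits, packets and requests per second metrics listed above.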

davidkelliott commented 2 years ago

Discussion on Slack here - https://mojdt.slack.com/archives/CA454PY2C/p1648208672780309

Agreed that this will be implemented -

jake (they/them), 16 hours ago: Gonna pick this up on Friday to make sure it's enabled correctly (ie doesn't mess up billing).

Planning to:

- create a new SSO group to view Firewall Manager in the delegated administrator to give everyone visibility of shared rules (they're $100/policy)
- create a pipeline to apply new Firewall policies

jake (they/them), 16 hours ago: (Friday being 1st April, as the docs aren't clear on pro-rating, and $3K seems a lot for 4 days).

davidkelliott commented 2 years ago

ADR here - https://github.com/ministryofjustice/modernisation-platform/blob/main/architecture-decision-record/0018-use-aws-shield-advanced.md