For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-shield-advanced-not-in-use.md. A documentation index is available at /llms.txt.

Shield Advanced not in use

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-shield-advanced-not-in-use

Provider: AWS

Platform: CloudFormation

Severity: Low

Category: Networking and Firewall

Learn More

Description

Resources such as CloudFront distributions, Elastic Load Balancers, Global Accelerator accelerators, Elastic IPs, and Route 53 hosted zones should be protected by AWS Shield Advanced to reduce the risk of large-scale DDoS attacks that can cause prolonged service disruption and costly mitigation.

This check requires an AWS::FMS::Policy resource whose Properties.SecurityServicePolicyData.Type is set to SHIELD_ADVANCED. That FMS policy must include the relevant resource type in Properties.ResourceTypeList (for example, AWS::CloudFront::Distribution, AWS::ElasticLoadBalancing::LoadBalancer, AWS::GlobalAccelerator::Accelerator, AWS::EC2::EIP, or AWS::Route53::HostedZone). Resources without such an association will be flagged.

Secure configuration example:

ShieldAdvancedFmsPolicy:
  Type: AWS::FMS::Policy
  Properties:
    PolicyName: ShieldAdvancedPolicy
    ResourceTypeList:
      - AWS::CloudFront::Distribution
      - AWS::ElasticLoadBalancing::LoadBalancer
      - AWS::GlobalAccelerator::Accelerator
      - AWS::EC2::EIP
      - AWS::Route53::HostedZone
    SecurityServicePolicyData:
      Type: SHIELD_ADVANCED

Compliant Code Examples

Resources:
  MyEIP:
    Type: AWS::EC2::EIP
    Properties:
      InstanceId: !Ref Logical name of an AWS::EC2::Instance resource
  Policy2:
    Type: AWS::FMS::Policy
    Properties:
      ExcludeResourceTags: true
      ResourceTags:
        - Key: resourceTag1
          Value: value
        - Key: resourceTag2
          Value: value
      IncludeMap:
        ACCOUNT:
          - !Ref AWS::AccountId
      PolicyName: TaggedPolicy
      RemediationEnabled: false
      ResourceType: ResourceTypeList
      ResourceTypeList:
        - AWS::EC2::EIP
      SecurityServicePolicyData:
        Type: SHIELD_ADVANCED
      DeleteAllPolicyResources: false
      Tags:
        - Key: tag1
          Value: value
        - Key: tag2
          Value: value

{
  "Resources": {
    "MyEIP": {
      "Properties": {
        "InstanceId": "Logical name of an AWS::EC2::Instance resource"
      },
      "Type": "AWS::EC2::EIP"
    },
    "Policy2": {
      "Properties": {
        "DeleteAllPolicyResources": false,
        "ExcludeResourceTags": true,
        "IncludeMap": {
          "ACCOUNT": [
            "AWS::AccountId"
          ]
        },
        "PolicyName": "TaggedPolicy",
        "RemediationEnabled": false,
        "ResourceTags": [
          {
            "Key": "resourceTag1",
            "Value": "value"
          },
          {
            "Key": "resourceTag2",
            "Value": "value"
          }
        ],
        "ResourceType": "ResourceTypeList",
        "ResourceTypeList": [
          "AWS::EC2::EIP"
        ],
        "SecurityServicePolicyData": {
          "Type": "SHIELD_ADVANCED"
        },
        "Tags": [
          {
            "Key": "tag1",
            "Value": "value"
          },
          {
            "Key": "tag2",
            "Value": "value"
          }
        ]
      },
      "Type": "AWS::FMS::Policy"
    }
  }
}

Non-Compliant Code Examples

Resources:
  HostedZone:
    Type: AWS::Route53::HostedZone
    Properties:
      Name: "HostedZone"
      QueryLoggingConfig:
        CloudWatchLogsLogGroupArn: "SomeCloudWatchLogGroupArn"
  Policy:
    Type: AWS::FMS::Policy
    Properties:
      ExcludeResourceTags: true
      ResourceTags:
        - Key: resourceTag1
          Value: value
        - Key: resourceTag2
          Value: value
      IncludeMap:
        ACCOUNT:
          - !Ref AWS::AccountId
      PolicyName: TaggedPolicy
      RemediationEnabled: false
      ResourceType: ResourceTypeList
      ResourceTypeList:
        - AWS::GlobalAccelerator::Accelerator
      SecurityServicePolicyData:
        Type: SHIELD_ADVANCED
      DeleteAllPolicyResources: false
      Tags:
        - Key: tag1
          Value: value
        - Key: tag2
          Value: value

{
  "Resources": {
    "HostedZone": {
      "Properties": {
        "Name": "HostedZone",
        "QueryLoggingConfig": {
          "CloudWatchLogsLogGroupArn": "SomeCloudWatchLogGroupArn"
        }
      },
      "Type": "AWS::Route53::HostedZone"
    },
    "Policy": {
      "Properties": {
        "DeleteAllPolicyResources": false,
        "ExcludeResourceTags": true,
        "IncludeMap": {
          "ACCOUNT": [
            "AWS::AccountId"
          ]
        },
        "PolicyName": "TaggedPolicy",
        "RemediationEnabled": false,
        "ResourceTags": [
          {
            "Key": "resourceTag1",
            "Value": "value"
          },
          {
            "Key": "resourceTag2",
            "Value": "value"
          }
        ],
        "ResourceType": "ResourceTypeList",
        "ResourceTypeList": [
          "AWS::GlobalAccelerator::Accelerator"
        ],
        "SecurityServicePolicyData": {
          "Type": "SHIELD_ADVANCED"
        },
        "Tags": [
          {
            "Key": "tag1",
            "Value": "value"
          },
          {
            "Key": "tag2",
            "Value": "value"
          }
        ]
      },
      "Type": "AWS::FMS::Policy"
    }
  }
}