--- title: Shield Advanced not in use description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Shield Advanced not in use --- # Shield Advanced not in use {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `terraform-aws-shield-advanced-not-in-use` **Provider:** AWS **Platform:** Terraform **Severity:** Low **Category:** Networking and Firewall #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/shield_protection#resource_arn) ### Description{% #description %} AWS Shield Advanced provides enhanced protection against distributed denial-of-service (DDoS) attacks for critical AWS resources, such as Amazon Route 53 hosted zones, AWS Global Accelerator accelerators, Elastic IP addresses, Elastic Load Balancers, and Amazon CloudFront distributions. Without Shield Advanced enabled, these resources are vulnerable to large-scale DDoS attacks, which can lead to downtime, degraded performance, and increased mitigation costs. To secure these resources in Terraform, use the `aws_shield_protection` resource with the correct `resource_arn`. For example: ``` resource "aws_shield_protection" "example" { name = "example" resource_arn = "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:eip-allocation/${aws_eip.example.id}" tags = { Environment = "Prod" } } ``` ## Compliant Code Examples{% #compliant-code-examples %} ```terraform data "aws_availability_zones" "available" {} data "aws_region" "current" {} data "aws_caller_identity" "current" {} resource "aws_eip" "negative1" { vpc = true } resource "aws_shield_protection" "negative1" { name = "example" resource_arn = "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:eip-allocation/${aws_eip.negative1.id}" tags = { Environment = "Dev" } } ``` ```terraform resource "aws_route53_zone" "negative2" { name = "example.com" } resource "aws_shield_protection" "negative2" { name = "example" resource_arn = aws_route53_zone.negative2.arn tags = { Environment = "Dev" } } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```terraform data "aws_availability_zones" "available" {} data "aws_region" "current" {} data "aws_caller_identity" "current" {} resource "aws_eip" "positive1" { vpc = true } resource "aws_shield_protection" "positive1" { name = "example" resource_arn = "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:eip-allocation/${aws_eip.positive.id}" tags = { Environment = "Dev" } } ``` ```terraform resource "aws_route53_zone" "positive2" { name = "example.com" } resource "aws_shield_protection" "positive2" { name = "example" resource_arn = aws_route53_zone.positive.arn tags = { Environment = "Dev" } } ```