For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/terraform-aws-shield-advanced-not-in-use.md. A documentation index is available at /llms.txt.

Shield Advanced not in use

This product is not supported for your selected Datadog site. ().

Metadata

Id: terraform-aws-shield-advanced-not-in-use

Provider: AWS

Platform: Terraform

Severity: Low

Category: Networking and Firewall

Learn More

Description

AWS Shield Advanced provides enhanced protection against distributed denial-of-service (DDoS) attacks for critical AWS resources, such as Amazon Route 53 hosted zones, AWS Global Accelerator accelerators, Elastic IP addresses, Elastic Load Balancers, and Amazon CloudFront distributions. Without Shield Advanced enabled, these resources are vulnerable to large-scale DDoS attacks, which can lead to downtime, degraded performance, and increased mitigation costs. To secure these resources in Terraform, use the aws_shield_protection resource with the correct resource_arn. For example:

resource "aws_shield_protection" "example" {
  name         = "example"
  resource_arn = "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:eip-allocation/${aws_eip.example.id}"

  tags = {
    Environment = "Prod"
  }
}

Compliant Code Examples

data "aws_availability_zones" "available" {}
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

resource "aws_eip" "negative1" {
  vpc = true
}

resource "aws_shield_protection" "negative1" {
  name         = "example"
  resource_arn = "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:eip-allocation/${aws_eip.negative1.id}"

  tags = {
    Environment = "Dev"
  }
}

resource "aws_route53_zone" "negative2" {
  name = "example.com"
}

resource "aws_shield_protection" "negative2" {
  name         = "example"
  resource_arn = aws_route53_zone.negative2.arn

  tags = {
    Environment = "Dev"
  }
}

Non-Compliant Code Examples

data "aws_availability_zones" "available" {}
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

resource "aws_eip" "positive1" {
  vpc = true
}

resource "aws_shield_protection" "positive1" {
  name         = "example"
  resource_arn = "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:eip-allocation/${aws_eip.positive.id}"

  tags = {
    Environment = "Dev"
  }
}

resource "aws_route53_zone" "positive2" {
  name = "example.com"
}

resource "aws_shield_protection" "positive2" {
  name         = "example"
  resource_arn = aws_route53_zone.positive.arn

  tags = {
    Environment = "Dev"
  }
}