Shield Advanced not in use

This product is not supported for your selected Datadog site. ().

Metadata

Id: 084c6686-2a70-4710-91b1-000393e54c12

Cloud Provider: aws

Framework: Terraform

Severity: Low

Category: Networking and Firewall

Learn More

Description

AWS Shield Advanced provides enhanced protection against distributed denial-of-service (DDoS) attacks for critical AWS resources, such as Amazon Route 53 hosted zones, AWS Global Accelerator accelerators, Elastic IP addresses, Elastic Load Balancers, and Amazon CloudFront distributions. Without Shield Advanced enabled, these resources are vulnerable to large-scale DDoS attacks, which can lead to downtime, degraded performance, and increased mitigation costs. To secure these resources in Terraform, use the aws_shield_protection resource with the correct resource_arn. For example:

resource "aws_shield_protection" "example" {
  name         = "example"
  resource_arn = "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:eip-allocation/${aws_eip.example.id}"

  tags = {
    Environment = "Prod"
  }
}

Compliant Code Examples

resource "aws_route53_zone" "negative2" {
  name = "example.com"
}

resource "aws_shield_protection" "negative2" {
  name         = "example"
  resource_arn = aws_route53_zone.negative2.arn

  tags = {
    Environment = "Dev"
  }
}

data "aws_availability_zones" "available" {}
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

resource "aws_eip" "negative1" {
  vpc = true
}

resource "aws_shield_protection" "negative1" {
  name         = "example"
  resource_arn = "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:eip-allocation/${aws_eip.negative1.id}"

  tags = {
    Environment = "Dev"
  }
}

Non-Compliant Code Examples

resource "aws_route53_zone" "positive2" {
  name = "example.com"
}

resource "aws_shield_protection" "positive2" {
  name         = "example"
  resource_arn = aws_route53_zone.positive.arn

  tags = {
    Environment = "Dev"
  }
}

data "aws_availability_zones" "available" {}
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

resource "aws_eip" "positive1" {
  vpc = true
}

resource "aws_shield_protection" "positive1" {
  name         = "example"
  resource_arn = "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:eip-allocation/${aws_eip.positive.id}"

  tags = {
    Environment = "Dev"
  }
}