

This is the new *CloudFormation Template Reference Guide*. Please update your bookmarks and links. For help getting started with CloudFormation, see the [AWS CloudFormation User Guide](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html).

# AWS Shield
<a name="AWS_Shield"></a>

**Resource types**
+ [AWS::Shield::DRTAccess](aws-resource-shield-drtaccess.md)
+ [AWS::Shield::ProactiveEngagement](aws-resource-shield-proactiveengagement.md)
+ [AWS::Shield::Protection](aws-resource-shield-protection.md)
+ [AWS::Shield::ProtectionGroup](aws-resource-shield-protectiongroup.md)

# AWS::Shield::DRTAccess
<a name="aws-resource-shield-drtaccess"></a>

Provides permissions for the AWS Shield Advanced Shield response team (SRT) to access your account and your resource protections, to help you mitigate potential distributed denial of service (DDoS) attacks.

 **Configure `AWS::Shield::DRTAccess` for one account** 

To configure this resource through CloudFormation, you must be subscribed to AWS Shield Advanced. You can subscribe through the [Shield Advanced console](https://console.aws.amazon.com/wafv2/shieldv2#/) and through the APIs. For more information, see [Subscribe to AWS Shield Advanced](https://docs.aws.amazon.com/waf/latest/developerguide/enable-ddos-prem.html). 

See example templates for Shield Advanced in CloudFormation at [aws-samples/aws-shield-advanced-examples](https://github.com/aws-samples/aws-shield-advanced-examples). 

 **Configure Shield Advanced using AWS CloudFormation and AWS Firewall Manager** 

You might be able to use Firewall Manager with AWS CloudFormation to configure Shield Advanced across multiple accounts and protected resources. To do this, your accounts must be part of an organization in AWS Organizations. You can use Firewall Manager to configure Shield Advanced protections for any resource types except for Amazon Route 53 or AWS Global Accelerator. 

For an example of this, see the one-click configuration guidance published by the AWS technical community at [One-click deployment of Shield Advanced](https://youtu.be/LCA3FwMk_QE). 

## Syntax
<a name="aws-resource-shield-drtaccess-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-shield-drtaccess-syntax.json"></a>

```
{
  "Type" : "AWS::Shield::DRTAccess",
  "Properties" : {
      "[LogBucketList](#cfn-shield-drtaccess-logbucketlist)" : [ String, ... ],
      "[RoleArn](#cfn-shield-drtaccess-rolearn)" : String
    }
}
```

### YAML
<a name="aws-resource-shield-drtaccess-syntax.yaml"></a>

```
Type: AWS::Shield::DRTAccess
Properties:
  [LogBucketList](#cfn-shield-drtaccess-logbucketlist): 
    - String
  [RoleArn](#cfn-shield-drtaccess-rolearn): String
```

## Properties
<a name="aws-resource-shield-drtaccess-properties"></a>

`LogBucketList`  <a name="cfn-shield-drtaccess-logbucketlist"></a>
Authorizes the Shield Response Team (SRT) to access the specified Amazon S3 bucket containing log data such as Application Load Balancer access logs, CloudFront logs, or logs from third-party sources. You can associate up to 10 Amazon S3 buckets with your subscription.  
Use this to share information with the SRT that's not available in AWS WAF logs.   
To use the services of the SRT, you must be subscribed to the [Business Support plan](https://aws.amazon.com/premiumsupport/business-support/) or the [Enterprise Support plan](https://aws.amazon.com/premiumsupport/enterprise-support/).   
*Required*: No  
*Type*: Array of String  
*Minimum*: `3 | 0`  
*Maximum*: `63 | 10`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`RoleArn`  <a name="cfn-shield-drtaccess-rolearn"></a>
Authorizes the Shield Response Team (SRT), using the specified role, to access your AWS account to assist with DDoS attack mitigation during potential attacks. This enables the SRT to inspect your AWS WAF configuration and logs and to create or update AWS WAF rules and web ACLs.  
You can associate only one `RoleArn` with your subscription. If you submit this update for an account that already has an associated role, the new `RoleArn` will replace the existing `RoleArn`.   
This change requires the following:   
+ You must be subscribed to the [Business Support plan](https://aws.amazon.com/premiumsupport/business-support/) or the [Enterprise Support plan](https://aws.amazon.com/premiumsupport/enterprise-support/). 
+ The `AWSShieldDRTAccessPolicy` managed policy must be attached to the role that you specify in the request. You can access this policy in the IAM console at [AWSShieldDRTAccessPolicy](https://console.aws.amazon.com/iam/home?#/policies/arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy). For information, see [Adding and removing IAM identity permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html). 
+ The role must trust the service principal `drt.shield.amazonaws.com`. For information, see [IAM JSON policy elements: Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html).
The SRT will have access only to your AWS WAF and Shield resources. By submitting this request, you provide permissions to the SRT to inspect your AWS WAF and Shield configuration and logs, and to create and update AWS WAF rules and web ACLs on your behalf. The SRT takes these actions only if explicitly authorized by you.  
*Required*: Yes  
*Type*: String  
*Maximum*: `2048`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
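As an added example (not from this reference and not AWS code), the following Python script checks a JSON-form template for the conditions listed above before the stack is deployed: the role named by `RoleArn` must trust `drt.shield.amazonaws.com` for `sts:AssumeRole`, `AWSShieldDRTAccessPolicy` must be attached, and `LogBucketList` must not exceed 10 buckets. It only resolves `RoleArn` values written as `Fn::GetAtt` on a role in the same template; the two sample templates are constructed for the demonstration.

```python
"""Validate the role handed to AWS::Shield::DRTAccess against the three conditions the
RoleArn property lists (trusted principal, managed policy) plus the LogBucketList limit.
Example code written for this page; it works on a template already parsed into a dict."""

DRT_PRINCIPAL = "drt.shield.amazonaws.com"
DRT_POLICY_ARN = "arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy"
MAX_LOG_BUCKETS = 10


def _as_list(value):
    """IAM accepts a single string or a list for Statement, Action and Service."""
    return value if isinstance(value, list) else [value]


def _role_logical_id(role_arn):
    """Return the logical ID when RoleArn is {"Fn::GetAtt": [RoleId, "Arn"]}, else None."""
    if isinstance(role_arn, dict) and isinstance(role_arn.get("Fn::GetAtt"), list):
        target, attr = role_arn["Fn::GetAtt"]
        if attr == "Arn":
            return target
    return None


def role_trusts_drt(role):
    """True if an Allow statement lets the SRT service principal call sts:AssumeRole."""
    doc = role.get("Properties", {}).get("AssumeRolePolicyDocument", {})
    for stmt in _as_list(doc.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow"
                and DRT_PRINCIPAL in services
                and "sts:AssumeRole" in _as_list(stmt.get("Action", []))):
            return True
    return False


def role_has_drt_policy(role):
    """True if the managed policy the page requires is attached by ARN."""
    return DRT_POLICY_ARN in role.get("Properties", {}).get("ManagedPolicyArns", [])


def check_drt_access(template):
    """Return a list of findings; an empty list means every DRTAccess resource passes."""
    findings = []
    resources = template.get("Resources", {})
    for res_id, res in resources.items():
        if res.get("Type") != "AWS::Shield::DRTAccess":
            continue
        props = res.get("Properties", {})
        buckets = props.get("LogBucketList", [])
        if len(buckets) > MAX_LOG_BUCKETS:
            findings.append(f"{res_id}: LogBucketList has {len(buckets)} entries, limit is {MAX_LOG_BUCKETS}")
        role_id = _role_logical_id(props.get("RoleArn"))
        if role_id is None:
            findings.append(f"{res_id}: RoleArn is not Fn::GetAtt of a role in this template, trust policy not checked")
            continue
        role = resources.get(role_id, {})
        if role.get("Type") != "AWS::IAM::Role":
            findings.append(f"{res_id}: RoleArn refers to {role_id}, which is not an AWS::IAM::Role in this template")
            continue
        if not role_trusts_drt(role):
            findings.append(f"{role_id}: trust policy does not allow {DRT_PRINCIPAL} to call sts:AssumeRole")
        if not role_has_drt_policy(role):
            findings.append(f"{role_id}: {DRT_POLICY_ARN} is not attached")
    return findings


def _template(principal, policies):
    """Constructed sample template in the shape of the page's JSON example."""
    return {"Resources": {
        "DRTAccess": {"Type": "AWS::Shield::DRTAccess",
                      "Properties": {"RoleArn": {"Fn::GetAtt": ["DRTAccessRole", "Arn"]}}},
        "DRTAccessRole": {"Type": "AWS::IAM::Role", "Properties": {
            "ManagedPolicyArns": policies,
            "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Principal": {"Service": [principal]},
                 "Action": ["sts:AssumeRole"]}]}}}}}


GOOD_TEMPLATE = _template(DRT_PRINCIPAL, [DRT_POLICY_ARN])
# Wrong trust principal and no managed policy: fails both conditions the page lists.
BAD_TEMPLATE = _template("ec2.amazonaws.com", [])

if __name__ == "__main__":
    for name, tpl in (("good", GOOD_TEMPLATE), ("bad", BAD_TEMPLATE)):
        print(name, check_drt_access(tpl) or "OK")
```

Feed it a template loaded with `json.load`; a YAML template that uses the short-form tags from the examples (`!GetAtt`) needs a YAML loader that understands those tags before the same checks apply.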

## Return values
<a name="aws-resource-shield-drtaccess-return-values"></a>

### Ref
<a name="aws-resource-shield-drtaccess-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the ID of the account that submitted the template.

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-shield-drtaccess-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-shield-drtaccess-return-values-fn--getatt-fn--getatt"></a>

`AccountId`  <a name="AccountId-fn::getatt"></a>
The ID of the account that submitted the template.

## Examples
<a name="aws-resource-shield-drtaccess--examples"></a>



**Topics**
+ [Configure access for the Shield response team](#aws-resource-shield-drtaccess--examples--Configure_access_for_the_Shield_response_team)
+ [Configure access for the Shield response team with additional data access](#aws-resource-shield-drtaccess--examples--Configure_access_for_the_Shield_response_team_with_additional_data_access)

### Configure access for the Shield response team
<a name="aws-resource-shield-drtaccess--examples--Configure_access_for_the_Shield_response_team"></a>

The following shows an example configuration to provide access to the Shield response team (SRT). 

#### YAML
<a name="aws-resource-shield-drtaccess--examples--Configure_access_for_the_Shield_response_team--yaml"></a>

```
Resources:
  DRTAccess:
    Type: AWS::Shield::DRTAccess
    Properties:
      RoleArn: !GetAtt DRTAccessRole.Arn
      
  # support resources
  DRTAccessRole:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy'
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - 'drt.shield.amazonaws.com'
            Action:
              - 'sts:AssumeRole'
```

#### JSON
<a name="aws-resource-shield-drtaccess--examples--Configure_access_for_the_Shield_response_team--json"></a>

```
{
    "Resources": {
        "DRTAccess": {
            "Type": "AWS::Shield::DRTAccess",
            "Properties": {
                "RoleArn": {
                    "Fn::GetAtt": [
                        "DRTAccessRole",
                        "Arn"
                    ]
                }
            }
        },
        "DRTAccessRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "ManagedPolicyArns": [
                    "arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy"
                ],
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "Service": [
                                    "drt.shield.amazonaws.com"
                                ]
                            },
                            "Action": [
                                "sts:AssumeRole"
                            ]
                        }
                    ]
                }
            }
        }
    }
}
```

### Configure access for the Shield response team with additional data access
<a name="aws-resource-shield-drtaccess--examples--Configure_access_for_the_Shield_response_team_with_additional_data_access"></a>

The following shows an example configuration to provide access to the Shield response team (SRT), including granting access to additional data that's outside of the web ACL logs. The SRT is automatically granted access to the web ACL logs based on the provided `RoleArn`.

#### YAML
<a name="aws-resource-shield-drtaccess--examples--Configure_access_for_the_Shield_response_team_with_additional_data_access--yaml"></a>

```
Resources:
  DRTAccess:
    Type: AWS::Shield::DRTAccess
    Properties:
      LogBucketList:
        - !Ref DRTLogBucket1
        - !Ref DRTLogBucket2
      RoleArn: !GetAtt DRTAccessRole.Arn
  
  # support resources
  DRTLogBucket1:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: BucketOwnerFullControl
  DRTLogBucket2:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: BucketOwnerFullControl
  DRTAccessRole:
    Type: AWS::IAM::Role
    Properties:
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy'
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - 'drt.shield.amazonaws.com'
            Action:
              - 'sts:AssumeRole'
```

#### JSON
<a name="aws-resource-shield-drtaccess--examples--Configure_access_for_the_Shield_response_team_with_additional_data_access--json"></a>

```
{
    "Resources": {
        "DRTAccess": {
            "Type": "AWS::Shield::DRTAccess",
            "Properties": {
                "LogBucketList": [
                    {
                        "Ref": "DRTLogBucket1"
                    },
                    {
                        "Ref": "DRTLogBucket2"
                    }
                ],
                "RoleArn": {
                    "Fn::GetAtt": [
                        "DRTAccessRole",
                        "Arn"
                    ]
                }
            }
        },
        "DRTLogBucket1": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "AccessControl": "BucketOwnerFullControl"
            }
        },
        "DRTLogBucket2": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "AccessControl": "BucketOwnerFullControl"
            }
        },
        "DRTAccessRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "ManagedPolicyArns": [
                    "arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy"
                ],
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {
                                "Service": [
                                    "drt.shield.amazonaws.com"
                                ]
                            },
                            "Action": [
                                "sts:AssumeRole"
                            ]
                        }
                    ]
                }
            }
        }
    }
}
```

# AWS::Shield::ProactiveEngagement
<a name="aws-resource-shield-proactiveengagement"></a>

Authorizes the Shield Response Team (SRT) to use email and phone to notify contacts about escalations to the SRT and to initiate proactive customer support.

To enable proactive engagement, you must be subscribed to the [Business Support plan](https://aws.amazon.com/premiumsupport/business-support/) or the [Enterprise Support plan](https://aws.amazon.com/premiumsupport/enterprise-support/). 

 **Configure `AWS::Shield::ProactiveEngagement` for one account** 

To configure this resource through CloudFormation, you must be subscribed to AWS Shield Advanced. You can subscribe through the [Shield Advanced console](https://console.aws.amazon.com/wafv2/shieldv2#/) and through the APIs. For more information, see [Subscribe to AWS Shield Advanced](https://docs.aws.amazon.com/waf/latest/developerguide/enable-ddos-prem.html). 

See example templates for Shield Advanced in CloudFormation at [aws-samples/aws-shield-advanced-examples](https://github.com/aws-samples/aws-shield-advanced-examples). 

 **Configure Shield Advanced using AWS CloudFormation and AWS Firewall Manager** 

You might be able to use Firewall Manager with AWS CloudFormation to configure Shield Advanced across multiple accounts and protected resources. To do this, your accounts must be part of an organization in AWS Organizations. You can use Firewall Manager to configure Shield Advanced protections for any resource types except for Amazon Route 53 or AWS Global Accelerator. 

For an example of this, see the one-click configuration guidance published by the AWS technical community at [One-click deployment of Shield Advanced](https://youtu.be/LCA3FwMk_QE). 

## Syntax
<a name="aws-resource-shield-proactiveengagement-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-shield-proactiveengagement-syntax.json"></a>

```
{
  "Type" : "AWS::Shield::ProactiveEngagement",
  "Properties" : {
      "[EmergencyContactList](#cfn-shield-proactiveengagement-emergencycontactlist)" : [ EmergencyContact, ... ],
      "[ProactiveEngagementStatus](#cfn-shield-proactiveengagement-proactiveengagementstatus)" : String
    }
}
```

### YAML
<a name="aws-resource-shield-proactiveengagement-syntax.yaml"></a>

```
Type: AWS::Shield::ProactiveEngagement
Properties:
  [EmergencyContactList](#cfn-shield-proactiveengagement-emergencycontactlist): 
    - EmergencyContact
  [ProactiveEngagementStatus](#cfn-shield-proactiveengagement-proactiveengagementstatus): String
```

## Properties
<a name="aws-resource-shield-proactiveengagement-properties"></a>

`EmergencyContactList`  <a name="cfn-shield-proactiveengagement-emergencycontactlist"></a>
The list of email addresses and phone numbers that the Shield Response Team (SRT) can use to contact you for escalations to the SRT and to initiate proactive customer support, plus any relevant notes.   
To enable proactive engagement, the contact list must include at least one phone number.  
If you provide more than one contact, in the notes, indicate the circumstances under which each contact should be used. Include primary and secondary contact designations, and provide the hours of availability and time zones for each contact.  
Example contact notes:  
+ This is a hotline that's staffed 24x7x365. Please work with the responding analyst and they will get the appropriate person on the call.
+ Please contact the secondary phone number if the hotline doesn't respond within 5 minutes.
*Required*: Yes  
*Type*: Array of [EmergencyContact](aws-properties-shield-proactiveengagement-emergencycontact.md)  
*Minimum*: `1`  
*Maximum*: `10`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ProactiveEngagementStatus`  <a name="cfn-shield-proactiveengagement-proactiveengagementstatus"></a>
Specifies whether proactive engagement is enabled or disabled.   
Valid values:   
`ENABLED` - The Shield Response Team (SRT) will use email and phone to notify contacts about escalations to the SRT and to initiate proactive customer support.  
`DISABLED` - The SRT will not proactively notify contacts about escalations or initiate proactive customer support.   
*Required*: Yes  
*Type*: String  
*Allowed values*: `ENABLED | DISABLED`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

## Return values
<a name="aws-resource-shield-proactiveengagement-return-values"></a>

### Ref
<a name="aws-resource-shield-proactiveengagement-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the ID of the account that submitted the template. 

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-shield-proactiveengagement-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-shield-proactiveengagement-return-values-fn--getatt-fn--getatt"></a>

`AccountId`  <a name="AccountId-fn::getatt"></a>
The ID of the account that submitted the template.

## Examples
<a name="aws-resource-shield-proactiveengagement--examples"></a>



### Enable proactive engagement and define contacts
<a name="aws-resource-shield-proactiveengagement--examples--Enable_proactive_engagement_and_define_contacts"></a>

The following shows an example proactive engagement configuration with proactive engagement enabled and with two emergency contacts. 

#### YAML
<a name="aws-resource-shield-proactiveengagement--examples--Enable_proactive_engagement_and_define_contacts--yaml"></a>

```
Resources:
  TestProactiveEngagement:
    DeletionPolicy: Delete
    Type: AWS::Shield::ProactiveEngagement
    Properties:
      ProactiveEngagementStatus: ENABLED
      EmergencyContactList:
        - EmailAddress: !Sub 'dev-on-duty@example.com'
          ContactNotes: !Sub 'Dev On Duty'
          PhoneNumber: '+10000000001'
        - EmailAddress: !Sub 'security@example.com'
          ContactNotes: !Sub 'Security Team'
          PhoneNumber: '+10000000002'
```

#### JSON
<a name="aws-resource-shield-proactiveengagement--examples--Enable_proactive_engagement_and_define_contacts--json"></a>

```
{
    "Resources": {
        "TestProactiveEngagement": {
            "DeletionPolicy": "Delete",
            "Type": "AWS::Shield::ProactiveEngagement",
            "Properties": {
                "ProactiveEngagementStatus": "ENABLED",
                "EmergencyContactList": [
                    {
                        "EmailAddress": {
                            "Fn::Sub": "dev-on-duty@example.com"
                        },
                        "ContactNotes": {
                            "Fn::Sub": "Dev On Duty"
                        },
                        "PhoneNumber": "+10000000001"
                    },
                    {
                        "EmailAddress": {
                            "Fn::Sub": "security@example.com"
                        },
                        "ContactNotes": {
                            "Fn::Sub": "Security Team"
                        },
                        "PhoneNumber": "+10000000002"
                    }
                ]
            }
        }
    }
}
```

# AWS::Shield::ProactiveEngagement EmergencyContact
<a name="aws-properties-shield-proactiveengagement-emergencycontact"></a>

Contact information that the SRT can use to contact you if you have proactive engagement enabled, for escalations to the SRT and to initiate proactive customer support.

## Syntax
<a name="aws-properties-shield-proactiveengagement-emergencycontact-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-shield-proactiveengagement-emergencycontact-syntax.json"></a>

```
{
  "[ContactNotes](#cfn-shield-proactiveengagement-emergencycontact-contactnotes)" : String,
  "[EmailAddress](#cfn-shield-proactiveengagement-emergencycontact-emailaddress)" : String,
  "[PhoneNumber](#cfn-shield-proactiveengagement-emergencycontact-phonenumber)" : String
}
```

### YAML
<a name="aws-properties-shield-proactiveengagement-emergencycontact-syntax.yaml"></a>

```
  [ContactNotes](#cfn-shield-proactiveengagement-emergencycontact-contactnotes): String
  [EmailAddress](#cfn-shield-proactiveengagement-emergencycontact-emailaddress): String
  [PhoneNumber](#cfn-shield-proactiveengagement-emergencycontact-phonenumber): String
```

## Properties
<a name="aws-properties-shield-proactiveengagement-emergencycontact-properties"></a>

`ContactNotes`  <a name="cfn-shield-proactiveengagement-emergencycontact-contactnotes"></a>
Additional notes regarding the contact.   
*Required*: No  
*Type*: String  
*Pattern*: `^[\w\s\.\-,:/()+@]*$`  
*Minimum*: `1`  
*Maximum*: `1024`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`EmailAddress`  <a name="cfn-shield-proactiveengagement-emergencycontact-emailaddress"></a>
The email address for the contact.  
*Required*: Yes  
*Type*: String  
*Pattern*: `^\S+@\S+\.\S+$`  
*Minimum*: `1`  
*Maximum*: `150`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`PhoneNumber`  <a name="cfn-shield-proactiveengagement-emergencycontact-phonenumber"></a>
The phone number for the contact.  
*Required*: No  
*Type*: String  
*Pattern*: `^\+[1-9]\d{1,14}$`  
*Minimum*: `1`  
*Maximum*: `16`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
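As an added example (not part of the reference and not AWS code), the following Python script validates a `ProactiveEngagement` `Properties` block against the constraints stated for `ProactiveEngagementStatus`, `EmergencyContactList` and the `EmergencyContact` fields above: the regex patterns and length limits of each field, the 1 to 10 contact range, and the rule that proactive engagement can only be enabled when at least one contact has a phone number. It unwraps `Fn::Sub` values without placeholders, as the page's example uses them; the sample property blocks are constructed.

```python
"""Validate an AWS::Shield::ProactiveEngagement Properties block against the limits the
page gives for ProactiveEngagementStatus, EmergencyContactList and EmergencyContact.
Example code written for this page, not part of the reference."""
import re

# Patterns and length limits copied from the EmergencyContact property table.
FIELD_RULES = {
    "ContactNotes": (re.compile(r"^[\w\s\.\-,:/()+@]*$"), 1, 1024),
    "EmailAddress": (re.compile(r"^\S+@\S+\.\S+$"), 1, 150),
    "PhoneNumber": (re.compile(r"^\+[1-9]\d{1,14}$"), 1, 16),
}
MIN_CONTACTS, MAX_CONTACTS = 1, 10
ALLOWED_STATUS = ("ENABLED", "DISABLED")


def _literal(value):
    """Unwrap Fn::Sub when it carries no ${...} placeholders, as in the page's examples;
    any other intrinsic is returned unchanged so the caller can report it as unresolved."""
    if isinstance(value, dict) and list(value) == ["Fn::Sub"]:
        body = value["Fn::Sub"]
        if isinstance(body, str) and "${" not in body:
            return body
    return value


def validate_contact(contact, index):
    """Findings for one EmergencyContact; EmailAddress is the only required field."""
    findings = []
    if "EmailAddress" not in contact:
        findings.append(f"contact[{index}]: EmailAddress is required")
    for field, (pattern, lo, hi) in FIELD_RULES.items():
        if field not in contact:
            continue
        value = _literal(contact[field])
        if not isinstance(value, str):
            findings.append(f"contact[{index}].{field}: unresolved intrinsic, not validated")
            continue
        if not lo <= len(value) <= hi:
            findings.append(f"contact[{index}].{field}: length {len(value)} outside {lo}..{hi}")
        if not pattern.fullmatch(value):
            findings.append(f"contact[{index}].{field}: {value!r} does not match {pattern.pattern}")
    return findings


def validate_proactive_engagement(props):
    """Return a list of findings for a ProactiveEngagement Properties dict (empty = valid)."""
    findings = []
    status = props.get("ProactiveEngagementStatus")
    if status not in ALLOWED_STATUS:
        findings.append(f"ProactiveEngagementStatus must be one of {ALLOWED_STATUS}, got {status!r}")
    contacts = props.get("EmergencyContactList", [])
    if not MIN_CONTACTS <= len(contacts) <= MAX_CONTACTS:
        findings.append(f"EmergencyContactList has {len(contacts)} entries, allowed {MIN_CONTACTS}..{MAX_CONTACTS}")
    for i, contact in enumerate(contacts):
        findings.extend(validate_contact(contact, i))
    # The page: to enable proactive engagement, the list must include at least one phone number.
    if status == "ENABLED" and not any("PhoneNumber" in c for c in contacts):
        findings.append("ENABLED requires at least one contact with a PhoneNumber")
    return findings


# Constructed sample in the shape of the page's JSON example: passes every rule.
GOOD_PROPS = {
    "ProactiveEngagementStatus": "ENABLED",
    "EmergencyContactList": [
        {"EmailAddress": {"Fn::Sub": "dev-on-duty@example.com"},
         "ContactNotes": {"Fn::Sub": "Dev On Duty"}, "PhoneNumber": "+10000000001"},
        {"EmailAddress": "security@example.com", "ContactNotes": "Security Team",
         "PhoneNumber": "+10000000002"},
    ],
}
# Constructed sample with three defects: the email contains spaces, the notes contain ';',
# and no contact has a phone number although proactive engagement is ENABLED.
BAD_PROPS = {
    "ProactiveEngagementStatus": "ENABLED",
    "EmergencyContactList": [
        {"EmailAddress": "ops at example.com", "ContactNotes": "Primary; 24x7"},
    ],
}

if __name__ == "__main__":
    for name, props in (("good", GOOD_PROPS), ("bad", BAD_PROPS)):
        print(name, validate_proactive_engagement(props) or "OK")
```

The checks run locally and offline, so a malformed phone number or a missing phone on an `ENABLED` configuration is caught before CloudFormation rejects the stack update and, more importantly, before an incident in which the SRT has no usable number to call.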

# AWS::Shield::Protection
<a name="aws-resource-shield-protection"></a>

Enables AWS Shield Advanced for a specific AWS resource. The resource can be an Amazon CloudFront distribution, Amazon Route 53 hosted zone, AWS Global Accelerator standard accelerator, Elastic IP Address, Application Load Balancer, or a Classic Load Balancer. You can protect Amazon EC2 instances and Network Load Balancers by association with protected Amazon EC2 Elastic IP addresses. 

 **Configure a single `AWS::Shield::Protection`** 

Use this protection to protect a single resource at a time. 

To configure this Shield Advanced protection through CloudFormation, you must be subscribed to Shield Advanced. You can subscribe through the [Shield Advanced console](https://console.aws.amazon.com/wafv2/shieldv2#/) and through the APIs. For more information, see [Subscribe to AWS Shield Advanced](https://docs.aws.amazon.com/waf/latest/developerguide/enable-ddos-prem.html). 

See example templates for Shield Advanced in CloudFormation at [aws-samples/aws-shield-advanced-examples](https://github.com/aws-samples/aws-shield-advanced-examples). 

 **Configure Shield Advanced using AWS CloudFormation and AWS Firewall Manager** 

You might be able to use Firewall Manager with AWS CloudFormation to configure Shield Advanced across multiple accounts and protected resources. To do this, your accounts must be part of an organization in AWS Organizations. You can use Firewall Manager to configure Shield Advanced protections for any resource types except for Amazon Route 53 or AWS Global Accelerator. 

For an example of this, see the one-click configuration guidance published by the AWS technical community at [One-click deployment of Shield Advanced](https://youtu.be/LCA3FwMk_QE). 

 **Configure multiple protections through the Shield Advanced console** 

You can add protection to multiple resources at once through the [Shield Advanced console](https://console.aws.amazon.com/wafv2/shieldv2#/). For more information, see [Getting Started with AWS Shield Advanced](https://docs.aws.amazon.com/waf/latest/developerguide/getting-started-ddos.html) and [Managing resource protections in AWS Shield Advanced](https://docs.aws.amazon.com/waf/latest/developerguide/ddos-manage-protected-resources.html).

## Syntax
<a name="aws-resource-shield-protection-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-shield-protection-syntax.json"></a>

```
{
  "Type" : "AWS::Shield::Protection",
  "Properties" : {
      "[ApplicationLayerAutomaticResponseConfiguration](#cfn-shield-protection-applicationlayerautomaticresponseconfiguration)" : ApplicationLayerAutomaticResponseConfiguration,
      "[HealthCheckArns](#cfn-shield-protection-healthcheckarns)" : [ String, ... ],
      "[Name](#cfn-shield-protection-name)" : String,
      "[ResourceArn](#cfn-shield-protection-resourcearn)" : String,
      "[Tags](#cfn-shield-protection-tags)" : [ Tag, ... ]
    }
}
```

### YAML
<a name="aws-resource-shield-protection-syntax.yaml"></a>

```
Type: AWS::Shield::Protection
Properties:
  [ApplicationLayerAutomaticResponseConfiguration](#cfn-shield-protection-applicationlayerautomaticresponseconfiguration): 
    ApplicationLayerAutomaticResponseConfiguration
  [HealthCheckArns](#cfn-shield-protection-healthcheckarns): 
    - String
  [Name](#cfn-shield-protection-name): String
  [ResourceArn](#cfn-shield-protection-resourcearn): String
  [Tags](#cfn-shield-protection-tags): 
    - Tag
```

## Properties
<a name="aws-resource-shield-protection-properties"></a>

`ApplicationLayerAutomaticResponseConfiguration`  <a name="cfn-shield-protection-applicationlayerautomaticresponseconfiguration"></a>
The automatic application layer DDoS mitigation settings for the protection. This configuration determines whether Shield Advanced automatically manages rules in the web ACL in order to respond to application layer events that Shield Advanced determines to be DDoS attacks.   
If you use CloudFormation to manage the web ACLs that you use with Shield Advanced automatic mitigation, see the additional guidance about web ACL management in the `AWS::WAFv2::WebACL` resource description.   
*Required*: No  
*Type*: [ApplicationLayerAutomaticResponseConfiguration](aws-properties-shield-protection-applicationlayerautomaticresponseconfiguration.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`HealthCheckArns`  <a name="cfn-shield-protection-healthcheckarns"></a>
The ARN (Amazon Resource Name) of the health check to associate with the protection. Health-based detection provides improved responsiveness and accuracy in attack detection and mitigation.   
You can use this option with any resource type except for Route 53 hosted zones.  
For more information, see [Configuring health-based detection using health checks](https://docs.aws.amazon.com/waf/latest/developerguide/ddos-advanced-health-checks.html) in the *AWS Shield Advanced Developer Guide*.  
*Required*: No  
*Type*: Array of String  
*Minimum*: `1`  
*Maximum*: `2048 | 1`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Name`  <a name="cfn-shield-protection-name"></a>
The name of the protection. For example, `My CloudFront distributions`.  
If you change the name of an existing protection, Shield Advanced deletes the protection and replaces it with a new one. While this is happening, the protection isn't available on the AWS resource. 
*Required*: Yes  
*Type*: String  
*Pattern*: `[ a-zA-Z0-9_\.\-]*`  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`ResourceArn`  <a name="cfn-shield-protection-resourcearn"></a>
The ARN (Amazon Resource Name) of the AWS resource that is protected.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `2048`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`Tags`  <a name="cfn-shield-protection-tags"></a>
Key:value pairs associated with an AWS resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as "environment") and the tag value represents a specific value within that category (such as "test," "development," or "production"). You can add up to 50 tags to each AWS resource.  
*Required*: No  
*Type*: Array of [Tag](aws-properties-shield-protection-tag.md)  
*Maximum*: `200`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
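As an added example (not from the reference and not AWS code), the following Python script runs the pre-deployment checks a practitioner would want for one `Protection` `Properties` block, using the constraints stated above: the `Name` pattern and length, a `ResourceArn` that points at one of the resource types Shield Advanced can protect directly (with a Network Load Balancer flagged, since the page says to protect its Elastic IP instead), at most one entry in `HealthCheckArns`, and no health check on a Route 53 hosted zone. The ARN shapes it uses to recognise resource types are my assumption from the general AWS ARN layout; only the Elastic IP form appears on this page. Account and resource IDs in the samples are placeholders.

```python
"""Pre-deployment checks for AWS::Shield::Protection Properties, covering the page's
constraints on Name, ResourceArn and HealthCheckArns. Example code written for this
page; the ARN prefixes below are assumed, not taken from the reference."""
import re

NAME_RE = re.compile(r"[ a-zA-Z0-9_\.\-]*")
NAME_MIN, NAME_MAX = 1, 128
MAX_HEALTH_CHECKS = 1

# (service, resource prefix) -> protected type. Insertion order matters: the ALB
# entry must be tested before the Classic Load Balancer catch-all. Assumed ARN shapes.
PROTECTABLE = {
    ("cloudfront", "distribution/"): "CloudFront distribution",
    ("route53", "hostedzone/"): "Route 53 hosted zone",
    ("globalaccelerator", "accelerator/"): "Global Accelerator standard accelerator",
    ("ec2", "eip-allocation/"): "Elastic IP address",
    ("elasticloadbalancing", "loadbalancer/app/"): "Application Load Balancer",
    ("elasticloadbalancing", "loadbalancer/"): "Classic Load Balancer",
}


def classify_resource_arn(arn):
    """Return the protected type for an ARN, or None if Shield cannot protect it directly."""
    parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
    if len(parts) != 6 or parts[0] != "arn":
        return None
    service, resource = parts[2], parts[5]
    if service == "elasticloadbalancing" and resource.startswith("loadbalancer/net/"):
        return None  # Network Load Balancer: protect the associated Elastic IP instead
    for (svc, prefix), label in PROTECTABLE.items():
        if service == svc and resource.startswith(prefix):
            return label
    return None


def check_protection(props):
    """Return findings for one Protection Properties dict; empty means it passes."""
    findings = []
    name = props.get("Name", "")
    if not NAME_MIN <= len(name) <= NAME_MAX:
        findings.append(f"Name length {len(name)} outside {NAME_MIN}..{NAME_MAX}")
    elif not NAME_RE.fullmatch(name):
        findings.append(f"Name {name!r} does not match {NAME_RE.pattern}")
    arn = props.get("ResourceArn")
    kind = classify_resource_arn(arn) if isinstance(arn, str) else None
    if kind is None:
        findings.append(f"ResourceArn {arn!r} is not a resource type Shield Advanced protects directly")
    health_checks = props.get("HealthCheckArns", [])
    if len(health_checks) > MAX_HEALTH_CHECKS:
        findings.append(f"HealthCheckArns has {len(health_checks)} entries, max {MAX_HEALTH_CHECKS}")
    if health_checks and kind == "Route 53 hosted zone":
        findings.append("HealthCheckArns cannot be used with a Route 53 hosted zone")
    return findings


# Constructed samples; account and resource identifiers are placeholders.
GOOD_PROPS = {
    "Name": "MyEIPProtection",
    "ResourceArn": "arn:aws:ec2:us-east-1:111122223333:eip-allocation/eipalloc-0123456789abcdef0",
    "HealthCheckArns": ["arn:aws:route53:::healthcheck/00000000-0000-0000-0000-000000000000"],
}
BAD_PROPS = {
    "Name": "zone/protection",  # '/' is outside the allowed character class
    "ResourceArn": "arn:aws:route53:::hostedzone/Z0000000000000000000",
    "HealthCheckArns": ["arn:aws:route53:::healthcheck/00000000-0000-0000-0000-000000000000"],
}

if __name__ == "__main__":
    for label, props in (("good", GOOD_PROPS), ("bad", BAD_PROPS)):
        print(label, check_protection(props) or "OK")
```

Because `Name` and `ResourceArn` both require replacement on update, a mistake caught here avoids a delete-and-recreate cycle during which the resource is unprotected.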

## Return values
<a name="aws-resource-shield-protection-return-values"></a>

### Ref
<a name="aws-resource-shield-protection-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the ARN (Amazon Resource Name) of the protection. 

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-shield-protection-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-shield-protection-return-values-fn--getatt-fn--getatt"></a>

`ProtectionArn`  <a name="ProtectionArn-fn::getatt"></a>
The ARN (Amazon Resource Name) of the new protection. 

`ProtectionId`  <a name="ProtectionId-fn::getatt"></a>
The ID of the new protection. 

## Examples
<a name="aws-resource-shield-protection--examples"></a>



**Topics**
+ [Create a network layer protection](#aws-resource-shield-protection--examples--Create_a_network_layer_protection)
+ [Create an application layer protection](#aws-resource-shield-protection--examples--Create_an_application_layer_protection)

### Create a network layer protection
<a name="aws-resource-shield-protection--examples--Create_a_network_layer_protection"></a>

The following shows an example protection configuration for an Amazon EC2 Elastic IP address. 

#### YAML
<a name="aws-resource-shield-protection--examples--Create_a_network_layer_protection--yaml"></a>

```
Resources:
  EIP:
    Type: AWS::EC2::EIP
  Protection:
    Type: AWS::Shield::Protection
    Properties:
      Name: 'MyEIPProtection'
      ResourceArn: !Sub 'arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:eip-allocation/${EIP.AllocationId}'
```

#### JSON
<a name="aws-resource-shield-protection--examples--Create_a_network_layer_protection--json"></a>

```
{
    "Resources": {
        "EIP": {
            "Type": "AWS::EC2::EIP"
        },
        "Protection": {
            "Type": "AWS::Shield::Protection",
            "Properties": {
                "Name": "MyEIPProtection",
                "ResourceArn": {
                    "Fn::Sub": "arn:${AWS::Partition}:ec2:${AWS::Region}:${AWS::AccountId}:eip-allocation/${EIP.AllocationId}"
                }
            }
        }
    }
}
```

### Create an application layer protection
<a name="aws-resource-shield-protection--examples--Create_an_application_layer_protection"></a>

The following shows an example layer 7 protection configuration for an application load balancer. The protection includes a health check and has application layer automatic response enabled. The load balancer must be associated with an AWS WAF web ACL that has a rate-based rule defined in it. The `DependsOn` on the web ACL association makes CloudFormation create the association before the protection, because enabling automatic response requires the web ACL to already be associated with the resource. The `ALB`, `HealthCheck` and `WebACLAssociation` logical IDs refer to resources or parameters declared elsewhere in the template. 

#### YAML
<a name="aws-resource-shield-protection--examples--Create_an_application_layer_protection--yaml"></a>

```
Resources:
  # Create L7 Protection. ALB (the load balancer), HealthCheck (a Route 53
  # health check ID) and WebACLAssociation (the AWS WAF association for the
  # load balancer) are declared elsewhere in the template.
  Protection:
    Type: AWS::Shield::Protection
    DependsOn:
    - WebACLAssociation
    Properties:
      Name: 'MyL7Protection'
      ResourceArn: !Ref ALB
      HealthCheckArns:
        - !Sub 'arn:${AWS::Partition}:route53:::healthcheck/${HealthCheck}'
      ApplicationLayerAutomaticResponseConfiguration:
        Status: ENABLED
        Action:
          Block: { }
```

#### JSON
<a name="aws-resource-shield-protection--examples--Create_an_application_layer_protection--json"></a>

```
{
    "Resources": {
        "Protection": {
            "Type": "AWS::Shield::Protection",
            "DependsOn": [
                "WebACLAssociation"
            ],
            "Properties": {
                "Name": "MyL7Protection",
                "ResourceArn": {
                    "Ref": "ALB"
                },
                "HealthCheckArns": [
                    {
                        "Fn::Sub": "arn:${AWS::Partition}:route53:::healthcheck/${HealthCheck}"
                    }
                ],
                "ApplicationLayerAutomaticResponseConfiguration": {
                    "Status": "ENABLED",
                    "Action": {
                        "Block": {}
                    }
                }
            }
        }
    }
}
```
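
The prerequisites above (a rate-based rule in the associated web ACL, the `DependsOn` on the association, exactly one of `Block` or `Count` in `Action`) are easy to get wrong in a large template and only surface at deploy time. The following is an added example, not code from this reference or from AWS: a Python check that reads a template in its JSON form and reports each missing prerequisite. The sample template embedded in it is constructed for the example; it extends the L7 example above with a web ACL and an association, and assumes `ALB` and `HealthCheck` are template parameters.

```python
"""Offline prerequisite check for a Shield Advanced layer 7 protection in a template.

Added example, not code from the CloudFormation reference or from AWS. It encodes what the
reference requires for ApplicationLayerAutomaticResponseConfiguration: a web ACL association
for the protected resource, a rate-based rule in that web ACL, DependsOn on the association,
and exactly one of Block or Count. Intrinsics such as {"Ref": "ALB"} are compared as-is.
"""
import copy

VIS = {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": "ShieldExample"}

# Constructed sample: the reference's L7 example plus the web ACL and association it refers
# to. ALB (load balancer ARN) and HealthCheck (health check ID) are assumed to be parameters.
SAMPLE_TEMPLATE = {
    "Parameters": {"ALB": {"Type": "String"}, "HealthCheck": {"Type": "String"}},
    "Resources": {
        "WebACL": {
            "Type": "AWS::WAFv2::WebACL",
            "Properties": {
                "Scope": "REGIONAL", "DefaultAction": {"Allow": {}}, "VisibilityConfig": VIS,
                "Rules": [{"Name": "RateLimit", "Priority": 0, "Action": {"Block": {}},
                           "Statement": {"RateBasedStatement": {"Limit": 2000, "AggregateKeyType": "IP"}},
                           "VisibilityConfig": VIS}],
            },
        },
        "WebACLAssociation": {
            "Type": "AWS::WAFv2::WebACLAssociation",
            "Properties": {"ResourceArn": {"Ref": "ALB"}, "WebACLArn": {"Fn::GetAtt": ["WebACL", "Arn"]}},
        },
        "Protection": {
            "Type": "AWS::Shield::Protection",
            "DependsOn": ["WebACLAssociation"],
            "Properties": {
                "Name": "MyL7Protection",
                "ResourceArn": {"Ref": "ALB"},
                "HealthCheckArns": [{"Fn::Sub": "arn:${AWS::Partition}:route53:::healthcheck/${HealthCheck}"}],
                "ApplicationLayerAutomaticResponseConfiguration": {"Status": "ENABLED", "Action": {"Block": {}}},
            },
        },
    },
}


def resources_of_type(template, rtype):
    return {k: v for k, v in template.get("Resources", {}).items() if v.get("Type") == rtype}

def contains_key(node, key):
    """True if `key` occurs anywhere in nested dicts/lists (catches And/Or/Not-wrapped statements)."""
    if isinstance(node, dict):
        return key in node or any(contains_key(v, key) for v in node.values())
    return isinstance(node, list) and any(contains_key(v, key) for v in node)

def has_rate_based_rule(web_acl):
    rules = web_acl.get("Properties", {}).get("Rules", [])
    return any(contains_key(r.get("Statement", {}), "RateBasedStatement") for r in rules)

def logical_id(value):
    """Logical ID named by a Ref or Fn::GetAtt intrinsic; None for literals and other intrinsics."""
    att = value.get("Fn::GetAtt") if isinstance(value, dict) else None
    if isinstance(value, dict) and "Ref" in value:
        return value["Ref"]
    return att[0] if isinstance(att, list) else (att.split(".")[0] if isinstance(att, str) else None)

def check_l7_protection(template, name):
    """Findings for one AWS::Shield::Protection; an empty list means it looks deployable."""
    findings, protection = [], template["Resources"][name]
    props = protection.get("Properties", {})
    cfg = props.get("ApplicationLayerAutomaticResponseConfiguration")
    if cfg is None:
        return findings  # network layer protection; nothing to check here
    action = cfg.get("Action", {})
    if len(action) != 1 or not set(action) <= {"Block", "Count"}:
        findings.append(f"{name}: Action must hold exactly one of Block or Count, got {sorted(action)}")
    if cfg.get("Status") != "ENABLED":
        return findings
    target = props.get("ResourceArn")
    assocs = [aid for aid, a in resources_of_type(template, "AWS::WAFv2::WebACLAssociation").items()
              if a.get("Properties", {}).get("ResourceArn") == target]
    if not assocs:
        findings.append(f"{name}: no AWS::WAFv2::WebACLAssociation targets ResourceArn {target!r}")
        return findings
    depends = protection.get("DependsOn", [])
    depends = [depends] if isinstance(depends, str) else depends
    if not any(aid in depends for aid in assocs):
        findings.append(f"{name}: add DependsOn {assocs} so the web ACL is attached before mitigation is enabled")
    for aid in assocs:
        acl_id = logical_id(template["Resources"][aid].get("Properties", {}).get("WebACLArn"))
        acl = template["Resources"].get(acl_id, {})
        if acl.get("Type") != "AWS::WAFv2::WebACL":
            findings.append(f"{aid}: WebACLArn is not a web ACL in this template; confirm it has a rate-based rule")
        elif not has_rate_based_rule(acl):
            findings.append(f"{acl_id}: web ACL has no rate-based rule, which automatic mitigation requires")
    return findings
```

Run `check_l7_protection(template, "Protection")` on a template loaded with `json.load`; an empty list means every prerequisite the reference lists is present. The check compares intrinsics structurally, so an association whose `ResourceArn` is written as `!GetAtt ALB.LoadBalancerArn` while the protection uses `!Ref ALB` is reported as missing even though both resolve to the same ARN; treat that finding as a prompt to make the two declarations consistent.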

# AWS::Shield::Protection Action
<a name="aws-properties-shield-protection-action"></a>

Specifies the action setting that Shield Advanced should use in the AWS WAF rules that it creates on behalf of the protected resource in response to DDoS attacks. You specify this as part of the configuration for the automatic application layer DDoS mitigation feature, when you enable or update automatic mitigation. Shield Advanced creates the AWS WAF rules in a Shield Advanced-managed rule group, inside the web ACL that you have associated with the resource. 

## Syntax
<a name="aws-properties-shield-protection-action-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-shield-protection-action-syntax.json"></a>

```
{
  "[Block](#cfn-shield-protection-action-block)" : Json,
  "[Count](#cfn-shield-protection-action-count)" : Json
}
```

### YAML
<a name="aws-properties-shield-protection-action-syntax.yaml"></a>

```
  [Block](#cfn-shield-protection-action-block): Json
  [Count](#cfn-shield-protection-action-count): Json
```

## Properties
<a name="aws-properties-shield-protection-action-properties"></a>

`Block`  <a name="cfn-shield-protection-action-block"></a>
Specifies that Shield Advanced should configure its AWS WAF rules with the AWS WAF `Block` action.   
You must specify exactly one action, either `Block` or `Count`.  
Example JSON: `{ "Block": {} }`  
Example YAML: `Block: {}`  
*Required*: No  
*Type*: Json  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Count`  <a name="cfn-shield-protection-action-count"></a>
Specifies that Shield Advanced should configure its AWS WAF rules with the AWS WAF `Count` action.   
You must specify exactly one action, either `Block` or `Count`.  
Example JSON: `{ "Count": {} }`  
Example YAML: `Count: {}`  
*Required*: No  
*Type*: Json  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::Shield::Protection ApplicationLayerAutomaticResponseConfiguration
<a name="aws-properties-shield-protection-applicationlayerautomaticresponseconfiguration"></a>

The automatic application layer DDoS mitigation settings for a [AWS::Shield::Protection](aws-resource-shield-protection.md). This configuration determines whether Shield Advanced automatically manages rules in the web ACL in order to respond to application layer events that Shield Advanced determines to be DDoS attacks. 

If you use CloudFormation to manage the web ACLs that you use with Shield Advanced automatic mitigation, see the guidance for the `AWS::WAFv2::WebACL` resource. Shield Advanced keeps its mitigation rules in a rule group that it manages inside the web ACL, so a stack update that redeclares the web ACL's rules without accounting for that rule group can remove it, and with it the automatic mitigation. 

## Syntax
<a name="aws-properties-shield-protection-applicationlayerautomaticresponseconfiguration-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-shield-protection-applicationlayerautomaticresponseconfiguration-syntax.json"></a>

```
{
  "[Action](#cfn-shield-protection-applicationlayerautomaticresponseconfiguration-action)" : Action,
  "[Status](#cfn-shield-protection-applicationlayerautomaticresponseconfiguration-status)" : String
}
```

### YAML
<a name="aws-properties-shield-protection-applicationlayerautomaticresponseconfiguration-syntax.yaml"></a>

```
  [Action](#cfn-shield-protection-applicationlayerautomaticresponseconfiguration-action): 
    Action
  [Status](#cfn-shield-protection-applicationlayerautomaticresponseconfiguration-status): String
```

## Properties
<a name="aws-properties-shield-protection-applicationlayerautomaticresponseconfiguration-properties"></a>

`Action`  <a name="cfn-shield-protection-applicationlayerautomaticresponseconfiguration-action"></a>
Specifies the action setting that Shield Advanced should use in the AWS WAF rules that it creates on behalf of the protected resource in response to DDoS attacks. You specify this as part of the configuration for the automatic application layer DDoS mitigation feature, when you enable or update automatic mitigation. Shield Advanced creates the AWS WAF rules in a Shield Advanced-managed rule group, inside the web ACL that you have associated with the resource.   
*Required*: Yes  
*Type*: [Action](aws-properties-shield-protection-action.md)  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Status`  <a name="cfn-shield-protection-applicationlayerautomaticresponseconfiguration-status"></a>
Indicates whether automatic application layer DDoS mitigation is enabled for the protection.   
*Required*: Yes  
*Type*: String  
*Allowed values*: `ENABLED | DISABLED`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::Shield::Protection Tag
<a name="aws-properties-shield-protection-tag"></a>

A tag associated with an AWS resource. Tags are key:value pairs that you can use to categorize and manage your resources, for purposes like billing or other management. Typically, the tag key represents a category, such as "environment", and the tag value represents a specific value within that category, such as "test," "development," or "production". Or you might set the tag key to "customer" and the value to the customer name or ID. You can specify one or more tags to add to each AWS resource, up to 50 tags for a resource.

## Syntax
<a name="aws-properties-shield-protection-tag-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-shield-protection-tag-syntax.json"></a>

```
{
  "[Key](#cfn-shield-protection-tag-key)" : String,
  "[Value](#cfn-shield-protection-tag-value)" : String
}
```

### YAML
<a name="aws-properties-shield-protection-tag-syntax.yaml"></a>

```
  [Key](#cfn-shield-protection-tag-key): String
  [Value](#cfn-shield-protection-tag-value): String
```

## Properties
<a name="aws-properties-shield-protection-tag-properties"></a>

`Key`  <a name="cfn-shield-protection-tag-key"></a>
Part of the key:value pair that defines a tag. You can use a tag key to describe a category of information, such as "customer." Tag keys are case-sensitive.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-shield-protection-tag-value"></a>
Part of the key:value pair that defines a tag. You can use a tag value to describe a specific value within a category, such as "companyA" or "companyB." Tag values are case-sensitive.  
*Required*: Yes  
*Type*: String  
*Minimum*: `0`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

# AWS::Shield::ProtectionGroup
<a name="aws-resource-shield-protectiongroup"></a>

Creates a grouping of protected resources so they can be handled as a collective. This resource grouping improves the accuracy of detection and reduces false positives. 

To configure this resource through CloudFormation, you must be subscribed to AWS Shield Advanced. You can subscribe through the [Shield Advanced console](https://console.aws.amazon.com/wafv2/shieldv2#/) and through the APIs. For more information, see [Subscribe to AWS Shield Advanced](https://docs.aws.amazon.com/waf/latest/developerguide/enable-ddos-prem.html). 

## Syntax
<a name="aws-resource-shield-protectiongroup-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-resource-shield-protectiongroup-syntax.json"></a>

```
{
  "Type" : "AWS::Shield::ProtectionGroup",
  "Properties" : {
      "[Aggregation](#cfn-shield-protectiongroup-aggregation)" : String,
      "[Members](#cfn-shield-protectiongroup-members)" : [ String, ... ],
      "[Pattern](#cfn-shield-protectiongroup-pattern)" : String,
      "[ProtectionGroupId](#cfn-shield-protectiongroup-protectiongroupid)" : String,
      "[ResourceType](#cfn-shield-protectiongroup-resourcetype)" : String,
      "[Tags](#cfn-shield-protectiongroup-tags)" : [ Tag, ... ]
    }
}
```

### YAML
<a name="aws-resource-shield-protectiongroup-syntax.yaml"></a>

```
Type: AWS::Shield::ProtectionGroup
Properties:
  [Aggregation](#cfn-shield-protectiongroup-aggregation): String
  [Members](#cfn-shield-protectiongroup-members): 
    - String
  [Pattern](#cfn-shield-protectiongroup-pattern): String
  [ProtectionGroupId](#cfn-shield-protectiongroup-protectiongroupid): String
  [ResourceType](#cfn-shield-protectiongroup-resourcetype): String
  [Tags](#cfn-shield-protectiongroup-tags): 
    - Tag
```

## Properties
<a name="aws-resource-shield-protectiongroup-properties"></a>

`Aggregation`  <a name="cfn-shield-protectiongroup-aggregation"></a>
Defines how AWS Shield combines resource data for the group in order to detect, mitigate, and report events.  
+ `SUM` - Use the total traffic across the group. This is a good choice for most cases. Examples include Elastic IP addresses for EC2 instances that scale manually or automatically.
+ `MEAN` - Use the average of the traffic across the group. This is a good choice for resources that share traffic uniformly. Examples include accelerators and load balancers.
+ `MAX` - Use the highest traffic from each resource. This is useful for resources that don't share traffic and for resources that share that traffic in a non-uniform way. Examples include Amazon CloudFront distributions and origin resources for CloudFront distributions.  
*Required*: Yes  
*Type*: String  
*Allowed values*: `SUM | MEAN | MAX`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Members`  <a name="cfn-shield-protectiongroup-members"></a>
The ARNs (Amazon Resource Names) of the resources to include in the protection group. You must set this when you set `Pattern` to `ARBITRARY` and you must not set it for any other `Pattern` setting.   
*Required*: No  
*Type*: Array of String  
*Minimum*: `1`  
*Maximum*: `10000` members, each ARN up to `2048` characters  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Pattern`  <a name="cfn-shield-protectiongroup-pattern"></a>
The criteria to use to choose the protected resources for inclusion in the group. You can include all resources that have protections, provide a list of resource ARNs (Amazon Resource Names), or include all resources of a specified resource type.  
*Required*: Yes  
*Type*: String  
*Allowed values*: `ALL | ARBITRARY | BY_RESOURCE_TYPE`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`ProtectionGroupId`  <a name="cfn-shield-protectiongroup-protectiongroupid"></a>
The name of the protection group. You use this to identify the protection group in lists and to manage the protection group, for example to update, delete, or describe it.   
*Required*: Yes  
*Type*: String  
*Pattern*: `[a-zA-Z0-9\-]*`  
*Minimum*: `1`  
*Maximum*: `36`  
*Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement)

`ResourceType`  <a name="cfn-shield-protectiongroup-resourcetype"></a>
The resource type to include in the protection group. All protected resources of this type are included in the protection group. You must set this when you set `Pattern` to `BY_RESOURCE_TYPE` and you must not set it for any other `Pattern` setting.   
*Required*: No  
*Type*: String  
*Allowed values*: `CLOUDFRONT_DISTRIBUTION | ROUTE_53_HOSTED_ZONE | ELASTIC_IP_ALLOCATION | CLASSIC_LOAD_BALANCER | APPLICATION_LOAD_BALANCER | GLOBAL_ACCELERATOR`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Tags`  <a name="cfn-shield-protectiongroup-tags"></a>
Key:value pairs associated with an AWS resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as "environment") and the tag value represents a specific value within that category (such as "test," "development," or "production"). You can add up to 50 tags to each AWS resource.  
*Required*: No  
*Type*: Array of [Tag](aws-properties-shield-protectiongroup-tag.md)  
*Maximum*: `200`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
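
The `Members`, `Pattern` and `ResourceType` rules above are mutually exclusive constraints that CloudFormation only reports when the stack is created or updated. The following is an added example, not code from this reference or from AWS: a Python validator that applies the documented constraints to a `Properties` mapping, and a builder that refuses to emit a resource that violates them. The `EIP_ARN` value is a constructed sample with made-up account and allocation IDs.

```python
"""Validate AWS::Shield::ProtectionGroup properties before a stack is deployed.

Added example, not code from the CloudFormation reference or from AWS. It encodes the
constraints the property reference states: Members only with Pattern ARBITRARY,
ResourceType only with BY_RESOURCE_TYPE, a ProtectionGroupId of 1-36 characters from
[a-zA-Z0-9-], Aggregation of SUM, MEAN or MAX, and up to 10000 member ARNs of at most
2048 characters each. Member entries that are intrinsic functions (dicts) are left alone.
"""
import re

AGGREGATIONS = {"SUM", "MEAN", "MAX"}
PATTERNS = {"ALL", "ARBITRARY", "BY_RESOURCE_TYPE"}
RESOURCE_TYPES = {"CLOUDFRONT_DISTRIBUTION", "ROUTE_53_HOSTED_ZONE", "ELASTIC_IP_ALLOCATION",
                  "CLASSIC_LOAD_BALANCER", "APPLICATION_LOAD_BALANCER", "GLOBAL_ACCELERATOR"}
GROUP_ID_RE = re.compile(r"[a-zA-Z0-9\-]{1,36}")
MAX_MEMBERS, MAX_ARN_LEN = 10000, 2048

# Constructed sample ARN; the account and allocation IDs are made up.
EIP_ARN = "arn:aws:ec2:us-east-1:123456789012:eip-allocation/eipalloc-0123456789abcdef0"


def validate_protection_group(props):
    """Return the documented constraints that `props` violates; empty means it is well formed."""
    problems = []
    gid = props.get("ProtectionGroupId")
    if not isinstance(gid, str) or not GROUP_ID_RE.fullmatch(gid):
        problems.append(f"ProtectionGroupId {gid!r}: must be 1-36 characters from [a-zA-Z0-9-]")
    if props.get("Aggregation") not in AGGREGATIONS:
        problems.append(f"Aggregation {props.get('Aggregation')!r}: must be one of {sorted(AGGREGATIONS)}")
    pattern = props.get("Pattern")
    if pattern not in PATTERNS:
        problems.append(f"Pattern {pattern!r}: must be one of {sorted(PATTERNS)}")
    members, rtype = props.get("Members"), props.get("ResourceType")
    if pattern == "ARBITRARY":
        if not members:
            problems.append("Pattern ARBITRARY requires a non-empty Members list")
        else:
            if len(members) > MAX_MEMBERS:
                problems.append(f"Members has {len(members)} entries; the maximum is {MAX_MEMBERS}")
            # Intrinsic functions (dicts) resolve at deploy time, so only literal strings are measured.
            bad = [m for m in members if isinstance(m, str) and not 1 <= len(m) <= MAX_ARN_LEN]
            if bad:
                problems.append(f"{len(bad)} member ARN(s) are empty or longer than {MAX_ARN_LEN} characters")
    elif members is not None:
        problems.append(f"Members must not be set when Pattern is {pattern!r}")
    if pattern == "BY_RESOURCE_TYPE":
        if rtype not in RESOURCE_TYPES:
            problems.append(f"ResourceType {rtype!r}: BY_RESOURCE_TYPE requires one of {sorted(RESOURCE_TYPES)}")
    elif rtype is not None:
        problems.append(f"ResourceType must not be set when Pattern is {pattern!r}")
    return problems


def protection_group_resource(group_id, aggregation, pattern, members=None, resource_type=None):
    """Build the CloudFormation resource dict, refusing to emit one that would fail at deploy time."""
    props = {"ProtectionGroupId": group_id, "Aggregation": aggregation, "Pattern": pattern}
    if members is not None:
        props["Members"] = list(members)
    if resource_type is not None:
        props["ResourceType"] = resource_type
    problems = validate_protection_group(props)
    if problems:
        raise ValueError("; ".join(problems))
    return {"Type": "AWS::Shield::ProtectionGroup", "Properties": props}


if __name__ == "__main__":
    import json
    print(json.dumps({"Resources": {"EdgeEIPs": protection_group_resource(
        "edge-eips", "SUM", "ARBITRARY", members=[EIP_ARN])}}, indent=2))
```

The validator returns every violation at once rather than stopping at the first, so a template author can fix a group in one pass. It deliberately does not check the `Tags` list: the tag length limits are covered by the `Tag` type below, and the reference gives two different tag-count limits (50 per resource in the description, 200 in the schema), so that check is better left to CloudFormation itself.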

## Return values
<a name="aws-resource-shield-protectiongroup-return-values"></a>

### Ref
<a name="aws-resource-shield-protectiongroup-return-values-ref"></a>

When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the ARN (Amazon Resource Name) of the protection group. 

For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html).

### Fn::GetAtt
<a name="aws-resource-shield-protectiongroup-return-values-fn--getatt"></a>

The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html).

<a name="aws-resource-shield-protectiongroup-return-values-fn--getatt-fn--getatt"></a>

`ProtectionGroupArn`  <a name="ProtectionGroupArn-fn::getatt"></a>
The ARN (Amazon Resource Name) of the new protection group.

## Examples
<a name="aws-resource-shield-protectiongroup--examples"></a>



**Topics**
+ [Create a protection group for all protected resources](#aws-resource-shield-protectiongroup--examples--Create_a_protection_group_for_all_protected_resources)
+ [Create a protection group for protected Elastic IP address resources](#aws-resource-shield-protectiongroup--examples--Create_a_protection_group_for_protected_Elastic_IP_address_resources)

### Create a protection group for all protected resources
<a name="aws-resource-shield-protectiongroup--examples--Create_a_protection_group_for_all_protected_resources"></a>

The following shows an example protection group configuration for all protected resources. 

#### YAML
<a name="aws-resource-shield-protectiongroup--examples--Create_a_protection_group_for_all_protected_resources--yaml"></a>

```
Resources:
  ProtectionGroup:
    Type: AWS::Shield::ProtectionGroup
    Properties:
      ProtectionGroupId: 'ProtectionGroupForAllResources'
      Aggregation: SUM
      Pattern: ALL
```

#### JSON
<a name="aws-resource-shield-protectiongroup--examples--Create_a_protection_group_for_all_protected_resources--json"></a>

```
{
    "Resources": {
        "ProtectionGroup": {
            "Type": "AWS::Shield::ProtectionGroup",
            "Properties": {
                "ProtectionGroupId": "ProtectionGroupForAllResources",
                "Aggregation": "SUM",
                "Pattern": "ALL"
            }
        }
    }
}
```

### Create a protection group for protected Elastic IP address resources
<a name="aws-resource-shield-protectiongroup--examples--Create_a_protection_group_for_protected_Elastic_IP_address_resources"></a>

The following shows an example protection group configuration for all Elastic IP address resources that have AWS Shield Advanced protection. 

#### YAML
<a name="aws-resource-shield-protectiongroup--examples--Create_a_protection_group_for_protected_Elastic_IP_address_resources--yaml"></a>

```
Resources:
  ProtectionGroup:
    Type: AWS::Shield::ProtectionGroup
    Properties:
      ProtectionGroupId: 'ProtectionGroupForAllEIPResources'
      Aggregation: SUM
      Pattern: BY_RESOURCE_TYPE
      ResourceType: ELASTIC_IP_ALLOCATION
```

#### JSON
<a name="aws-resource-shield-protectiongroup--examples--Create_a_protection_group_for_protected_Elastic_IP_address_resources--json"></a>

```
{
    "Resources": {
        "ProtectionGroup": {
            "Type": "AWS::Shield::ProtectionGroup",
            "Properties": {
                "ProtectionGroupId": "ProtectionGroupForAllEIPResources",
                "Aggregation": "SUM",
                "Pattern": "BY_RESOURCE_TYPE",
                "ResourceType": "ELASTIC_IP_ALLOCATION"
            }
        }
    }
}
```

# AWS::Shield::ProtectionGroup Tag
<a name="aws-properties-shield-protectiongroup-tag"></a>

A tag associated with an AWS resource. Tags are key:value pairs that you can use to categorize and manage your resources, for purposes like billing or other management. Typically, the tag key represents a category, such as "environment", and the tag value represents a specific value within that category, such as "test," "development," or "production". Or you might set the tag key to "customer" and the value to the customer name or ID. You can specify one or more tags to add to each AWS resource, up to 50 tags for a resource.

## Syntax
<a name="aws-properties-shield-protectiongroup-tag-syntax"></a>

To declare this entity in your CloudFormation template, use the following syntax:

### JSON
<a name="aws-properties-shield-protectiongroup-tag-syntax.json"></a>

```
{
  "[Key](#cfn-shield-protectiongroup-tag-key)" : String,
  "[Value](#cfn-shield-protectiongroup-tag-value)" : String
}
```

### YAML
<a name="aws-properties-shield-protectiongroup-tag-syntax.yaml"></a>

```
  [Key](#cfn-shield-protectiongroup-tag-key): String
  [Value](#cfn-shield-protectiongroup-tag-value): String
```

## Properties
<a name="aws-properties-shield-protectiongroup-tag-properties"></a>

`Key`  <a name="cfn-shield-protectiongroup-tag-key"></a>
Part of the key:value pair that defines a tag. You can use a tag key to describe a category of information, such as "customer." Tag keys are case-sensitive.  
*Required*: Yes  
*Type*: String  
*Minimum*: `1`  
*Maximum*: `128`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)

`Value`  <a name="cfn-shield-protectiongroup-tag-value"></a>
Part of the key:value pair that defines a tag. You can use a tag value to describe a specific value within a category, such as "companyA" or "companyB." Tag values are case-sensitive.  
*Required*: Yes  
*Type*: String  
*Minimum*: `0`  
*Maximum*: `256`  
*Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)