AWS::Shield::DRTAccess - AWS CloudFormation

AWS::Shield::DRTAccess

Provides permissions for the AWS Shield Advanced Shield response team (SRT) to access your account and your resource protections, to help you mitigate potential distributed denial of service (DDoS) attacks.

Configure AWS::Shield::DRTAccess for one account

To configure this resource through AWS CloudFormation, you must be subscribed to AWS Shield Advanced. You can subscribe through the Shield Advanced console and through the APIs. For more information, see Subscribe to AWS Shield Advanced.

See example templates for Shield Advanced in AWS CloudFormation at aws-samples/aws-shield-advanced-examples.

Configure Shield Advanced using AWS CloudFormation and AWS Firewall Manager

You might be able to use Firewall Manager with AWS CloudFormation to configure Shield Advanced across multiple accounts and protected resources. To do this, your accounts must be part of an organization in AWS Organizations. You can use Firewall Manager to configure Shield Advanced protections for any resource types except for Amazon RouteĀ 53 or AWS Global Accelerator.

For an example of this, see the one-click configuration guidance published by the AWS technical community at One-click deployment of Shield Advanced.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{ "Type" : "AWS::Shield::DRTAccess", "Properties" : { "LogBucketList" : [ String, ... ], "RoleArn" : String } }

YAML

Type: AWS::Shield::DRTAccess Properties: LogBucketList: - String RoleArn: String

Properties

LogBucketList

Authorizes the Shield Response Team (SRT) to access the specified Amazon S3 bucket containing log data such as Application Load Balancer access logs, CloudFront logs, or logs from third party sources. You can associate up to 10 Amazon S3 buckets with your subscription.

Use this to share information with the SRT that's not available in AWS WAF logs.

To use the services of the SRT, you must be subscribed to the Business Support plan or the Enterprise Support plan.

Required: No

Type: Array of String

Minimum: 3 | 0

Maximum: 63 | 10

Update requires: No interruption

RoleArn

Authorizes the Shield Response Team (SRT) using the specified role, to access your AWS account to assist with DDoS attack mitigation during potential attacks. This enables the SRT to inspect your AWS WAF configuration and logs and to create or update AWS WAF rules and web ACLs.

You can associate only one RoleArn with your subscription. If you submit this update for an account that already has an associated role, the new RoleArn will replace the existing RoleArn.

This change requires the following:

The SRT will have access only to your AWS WAF and Shield resources. By submitting this request, you provide permissions to the SRT to inspect your AWS WAF and Shield configuration and logs, and to create and update AWS WAF rules and web ACLs on your behalf. The SRT takes these actions only if explicitly authorized by you.

Required: Yes

Type: String

Maximum: 2048

Update requires: No interruption

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ID of the account that submitted the template.

For more information about using the Ref function, see Ref.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

AccountId

The ID of the account that submitted the template.

Examples

Configure access for the Shield response team

The following shows an example configuration to provide access to the Shield response team (SRT).

YAML

Resources: DRTAccess: Type: AWS::Shield::DRTAccess Properties: RoleArn: !GetAtt DRTAccessRole.Arn # support resources DRTAccessRole: Type: AWS::IAM::Role Properties: ManagedPolicyArns: - 'arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy' AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: Service: - 'drt.shield.amazonaws.com' Action: - 'sts:AssumeRole'

JSON

{ "Resources": { "DRTAccess": { "Type": "AWS::Shield::DRTAccess", "Properties": { "RoleArn": { "Fn::GetAtt": [ "DRTAccessRole", "Arn" ] } } }, "DRTAccessRole": { "Type": "AWS::IAM::Role", "Properties": { "ManagedPolicyArns": [ "arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy" ], "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "drt.shield.amazonaws.com" ] }, "Action": [ "sts:AssumeRole" ] } ] } } } } }

Configure access for the Shield response team with additional data access

The following shows an example configuration to provide access to the Shield response team (SRT), including granting access to additional data that's outside of the web ACL logs. The SRT is automatically granted access to the web ACL logs based on the provided RoleArn.

YAML

Resources: DRTAccess: Type: AWS::Shield::DRTAccess Properties: LogBucketList: - !Ref DRTLogBucket1 - !Ref DRTLogBucket2 RoleArn: !GetAtt DRTAccessRole.Arn # support resources DRTLogBucket1: Type: AWS::S3::Bucket Properties: AccessControl: BucketOwnerFullControl DRTLogBucket2: Type: AWS::S3::Bucket Properties: AccessControl: BucketOwnerFullControl DRTAccessRole: Type: AWS::IAM::Role Properties: ManagedPolicyArns: - 'arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy' AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: Service: - 'drt.shield.amazonaws.com' Action: - 'sts:AssumeRole'

JSON

{ "Resources": { "DRTAccess": { "Type": "AWS::Shield::DRTAccess", "Properties": { "LogBucketList": [ { "Ref": "DRTLogBucket1" }, { "Ref": "DRTLogBucket2" } ], "RoleArn": { "Fn::GetAtt": [ "DRTAccessRole", "Arn" ] } } }, "DRTLogBucket1": { "Type": "AWS::S3::Bucket", "Properties": { "AccessControl": "BucketOwnerFullControl" } }, "DRTLogBucket2": { "Type": "AWS::S3::Bucket", "Properties": { "AccessControl": "BucketOwnerFullControl" } }, "DRTAccessRole": { "Type": "AWS::IAM::Role", "Properties": { "ManagedPolicyArns": [ "arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy" ], "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "drt.shield.amazonaws.com" ] }, "Action": [ "sts:AssumeRole" ] } ] } } } } }