Using AWS CloudFormation with automatic application layer DDoS mitigation - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

This page explains how to use AWS CloudFormation to manage your protections and AWS WAF web ACLs.

Enabling or disabling automatic application layer DDoS mitigation

You can enable and disable automatic application layer DDoS mitigation through AWS CloudFormation, using the AWS::Shield::Protection resource. The effect is the same as when you enable or disable the feature through the console or any other interface. For information about the AWS CloudFormation resource, see AWS::Shield::Protection in the AWS CloudFormation user guide.

Managing web ACLs used with automatic mitigation

Shield Advanced manages automatic mitigation for your protected resource using a rule group rule in the protected resource's AWS WAF web ACL. Through the AWS WAF console and APIs, you'll see the rule listed in your web ACL rules, with a name that starts with ShieldMitigationRuleGroup. This rule is dedicated to your automatic application layer DDoS mitigation and it's managed for you by Shield Advanced and AWS WAF. For more information, see Protecting the application layer with the Shield Advanced rule group and How Shield Advanced manages automatic mitigation.

If you use AWS CloudFormation to manage your web ACLs, don't add the Shield Advanced rule group rule to your web ACL template. When you update a web ACL that's being used with your automatic mitigation protections, AWS WAF automatically manages the rule group rule in the web ACL.

You'll see the following differences compared to other web ACLs that you manage through AWS CloudFormation:

  • AWS CloudFormation won't report any drift in the stack drift status between the actual configuration of the web ACL, which contains the Shield Advanced rule group rule, and your web ACL template, which doesn't. The Shield Advanced rule won't appear in the actual listing for the resource in the drift details.

    You will be able to see the Shield Advanced rule group rule in web ACL listings that you retrieve from AWS WAF, such as through the AWS WAF console or AWS WAF APIs.

  • If you modify the web ACL template in a stack, AWS WAF and Shield Advanced automatically maintain the Shield Advanced automatic mitigation rule in the updated web ACL. The automatic mitigation protections provided by Shield Advanced are not interrupted by your update to the web ACL.

Don't manage the Shield Advanced rule in your AWS CloudFormation web ACL template. The web ACL template shouldn't list the Shield Advanced rule. Follow the best practices for web ACL management at Best practices for using automatic application layer DDoS mitigation.
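The following template is an added example, not part of this page or of any AWS sample, that ties together the two points above: it enables automatic application layer DDoS mitigation through AWS::Shield::Protection, and it defines the web ACL without the Shield Advanced rule group rule. The resource names (WebACL, WebACLAssociation, ShieldProtection, example-web-acl, example-protection) and the ProtectedResourceArn parameter are assumed placeholders; the account is assumed to already have a Shield Advanced subscription.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Web ACL plus Shield Advanced protection with automatic application layer
  DDoS mitigation. The Shield-managed rule is deliberately absent from Rules.

Parameters:
  ProtectedResourceArn:
    Type: String
    Description: >-
      Placeholder for the ARN of the regional resource to protect (for example
      an Application Load Balancer). Assumed value supplied at deploy time.

Resources:
  # Web ACL managed by this stack. Do NOT list the ShieldMitigationRuleGroup
  # rule here; Shield Advanced and AWS WAF insert and maintain it themselves,
  # and CloudFormation does not report it as drift.
  WebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: example-web-acl
      Scope: REGIONAL
      DefaultAction:
        Allow: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: ExampleWebACL
      Rules: []   # your own rules go here; the Shield rule is added for you

  # Automatic mitigation requires a web ACL on the resource, so the
  # association must exist before the protection is configured.
  WebACLAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref ProtectedResourceArn
      WebACLArn: !GetAtt WebACL.Arn

  # Enable automatic application layer DDoS mitigation. Changing Status to
  # DISABLED, or Action to Count: {}, and updating the stack has the same
  # effect as making that change in the console.
  ShieldProtection:
    Type: AWS::Shield::Protection
    DependsOn: WebACLAssociation
    Properties:
      Name: example-protection
      ResourceArn: !Ref ProtectedResourceArn
      ApplicationLayerAutomaticResponseConfiguration:
        Status: ENABLED
        Action:
          Block: {}
```

After deployment, the ShieldMitigationRuleGroup rule shows up when you list the web ACL's rules through the AWS WAF console or API, even though it is not in the template, and a stack drift detection run stays clean.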