
AWS Shield Advanced

AWS Shield Advanced provides enhanced DDoS protection for your AWS resources, including ALBs, CloudFront distributions, Route53 hosted zones, and Elastic IPs, with access to the AWS DDoS Response Team (DRT).

Overview

AWS Shield has two tiers:

| Feature | Shield Standard | Shield Advanced |
|---|---|---|
| Cost | Free (included with AWS) | $3,000/month per organization |
| Protection | Layer 3/4 (network/transport) | Layer 3/4/7 (includes application layer) |
| DRT Access | No | Yes (24/7 DDoS Response Team) |
| Cost Protection | No | Yes (credits for DDoS-related scaling) |
| Advanced Metrics | No | Yes (CloudWatch metrics) |
| WAF Integration | Basic | Advanced (custom rules during attacks) |

Protected Resources

Shield Advanced protects:

| Resource Type | Stack Level | Description |
|---|---|---|
| Route53 Hosted Zones | Global | DNS infrastructure protection |
| CloudFront Distributions | Global | CDN and web application protection |
| Application Load Balancers | Regional | Application endpoint protection |
| Elastic IPs | Regional | NAT Gateway and EC2 protection |

Architecture

Deployment

Shield Advanced uses a per-resource deployment model (no delegated administrator pattern).

Prerequisites

Subscription Required:

Shield Advanced subscription must be activated before deploying this component.

```shell
# Subscribe via AWS CLI
aws shield create-subscription

# Or subscribe via AWS Console:
# AWS Shield → Getting started → Subscribe to Shield Advanced
```

Global Resources Configuration

```yaml
# plat-gbl-prod
components:
  terraform:
    aws-shield:
      metadata:
        component: aws-shield
      vars:
        enabled: true
        # Route53 hosted zones
        route53_zone_names:
          - example.com
          - api.example.com
        # CloudFront distributions
        cloudfront_distribution_ids:
          - E1ABCDEFG12345
          - E2BCDEFGH23456
```

```shell
atmos terraform apply aws-shield -s plat-gbl-prod
```

Regional Resources Configuration

```yaml
# plat-ue1-prod
components:
  terraform:
    aws-shield:
      metadata:
        component: aws-shield
      vars:
        enabled: true
        region: us-east-1
        # Application Load Balancers
        alb_protection_enabled: true
        alb_names:
          - k8s-common-2c5f23ff99
          - api-gateway-alb
        # Elastic IPs (NAT Gateways, EC2 instances)
        eips:
          - 3.214.128.240 # NAT Gateway AZ-a
          - 35.172.208.150 # NAT Gateway AZ-b
```

```shell
atmos terraform apply aws-shield -s plat-ue1-prod
```

Complete Example (All Resources)

```yaml
components:
  terraform:
    aws-shield:
      metadata:
        component: aws-shield
      vars:
        enabled: true
        # Global resources
        route53_zone_names:
          - example.com
          - api.example.com
        cloudfront_distribution_ids:
          - E1ABCDEFG12345
        # Regional resources
        alb_protection_enabled: true
        alb_names:
          - k8s-common-2c5f23ff99
        eips:
          - 3.214.128.240
          - 35.172.208.150
```

Auto-Discovery from EKS

When alb_protection_enabled: true and alb_names is empty, the component auto-discovers ALBs from the EKS ALB controller:

```yaml
components:
  terraform:
    aws-shield:
      vars:
        enabled: true
        alb_protection_enabled: true
        # alb_names is empty - auto-discovers from EKS ALB controller
```

Key Variables

| Variable | Description | Default |
|---|---|---|
| route53_zone_names | List of Route53 hosted zone names to protect | [] |
| cloudfront_distribution_ids | List of CloudFront distribution IDs to protect | [] |
| alb_protection_enabled | Enable ALB protection | false |
| alb_names | List of ALB names to protect | [] |
| eips | List of Elastic IPs to protect | [] |

Finding Resources

Use these AWS CLI commands to find resource identifiers:

```shell
# List ALB names
aws elbv2 describe-load-balancers --query 'LoadBalancers[*].LoadBalancerName' --output table

# List Elastic IPs
aws ec2 describe-addresses --query 'Addresses[*].[PublicIp,AllocationId]' --output table

# List Route53 hosted zones
aws route53 list-hosted-zones --query 'HostedZones[*].[Name,Id]' --output table

# List CloudFront distributions
aws cloudfront list-distributions --query 'DistributionList.Items[*].[Id,DomainName]' --output table
```

Verifying Protection

```shell
# List all protected resources
aws shield list-protections --query 'Protections[*].[Name,ResourceArn]' --output table

# Check subscription status
aws shield describe-subscription
```
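Listing protections only tells you what is protected, not whether everything declared in the component vars is covered. The following added Python script (not part of the Cloud Posse component) reconciles the "Complete Example" vars against `aws shield list-protections` output; the JSON, zone-ID and allocation-ID lookups are constructed samples shaped like the output of the CLI commands above, and the account ID, hosted zone IDs and `eipalloc-` IDs are placeholders.

```python
import json
import re

# Constructed sample of `aws shield list-protections` output (account ID, zone IDs
# and allocation IDs are placeholders, not real identifiers).
PROTECTIONS = json.loads("""{"Protections": [
  {"Name": "alb-k8s-common", "ResourceArn": "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/k8s-common-2c5f23ff99/0123456789abcdef"},
  {"Name": "cf-main", "ResourceArn": "arn:aws:cloudfront::111122223333:distribution/E1ABCDEFG12345"},
  {"Name": "zone-example", "ResourceArn": "arn:aws:route53:::hostedzone/Z0000000EXAMPLE"},
  {"Name": "eip-nat-a", "ResourceArn": "arn:aws:ec2:us-east-1:111122223333:eip-allocation/eipalloc-0a1b2c3d"}
]}""")
# Constructed lookups shaped like `aws route53 list-hosted-zones` (Name carries a
# trailing dot, Id is "/hostedzone/<id>") and `aws ec2 describe-addresses`.
ZONE_IDS = {"example.com.": "/hostedzone/Z0000000EXAMPLE", "api.example.com.": "/hostedzone/Z1111111EXAMPLE"}
EIP_ALLOCS = {"3.214.128.240": "eipalloc-0a1b2c3d", "35.172.208.150": "eipalloc-9e8f7a6b"}
# The component vars from the "Complete Example" above.
DESIRED = {"route53_zone_names": ["example.com", "api.example.com"],
           "cloudfront_distribution_ids": ["E1ABCDEFG12345"],
           "alb_names": ["k8s-common-2c5f23ff99"],
           "eips": ["3.214.128.240", "35.172.208.150"]}

# One regex per resource type, capturing the identifier embedded in the protection ARN.
ARN_PATTERNS = {
    "alb": re.compile(r":loadbalancer/app/([^/]+)/"),
    "cloudfront": re.compile(r":distribution/([A-Z0-9]+)$"),
    "route53": re.compile(r":hostedzone/([A-Z0-9]+)$"),
    "eip": re.compile(r":eip-allocation/(eipalloc-[0-9a-f]+)$"),
}

def protected_ids(protections):
    """Return the set of (type, identifier) pairs that currently have a Shield protection."""
    found = set()
    for p in protections["Protections"]:
        for kind, pat in ARN_PATTERNS.items():
            if m := pat.search(p["ResourceArn"]):
                found.add((kind, m.group(1)))
                break
    return found

def missing_protections(desired, protections, zone_ids, eip_allocs):
    """List desired resources (type, value as written in vars) that have no protection."""
    found = protected_ids(protections)
    # How each vars entry is translated to the identifier that appears in the ARN:
    # zone names need the hosted zone ID, public IPs need the allocation ID.
    to_id = {
        "route53_zone_names": ("route53", lambda z: zone_ids.get(z.rstrip(".") + ".", "").rsplit("/", 1)[-1]),
        "cloudfront_distribution_ids": ("cloudfront", lambda d: d),
        "alb_names": ("alb", lambda n: n),
        "eips": ("eip", eip_allocs.get),
    }
    return [(kind, v) for key, (kind, ident) in to_id.items()
            for v in desired.get(key, []) if (kind, ident(v)) not in found]
```

With the sample data, `missing_protections(DESIRED, PROTECTIONS, ZONE_IDS, EIP_ALLOCS)` reports the `api.example.com` zone and the `35.172.208.150` EIP as unprotected, which is the gap a `terraform plan` that never got applied would leave behind.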
