
AWS Shield for DDoS protection - Commands & Configuration

Introduction
DDoS attacks try to overwhelm your website or app with more traffic than it can absorb, making it slow or unreachable. AWS Shield comes in two tiers: Shield Standard is always on for every AWS account at no extra cost and absorbs the common network- and transport-layer floods (for example SYN and UDP reflection floods) at the edge; Shield Advanced is a paid subscription that adds larger-scale mitigation, attack visibility, cost protection and access to the AWS Shield Response Team, and it must be enabled per resource. The commands on this page manage that per-resource Shield Advanced protection. Typical situations where you want it:
When you run a website that must stay online even while it is being flooded with fake visitors.
When you host an online game whose servers must keep responding during traffic floods.
When you operate an API that clients rely on and that cannot afford downtime from attacks.
When you manage a web application behind an Application Load Balancer and want mitigation applied to that load balancer.
When you want defense at the network layer that does not require you to write and tune firewall rules yourself (Shield Advanced can still be paired with AWS WAF rules for application-layer floods).
Commands
This command enables Shield Advanced protection on your load balancer by specifying its ARN. It requires an active Shield Advanced subscription in the account (created once with 'aws shield create-subscription'); without one the API rejects the call. Shield Standard already applies to the load balancer before and after this command. Supported resource types are CloudFront distributions, Route 53 hosted zones, Global Accelerator accelerators, Elastic IP addresses, Application Load Balancers and Classic Load Balancers; an EC2 instance or Network Load Balancer is protected by protecting the Elastic IP attached to it.
Terminal
aws shield create-protection --name my-web-app-protection --resource-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-load-balancer/50dc6c495c0c9188
Expected Output
{ "ProtectionId": "1234abcd-12ab-34cd-56ef-1234567890ab" }
Only the ID comes back from create-protection; the protection ARN (arn:aws:shield::123456789012:protection/1234abcd-12ab-34cd-56ef-1234567890ab) appears in describe-protection and list-protections output.
--name - Sets a friendly name for the protection to identify it later
--resource-arn - Specifies the exact AWS resource to protect
This command lists every resource in the account that has Shield Advanced protection, so you can verify what is covered and look up a protection ID by resource ARN. Resources that are not listed still receive Shield Standard.
Terminal
aws shield list-protections
Expected Output
{ "Protections": [ { "Id": "1234abcd-12ab-34cd-56ef-1234567890ab", "Name": "my-web-app-protection", "ResourceArn": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-load-balancer/50dc6c495c0c9188" } ] }
This command removes Shield Advanced protection from the resource that the protection ID refers to. The resource keeps Shield Standard, and the Shield Advanced subscription itself is unaffected; the ID is the one returned by create-protection or shown by list-protections.
Terminal
aws shield delete-protection --protection-id 1234abcd-12ab-34cd-56ef-1234567890ab
Expected Output
No output (the command prints nothing on success; a non-zero exit code and an error message indicate failure)
--protection-id - Specifies which protection to delete by its unique ID
Key Concept

If you remember nothing else from this pattern, remember: Shield Standard is on for every AWS resource automatically, while Shield Advanced is a subscription that you enable per resource by passing the resource's exact ARN to create-protection.

Common Mistakes
Trying to protect a resource without specifying the correct ARN.
AWS Shield needs the exact ARN of a supported resource type to know what to protect; a wrong, misspelled or unsupported ARN makes the command fail.
Copy the ARN from the AWS console or from the CLI (for example 'aws elbv2 describe-load-balancers --query "LoadBalancers[].LoadBalancerArn"') and use it unchanged in the create-protection command.
Assuming Shield Advanced protection is enabled by default on all resources.
Shield Standard protects every AWS resource automatically, but Shield Advanced must first be subscribed to for the account and then enabled on each resource individually; create-protection fails in an account with no subscription.
Subscribe once with 'aws shield create-subscription' (check with 'aws shield describe-subscription'), then run create-protection for every resource that needs Shield Advanced.
Deleting protection without confirming the protection ID.
Deleting the wrong protection removes Shield Advanced from a resource you still rely on, and nothing warns you because delete-protection prints no output.
Use list-protections, or 'aws shield describe-protection --protection-id <ID>', to confirm which resource ARN the ID covers before deleting.
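The following script is an added example, not code from the page or from AWS: it wraps the three commands above so that enabling protection is idempotent (it looks the ARN up in list-protections before calling create-protection) and deleting is checked first (it refuses to delete an ID that protects a different ARN). It assumes an existing Shield Advanced subscription and a configured AWS CLI; the '--query' and '--output text' flags are real CLI options. The 'fake_aws' function and its state file are a constructed stub that answers the same queries offline, so the script can be run without an AWS account by setting AWS_CLI=fake_aws; the stub's 'stub-N' IDs are invented.

```shell
#!/usr/bin/env bash
# Added example: idempotent Shield Advanced enablement and checked deletion.
# Assumptions: Shield Advanced subscription exists, AWS CLI is configured.
# AWS_CLI may point at the offline stub below (AWS_CLI=fake_aws).
set -euo pipefail

AWS_CLI="${AWS_CLI:-aws}"

# Print the ID of the protection covering RESOURCE_ARN, or nothing if none.
# With --output text the CLI prints "None" when the JMESPath result is null.
find_protection_id() {
  local arn="$1" id
  id="$("$AWS_CLI" shield list-protections \
        --query "Protections[?ResourceArn=='${arn}'].Id | [0]" --output text)"
  [ "$id" != "None" ] && printf '%s\n' "$id"
  return 0
}

# Enable Shield Advanced on RESOURCE_ARN unless it is already protected.
# Prints the protection ID either way, so re-running is safe.
ensure_protection() {
  local name="$1" arn="$2" id
  id="$(find_protection_id "$arn")"
  if [ -z "$id" ]; then
    id="$("$AWS_CLI" shield create-protection --name "$name" \
          --resource-arn "$arn" --query ProtectionId --output text)"
  fi
  printf '%s\n' "$id"
}

# Delete PROTECTION_ID only if it really covers EXPECTED_ARN; otherwise
# delete nothing and return 1. Guards against removing the wrong protection.
delete_protection_checked() {
  local id="$1" expected_arn="$2" actual_arn
  actual_arn="$("$AWS_CLI" shield describe-protection --protection-id "$id" \
                --query Protection.ResourceArn --output text)"
  if [ "$actual_arn" != "$expected_arn" ]; then
    echo "refusing to delete $id: it protects $actual_arn, not $expected_arn" >&2
    return 1
  fi
  "$AWS_CLI" shield delete-protection --protection-id "$id"
}

# --- Offline stub (constructed; not the real AWS CLI) -----------------------
# Keeps one "<id> <arn>" line per protection in a temp file and answers the
# exact queries the functions above send, in the text form the CLI would use.
STATE="${SHIELD_STUB_STATE:-$(mktemp)}"
fake_aws() {
  local sub="$2"; shift 2
  local arn="" id="" query=""
  while [ $# -gt 0 ]; do
    case "$1" in
      --resource-arn) arn="$2"; shift ;;
      --protection-id) id="$2"; shift ;;
      --query) query="$2"; shift ;;
      --name|--output) shift ;;
    esac
    shift
  done
  case "$sub" in
    list-protections)
      # pull the ARN out of "Protections[?ResourceArn=='<arn>'].Id | [0]"
      arn="$(printf '%s' "$query" | sed -n "s/.*ResourceArn=='\([^']*\)'.*/\1/p")"
      awk -v a="$arn" '$2==a {print $1; f=1} END {if (!f) print "None"}' "$STATE" ;;
    create-protection)
      id="stub-$(( $(wc -l < "$STATE") + 1 ))"   # invented ID format
      printf '%s %s\n' "$id" "$arn" >> "$STATE"
      printf '%s\n' "$id" ;;
    describe-protection)
      awk -v i="$id" '$1==i {print $2; f=1} END {if (!f) print "None"}' "$STATE" ;;
    delete-protection)
      grep -v "^$id " "$STATE" > "$STATE.tmp" || true
      mv "$STATE.tmp" "$STATE" ;;
    *) echo "stub: unsupported subcommand $sub" >&2; return 1 ;;
  esac
}
```

Against a real account drop the stub and run 'ensure_protection my-web-app-protection "$ARN"' with AWS_CLI left at its default; the protection ID it prints is the one you later pass to delete_protection_checked together with the same ARN.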
Summary
Use 'aws shield create-protection' with the resource ARN to enable Shield Advanced protection on that resource (the account needs a Shield Advanced subscription first; Shield Standard is already on).
Verify active protections with 'aws shield list-protections' to see which resources are covered and to look up a protection ID by ARN.
Remove Shield Advanced protection when no longer needed using 'aws shield delete-protection' with the protection ID, after confirming the ID refers to the resource you intend.