AWS, cloud, ~30 mins

AWS Shield for DDoS protection - Mini Project: Build & Apply

AWS Shield for DDoS Protection
📖 Scenario: You are managing a web application hosted on AWS. To protect your application from Distributed Denial of Service (DDoS) attacks, you want to enable AWS Shield Advanced for enhanced security.
🎯 Goal: Set up AWS Shield Advanced protection for your AWS resource by creating a protection resource and associating it with your web application's Elastic Load Balancer (ELB).
📋 What You'll Learn
Create a protection resource in AWS Shield named MyWebAppProtection
Associate the protection with an existing Elastic Load Balancer named MyWebAppELB
Use AWS CloudFormation syntax for the configuration
Follow AWS best practices for resource naming and configuration
💡 Why This Matters
🌍 Real World
Protecting web applications and APIs from DDoS attacks is critical to maintain availability and performance. AWS Shield Advanced provides enhanced detection and mitigation.
💼 Career
Cloud engineers and security specialists often configure AWS Shield to safeguard infrastructure and ensure business continuity.
1. Create the AWS Shield Protection Resource
Create a CloudFormation resource of type AWS::Shield::Protection with the name MyWebAppProtection. Set the Name property to MyWebAppProtection. Do not add any other properties yet.
Hint: Use the Resources section to define the Shield protection resource with the exact name MyWebAppProtection.

2. Add the Resource ARN for the Elastic Load Balancer
Add the ResourceArn property to the MyWebAppProtection resource. Set its value to the ARN of the Elastic Load Balancer named MyWebAppELB using the CloudFormation intrinsic function !Sub with the pattern arn:aws:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:loadbalancer/app/MyWebAppELB/1234567890abcdef.
Hint: Use !Sub to build the ARN dynamically with region and account ID.

3. Add the Protection Group for Better Management
Create a new resource of type AWS::Shield::ProtectionGroup named MyWebAppProtectionGroup. Set the Aggregation property to SUM, the Pattern property to ARBITRARY, and the ProtectionGroupId to MyWebAppGroup. Then, update the MyWebAppProtection resource to include the ProtectionGroupId property set to MyWebAppGroup.
Hint: Define the protection group first, then link it in the protection resource.

4. Enable Automatic Response with Shield Advanced
Add the HealthCheckArns property to the MyWebAppProtection resource. Set it to a list containing the ARN of a health check with the value arn:aws:route53:::healthcheck/abcdef12-3456-7890-abcd-ef1234567890. This enables AWS Shield to monitor your resource health automatically.
Hint: Use a list for HealthCheckArns even if it contains only one ARN.
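
The four steps assembled into one template, as an added example that is not part of the original exercise. It assumes the account is already subscribed to Shield Advanced and that the load balancer and health check ARNs (the page's sample values) exist. In the CloudFormation resource types, membership of an ARBITRARY group is declared on the group through its Members list, so the link from step 3 appears there.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Shield Advanced protection for MyWebAppELB (added example)

Resources:
  # Steps 1, 2 and 4: the protection on the load balancer.
  MyWebAppProtection:
    Type: AWS::Shield::Protection
    Properties:
      Name: MyWebAppProtection
      # ARN pattern from step 2; the trailing ID is the page's sample value.
      ResourceArn: !Sub arn:aws:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:loadbalancer/app/MyWebAppELB/1234567890abcdef
      # Always a list, even with a single health check (sample ARN from step 4).
      HealthCheckArns:
        - arn:aws:route53:::healthcheck/abcdef12-3456-7890-abcd-ef1234567890

  # Step 3: the protection group.
  MyWebAppProtectionGroup:
    Type: AWS::Shield::ProtectionGroup
    # Assumption: create the protection first so the member is already
    # a Shield-protected resource when the group is created.
    DependsOn: MyWebAppProtection
    Properties:
      ProtectionGroupId: MyWebAppGroup
      # SUM treats the combined traffic of all members as one detection signal.
      Aggregation: SUM
      # ARBITRARY means the group contains exactly the ARNs listed in Members.
      Pattern: ARBITRARY
      Members:
        - !Sub arn:aws:elasticloadbalancing:${AWS::Region}:${AWS::AccountId}:loadbalancer/app/MyWebAppELB/1234567890abcdef
```

Running `aws cloudformation validate-template --template-body file://shield.yaml` (the file name is a placeholder) checks the syntax before a stack is created.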