Severity : High
Description:
This control identifies whether the AWS Shield feature is enabled on the account and its member accounts. AWS Shield Standard defends against the most common, frequently occurring network and transport layer DDoS attacks that target your website or applications. AWS Shield Advanced provides protection against DDoS attacks for resources such as CloudFront distributions, Route 53 hosted zones, ELBs, Global Accelerator accelerators, Elastic IPs, etc. To use proactive engagement, configure Shield Advanced health-based detection for each resource you need the Shield Response Team (SRT) to monitor.
Remediation Steps:
Perform the following to subscribe to AWS Shield Advanced:
Login to the AWS Management Console at https://console.aws.amazon.com.
Navigate to AWS Shield console.
Choose Getting started, then choose Subscribe to Shield Advanced.
On the Overview page, under Proactive engagement and contacts, in the contacts area, choose Edit.
In Edit contacts, provide the contact information for the people you want the SRT to contact for proactive engagement.
Choose Save.
Choose Edit proactive engagement feature, choose Enable, and then choose Save.
Choose Add resources to protect.
Choose Protected Resources and then choose Add resources to protect.
In Choose resources to protect with Shield Advanced, select the Regions and resource types to protect, then choose Load resources.
Select the resources that you want to protect, then choose Protect with Shield Advanced.
In Configure layer 7 DDoS protections, create a web ACL: choose Create web ACL, enter a name, and choose Create.
For Automatic application layer DDoS mitigation, choose Enable and then select the AWS WAF rule action.
For each web ACL that doesn't have a rate-based rule, add one by choosing Add rate limit rule. Enter a name and a rate limit, set the rule action to count or block requests from IP addresses, and choose Add rule.
Choose Next.
Optionally, configure health-check-based DDoS detection, and alarms and notifications.
Choose Finish configuration.
Important:
Shield Advanced protects only resources that you have specified, either in Shield Advanced or through a Firewall Manager Shield Advanced policy. It does not automatically protect resources.
Shield Advanced does not support Amazon EC2 Classic.
To protect an Amazon EC2 instance or a Network Load Balancer, you must first associate an Elastic IP address with it, and then choose the Elastic IP address as the resource to protect.
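A check a defender could run to evaluate this control, as an added example that is not part of the original control text: it takes already-fetched Shield API responses (describe-subscription, list-protections, describe-emergency-contact-settings) plus an inventory of protectable resource ARNs, and reports the gaps the remediation steps above close (no subscription, proactive engagement off, no SRT contacts, unprotected resources, layer 7 automatic mitigation disabled). The sample responses and ARNs are constructed, and the response field names are assumed from the public Shield API.

```python
"""Offline evaluator for the Shield Advanced control (added example, constructed data)."""
from typing import Optional

# Constructed sample data shaped like the Shield API responses.
SAMPLE_SUBSCRIPTION = {"ProactiveEngagementStatus": "ENABLED", "AutoRenew": "ENABLED"}
SAMPLE_CONTACTS = [{"EmailAddress": "soc@example.com", "PhoneNumber": "+15555550100"}]
SAMPLE_PROTECTIONS = [
    {"Id": "p-1", "Name": "web-cdn",
     "ResourceArn": "arn:aws:cloudfront::111122223333:distribution/EXAMPLE1",
     "ApplicationLayerAutomaticResponseConfiguration": {"Status": "ENABLED", "Action": {"Block": {}}}},
    {"Id": "p-2", "Name": "edge-eip",
     "ResourceArn": "arn:aws:ec2:us-east-1:111122223333:eip-allocation/eipalloc-0abc"},
]
# Constructed inventory of resources Shield Advanced could protect in this account.
SAMPLE_INVENTORY = [
    "arn:aws:cloudfront::111122223333:distribution/EXAMPLE1",
    "arn:aws:ec2:us-east-1:111122223333:eip-allocation/eipalloc-0abc",
    "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/api/50dc6c495c0c9188",
    "arn:aws:route53::111122223333:hostedzone/Z0123456789ABCDEFGHIJ",
]


def evaluate_shield_control(subscription: Optional[dict], protections: list,
                            contacts: list, inventory: list) -> dict:
    """Return PASS/FAIL plus the specific gaps a remediator must close.

    subscription is None when describe-subscription raised ResourceNotFoundException,
    i.e. the account has no Shield Advanced subscription at all.
    """
    if subscription is None:
        return {"status": "FAIL", "gaps": ["no Shield Advanced subscription"]}
    gaps = []
    if subscription.get("ProactiveEngagementStatus") != "ENABLED":
        gaps.append("proactive engagement not enabled")
    if not contacts:
        gaps.append("no emergency (SRT) contacts configured")
    # Shield Advanced protects nothing automatically: every inventory ARN needs a protection.
    protected = {p["ResourceArn"] for p in protections}
    gaps.extend(f"unprotected resource: {arn}" for arn in inventory if arn not in protected)
    # Layer 7 automatic mitigation applies to CloudFront and Application Load Balancers only.
    for p in protections:
        arn = p["ResourceArn"]
        if ":cloudfront:" in arn or ":loadbalancer/app/" in arn:
            l7 = p.get("ApplicationLayerAutomaticResponseConfiguration") or {}
            if l7.get("Status") != "ENABLED":
                gaps.append(f"automatic layer 7 mitigation disabled: {arn}")
    return {"status": "FAIL" if gaps else "PASS", "gaps": gaps}


if __name__ == "__main__":
    print(evaluate_shield_control(SAMPLE_SUBSCRIPTION, SAMPLE_PROTECTIONS, SAMPLE_CONTACTS, SAMPLE_INVENTORY))
```

With the sample data the result is FAIL, listing the ALB and the Route 53 hosted zone as unprotected; the same function can be fed live responses from boto3 or the CLI.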
Reference: