Class CfnDRTAccess
- All Implemented Interfaces:
IConstruct
,IDependable
,IInspectable
,software.amazon.jsii.JsiiSerializable
,software.constructs.IConstruct
AWS::Shield::DRTAccess
.
Provides permissions for the AWS Shield Advanced Shield response team (SRT) to access your account and your resource protections, to help you mitigate potential distributed denial of service (DDoS) attacks.
To configure this resource through AWS CloudFormation , you must be subscribed to AWS Shield Advanced . You can subscribe through the Shield Advanced console and through the APIs. For more information, see Subscribe to AWS Shield Advanced .
See example templates for Shield Advanced in AWS CloudFormation at aws-samples/aws-shield-advanced-examples .
Example:
// The code below shows an example of how to instantiate this type. // The values are placeholders you should change. import software.amazon.awscdk.services.shield.*; CfnDRTAccess cfnDRTAccess = CfnDRTAccess.Builder.create(this, "MyCfnDRTAccess") .roleArn("roleArn") // the properties below are optional .logBucketList(List.of("logBucketList")) .build();
-
Nested Class Summary
Nested classes/interfaces inherited from class software.amazon.jsii.JsiiObject
software.amazon.jsii.JsiiObject.InitializationMode
Nested classes/interfaces inherited from interface software.amazon.awscdk.core.IConstruct
IConstruct.Jsii$Default
Nested classes/interfaces inherited from interface software.constructs.IConstruct
software.constructs.IConstruct.Jsii$Default
Nested classes/interfaces inherited from interface software.amazon.awscdk.core.IInspectable
IInspectable.Jsii$Default, IInspectable.Jsii$Proxy
-
Field Summary
Modifier and TypeFieldDescriptionstatic final String
The CloudFormation resource type name for this resource class. -
Constructor Summary
ModifierConstructorDescriptionCfnDRTAccess
(Construct scope, String id, CfnDRTAccessProps props) Create a newAWS::Shield::DRTAccess
.protected
CfnDRTAccess
(software.amazon.jsii.JsiiObject.InitializationMode initializationMode) protected
CfnDRTAccess
(software.amazon.jsii.JsiiObjectRef objRef) -
Method Summary
Modifier and TypeMethodDescriptionThe ID of the account that submitted the template.Authorizes the Shield Response Team (SRT) to access the specified Amazon S3 bucket containing log data such as Application Load Balancer access logs, CloudFront logs, or logs from third party sources.Authorizes the Shield Response Team (SRT) using the specified role, to access your AWS account to assist with DDoS attack mitigation during potential attacks.void
inspect
(TreeInspector inspector) Examines the CloudFormation resource and discloses attributes.renderProperties
(Map<String, Object> props) void
setLogBucketList
(List<String> value) Authorizes the Shield Response Team (SRT) to access the specified Amazon S3 bucket containing log data such as Application Load Balancer access logs, CloudFront logs, or logs from third party sources.void
setRoleArn
(String value) Authorizes the Shield Response Team (SRT) using the specified role, to access your AWS account to assist with DDoS attack mitigation during potential attacks.Methods inherited from class software.amazon.awscdk.core.CfnResource
addDeletionOverride, addDependsOn, addMetadata, addOverride, addPropertyDeletionOverride, addPropertyOverride, applyRemovalPolicy, applyRemovalPolicy, applyRemovalPolicy, getAtt, getCfnOptions, getCfnResourceType, getMetadata, getUpdatedProperites, isCfnResource, shouldSynthesize, toString, validateProperties
Methods inherited from class software.amazon.awscdk.core.CfnRefElement
getRef
Methods inherited from class software.amazon.awscdk.core.CfnElement
getCreationStack, getLogicalId, getStack, isCfnElement, overrideLogicalId
Methods inherited from class software.amazon.awscdk.core.Construct
getNode, isConstruct, onPrepare, onSynthesize, onValidate, prepare, synthesize, validate
Methods inherited from class software.amazon.jsii.JsiiObject
jsiiAsyncCall, jsiiAsyncCall, jsiiCall, jsiiCall, jsiiGet, jsiiGet, jsiiSet, jsiiStaticCall, jsiiStaticCall, jsiiStaticGet, jsiiStaticGet, jsiiStaticSet, jsiiStaticSet
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
Methods inherited from interface software.amazon.jsii.JsiiSerializable
$jsii$toJson
-
Field Details
-
CFN_RESOURCE_TYPE_NAME
The CloudFormation resource type name for this resource class.
-
-
Constructor Details
-
CfnDRTAccess
protected CfnDRTAccess(software.amazon.jsii.JsiiObjectRef objRef) -
CfnDRTAccess
protected CfnDRTAccess(software.amazon.jsii.JsiiObject.InitializationMode initializationMode) -
CfnDRTAccess
@Stability(Stable) public CfnDRTAccess(@NotNull Construct scope, @NotNull String id, @NotNull CfnDRTAccessProps props) Create a newAWS::Shield::DRTAccess
.- Parameters:
scope
-- scope in which this resource is defined.
id
-- scoped id of the resource.
props
-- resource properties.
-
-
Method Details
-
inspect
Examines the CloudFormation resource and discloses attributes.- Specified by:
inspect
in interfaceIInspectable
- Parameters:
inspector
-- tree inspector to collect and process attributes.
-
renderProperties
@Stability(Stable) @NotNull protected Map<String,Object> renderProperties(@NotNull Map<String, Object> props) - Overrides:
renderProperties
in classCfnResource
- Parameters:
props
- This parameter is required.
-
getAttrAccountId
The ID of the account that submitted the template. -
getCfnProperties
- Overrides:
getCfnProperties
in classCfnResource
-
getRoleArn
Authorizes the Shield Response Team (SRT) using the specified role, to access your AWS account to assist with DDoS attack mitigation during potential attacks.This enables the SRT to inspect your AWS WAF configuration and logs and to create or update AWS WAF rules and web ACLs.
You can associate only one
RoleArn
with your subscription. If you submit this update for an account that already has an associated role, the newRoleArn
will replace the existingRoleArn
.This change requires the following:
- You must be subscribed to the Business Support plan or the Enterprise Support plan .
- You must have the
iam:PassRole
permission. For more information, see Granting a user permissions to pass a role to an AWS service . - The
AWSShieldDRTAccessPolicy
managed policy must be attached to the role that you specify in the request. You can access this policy in the IAM console at AWSShieldDRTAccessPolicy . For information, see Adding and removing IAM identity permissions . - The role must trust the service principal
drt.shield.amazonaws.com
. For information, see IAM JSON policy elements: Principal .
The SRT will have access only to your AWS WAF and Shield resources. By submitting this request, you provide permissions to the SRT to inspect your AWS WAF and Shield configuration and logs, and to create and update AWS WAF rules and web ACLs on your behalf. The SRT takes these actions only if explicitly authorized by you.
-
setRoleArn
Authorizes the Shield Response Team (SRT) using the specified role, to access your AWS account to assist with DDoS attack mitigation during potential attacks.This enables the SRT to inspect your AWS WAF configuration and logs and to create or update AWS WAF rules and web ACLs.
You can associate only one
RoleArn
with your subscription. If you submit this update for an account that already has an associated role, the newRoleArn
will replace the existingRoleArn
.This change requires the following:
- You must be subscribed to the Business Support plan or the Enterprise Support plan .
- You must have the
iam:PassRole
permission. For more information, see Granting a user permissions to pass a role to an AWS service . - The
AWSShieldDRTAccessPolicy
managed policy must be attached to the role that you specify in the request. You can access this policy in the IAM console at AWSShieldDRTAccessPolicy . For information, see Adding and removing IAM identity permissions . - The role must trust the service principal
drt.shield.amazonaws.com
. For information, see IAM JSON policy elements: Principal .
The SRT will have access only to your AWS WAF and Shield resources. By submitting this request, you provide permissions to the SRT to inspect your AWS WAF and Shield configuration and logs, and to create and update AWS WAF rules and web ACLs on your behalf. The SRT takes these actions only if explicitly authorized by you.
-
getLogBucketList
Authorizes the Shield Response Team (SRT) to access the specified Amazon S3 bucket containing log data such as Application Load Balancer access logs, CloudFront logs, or logs from third party sources.You can associate up to 10 Amazon S3 buckets with your subscription.
Use this to share information with the SRT that's not available in AWS WAF logs.
To use the services of the SRT, you must be subscribed to the Business Support plan or the Enterprise Support plan .
-
setLogBucketList
Authorizes the Shield Response Team (SRT) to access the specified Amazon S3 bucket containing log data such as Application Load Balancer access logs, CloudFront logs, or logs from third party sources.You can associate up to 10 Amazon S3 buckets with your subscription.
Use this to share information with the SRT that's not available in AWS WAF logs.
To use the services of the SRT, you must be subscribed to the Business Support plan or the Enterprise Support plan .
-