AWS::Shield::DRTAccess
Provides permissions for the AWS Shield Advanced Shield response team (SRT) to access your account and your resource protections, to help you mitigate potential distributed denial of service (DDoS) attacks.
Configure AWS::Shield::DRTAccess for one account
To configure this resource through AWS CloudFormation, you must be subscribed to AWS Shield Advanced. You can subscribe
through the Shield Advanced console
See example templates for Shield Advanced in AWS CloudFormation at aws-samples/aws-shield-advanced-examples
Configure Shield Advanced using AWS CloudFormation and AWS Firewall Manager
You might be able to use Firewall Manager with AWS CloudFormation to configure Shield Advanced across multiple accounts and protected resources. To do this, your accounts must be part of an organization in AWS Organizations. You can use Firewall Manager to configure Shield Advanced protections for any resource types except for Amazon RouteĀ 53 or AWS Global Accelerator.
For an example of this, see the one-click configuration guidance published by the AWS technical community at
One-click deployment of Shield Advanced
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::Shield::DRTAccess", "Properties" : { "LogBucketList" :[ String, ... ], "RoleArn" :String} }
YAML
Type: AWS::Shield::DRTAccess Properties: LogBucketList:- StringRoleArn:String
Properties
LogBucketList-
Authorizes the Shield Response Team (SRT) to access the specified Amazon S3 bucket containing log data such as Application Load Balancer access logs, CloudFront logs, or logs from third party sources. You can associate up to 10 Amazon S3 buckets with your subscription.
Use this to share information with the SRT that's not available in AWS WAF logs.
To use the services of the SRT, you must be subscribed to the Business Support plan
or the Enterprise Support plan . Required: No
Type: Array of String
Minimum:
3 | 0Maximum:
63 | 10Update requires: No interruption
RoleArn-
Authorizes the Shield Response Team (SRT) using the specified role, to access your AWS account to assist with DDoS attack mitigation during potential attacks. This enables the SRT to inspect your AWS WAF configuration and logs and to create or update AWS WAF rules and web ACLs.
You can associate only one
RoleArnwith your subscription. If you submit this update for an account that already has an associated role, the newRoleArnwill replace the existingRoleArn.This change requires the following:
-
You must be subscribed to the Business Support plan
or the Enterprise Support plan . -
The
AWSShieldDRTAccessPolicymanaged policy must be attached to the role that you specify in the request. You can access this policy in the IAM console at AWSShieldDRTAccessPolicy. For information, see Adding and removing IAM identity permissions. -
The role must trust the service principal
drt.shield.amazonaws.com. For information, see IAM JSON policy elements: Principal.
The SRT will have access only to your AWS WAF and Shield resources. By submitting this request, you provide permissions to the SRT to inspect your AWS WAF and Shield configuration and logs, and to create and update AWS WAF rules and web ACLs on your behalf. The SRT takes these actions only if explicitly authorized by you.
Required: Yes
Type: String
Maximum:
2048Update requires: No interruption
-
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ID of the account that submitted the template.
For more information about using the Ref function, see Ref.
Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.
AccountId-
The ID of the account that submitted the template.
Examples
Configure access for the Shield response team
The following shows an example configuration to provide access to the Shield response team (SRT).
YAML
Resources: DRTAccess: Type: AWS::Shield::DRTAccess Properties: RoleArn: !GetAtt DRTAccessRole.Arn # support resources DRTAccessRole: Type: AWS::IAM::Role Properties: ManagedPolicyArns: - 'arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy' AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: Service: - 'drt.shield.amazonaws.com' Action: - 'sts:AssumeRole'
JSON
{ "Resources": { "DRTAccess": { "Type": "AWS::Shield::DRTAccess", "Properties": { "RoleArn": { "Fn::GetAtt": [ "DRTAccessRole", "Arn" ] } } }, "DRTAccessRole": { "Type": "AWS::IAM::Role", "Properties": { "ManagedPolicyArns": [ "arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy" ], "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "drt.shield.amazonaws.com" ] }, "Action": [ "sts:AssumeRole" ] } ] } } } } }
Configure access for the Shield response team with additional data access
The following shows an example configuration to provide access to the Shield response team (SRT), including
granting access to additional data that's outside of the web ACL logs. The SRT is automatically granted access to the web ACL logs based on the provided RoleArn.
YAML
Resources: DRTAccess: Type: AWS::Shield::DRTAccess Properties: LogBucketList: - !Ref DRTLogBucket1 - !Ref DRTLogBucket2 RoleArn: !GetAtt DRTAccessRole.Arn # support resources DRTLogBucket1: Type: AWS::S3::Bucket Properties: AccessControl: BucketOwnerFullControl DRTLogBucket2: Type: AWS::S3::Bucket Properties: AccessControl: BucketOwnerFullControl DRTAccessRole: Type: AWS::IAM::Role Properties: ManagedPolicyArns: - 'arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy' AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: Service: - 'drt.shield.amazonaws.com' Action: - 'sts:AssumeRole'
JSON
{ "Resources": { "DRTAccess": { "Type": "AWS::Shield::DRTAccess", "Properties": { "LogBucketList": [ { "Ref": "DRTLogBucket1" }, { "Ref": "DRTLogBucket2" } ], "RoleArn": { "Fn::GetAtt": [ "DRTAccessRole", "Arn" ] } } }, "DRTLogBucket1": { "Type": "AWS::S3::Bucket", "Properties": { "AccessControl": "BucketOwnerFullControl" } }, "DRTLogBucket2": { "Type": "AWS::S3::Bucket", "Properties": { "AccessControl": "BucketOwnerFullControl" } }, "DRTAccessRole": { "Type": "AWS::IAM::Role", "Properties": { "ManagedPolicyArns": [ "arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy" ], "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": [ "drt.shield.amazonaws.com" ] }, "Action": [ "sts:AssumeRole" ] } ] } } } } }
