Step 2: Add resources to protect - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

After you subscribe to AWS Shield Advanced, as described in Step 1: Subscribe to AWS Shield Advanced, you specify the resources that you want to protect.

If you are using AWS Firewall Manager to create a Firewall Manager Shield Advanced policy, you don't need to do this step. You already specified your resources in the Firewall Manager policy.

If you aren't using a Firewall Manager Shield Advanced policy, you can also specify resources later if you want, using the procedure at Adding AWS Shield Advanced protection to AWS resources.

Note

Shield Advanced protects only resources that you have specified either in Shield Advanced or through a Firewall Manager Shield Advanced policy. It doesn't automatically protect your resources.

Note

The console guidance provided here is for the latest version of the AWS Shield console, released in 2020. In the console, you can switch between versions.

To choose the resources to protect with Shield Advanced

  1. Do one of the following, depending on your starting point:

    • From the subscription confirmation page at the end of the procedure Step 1: Subscribe to AWS Shield Advanced, choose Add resources to protect.

    • From the console navigation bar, choose Protected Resources and then choose Add resources to protect.

  2. In the Choose resources to protect with Shield Advanced page, select the Regions and resource types that you want to protect, then choose Load resources.

    Note

    • If you want to protect an Amazon EC2 instance or a Network Load Balancer (NLB), you must first associate an Elastic IP address with it, and then choose the Elastic IP address as the resource to protect.

    • If you choose an Elastic IP address as the resource to protect, Shield Advanced protects whatever resource is associated with that Elastic IP address. Shield Advanced automatically identifies the type of resource that is associated with the Elastic IP address and applies the appropriate mitigations for that resource. This includes configuring network ACLs that are specific to the Elastic IP address. For more information about using Elastic IP addresses with your AWS resources, see the appropriate guide: Amazon Elastic Compute Cloud Documentation or Elastic Load Balancing Documentation.

    • Shield Advanced does not support EC2-Classic.

    • Some scaling tools, like AWS Elastic Beanstalk, do not let you automatically attach an Elastic IP to a Network Load Balancer. For those cases, you need to manually associate the Elastic IP.

  3. Select the resources that you want to protect, then choose Protect with Shield Advanced.
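The selection rules from this procedure, worked through as an added example (not AWS's own code): it compares a resource inventory against the ARNs that already have protections and lists what still needs protecting and what cannot be protected yet. The inventory format, resource names, account ID and ARNs are constructed assumptions; `apply_plan` uses the boto3 Shield `create_protection` call and is the only part that needs AWS credentials.

```python
# Resource types that Shield Advanced protects only through an Elastic IP address.
EIP_ONLY_TYPES = {"ec2-instance", "network-load-balancer"}

def eip_arn(region, account, allocation_id):
    # ARN form for an Elastic IP address resource.
    return f"arn:aws:ec2:{region}:{account}:eip-allocation/{allocation_id}"

def plan_protections(inventory, protected_arns):
    """Return (to_protect, blocked) for a hypothetical inventory format."""
    protected = set(protected_arns)
    to_protect, blocked = [], []
    for res in inventory:
        if res.get("platform") == "EC2-Classic":
            blocked.append((res["name"], "EC2-Classic is not supported"))
            continue
        if res["type"] in EIP_ONLY_TYPES:
            allocs = res.get("eip_allocation_ids", [])
            if not allocs:
                blocked.append((res["name"], "associate an Elastic IP address first"))
                continue
            # An NLB can have one Elastic IP per subnet; each one is a target.
            targets = [(f"{res['name']}-{a}", eip_arn(res["region"], res["account"], a))
                       for a in allocs]
        else:
            targets = [(res["name"], res["arn"])]
        for name, arn in targets:
            if arn not in protected:  # nothing is protected automatically
                to_protect.append({"Name": name, "ResourceArn": arn})
    return to_protect, blocked

def apply_plan(plan):
    import boto3  # lazy import so the planning logic above runs offline
    shield = boto3.client("shield", region_name="us-east-1")
    for item in plan:
        shield.create_protection(Name=item["Name"], ResourceArn=item["ResourceArn"])

# Constructed sample data: placeholder account ID, names and ARNs.
ACCT = "111122223333"
CDN_ARN = f"arn:aws:cloudfront::{ACCT}:distribution/EXAMPLEDISTID"
ALB_ARN = f"arn:aws:elasticloadbalancing:us-east-1:{ACCT}:loadbalancer/app/api-alb/0123456789abcdef"
SAMPLE_INVENTORY = [
    {"name": "site-cdn", "type": "cloudfront", "arn": CDN_ARN},
    {"name": "api-alb", "type": "application-load-balancer", "arn": ALB_ARN},
    {"name": "bastion", "type": "ec2-instance", "region": "us-east-1",
     "account": ACCT, "eip_allocation_ids": ["eipalloc-0aaa1111"]},
    {"name": "ingest-nlb", "type": "network-load-balancer", "region": "us-east-1",
     "account": ACCT, "eip_allocation_ids": []},
    {"name": "legacy-host", "type": "ec2-instance", "platform": "EC2-Classic"},
]
SAMPLE_PROTECTED = [CDN_ARN]  # as would be returned by listing existing protections
```

Running `plan_protections(SAMPLE_INVENTORY, SAMPLE_PROTECTED)` leaves the already protected distribution out of the plan and reports the NLB without an Elastic IP and the EC2-Classic host as blocked.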

You can now go to Step 3: Configure layer 7 DDoS mitigation.