Step 4: Configure Amazon SNS notifications and Amazon CloudWatch alarms
You can continue from this step without configuring Amazon SNS notifications or CloudWatch alarms. However, configuring these alarms and notifications significantly increases your visibility into possible DDoS events.
You can monitor your protected resources for potential DDoS activity using Amazon SNS. To receive notification of possible attacks, create an Amazon SNS topic for each Region.
Important
Amazon SNS notifications of potential DDoS activity are not sent in real time and can be delayed.
To enable real-time notifications of potential DDoS activity, you can use a CloudWatch alarm. Your alarm must be based on the DDoSDetected metric from the account in which the protected resource exists.
To create an Amazon SNS topic in Firewall Manager (console)
- Sign in to the AWS Management Console using your Firewall Manager administrator account, and then open the Firewall Manager console at https://console.aws.amazon.com/wafv2/fmsv2. For information about setting up a Firewall Manager administrator account, see AWS Firewall Manager prerequisites.
- In the navigation pane, under AWS FMS, choose Settings.
- Choose Create new topic.
- Enter a topic name.
- Enter an email address that the Amazon SNS messages will be sent to, and then choose Add email address.
- Choose Update SNS configuration.
Configure Amazon CloudWatch alarms
Shield Advanced records detection, mitigation, and top contributor metrics in CloudWatch that you can monitor. For more information, see AWS Shield Advanced metrics. CloudWatch incurs additional costs. For CloudWatch pricing, see Amazon CloudWatch Pricing.
To create a CloudWatch alarm, follow the instructions in Using Amazon CloudWatch Alarms. By default, Shield Advanced configures CloudWatch to alert you after just one indicator of a potential DDoS event. If needed, you can use the CloudWatch console to change this setting to alert you only after multiple indicators are detected.
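The following is an added example, not code from the AWS documentation: it builds the alarm definition on the Shield Advanced DDoSDetected metric (namespace AWS/DDoSProtection, dimension ResourceArn) in the shape the CloudWatch PutMetricAlarm API and boto3 `put_metric_alarm` expect, and simulates CloudWatch's M-out-of-N datapoint evaluation to show the difference between the one-indicator default and a multi-indicator setting. The resource and SNS topic ARNs are placeholders, and the metric values are constructed; expressing "multiple indicators" as DatapointsToAlarm / EvaluationPeriods is an assumption of this example.

```python
from typing import Any, Dict, List

# Namespace and dimension that Shield Advanced uses for its CloudWatch metrics.
NAMESPACE = "AWS/DDoSProtection"
METRIC = "DDoSDetected"


def ddos_detected_alarm(alarm_name: str, resource_arn: str, sns_topic_arn: str,
                        evaluation_periods: int = 1,
                        datapoints_to_alarm: int = 1) -> Dict[str, Any]:
    """Return PutMetricAlarm parameters for the DDoSDetected metric.

    DDoSDetected is 1 while an event is detected for the resource, so a Sum
    above 0 in a one-minute period is a single indicator. The defaults
    (1 of 1) match the one-indicator behaviour; raising both values makes
    the alarm fire only after several indicators (assumption of this example).
    """
    if not 1 <= datapoints_to_alarm <= evaluation_periods:
        raise ValueError("datapoints_to_alarm must be in [1, evaluation_periods]")
    return {
        "AlarmName": alarm_name,
        "AlarmDescription": f"Shield Advanced DDoS detected on {resource_arn}",
        "Namespace": NAMESPACE,
        "MetricName": METRIC,
        "Dimensions": [{"Name": "ResourceArn", "Value": resource_arn}],
        "Statistic": "Sum",
        "Period": 60,
        "EvaluationPeriods": evaluation_periods,
        "DatapointsToAlarm": datapoints_to_alarm,
        "Threshold": 0,
        "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "notBreaching",
        "AlarmActions": [sns_topic_arn],
    }


def evaluate_alarm(alarm: Dict[str, Any], datapoints: List[float]) -> str:
    """Simulate CloudWatch: ALARM when at least DatapointsToAlarm of the last
    EvaluationPeriods datapoints breach the threshold. A window shorter than
    EvaluationPeriods is treated as missing data that is not breaching."""
    window = datapoints[-alarm["EvaluationPeriods"]:]
    breaching = sum(1 for v in window if v > alarm["Threshold"])
    return "ALARM" if breaching >= alarm["DatapointsToAlarm"] else "OK"


# Placeholder ARNs; replace with the protected resource and SNS topic ARNs.
RESOURCE_ARN = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/example/abc123"
TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:shield-ddos-alerts"
DEFAULT_ALARM = ddos_detected_alarm("shield-ddos-1of1", RESOURCE_ARN, TOPIC_ARN)
STRICT_ALARM = ddos_detected_alarm("shield-ddos-3of5", RESOURCE_ARN, TOPIC_ARN, 5, 3)
```

Passing the returned dictionary to `boto3.client("cloudwatch").put_metric_alarm(**DEFAULT_ALARM)` creates the alarm in the account that owns the protected resource.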
Note
In addition to the alarms, you can also use a CloudWatch dashboard to monitor potential DDoS activity. The dashboard collects and processes raw data from Shield Advanced into readable, near real-time metrics. You can use statistics in Amazon CloudWatch to gain a perspective on how your web application or service is performing. For more information, see What is CloudWatch in the Amazon CloudWatch User Guide.
For instructions about creating a CloudWatch dashboard, see Monitoring with Amazon CloudWatch. For information about specific Shield Advanced metrics that you can add to your dashboard, see AWS Shield Advanced metrics.