Managing automatic application layer DDoS mitigation
Use the guidance in this section to manage your automatic application layer DDoS mitigation configurations. For information about how automatic mitigation works, see the preceding topics.
Note: Follow the best practices described at Best practices for using automatic mitigation.
Viewing the automatic application layer DDoS mitigation configuration for a resource
You can view the automatic application layer DDoS mitigation configuration for a resource in the Protected resources page and in the individual protections pages.
To view the automatic application layer DDoS mitigation configuration
1. Sign in to the AWS Management Console and open the AWS WAF & Shield console at https://console.aws.amazon.com/wafv2/.
2. In the AWS Shield navigation pane, choose Protected resources. In the list of protected resources, the column Automatic application layer DDoS mitigation indicates whether automatic mitigation is enabled and, where enabled, the action that Shield Advanced is to use in its mitigations.
You can also select any application layer resource to see the same information on the protections page for the resource.
Enabling and disabling automatic application layer DDoS mitigation
The following procedure shows how to enable or disable automatic response for a protected resource.
To enable or disable automatic application layer DDoS mitigation for a single resource
1. Sign in to the AWS Management Console and open the AWS WAF & Shield console at https://console.aws.amazon.com/wafv2/.
2. In the AWS Shield navigation pane, choose Protected resources.
3. In the Protections tab, select the application layer resource that you want to enable automatic mitigation for. The protections page opens for the resource.
4. In the resource's protections page, choose Edit.
5. In the page Configure layer 7 DDoS mitigation for global resources - optional, for Automatic application layer DDoS mitigation, choose the option that you want to use for automatic mitigations. The options in the console are the following:
   Keep current settings – Make no changes to the automatic mitigation settings of the protected resource.
   Enable – Enable automatic mitigation for the protected resource. When you choose this, also select the rule action that you want the automatic mitigations to use in the web ACL rules. For information about rule action settings, see Rule action.
   If your protected resource doesn't yet have a history of normal application traffic, enable automatic mitigation in Count mode until Shield Advanced can establish a baseline. Shield Advanced begins to collect information for its baseline when you associate a web ACL with your protected resource, and it can take 24 hours to 30 days to establish a good baseline of normal traffic.
   Disable – Disable automatic mitigation for the protected resource.
6. Walk through the rest of the pages until you finish and save the configuration.
In the Protections page, the automatic mitigation settings are updated for the resource.
Changing the action used for automatic application layer DDoS mitigation
You can change the action that Shield Advanced uses for its application layer automatic response in multiple locations in the console:
Automatic mitigation configuration – Change the action when you configure automatic mitigation for your resource. For the procedure, see the preceding section Enabling and disabling automatic application layer DDoS mitigation.
Event details page – Change the action in the event details page, when you're viewing the event information in the console. For information, see AWS Shield Advanced event details.
If you have two protected resources that share a web ACL, and you set the action to Count for one and Block for the other, Shield Advanced sets the action for the rule group's rate-based rule ShieldKnownOffenderIPRateBasedRule to Block.
Using AWS CloudFormation with automatic application layer DDoS mitigation
Understand how to use AWS CloudFormation to manage your protections and AWS WAF web ACLs.
Enabling or disabling automatic application layer DDoS mitigation
You can enable and disable automatic application layer DDoS mitigation through AWS CloudFormation, using the AWS::Shield::Protection resource. The effect is the same as when you enable or disable the feature through the console or any other interface. For information about the AWS CloudFormation resource, see AWS::Shield::Protection in the AWS CloudFormation user guide.
Managing web ACLs used with automatic mitigation
Shield Advanced manages automatic mitigation for your protected resource using a rule group rule in the protected resource's AWS WAF web ACL. Through the AWS WAF console and APIs, you'll see the rule listed in your web ACL rules, with a name that starts with ShieldMitigationRuleGroup. This rule is dedicated to your automatic application layer DDoS mitigation and it's managed for you by Shield Advanced and AWS WAF. For more information, see The Shield Advanced rule group and How Shield Advanced manages automatic mitigation.
If you use AWS CloudFormation to manage your web ACLs, don't add the Shield Advanced rule group rule to your web ACL template. When you update a web ACL that's being used with your automatic mitigation protections, AWS WAF automatically manages the rule group rule in the web ACL.
You'll see the following differences compared to other web ACLs that you manage through AWS CloudFormation:
- AWS CloudFormation won't report any drift in the stack drift status between the actual configuration of the web ACL (which contains the Shield Advanced rule group rule) and your web ACL template (which doesn't). The Shield Advanced rule won't appear in the actual listing for the resource in the drift details.
- You will still see the Shield Advanced rule group rule in web ACL listings that you retrieve from AWS WAF, such as through the AWS WAF console or AWS WAF APIs.
- If you modify the web ACL template in a stack, AWS WAF and Shield Advanced automatically maintain the Shield Advanced automatic mitigation rule in the updated web ACL. The automatic mitigation protections provided by Shield Advanced are not interrupted by your update to the web ACL.
Don't manage the Shield Advanced rule in your AWS CloudFormation web ACL template. The web ACL template shouldn't list the Shield Advanced rule. Follow the best practices for web ACL management at Best practices for using automatic mitigation.
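The following template, an added example and not part of the AWS documentation, shows both points from the two CloudFormation sections above: an AWS::Shield::Protection resource that enables automatic mitigation in Count mode (the safe starting action until a baseline exists), and a CloudFront-scope web ACL template that deliberately contains only your own rules and omits the Shield-managed ShieldMitigationRuleGroup rule. It assumes an active Shield Advanced subscription, a stack in us-east-1 (required for CLOUDFRONT-scope web ACLs), and that the web ACL is associated with the distribution through the distribution's own configuration; the parameter name and resource names are placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Added example (not AWS's own): Shield Advanced protection with automatic
  application layer DDoS mitigation, plus a web ACL that omits the
  Shield-managed rule group rule.
Parameters:
  DistributionArn:
    Type: String
    Description: ARN of the CloudFront distribution to protect (placeholder)
Resources:
  # Your own web ACL. Do NOT list the ShieldMitigationRuleGroup rule here;
  # AWS WAF and Shield Advanced add and maintain it, and CloudFormation
  # does not report it as drift.
  AppWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: app-web-acl
      Scope: CLOUDFRONT
      DefaultAction:
        Allow: {}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: app-web-acl
      Rules:
        - Name: AWSManagedRulesCommonRuleSet
          Priority: 0
          OverrideAction:
            None: {}
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesCommonRuleSet
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: common-rule-set
  # Shield Advanced protection with automatic mitigation enabled.
  # Start with Count until a traffic baseline exists (24 hours to 30 days
  # after the web ACL is associated), then change "Count: {}" to "Block: {}".
  DistributionProtection:
    Type: AWS::Shield::Protection
    Properties:
      Name: cloudfront-distribution-protection
      ResourceArn: !Ref DistributionArn
      ApplicationLayerAutomaticResponseConfiguration:
        Status: ENABLED
        Action:
          Count: {}
```

Setting Status to DISABLED in the same property turns automatic mitigation off again through a stack update, matching the console behaviour described above.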