Please note that subscribing to AWS Shield Advanced costs $3,000 per month with a minimum commitment of 1 year (data transfer out usage fees for the protected resources are billed on top of that).
Steps required
- Subscribe to AWS Shield Advanced
- Add resources to protect
- Configure layer 7 protection (WAF), optional (skipped in this post)
- Configure AWS DDoS Response Team (DRT, now called the Shield Response Team) support
- Enable CloudWatch to monitor DDoS activity and get alerted
Step 1 – Subscribing to AWS Shield Advanced
1. From the AWS console, go to the WAF & Shield service in the Security, Identity, & Compliance section
2. From the WAF & Shield menu, expand the AWS Shield section
3. Choose Overview
4. Click Subscribe to Shield Advanced
5. Select all the options shown and click Subscribe to Shield Advanced
6. Next you need to add resources to protect
7. Choose the appropriate region (or leave All regions) and the resource type required, then click Load resources
For CloudFront distributions, Route 53 hosted zones and Global Accelerator accelerators the region must be set to All regions, not a specific region as in this case (they are global resources)
8. Choose the resources required and click Protect with Shield Advanced
9. Select health-check-based DDoS detection from the drop-down and click Next (optional). This associates a Route 53 health check with the protection so Shield can factor the resource's health into its detection, which reduces false positives and speeds up detection when the resource is actually degraded
10. The next step is to create alarms and notifications (optional). Choose an existing SNS topic or create a new one
11. The final step is to review the configuration and click Finish configuration. You can still modify any previously selected option by clicking its Edit button
12. The last optional step is to enable AWS DRT support. Click Edit DRT access
13. Create or choose an existing IAM role for DRT access (it must trust drt.shield.amazonaws.com and carry the AWSShieldDRTAccessPolicy managed policy), enter the name of the S3 bucket storing the WAF logs, and click Save
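The console steps above can also be expressed as infrastructure as code, which is how I would track them in a real account. The Terraform below is an added example written for this post, not AWS's own code or the console's output. It assumes the Shield Advanced subscription itself already exists (step 1, done in the console or with `aws shield create-subscription`), that you are on AWS provider 5.x (the two `aws_shield_drt_access_*` resources are not present in older versions), and that the load balancer ARN, domain, e-mail address and bucket name are placeholders to replace with your own.

```hcl
# Added example: Terraform equivalent of the "add resources", "health check",
# "alarms" and "DRT access" steps. Not from the original post; all ARNs,
# names and addresses below are placeholders.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0" # assumption: needed for the aws_shield_drt_access_* resources
    }
  }
}

provider "aws" {
  region = "eu-west-1" # placeholder region of the protected ALB
}

variable "alb_arn" {
  description = "ARN of the Application Load Balancer to protect (placeholder)"
  type        = string
  default     = "arn:aws:elasticloadbalancing:eu-west-1:123456789012:loadbalancer/app/web/0123456789abcdef"
}

# Add resources to protect (console step 8)
resource "aws_shield_protection" "alb" {
  name         = "web-alb"
  resource_arn = var.alb_arn
}

# Health-check based detection (console step 9): a Route 53 health check
# against the service, associated with the protection
resource "aws_route53_health_check" "web" {
  fqdn              = "www.example.com" # placeholder hostname served by the ALB
  port              = 443
  type              = "HTTPS"
  resource_path     = "/healthz"
  failure_threshold = 3
  request_interval  = 30
}

resource "aws_shield_protection_health_check_association" "alb" {
  shield_protection_id = aws_shield_protection.alb.id
  health_check_arn     = aws_route53_health_check.web.arn
}

# Alarms and notifications (console step 10): SNS topic plus a CloudWatch
# alarm on the DDoSDetected metric Shield publishes for the protected resource
resource "aws_sns_topic" "ddos_alerts" {
  name = "shield-ddos-alerts"
}

resource "aws_sns_topic_subscription" "secops" {
  topic_arn = aws_sns_topic.ddos_alerts.arn
  protocol  = "email"
  endpoint  = "secops@example.com" # placeholder; confirm the subscription by mail
}

resource "aws_cloudwatch_metric_alarm" "ddos_detected" {
  alarm_name          = "shield-ddos-detected-web-alb"
  namespace           = "AWS/DDoSProtection"
  metric_name         = "DDoSDetected" # 1 while Shield sees an attack on the resource
  dimensions          = { ResourceArn = var.alb_arn }
  statistic           = "Maximum"
  period              = 60
  evaluation_periods  = 1
  threshold           = 0
  comparison_operator = "GreaterThanThreshold"
  treat_missing_data  = "notBreaching" # no datapoints means no attack, not an alarm
  alarm_actions       = [aws_sns_topic.ddos_alerts.arn]
  ok_actions          = [aws_sns_topic.ddos_alerts.arn]
}

# DRT access (console steps 12-13): a role the DRT service can assume,
# limited to the AWS-managed DRT policy, and the bucket holding the WAF logs
resource "aws_iam_role" "drt_access" {
  name = "ShieldDRTAccessRole"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "drt.shield.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "drt_access" {
  role       = aws_iam_role.drt_access.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy"
}

resource "aws_shield_drt_access_role_arn_association" "drt" {
  role_arn = aws_iam_role.drt_access.arn
}

resource "aws_shield_drt_access_log_bucket_association" "waf_logs" {
  log_bucket              = "aws-waf-logs-example-bucket" # placeholder; bucket must already exist
  role_arn_association_id = aws_shield_drt_access_role_arn_association.drt.id
}
```

Two things worth checking before `terraform apply`: the DRT role deliberately carries only the AWS-managed AWSShieldDRTAccessPolicy, so do not widen it with extra permissions, and the WAF log bucket must already exist with a name beginning `aws-waf-logs-`, otherwise the log bucket association fails. If your provider version predates the two `aws_shield_drt_access_*` resources, the same associations can be made with `aws shield associate-drt-role` and `aws shield associate-drt-log-bucket` from the CLI.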