Setting up AWS Shield Advanced

Please note that activating AWS Shield Advanced costs $3,000 per month with a one-year commitment.

Steps required

  1. Subscribe to AWS Shield Advanced
  2. Add resources to protect
  3. Configure layer 7 protection (WAF) - optional, skipped in this post
  4. Configure AWS DDoS Response Team (DRT) support
  5. Enable CloudWatch to monitor DDoS activity and get alerted

Step 1 – Subscribing to AWS Shield Advanced DDoS services

  1. From the AWS console, go to the WAF & Shield service in the Security, Identity, & Compliance section of the Services menu

  2. From the WAF & Shield menu, expand the AWS Shield section

  3. Choose Overview

  4. Click Subscribe to Shield Advanced

  5. Select all the options shown and click Subscribe to Shield Advanced

Disclaimer: Once subscribed you are committing to $3,000 per month for a year.

  6. Next you need to add resources to protect

  7. Choose the appropriate region (or leave All regions) and the required resource type, then click Load Resources

For CloudFront distributions, Route 53 and Global Accelerator, the region must be set to All regions, not a specific one as in this case

  8. Choose the required resources and click Protect with Shield Advanced

  9. Select a health check based DDoS detection from the drop-down and click Next (optional)

  10. The next step is to create alarms and notifications (optional). Choose an existing SNS topic or create a new one

  11. The final step is to review the configuration and click the Finish configuration button. If you need to change a previously selected option, click the Edit button

  12. The last optional step is to enable AWS DRT support. Click Edit DRT access

  13. Create or choose an existing role for DRT access, enter the name of the S3 bucket storing the WAF logs, and click Save
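The console walk-through above can also be done from the AWS CLI, which is easier to review and to repeat across accounts. The script below is an added example and is not part of the original post: with DRY_RUN=1 (the default) it only prints the commands for steps 1, 2, 4 and 5 so they can be checked before anything in the account is changed. The account id, role name, bucket name, resource ARN and SNS topic ARN are placeholders; the Shield commands use us-east-1 because the Shield API is served only from that region.

```shell
#!/bin/sh
# Added example, not from the original post: the console steps above as AWS CLI
# calls. Every identifier (account id, role, bucket, ARNs) is a placeholder.
# DRY_RUN=1 (the default) prints the commands instead of executing them.

DRY_RUN="${DRY_RUN:-1}"
SHIELD_REGION="us-east-1"                          # Shield API is served from us-east-1 only
ALARM_REGION="${ALARM_REGION:-us-east-1}"          # region where the protected resource lives
DRT_ROLE_NAME="${DRT_ROLE_NAME:-ShieldDRTAccessRole}"               # placeholder
WAF_LOG_BUCKET="${WAF_LOG_BUCKET:-example-waf-logs-bucket}"         # placeholder
SNS_TOPIC_ARN="${SNS_TOPIC_ARN:-arn:aws:sns:us-east-1:111122223333:ddos-alerts}"  # placeholder

# Execute a command, or print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Trust policy for the DRT role: only the Shield DRT service principal may assume it.
drt_trust_policy() {
  cat <<'EOF'
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Principal": {"Service": "drt.shield.amazonaws.com"},
                "Action": "sts:AssumeRole"}]}
EOF
}

# Step 1: subscribe. This is the $3,000/month, one-year commitment.
subscribe() {
  run aws shield create-subscription --region "$SHIELD_REGION"
}

# Step 2: protect one resource (an ALB, EIP, CloudFront distribution, ... by ARN).
protect_resource() {
  name="$1"; arn="$2"
  run aws shield create-protection --region "$SHIELD_REGION" \
    --name "$name" --resource-arn "$arn"
}

# Step 4: create the DRT role with the AWS-managed DRT policy, then hand the
# role and the WAF log bucket to Shield so the response team can use them.
enable_drt_access() {
  account="$1"
  run aws iam create-role --role-name "$DRT_ROLE_NAME" \
    --assume-role-policy-document "$(drt_trust_policy)"
  run aws iam attach-role-policy --role-name "$DRT_ROLE_NAME" \
    --policy-arn arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy
  run aws shield associate-drt-role --region "$SHIELD_REGION" \
    --role-arn "arn:aws:iam::${account}:role/${DRT_ROLE_NAME}"
  run aws shield associate-drt-log-bucket --region "$SHIELD_REGION" \
    --log-bucket "$WAF_LOG_BUCKET"
}

# Step 5: alarm on the DDoSDetected metric Shield Advanced publishes for the resource.
create_ddos_alarm() {
  name="$1"; arn="$2"
  run aws cloudwatch put-metric-alarm --region "$ALARM_REGION" \
    --alarm-name "ddos-detected-${name}" \
    --namespace AWS/DDoSProtection --metric-name DDoSDetected \
    --dimensions "Name=ResourceArn,Value=${arn}" \
    --statistic Maximum --period 60 --evaluation-periods 1 \
    --threshold 0 --comparison-operator GreaterThanThreshold \
    --treat-missing-data notBreaching \
    --alarm-actions "$SNS_TOPIC_ARN"
}

main() {
  # Placeholder ALB ARN; replace with the resource loaded in step 7.
  alb_arn="arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/web/0123456789abcdef"
  subscribe
  protect_resource web-alb "$alb_arn"
  enable_drt_access 111122223333
  create_ddos_alarm web-alb "$alb_arn"
}

main
```

Run it as-is to see the commands, then with DRY_RUN=0 to apply them. The drt.shield.amazonaws.com trust principal and the AWSShieldDRTAccessPolicy managed policy are what Shield requires before associate-drt-role succeeds, which is the role created in step 13; the DDoSDetected metric in the AWS/DDoSProtection namespace is published for each protected resource, so the alarm is the CLI equivalent of the SNS notification chosen in step 10. For CloudFront, Route 53 and Global Accelerator resources, set ALARM_REGION to us-east-1, matching the All regions note above.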
