Enable Shield Advanced Protection for Elastic IP Addresses
Overview
This check verifies that your Elastic IP addresses (EIPs) are protected by AWS Shield Advanced. Shield Advanced provides enhanced DDoS (Distributed Denial of Service) protection beyond the basic Shield Standard that comes with all AWS accounts.
When you have internet-facing resources using Elastic IPs, they can be targets for DDoS attacks. Shield Advanced adds extra layers of protection, faster attack detection, and access to the AWS DDoS Response Team (DRT) when you need help.
Risk
Without Shield Advanced protection on your Elastic IPs:
- Service outages: DDoS attacks can overwhelm your resources, making them unavailable to legitimate users
- Unexpected costs: Bandwidth spikes during attacks can lead to significant cost increases
- Slower response: You lack access to AWS DDoS experts who can help mitigate sophisticated attacks
- Limited visibility: You miss out on detailed attack diagnostics and real-time metrics
Shield Advanced is especially important for EC2 instances and Network Load Balancers, which are protected through their associated Elastic IP addresses.
Remediation Steps
Prerequisites
- AWS account with Shield Advanced subscription (this is a paid service with a monthly fee)
- Permissions to manage Shield protections (shield:CreateProtection)
- The allocation ID of your Elastic IP address (looks like eipalloc-12345678)
How to find your Elastic IP allocation ID
- Go to the EC2 Console > Elastic IPs
- Find your Elastic IP in the list
- The Allocation ID is shown in one of the columns (e.g., eipalloc-0abc123def456789)
Or use the CLI:
aws ec2 describe-addresses --region us-east-1 \
--query "Addresses[*].[PublicIp,AllocationId]" \
--output table
How to subscribe to Shield Advanced
If you have not yet subscribed to Shield Advanced:
- Go to the AWS WAF & Shield Console
- Click AWS Shield in the left navigation
- Click Subscribe to Shield Advanced
- Review the pricing and terms, then complete the subscription
Note: Shield Advanced has a monthly subscription fee plus data transfer charges. Review the pricing page before subscribing.
AWS Console Method
- Open the AWS WAF & Shield Console at https://console.aws.amazon.com/wafv2/shieldv2
- In the left navigation, click Protected resources
- Click the Add resources to protect button
- Under Resource type, select EC2 Elastic IP addresses
- Select the checkbox next to the Elastic IP address(es) you want to protect
- Click Protect with Shield Advanced
- Enter a friendly name for the protection (e.g., production-web-server-eip)
- Click Add protection
Your Elastic IP is now protected by Shield Advanced.
AWS CLI (optional)
Use the following command to add Shield Advanced protection to an Elastic IP:
aws shield create-protection \
--name "my-eip-protection" \
--resource-arn "arn:aws:ec2:us-east-1:123456789012:eip-allocation/eipalloc-0abc123def456789" \
--region us-east-1
Replace the following placeholders:
- my-eip-protection - A friendly name for this protection
- 123456789012 - Your AWS account ID
- eipalloc-0abc123def456789 - Your Elastic IP allocation ID
To protect multiple Elastic IPs, run the command once for each EIP:
# Example: Protect multiple EIPs
for ALLOC_ID in eipalloc-111111111 eipalloc-222222222 eipalloc-333333333; do
  aws shield create-protection \
    --name "eip-protection-${ALLOC_ID}" \
    --resource-arn "arn:aws:ec2:us-east-1:123456789012:eip-allocation/${ALLOC_ID}" \
    --region us-east-1
done
CloudFormation (optional)
Use this CloudFormation template to add Shield Advanced protection to an Elastic IP:
AWSTemplateFormatVersion: '2010-09-09'
Description: Enable AWS Shield Advanced protection for Elastic IP addresses
Parameters:
  ElasticIPAllocationId:
    Type: String
    Description: The allocation ID of the Elastic IP address (e.g., eipalloc-12345678)
    AllowedPattern: "eipalloc-[a-z0-9]+"
  ProtectionName:
    Type: String
    Description: A friendly name for this Shield Advanced protection
    MaxLength: 128
    MinLength: 1
Resources:
  ShieldProtection:
    Type: AWS::Shield::Protection
    Properties:
      Name: !Ref ProtectionName
      ResourceArn: !Sub "arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:eip-allocation/${ElasticIPAllocationId}"
Outputs:
  ProtectionId:
    Description: The ID of the Shield Advanced protection
    Value: !Ref ShieldProtection
Deploy the stack:
aws cloudformation create-stack \
  --stack-name shield-eip-protection \
  --template-body file://shield-eip-protection.yaml \
  --parameters \
    ParameterKey=ElasticIPAllocationId,ParameterValue=eipalloc-0abc123def456789 \
    ParameterKey=ProtectionName,ParameterValue=my-eip-protection \
  --region us-east-1
Terraform (optional)
Use this Terraform configuration to add Shield Advanced protection to an Elastic IP:
terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

variable "elastic_ip_allocation_id" {
  description = "The allocation ID of the Elastic IP address (e.g., eipalloc-12345678)"
  type        = string
  validation {
    condition     = can(regex("^eipalloc-[a-z0-9]+$", var.elastic_ip_allocation_id))
    error_message = "The elastic_ip_allocation_id must be a valid EIP allocation ID (e.g., eipalloc-12345678)."
  }
}

variable "protection_name" {
  description = "A friendly name for this Shield Advanced protection"
  type        = string
}

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

resource "aws_shield_protection" "eip" {
  name         = var.protection_name
  resource_arn = "arn:aws:ec2:${data.aws_region.current.id}:${data.aws_caller_identity.current.account_id}:eip-allocation/${var.elastic_ip_allocation_id}"
  tags = {
    ManagedBy = "Terraform"
  }
}

output "protection_id" {
  description = "The ID of the Shield Advanced protection"
  value       = aws_shield_protection.eip.id
}
Apply the configuration:
terraform init
terraform apply \
  -var="elastic_ip_allocation_id=eipalloc-0abc123def456789" \
  -var="protection_name=my-eip-protection"
Verification
After adding protection, verify it is active:
- Go to the AWS WAF & Shield Console
- Click Protected resources in the left navigation
- Find your Elastic IP in the list - it should show as Protected
CLI verification
List all Shield Advanced protections:
aws shield list-protections --region us-east-1
Check protection for a specific Elastic IP:
aws shield describe-protection \
  --resource-arn "arn:aws:ec2:us-east-1:123456789012:eip-allocation/eipalloc-0abc123def456789" \
  --region us-east-1
If the command returns protection details, the EIP is protected. If it returns an error, the EIP is not yet protected.
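The verification step above can be run as an account-wide audit instead of one describe-protection call per EIP. The following is an added example, not code from this page or from AWS: it builds each EIP's eip-allocation ARN the same way the page's CLI commands do and diffs the list against what shield list-protections returns, so every EIP that would make describe-protection fail is reported. The helpers that take describe-addresses output run offline on a constructed sample; only audit_account() needs boto3 and credentials, and all function names are mine.

```python
from typing import Iterable, List, Set


def eip_arn(region: str, account_id: str, allocation_id: str) -> str:
    """ARN form Shield expects for an EIP (same shape as the page's CLI example)."""
    if not allocation_id.startswith("eipalloc-"):
        raise ValueError(f"not an EIP allocation ID: {allocation_id}")
    return f"arn:aws:ec2:{region}:{account_id}:eip-allocation/{allocation_id}"


def protected_resource_arns(shield_client) -> Set[str]:
    """Every ResourceArn from shield list-protections, following NextToken pages."""
    arns, token = set(), None
    while True:
        page = shield_client.list_protections(**({"NextToken": token} if token else {}))
        arns.update(p["ResourceArn"] for p in page.get("Protections", []))
        token = page.get("NextToken")
        if not token:
            return arns


def unprotected_eips(addresses: Iterable[dict], protected_arns: Set[str],
                     region: str, account_id: str) -> List[dict]:
    """describe-addresses entries whose ARN has no Shield Advanced protection."""
    findings = []
    for addr in addresses:
        alloc = addr.get("AllocationId")  # absent for EC2-Classic addresses: skip them
        if alloc and eip_arn(region, account_id, alloc) not in protected_arns:
            findings.append({"Region": region, "PublicIp": addr.get("PublicIp"),
                             "AllocationId": alloc})
    return findings


def audit_account(regions: List[str]) -> List[dict]:
    """Live run: needs boto3 plus sts:GetCallerIdentity, ec2:DescribeAddresses
    and shield:ListProtections. The Shield client uses us-east-1, as the page's CLI does."""
    import boto3  # imported here so the offline helpers above work without boto3
    account_id = boto3.client("sts").get_caller_identity()["Account"]
    protected = protected_resource_arns(boto3.client("shield", region_name="us-east-1"))
    findings = []
    for region in regions:
        addresses = boto3.client("ec2", region_name=region).describe_addresses()["Addresses"]
        findings += unprotected_eips(addresses, protected, region, account_id)
    return findings


if __name__ == "__main__":
    # Constructed sample: two VPC EIPs (one protected) plus one classic address.
    sample = [{"PublicIp": "203.0.113.10", "AllocationId": "eipalloc-0aaa111"},
              {"PublicIp": "203.0.113.11", "AllocationId": "eipalloc-0bbb222"},
              {"PublicIp": "198.51.100.5"}]
    protected = {eip_arn("us-east-1", "123456789012", "eipalloc-0aaa111")}
    print(unprotected_eips(sample, protected, "us-east-1", "123456789012"))
```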
Additional Resources
- AWS Shield Advanced Overview
- Shield Advanced Pricing
- Getting Started with Shield Advanced
- Adding Shield Advanced Protection to Resources
- AWS Shield Best Practices
Notes
- Shield Advanced is a paid service: It has a monthly subscription fee (currently $3,000/month) plus data transfer charges. Ensure this fits your budget before enabling.
- Protection scope: EC2 instances and Network Load Balancers are protected indirectly through their associated Elastic IP addresses. Make sure your EIPs are associated with the resources you want to protect.
- Regional consideration: Shield Advanced protections are regional for EC2 resources. You need to create protections in each region where you have Elastic IPs.
- Defense in depth: Shield Advanced is one layer of protection. Also consider:
  - Using AWS WAF for application-layer protection
  - Implementing rate limiting
  - Minimizing public exposure where possible
  - Regularly reviewing your protected resources
- DDoS Response Team access: With Shield Advanced, you can engage the AWS DDoS Response Team (DRT) during attacks. Consider setting up proactive engagement for critical workloads.