Enable AWS Shield Advanced Protection for Classic Load Balancers

Overview

This check verifies that your internet-facing Classic Load Balancers are protected by AWS Shield Advanced. Shield Advanced provides enhanced DDoS protection, real-time attack visibility, and access to the AWS DDoS Response Team (DRT).

When you have an active Shield Advanced subscription, all public-facing resources should be enrolled for protection to get the full benefit of your subscription.

Risk

Without Shield Advanced protection, your Classic Load Balancers are vulnerable to:

  • DDoS attacks: Layer 3/4 attacks like SYN floods and UDP floods can overwhelm your load balancer
  • Service disruption: Attacks can exhaust connections and cause health check failures
  • Unexpected costs: Attack traffic may trigger unintended auto-scaling or data transfer charges
  • Longer recovery time: Without DRT access, you must handle attacks on your own

Remediation Steps

Prerequisites

  • An active AWS Shield Advanced subscription (this is a paid service)
  • Permission to modify Shield Advanced protections
  • The name or ARN of your Classic Load Balancer

How to check if you have Shield Advanced

  1. Go to the AWS WAF & Shield Console
  2. In the left navigation, click Overview
  3. If you see "Shield Advanced is active," you have a subscription
  4. If not, you will need to subscribe first (Shield Advanced has a monthly fee plus data transfer charges)

AWS Console Method

  1. Open the AWS WAF & Shield Console
  2. In the left navigation, click Protected resources
  3. Click the Add resources to protect button
  4. For Region, select US East (N. Virginia) (us-east-1) or your load balancer's region
  5. For Resource type, select Classic Load Balancer
  6. Click Load resources
  7. Select the checkbox next to your Classic Load Balancer
  8. Click Protect with Shield Advanced
  9. Review the protection details and click Protect

Your Classic Load Balancer is now protected by Shield Advanced.

AWS CLI (optional)

Step 1: Find your Classic Load Balancer ARN

First, list your Classic Load Balancers to get the name:

aws elb describe-load-balancers \
  --region us-east-1 \
  --query 'LoadBalancerDescriptions[*].[LoadBalancerName,Scheme]' \
  --output table

The ARN format for a Classic Load Balancer is:

arn:aws:elasticloadbalancing:<region>:<account-id>:loadbalancer/<load-balancer-name>

Step 2: Create the Shield Advanced protection

Replace <your-account-id> and <your-load-balancer-name> with your values:

aws shield create-protection \
  --name "ClassicELB-<your-load-balancer-name>-Protection" \
  --resource-arn "arn:aws:elasticloadbalancing:us-east-1:<your-account-id>:loadbalancer/<your-load-balancer-name>" \
  --region us-east-1

Note: Shield Advanced API calls must be made to the us-east-1 region, even if your load balancer is in a different region.

Example

For a load balancer named my-web-app-elb in account 123456789012:

aws shield create-protection \
  --name "ClassicELB-my-web-app-elb-Protection" \
  --resource-arn "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/my-web-app-elb" \
  --region us-east-1

CloudFormation (optional)

Use this CloudFormation template to enable Shield Advanced protection for a Classic Load Balancer:

AWSTemplateFormatVersion: '2010-09-09'
Description: Enable AWS Shield Advanced protection for a Classic Load Balancer

Parameters:
  LoadBalancerName:
    Type: String
    Description: Name of the Classic Load Balancer to protect
  LoadBalancerRegion:
    Type: String
    Description: Region of the Classic Load Balancer. The stack is deployed in us-east-1, so the ARN is built from this parameter rather than AWS::Region to stay correct for a load balancer in another region.
    Default: us-east-1
  ProtectionName:
    Type: String
    Description: Friendly name for the Shield Advanced protection
    Default: ClassicELB-Shield-Protection

Resources:
  ShieldProtection:
    Type: AWS::Shield::Protection
    Properties:
      Name: !Ref ProtectionName
      # Shield Advanced matches the protected resource by exact ARN, so the
      # region segment must be the load balancer's own region.
      ResourceArn: !Sub 'arn:aws:elasticloadbalancing:${LoadBalancerRegion}:${AWS::AccountId}:loadbalancer/${LoadBalancerName}'

Outputs:
  ProtectionId:
    Description: The ID of the Shield Advanced protection
    Value: !Ref ShieldProtection

Deploy the template

aws cloudformation create-stack \
  --stack-name shield-classic-elb-protection \
  --template-body file://shield-protection.yaml \
  --parameters \
    ParameterKey=LoadBalancerName,ParameterValue=<your-load-balancer-name> \
    ParameterKey=ProtectionName,ParameterValue=<your-protection-name> \
  --region us-east-1

Terraform (optional)

Use this Terraform configuration to enable Shield Advanced protection:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

variable "load_balancer_arn" {
  description = "ARN of the Classic Load Balancer to protect"
  type        = string
}

variable "protection_name" {
  description = "Friendly name for the Shield Advanced protection"
  type        = string
  default     = "ClassicELB-Shield-Protection"
}

resource "aws_shield_protection" "classic_elb" {
  name         = var.protection_name
  resource_arn = var.load_balancer_arn

  tags = {
    Environment = "production"
    ManagedBy   = "terraform"
  }
}

output "protection_id" {
  description = "The ID of the Shield Advanced protection"
  value       = aws_shield_protection.classic_elb.id
}

output "protection_arn" {
  description = "The ARN of the Shield Advanced protection"
  value       = aws_shield_protection.classic_elb.arn
}

Deploy with Terraform

terraform init
terraform plan -var="load_balancer_arn=arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/my-web-app-elb"
terraform apply -var="load_balancer_arn=arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/my-web-app-elb"

Verification

After enabling protection, verify it was applied successfully:

  1. Go to the AWS WAF & Shield Console
  2. Click Protected resources in the left navigation
  3. Look for your Classic Load Balancer in the list
  4. The Protection status should show as Active

Verify using AWS CLI

List all Shield Advanced protections:

aws shield list-protections \
  --region us-east-1 \
  --query 'Protections[?contains(ResourceArn, `loadbalancer/`)].[Name,ResourceArn]' \
  --output table

Or check a specific load balancer:

aws shield describe-protection \
  --resource-arn "arn:aws:elasticloadbalancing:us-east-1:<your-account-id>:loadbalancer/<your-load-balancer-name>" \
  --region us-east-1

A successful response shows the protection details. An error indicates the resource is not protected.
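The following Python script is an added example, not part of this page or of any AWS tooling. It implements the check described in the Overview and the remediation in Step 2 in one place: it takes the structures returned by `elb describe-load-balancers` and `shield list-protections`, keeps only internet-facing Classic Load Balancers, builds each one's ARN in the format given above, and reports the ones with no matching protection together with the `create-protection` parameters that would close the gap (using this page's `ClassicELB-<name>-Protection` naming). The function names, the sample inventory and the account id 123456789012 are constructed for the example; the optional `main()` assumes boto3 is installed and credentials are configured, and like the CLI steps it talks to Shield in us-east-1 regardless of where the load balancer lives.

```python
"""Find internet-facing Classic Load Balancers with no Shield Advanced
protection and build the create-protection parameters for each gap.

The pure functions work on the plain dict shapes returned by the AWS CLI and
boto3 calls used on this page, so they run offline on the constructed sample
data at the bottom. main() performs the same check live via boto3.
"""

# Shield Advanced API calls go to us-east-1 even for resources in other regions.
SHIELD_REGION = "us-east-1"


def clb_arn(region: str, account_id: str, name: str) -> str:
    """ARN of a Classic Load Balancer (format given on this page)."""
    return f"arn:aws:elasticloadbalancing:{region}:{account_id}:loadbalancer/{name}"


def protection_name(lb_name: str) -> str:
    """Naming convention used in the remediation steps on this page."""
    return f"ClassicELB-{lb_name}-Protection"


def unprotected_internet_facing_clbs(load_balancers, protections, region, account_id):
    """Return (name, arn) for every internet-facing CLB that has no protection.

    load_balancers: entries of LoadBalancerDescriptions (elb describe-load-balancers)
    protections:    entries of Protections (shield list-protections)

    Internal CLBs are skipped. Matching is on the exact ARN, so a load balancer
    in eu-west-1 is only counted as protected if a protection was created with
    the eu-west-1 ARN, not one built with a us-east-1 region segment.
    """
    protected = {p["ResourceArn"] for p in protections}
    gaps = []
    for lb in load_balancers:
        if lb.get("Scheme") != "internet-facing":
            continue
        arn = clb_arn(region, account_id, lb["LoadBalancerName"])
        if arn not in protected:
            gaps.append((lb["LoadBalancerName"], arn))
    return gaps


def create_protection_requests(gaps):
    """Keyword arguments for shield.create_protection (CLI: create-protection) per gap."""
    return [{"Name": protection_name(name), "ResourceArn": arn} for name, arn in gaps]


# Constructed sample data mirroring the CLI output shapes; not real resources.
SAMPLE_ACCOUNT = "123456789012"
SAMPLE_REGION = "us-east-1"
SAMPLE_LBS = [
    {"LoadBalancerName": "my-web-app-elb", "Scheme": "internet-facing"},
    {"LoadBalancerName": "internal-api-elb", "Scheme": "internal"},
    {"LoadBalancerName": "legacy-portal-elb", "Scheme": "internet-facing"},
]
SAMPLE_PROTECTIONS = [
    {
        "Name": "ClassicELB-my-web-app-elb-Protection",
        "ResourceArn": clb_arn(SAMPLE_REGION, SAMPLE_ACCOUNT, "my-web-app-elb"),
    },
]


def sample_gaps():
    """Run the check over the constructed sample inventory."""
    return unprotected_internet_facing_clbs(
        SAMPLE_LBS, SAMPLE_PROTECTIONS, SAMPLE_REGION, SAMPLE_ACCOUNT
    )


def main(region=SAMPLE_REGION, apply=False):
    """Live check for one region; requires boto3 and AWS credentials (assumed)."""
    import boto3  # imported here so the offline functions work without boto3

    account_id = boto3.client("sts").get_caller_identity()["Account"]
    elb = boto3.client("elb", region_name=region)
    lbs = []
    for page in elb.get_paginator("describe_load_balancers").paginate():
        lbs.extend(page["LoadBalancerDescriptions"])
    shield = boto3.client("shield", region_name=SHIELD_REGION)
    protections = []
    for page in shield.get_paginator("list_protections").paginate():
        protections.extend(page["Protections"])
    gaps = unprotected_internet_facing_clbs(lbs, protections, region, account_id)
    for req in create_protection_requests(gaps):
        print("UNPROTECTED:", req["ResourceArn"])
        if apply:
            shield.create_protection(**req)  # same call as Step 2 above
    return gaps


if __name__ == "__main__":
    for name, arn in sample_gaps():
        print(f"needs Shield Advanced protection: {name} -> {arn}")
```

Passing `apply=True` to `main()` creates the missing protections with the same parameters the CLI step uses; without it the script only reports. Running the check with a region that differs from the one the protection was created with shows why the ARN region segment matters: the same load balancer name then shows up as unprotected.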

Additional Resources

Notes

  • Shield Advanced is a paid service: There is a monthly subscription fee plus data transfer charges. Review the pricing page before subscribing.

  • Classic Load Balancers are legacy: AWS recommends migrating to Application Load Balancers (ALB) or Network Load Balancers (NLB) for new workloads. These can also be protected by Shield Advanced.

  • Regional considerations: Shield Advanced API calls must be made to us-east-1, but you can protect resources in any region.

  • Protection groups: Consider adding your protected resources to a Shield Advanced protection group for aggregated metrics and coordinated response.

  • Health-based detection: Enable health-based detection for more accurate attack identification by associating Route 53 health checks with your protected resources.