Enable Shield Advanced Protection for CloudFront Distributions
Overview
This check verifies that your Amazon CloudFront distributions are protected by AWS Shield Advanced. Shield Advanced provides enhanced DDoS (Distributed Denial of Service) protection beyond the basic Shield Standard that comes with all AWS accounts.
When enabled, Shield Advanced gives your CloudFront distributions:
- Advanced attack detection and mitigation
- 24/7 access to the AWS Shield Response Team (SRT)
- Cost protection for scaling charges during attacks
- Real-time visibility into attacks
Risk
Without Shield Advanced protection, your CloudFront distributions are exposed to:
- Sophisticated DDoS attacks: Shield Standard automatically absorbs the common Layer 3/4 network floods (SYN floods, UDP reflection), but it gives you no resource-specific detection and mitigation for very large or unusual floods, nor for Layer 7 application-layer attacks (HTTP request floods) that look like legitimate traffic
- Extended downtime: without access to the Shield Response Team, diagnosing and mitigating a sophisticated attack depends entirely on your own staff
- Unexpected costs: attack traffic is billed as ordinary CloudFront usage; only Shield Advanced offers service credits for usage spikes caused by a DDoS attack
- Degraded performance: a distribution under attack can show increased latency and error rates for legitimate users
Shield Standard provides baseline protection at no charge, but for business-critical applications Shield Advanced offers the detection, visibility and expert support needed against sophisticated threats.
Remediation Steps
Prerequisites
- An AWS account with an active Shield Advanced subscription (Shield Advanced has a monthly fee plus data transfer charges)
- Permissions to manage Shield Advanced protections (shield:CreateProtection)
- The ARN of the CloudFront distribution you want to protect
How to find your CloudFront distribution ARN
The ARN format for CloudFront distributions is:
arn:aws:cloudfront::<account-id>:distribution/<distribution-id>
Via AWS Console:
- Go to the CloudFront console
- Click on your distribution
- The Distribution ID is shown at the top (e.g., E1EXAMPLE12345)
- Construct the ARN using your account ID and distribution ID
Via AWS CLI:
aws cloudfront list-distributions --region us-east-1 \
--query "DistributionList.Items[*].{Id:Id,ARN:ARN,Domain:DomainName}" \
--output table
AWS Console Method
- Open the AWS WAF & Shield console at https://console.aws.amazon.com/wafv2/shieldv2
- In the left navigation, click Protected resources
- Click Add resources to protect
- For Resource type scope, select Global (CloudFront distributions)
- You will see a list of your CloudFront distributions. Select the checkbox next to the distribution(s) you want to protect
- Click Protect with Shield Advanced
- Review the protection details and click Confirm
Your CloudFront distribution is now protected by Shield Advanced.
AWS CLI (optional)
Add Shield Advanced Protection via CLI
Use the following command to protect a CloudFront distribution:
aws shield create-protection \
--region us-east-1 \
--name "MyCloudFrontProtection" \
--resource-arn "arn:aws:cloudfront::123456789012:distribution/E1EXAMPLE12345"
Parameters:
- --name: A friendly name for this protection (1-128 characters: letters, digits, underscores, periods, and hyphens)
- --resource-arn: The full ARN of your CloudFront distribution
Example with tags:
aws shield create-protection \
--region us-east-1 \
--name "ProductionWebsiteProtection" \
--resource-arn "arn:aws:cloudfront::123456789012:distribution/E1EXAMPLE12345" \
--tags Key=Environment,Value=Production Key=Application,Value=Website
Important notes:
- Shield Advanced API calls must be made to the us-east-1 region, even for global resources like CloudFront; the Shield service endpoint lives in that region, which is why every command on this page passes --region us-east-1
- You can only add one resource per create-protection call, and a resource can have only one protection: a second create-protection for the same ARN fails with ResourceAlreadyExistsException
- The protection name must be unique within your account
CloudFormation (optional)
CloudFormation Template
AWSTemplateFormatVersion: '2010-09-09'
Description: Shield Advanced protection for CloudFront distribution
Parameters:
  DistributionArn:
    Type: String
    Description: ARN of the CloudFront distribution to protect
    AllowedPattern: '^arn:aws:cloudfront::[0-9]{12}:distribution/[A-Z0-9]+$'
  ProtectionName:
    Type: String
    Description: Friendly name for the Shield Advanced protection
    MaxLength: 128
    MinLength: 1
Resources:
  ShieldProtection:
    Type: AWS::Shield::Protection
    Properties:
      Name: !Ref ProtectionName
      ResourceArn: !Ref DistributionArn
      Tags:
        - Key: Environment
          Value: Production
Outputs:
  ProtectionId:
    Description: The ID of the Shield Advanced protection
    Value: !GetAtt ShieldProtection.ProtectionId
Deploy the Stack
aws cloudformation create-stack \
--region us-east-1 \
--stack-name cloudfront-shield-protection \
--template-body file://shield-protection.yaml \
--parameters \
ParameterKey=DistributionArn,ParameterValue="arn:aws:cloudfront::123456789012:distribution/E1EXAMPLE12345" \
ParameterKey=ProtectionName,ParameterValue="MyCloudFrontProtection"
Note: Shield resources must be deployed in the us-east-1 region.
Terraform (optional)
Terraform Configuration
terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

variable "distribution_arn" {
  description = "ARN of the CloudFront distribution to protect"
  type        = string
  validation {
    condition     = can(regex("^arn:aws:cloudfront::[0-9]{12}:distribution/[A-Z0-9]+$", var.distribution_arn))
    error_message = "The distribution_arn must be a valid CloudFront distribution ARN."
  }
}

variable "protection_name" {
  description = "Friendly name for the Shield Advanced protection"
  type        = string
}

variable "tags" {
  description = "Tags to apply to the Shield protection"
  type        = map(string)
  default     = {}
}

resource "aws_shield_protection" "cloudfront" {
  name         = var.protection_name
  resource_arn = var.distribution_arn
  tags         = var.tags
}

output "protection_id" {
  description = "The ID of the Shield Advanced protection"
  value       = aws_shield_protection.cloudfront.id
}

output "protection_arn" {
  description = "The ARN of the Shield Advanced protection"
  value       = aws_shield_protection.cloudfront.arn
}
Example Usage
Create a terraform.tfvars file:
distribution_arn = "arn:aws:cloudfront::123456789012:distribution/E1EXAMPLE12345"
protection_name  = "MyCloudFrontProtection"
tags = {
  Environment = "Production"
  Application = "Website"
}
Apply the configuration:
terraform init
terraform plan
terraform apply
Note: Shield's API is served from us-east-1, so the AWS provider (or a provider alias) used for aws_shield_protection must be configured with region = "us-east-1". The CloudFront distribution itself is a global resource, so its ARN can be referenced regardless of the region your other infrastructure uses.
Verification
After adding Shield Advanced protection, verify it is active:
- Go to the AWS WAF & Shield console
- Click Protected resources in the left navigation
- Confirm your CloudFront distribution appears in the list with an active protection status
Verify via AWS CLI
List all Shield Advanced protections:
aws shield list-protections --region us-east-1
Check protection for a specific CloudFront distribution:
aws shield describe-protection \
--region us-east-1 \
--resource-arn "arn:aws:cloudfront::123456789012:distribution/E1EXAMPLE12345"
If the distribution is protected, you will see output containing the protection details. If not protected, you will receive a ResourceNotFoundException error.
Re-run the Prowler check:
prowler aws --checks shield_advanced_protection_in_cloudfront_distributions
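The CLI remediation and verification steps above are easy to script across a whole account. The following Python script is an added example, not part of the original page or of Prowler's own code. Run without arguments, it performs the same join the Prowler check performs (every distribution ARN must appear as the ResourceArn of some Shield Advanced protection) on constructed sample JSON in the shape returned by aws cloudfront list-distributions and aws shield list-protections, additionally flags protected distributions that do not yet have automatic application-layer mitigation enabled, and prints the create-protection command for each unprotected distribution. With --live it fetches the real documents through boto3 (assumed to be installed, with credentials for the account) and aborts if the account has no Shield Advanced subscription. All distribution IDs, domain names and protection IDs in the sample data are invented.

```python
"""Find CloudFront distributions that lack Shield Advanced protection.

Offline mode (default) works on the JSON documents that
`aws cloudfront list-distributions` and `aws shield list-protections`
return; `--live` fetches them with boto3 (assumed installed).
"""
import re
import sys

# Same ARN shape the CloudFormation/Terraform parameters above validate.
DISTRIBUTION_ARN_RE = re.compile(r"^arn:aws:cloudfront::[0-9]{12}:distribution/[A-Z0-9]+$")

# Constructed sample output: three distributions, two protections. All IDs are invented.
SAMPLE_DISTRIBUTIONS = {"DistributionList": {"Items": [
    {"Id": "E1EXAMPLE12345", "DomainName": "d111111abcdef8.cloudfront.net",
     "ARN": "arn:aws:cloudfront::123456789012:distribution/E1EXAMPLE12345"},
    {"Id": "E2EXAMPLE67890", "DomainName": "d222222abcdef8.cloudfront.net",
     "ARN": "arn:aws:cloudfront::123456789012:distribution/E2EXAMPLE67890"},
    {"Id": "E3EXAMPLE24680", "DomainName": "d333333abcdef8.cloudfront.net",
     "ARN": "arn:aws:cloudfront::123456789012:distribution/E3EXAMPLE24680"},
]}}
SAMPLE_PROTECTIONS = {"Protections": [
    {"Id": "a1b2c3d4-0000-0000-0000-000000000001", "Name": "MyCloudFrontProtection",
     "ResourceArn": "arn:aws:cloudfront::123456789012:distribution/E1EXAMPLE12345",
     "ApplicationLayerAutomaticResponseConfiguration": {"Status": "ENABLED", "Action": {"Block": {}}}},
    {"Id": "a1b2c3d4-0000-0000-0000-000000000002", "Name": "ProductionWebsiteProtection",
     "ResourceArn": "arn:aws:cloudfront::123456789012:distribution/E2EXAMPLE67890"},
]}


def is_distribution_arn(arn):
    """True for a well-formed CloudFront distribution ARN."""
    return bool(DISTRIBUTION_ARN_RE.match(arn))


def classify(list_distributions, list_protections):
    """Map each distribution ARN to 'unprotected', 'protected' or 'protected+auto-l7'.

    This is the join the Prowler check performs: a distribution passes only if its
    ARN is the ResourceArn of some Shield Advanced protection.
    """
    protections = {p["ResourceArn"]: p for p in list_protections.get("Protections", [])}
    status = {}
    for dist in list_distributions.get("DistributionList", {}).get("Items", []):
        arn = dist["ARN"]
        if not is_distribution_arn(arn):
            continue  # not a distribution ARN; nothing Shield could protect here
        prot = protections.get(arn)
        if prot is None:
            status[arn] = "unprotected"
        elif prot.get("ApplicationLayerAutomaticResponseConfiguration", {}).get("Status") == "ENABLED":
            status[arn] = "protected+auto-l7"
        else:
            status[arn] = "protected"
    return status


def remediation_commands(status):
    """One `aws shield create-protection` command per unprotected distribution."""
    commands = []
    for arn in sorted(a for a, s in status.items() if s == "unprotected"):
        dist_id = arn.rsplit("/", 1)[1]
        commands.append(
            "aws shield create-protection --region us-east-1 "
            f"--name cloudfront-{dist_id} --resource-arn {arn}"
        )
    return commands


def fetch_live():
    """Fetch both documents with boto3; Shield's API endpoint is in us-east-1."""
    import boto3  # imported lazily so the offline functions need no boto3
    from botocore.exceptions import ClientError

    shield = boto3.client("shield", region_name="us-east-1")
    try:
        shield.describe_subscription()  # raises if the account never subscribed
    except ClientError as err:
        if err.response["Error"]["Code"] == "ResourceNotFoundException":
            sys.exit("No Shield Advanced subscription in this account; subscribe first.")
        raise
    dists = {"DistributionList": {"Items": []}}
    for page in boto3.client("cloudfront").get_paginator("list_distributions").paginate():
        dists["DistributionList"]["Items"].extend(page.get("DistributionList", {}).get("Items", []))
    prots = {"Protections": []}
    for page in shield.get_paginator("list_protections").paginate():
        prots["Protections"].extend(page.get("Protections", []))
    return dists, prots


if __name__ == "__main__":
    dists, prots = fetch_live() if "--live" in sys.argv else (SAMPLE_DISTRIBUTIONS, SAMPLE_PROTECTIONS)
    result = classify(dists, prots)
    for arn, state in sorted(result.items()):
        print(f"{state:18} {arn}")
    for cmd in remediation_commands(result):
        print(cmd)
```

The protection name the script generates (cloudfront-<distribution-id>) is an assumption chosen so that names stay unique per resource; replace it with your own naming convention. The script only prints the remediation commands rather than running them, so that the protections you add (and the monthly cost they imply) remain a deliberate decision.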
Additional Resources
- AWS Shield Advanced Documentation
- Getting Started with AWS Shield Advanced
- AWS Shield Pricing
- AWS Shield Response Team (SRT) Support
- CloudFormation AWS::Shield::Protection
- Terraform aws_shield_protection Resource
Notes
- Cost consideration: AWS Shield Advanced has a monthly subscription fee (currently $3,000/month, with a one-year commitment) plus data transfer out charges. Evaluate whether your application requires this level of protection.
- Subscription required: Before you can add Shield Advanced protection to resources, you must first subscribe to Shield Advanced in your account. Go to the Shield console and click "Subscribe to Shield Advanced" if you haven't already; until the subscription exists, create-protection calls fail.
- Regional requirement: All Shield Advanced API calls and CloudFormation deployments must target the us-east-1 region, regardless of where your other resources are located.
- Layered defense: Shield Advanced works best as part of a layered security approach. Consider also using:
  - AWS WAF for application-layer protection
  - Rate limiting rules to prevent abuse
  - CloudWatch alarms for DDoS detection (Shield Advanced publishes a DDoSDetected metric in the AWS/DDoSProtection namespace for each protected resource)
  - A documented DDoS response runbook
- Protection groups: For multiple CloudFront distributions, consider using Shield Advanced protection groups to manage and monitor them collectively.
- Automatic application layer DDoS mitigation: For CloudFront distributions associated with AWS WAF web ACLs, you can enable automatic application layer DDoS mitigation, which responds to detected attacks by placing rules in the web ACL that count or block the attacking traffic, depending on the action you configure.