Enable Shield Advanced Protection for Global Accelerators
Overview
This check verifies that your AWS Global Accelerator resources are protected by AWS Shield Advanced. Shield Advanced provides enhanced DDoS (Distributed Denial of Service) protection beyond the basic Shield Standard that comes free with all AWS accounts.
Global Accelerators route traffic to your applications through the AWS global network, making them a critical component of your infrastructure and a single point at which a volumetric attack hits every backend behind them. Protecting them with Shield Advanced gives you advanced DDoS mitigation, 24/7 access to the AWS Shield Response Team (SRT) (engaging the SRT requires a Business or Enterprise Support plan), and cost protection for scaling during attacks.
Risk
Without Shield Advanced protection on your Global Accelerators:
- Increased vulnerability to DDoS attacks: Your accelerators may be overwhelmed by volumetric or protocol-based attacks, causing service disruptions
- Longer incident response times: You won't have access to the AWS Shield Response Team for expert assistance during attacks
- Unexpected costs: Malicious traffic spikes could result in higher-than-expected AWS bills without the cost protection Shield Advanced provides
- Limited visibility: You'll miss out on advanced attack diagnostics and near real-time metrics during DDoS events
Remediation Steps
Prerequisites
- An active AWS Shield Advanced subscription (Shield Advanced has a monthly fee of $3,000 plus data transfer charges)
- IAM permissions to manage Shield resources (shield:CreateProtection, shield:DescribeProtection, shield:ListProtections) and to list accelerators (globalaccelerator:ListAccelerators)
- At least one Global Accelerator in your account
How to subscribe to Shield Advanced
If you haven't subscribed to Shield Advanced yet:
- Open the AWS WAF & Shield console
- In the navigation pane, choose Getting started
- Choose Subscribe to Shield Advanced
- Review the pricing and terms, then choose Subscribe
Note: Shield Advanced requires a 1-year commitment. The subscription fee is $3,000/month plus data transfer fees for protected resources.
AWS Console Method
- Open the AWS WAF & Shield console
- In the left navigation pane, under AWS Shield, choose Protected resources
- Choose Add resources to protect
- For Region, select Global (CloudFront, Global Accelerator, Route 53)
- For Resource type, select Global Accelerator
- Select the checkbox next to the Global Accelerator you want to protect
- Choose Protect with Shield Advanced
- Review the protection details and choose Add protection
Your Global Accelerator is now protected by Shield Advanced. The protection takes effect immediately.
AWS CLI (optional)
Step 1: List your Global Accelerators
First, identify the ARN of the Global Accelerator you want to protect. The Global Accelerator API is served only from us-west-2, so that region is required for globalaccelerator commands even though the Shield commands below use us-east-1:
aws globalaccelerator list-accelerators \
--region us-west-2 \
--query 'Accelerators[*].[Name,AcceleratorArn]' \
--output table
Step 2: Enable Shield Advanced Protection
Replace <accelerator-arn> with your Global Accelerator's ARN and <protection-name> with a descriptive name:
aws shield create-protection \
--name "<protection-name>" \
--resource-arn "<accelerator-arn>" \
--region us-east-1
Example:
aws shield create-protection \
--name "MyApp-GlobalAccelerator-Protection" \
--resource-arn "arn:aws:globalaccelerator::123456789012:accelerator/1234abcd-5678-90ef-ghij-klmnopqrstuv" \
--region us-east-1
The command returns a ProtectionId on success:
{
"ProtectionId": "abc123de-4567-89fg-hijk-lmnopqrstuvw"
}
Step 3: Add Tags (optional)
You can add tags to your protection for better organization:
aws shield tag-resource \
--resource-arn "arn:aws:shield::123456789012:protection/abc123de-4567-89fg-hijk-lmnopqrstuvw" \
--tags Key=Environment,Value=Production Key=Team,Value=Security \
--region us-east-1
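The three CLI steps above, combined into one script that does what the Prowler check does (compare every accelerator against the Shield protection list) and then remediates the gap. This is an added example, not Prowler's or AWS's own code. It assumes AWS CLI v2 with the permissions listed under Prerequisites, an active Shield Advanced subscription, and that you run it with --live; without that flag it only defines the functions. The ARNs used in the usage note are constructed placeholders.

```shell
#!/bin/sh
# Added example: find Global Accelerators with no Shield Advanced protection and
# create one for each. Assumes AWS CLI v2 and an active Shield Advanced
# subscription. Nothing touches AWS unless the script is run with --live.
set -eu

# Two different control planes: Global Accelerator's API lives in us-west-2,
# Shield's in us-east-1. Using the wrong one returns an endpoint error.
GA_REGION=us-west-2
SHIELD_REGION=us-east-1

# Newline-separated ARNs of every accelerator in the account.
list_accelerator_arns() {
  aws globalaccelerator list-accelerators --region "$GA_REGION" \
    --query 'Accelerators[].AcceleratorArn' --output text | tr '\t' '\n'
}

# Newline-separated ARNs that already have a Shield Advanced protection.
# The inclusion filter narrows the listing to Global Accelerator protections.
list_protected_arns() {
  aws shield list-protections --region "$SHIELD_REGION" \
    --inclusion-filters ResourceTypes=GLOBAL_ACCELERATOR \
    --query 'Protections[].ResourceArn' --output text | tr '\t' '\n'
}

# Pure set difference, testable offline: $1 and $2 are newline-separated ARN
# lists; prints each ARN in $1 that is absent from $2 (the check's FAIL set).
unprotected_accelerators() {
  printf '%s\n' "$1" | sort -u | while IFS= read -r arn; do
    [ -n "$arn" ] || continue
    if ! printf '%s\n' "$2" | grep -qxF -- "$arn"; then
      printf '%s\n' "$arn"
    fi
  done
}

# Protection name derived from the accelerator ID (last ARN path segment),
# so names stay unique and traceable back to the resource.
protection_name_for() {
  printf 'GlobalAccelerator-%s' "${1##*/}"
}

remediate() {
  accel=$(list_accelerator_arns)
  prot=$(list_protected_arns)
  unprotected_accelerators "$accel" "$prot" | while IFS= read -r arn; do
    echo "Protecting $arn"
    aws shield create-protection --region "$SHIELD_REGION" \
      --name "$(protection_name_for "$arn")" \
      --resource-arn "$arn" \
      --tags Key=ManagedBy,Value=remediation-script \
      --query ProtectionId --output text
  done
}

if [ "${1:-}" = "--live" ]; then
  remediate
fi
```

Run it as `sh protect-accelerators.sh --live` from a profile that holds the Shield and Global Accelerator permissions. The set difference is kept in its own function so the "which resources fail the check" logic can be exercised without credentials; for example, with accelerators `.../accelerator/aaaa` and `.../accelerator/bbbb` and a protection list containing only `aaaa`, it prints the `bbbb` ARN.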
CloudFormation (optional)
Use this CloudFormation template to enable Shield Advanced protection for a Global Accelerator:
AWSTemplateFormatVersion: '2010-09-09'
Description: Enable Shield Advanced protection for AWS Global Accelerator
Parameters:
  GlobalAcceleratorArn:
    Type: String
    Description: The ARN of the Global Accelerator to protect
    AllowedPattern: arn:aws:globalaccelerator::[0-9]{12}:accelerator/[a-z0-9-]+
  ProtectionName:
    Type: String
    Description: Friendly name for the Shield Advanced protection
    Default: GlobalAccelerator-Shield-Protection
    MaxLength: 128
Resources:
  ShieldProtection:
    Type: AWS::Shield::Protection
    Properties:
      Name: !Ref ProtectionName
      ResourceArn: !Ref GlobalAcceleratorArn
      Tags:
        - Key: Environment
          Value: production
        - Key: ManagedBy
          Value: cloudformation
Outputs:
  ProtectionId:
    Description: The ID of the Shield Advanced protection
    # Ref on AWS::Shield::Protection returns the protection ARN, so use GetAtt for the ID
    Value: !GetAtt ShieldProtection.ProtectionId
  ProtectionArn:
    Description: The ARN of the Shield Advanced protection
    Value: !Ref ShieldProtection
Deploy the stack:
aws cloudformation create-stack \
--stack-name global-accelerator-shield-protection \
--template-body file://shield-protection.yaml \
--parameters \
ParameterKey=GlobalAcceleratorArn,ParameterValue="arn:aws:globalaccelerator::123456789012:accelerator/your-accelerator-id" \
ParameterKey=ProtectionName,ParameterValue="MyApp-GlobalAccelerator-Protection" \
--region us-east-1
Terraform (optional)
Use this Terraform configuration to enable Shield Advanced protection:
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"
    }
  }
}

# Shield's API is served from us-east-1
provider "aws" {
  region = "us-east-1"
}

# Variable for the Global Accelerator ARN
variable "global_accelerator_arn" {
  type        = string
  description = "The ARN of the Global Accelerator to protect"
}

variable "protection_name" {
  type        = string
  description = "Friendly name for the Shield Advanced protection"
  default     = "GlobalAccelerator-Shield-Protection"
}

# Shield Advanced protection for Global Accelerator
resource "aws_shield_protection" "global_accelerator" {
  name         = var.protection_name
  resource_arn = var.global_accelerator_arn

  tags = {
    Environment = "production"
    ManagedBy   = "terraform"
  }
}

output "protection_id" {
  description = "The ID of the Shield Advanced protection"
  value       = aws_shield_protection.global_accelerator.id
}
Deploy with Terraform:
# Initialize Terraform
terraform init
# Preview changes
terraform plan \
-var="global_accelerator_arn=arn:aws:globalaccelerator::123456789012:accelerator/your-accelerator-id" \
-var="protection_name=MyApp-GlobalAccelerator-Protection"
# Apply changes
terraform apply \
-var="global_accelerator_arn=arn:aws:globalaccelerator::123456789012:accelerator/your-accelerator-id" \
-var="protection_name=MyApp-GlobalAccelerator-Protection"
If you're referencing an existing Global Accelerator, use a data source instead of the variable. This block replaces the variable-driven resource above (it reuses the resource name, so keep only one of the two):
# Data source to look up an existing Global Accelerator by ARN
data "aws_globalaccelerator_accelerator" "existing" {
  arn = "arn:aws:globalaccelerator::123456789012:accelerator/your-accelerator-id"
}

# Shield Advanced protection using the data source
resource "aws_shield_protection" "global_accelerator" {
  name = "GlobalAccelerator-Shield-Protection"
  # The data source's id attribute is the accelerator ARN
  resource_arn = data.aws_globalaccelerator_accelerator.existing.id

  tags = {
    Environment = "production"
    ManagedBy   = "terraform"
  }
}
Verification
After enabling Shield Advanced protection, verify it's working:
- Go to the AWS WAF & Shield console
- Under Protected resources, find your Global Accelerator
- Confirm it shows as Protected with the Shield Advanced icon
Verify using AWS CLI
List all Shield protections:
aws shield list-protections \
--region us-east-1 \
--query 'Protections[?contains(ResourceArn, `globalaccelerator`)]' \
--output table
Check protection for a specific Global Accelerator:
aws shield describe-protection \
--resource-arn "arn:aws:globalaccelerator::123456789012:accelerator/your-accelerator-id" \
--region us-east-1
A successful response confirms protection is enabled:
{
"Protection": {
"Id": "abc123de-4567-89fg-hijk-lmnopqrstuvw",
"Name": "MyApp-GlobalAccelerator-Protection",
"ResourceArn": "arn:aws:globalaccelerator::123456789012:accelerator/your-accelerator-id"
}
}
Re-run the Prowler check:
prowler aws --checks shield_advanced_protection_in_global_accelerators
Additional Resources
- AWS Shield Advanced Overview
- Getting Started with AWS Shield Advanced
- AWS Shield Advanced Pricing
- AWS Global Accelerator Documentation
- Shield Response Team (SRT) Support
- Terraform aws_shield_protection Resource
- CloudFormation AWS::Shield::Protection
Notes
- Shield Advanced Subscription Required: You must have an active Shield Advanced subscription before you can create protections. The service costs $3,000/month plus data transfer fees.
- One-Year Commitment: Shield Advanced requires a 1-year subscription commitment. Plan accordingly before subscribing.
- Global Service: Shield Advanced is a global service whose API endpoint is in us-east-1, so use the us-east-1 region for all Shield API calls, including those for Global Accelerator resources. The Global Accelerator API itself is served from us-west-2, so list-accelerators and the other globalaccelerator commands need --region us-west-2.
- Protection Limits: There's a default limit of 1,000 protections per account. Contact AWS Support if you need more.
- Cost Protection: Once protected, Shield Advanced provides cost protection, meaning AWS will credit charges that result from DDoS-related scaling of protected resources.
- Health-Based Detection: Consider enabling health-based detection for your protected Global Accelerator to improve attack detection accuracy. This requires creating a Route 53 health check and associating it with the protection (shield associate-health-check).
- Proactive Engagement: After enabling protection, consider setting up proactive engagement so the Shield Response Team can contact you during detected events. This requires emergency contacts, at least one health check associated with a protection, and a Business or Enterprise Support plan.
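The health-based detection and proactive engagement notes above, carried out with the AWS CLI. This is an added example, not code from the page or from AWS. The protection ID, accelerator DNS name and contact details are hypothetical placeholders to replace; it assumes AWS CLI v2, a Business or Enterprise Support plan, and that the protection already exists. Nothing is sent to AWS unless the script is run with --live.

```shell
#!/bin/sh
# Added example: attach a Route 53 health check to an existing Shield Advanced
# protection (health-based detection), then enable proactive engagement.
# All values below are placeholders; replace them before running with --live.
set -eu

SHIELD_REGION=us-east-1
PROTECTION_ID="abc123de-4567-89fg-hijk-lmnopqrstuvw"            # from create-protection
ACCELERATOR_DNS="a1234567890abcdef.awsglobalaccelerator.com"    # hypothetical accelerator DNS name
CONTACT_EMAIL="soc@example.com"                                 # placeholder
CONTACT_PHONE="+15555550123"                                    # placeholder, E.164 format

# associate-health-check expects the health check ARN, while create-health-check
# returns only the bare ID; this builds the ARN from the ID.
health_check_arn() {
  printf 'arn:aws:route53:::healthcheck/%s' "$1"
}

# Shield rejects emergency contacts whose phone number is not E.164
# ('+', then 1 to 15 digits, no leading zero), so validate before calling the API.
is_e164() {
  digits="${1#+}"
  [ "$1" != "$digits" ] || return 1
  [ "${#digits}" -ge 1 ] && [ "${#digits}" -le 15 ] || return 1
  case "$digits" in 0*|*[!0-9]*) return 1 ;; esac
  return 0
}

# HTTPS health check against the accelerator's DNS name. Shield combines its
# status with traffic telemetry to decide whether an anomaly is an attack.
create_health_check() {
  aws route53 create-health-check \
    --caller-reference "shield-ga-$(date +%s)" \
    --health-check-config "Type=HTTPS,FullyQualifiedDomainName=$ACCELERATOR_DNS,Port=443,ResourcePath=/health,RequestInterval=30,FailureThreshold=3" \
    --query 'HealthCheck.Id' --output text
}

configure() {
  if ! is_e164 "$CONTACT_PHONE"; then
    echo "CONTACT_PHONE must be E.164, e.g. +15555550123" >&2
    exit 1
  fi

  hc_id=$(create_health_check)
  aws shield associate-health-check --region "$SHIELD_REGION" \
    --protection-id "$PROTECTION_ID" \
    --health-check-arn "$(health_check_arn "$hc_id")"

  # Proactive engagement needs at least one associated health check (done above)
  # and an emergency contact list the SRT can reach during a detected event.
  aws shield associate-proactive-engagement-details --region "$SHIELD_REGION" \
    --emergency-contact-list "EmailAddress=$CONTACT_EMAIL,PhoneNumber=$CONTACT_PHONE,ContactNotes=primary-on-call"
  aws shield enable-proactive-engagement --region "$SHIELD_REGION"
}

if [ "${1:-}" = "--live" ]; then
  configure
fi
```

Point the health check at a path that exercises the application behind the accelerator rather than a static page, otherwise a backend outage caused by an attack can go unnoticed while the check stays green. Proactive engagement can be paused later with `aws shield disable-proactive-engagement` without removing the contacts.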