Shield Advanced Not In Use

Query id: ad7444cf-817a-4765-a79e-2145f7981faf
Query name: Shield Advanced Not In Use
Platform: CloudFormation
Severity: Low
Category: Networking and Firewall
URL: Github

Description¶

AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks
Documentation

Code samples¶

Code samples with security vulnerabilities¶

Postitive test num. 1 - yaml file

Postitive test num. 2 - json file

Resources: class="w">  HostedZone: Type: AWS::Route53::HostedZone Properties: Name: "HostedZone" QueryLoggingConfig: CloudWatchLogsLogGroupArn: "SomeCloudWatchLogGroupArn" Policy: Type: AWS::FMS::Policy Properties: ExcludeResourceTags: true ResourceTags: - Key: resourceTag1 Value: value - Key: resourceTag2 Value: value IncludeMap: ACCOUNT: - !Ref AWS::AccountId PolicyName: TaggedPolicy RemediationEnabled: false ResourceType: ResourceTypeList ResourceTypeList: - AWS::GlobalAccelerator::Accelerator SecurityServicePolicyData: Type: SHIELD_ADVANCED DeleteAllPolicyResources: false Tags: - Key: tag1 Value: value - Key: tag2 Value: value { "Resources": { class="w">    "HostedZone": { "Properties": { "Name": "HostedZone", "QueryLoggingConfig": { "CloudWatchLogsLogGroupArn": "SomeCloudWatchLogGroupArn" } }, "Type": "AWS::Route53::HostedZone" }, "Policy": { "Properties": { "DeleteAllPolicyResources": false, "ExcludeResourceTags": true, "IncludeMap": { "ACCOUNT": [ "AWS::AccountId" ] }, "PolicyName": "TaggedPolicy", "RemediationEnabled": false, "ResourceTags": [ { "Key": "resourceTag1", "Value": "value" }, { "Key": "resourceTag2", "Value": "value" } ], "ResourceType": "ResourceTypeList", "ResourceTypeList": [ "AWS::GlobalAccelerator::Accelerator" ], "SecurityServicePolicyData": { "Type": "SHIELD_ADVANCED" }, "Tags": [ { "Key": "tag1", "Value": "value" }, { "Key": "tag2", "Value": "value" } ] }, "Type": "AWS::FMS::Policy" } } }
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml fileResources:
  MyEIP:
    Type: AWS::EC2::EIP
    Properties:
      InstanceId: !Ref Logical name of an AWS::EC2::Instance resource
  Policy2:
    Type: AWS::FMS::Policy
    Properties:
      ExcludeResourceTags: true
      ResourceTags:
        - Key: resourceTag1
          Value: value
        - Key: resourceTag2
          Value: value
      IncludeMap:
        ACCOUNT:
          - !Ref AWS::AccountId
      PolicyName: TaggedPolicy
      RemediationEnabled: false
      ResourceType: ResourceTypeList
      ResourceTypeList:
        - AWS::EC2::EIP
      SecurityServicePolicyData:
        Type: SHIELD_ADVANCED
      DeleteAllPolicyResources: false
      Tags:
        - Key: tag1
          Value: value
        - Key: tag2
          Value: value

Negative test num. 2 - json file{
  "Resources": {
    "MyEIP": {
      "Properties": {
        "InstanceId": "Logical name of an AWS::EC2::Instance resource"
      },
      "Type": "AWS::EC2::EIP"
    },
    "Policy2": {
      "Properties": {
        "DeleteAllPolicyResources": false,
        "ExcludeResourceTags": true,
        "IncludeMap": {
          "ACCOUNT": [
            "AWS::AccountId"
          ]
        },
        "PolicyName": "TaggedPolicy",
        "RemediationEnabled": false,
        "ResourceTags": [
          {
            "Key": "resourceTag1",
            "Value": "value"
          },
          {
            "Key": "resourceTag2",
            "Value": "value"
          }
        ],
        "ResourceType": "ResourceTypeList",
        "ResourceTypeList": [
          "AWS::EC2::EIP"
        ],
        "SecurityServicePolicyData": {
          "Type": "SHIELD_ADVANCED"
        },
        "Tags": [
          {
            "Key": "tag1",
            "Value": "value"
          },
          {
            "Key": "tag2",
            "Value": "value"
          }
        ]
      },
      "Type": "AWS::FMS::Policy"
    }
  }
}