Shield Advanced Not In Use

  • Query id: ad7444cf-817a-4765-a79e-2145f7981faf
  • Query name: Shield Advanced Not In Use
  • Platform: CloudFormation
  • Severity: Low
  • Category: Networking and Firewall
  • CWE: Ongoing
  • URL: Github

Description

AWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing, and Amazon CloudFront Distribution to protect these resources against robust DDoS attacks
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
Resources:
  HostedZone:
    Type: AWS::Route53::HostedZone
    Properties:
      Name: "HostedZone"
      QueryLoggingConfig:
        CloudWatchLogsLogGroupArn: "SomeCloudWatchLogGroupArn"
  Policy:
    Type: AWS::FMS::Policy
    Properties:
      ExcludeResourceTags: true
      ResourceTags:
        - Key: resourceTag1
          Value: value
        - Key: resourceTag2
          Value: value
      IncludeMap:
        ACCOUNT:
          - !Ref AWS::AccountId
      PolicyName: TaggedPolicy
      RemediationEnabled: false
      ResourceType: ResourceTypeList
      ResourceTypeList:
        - AWS::GlobalAccelerator::Accelerator
      SecurityServicePolicyData:
        Type: SHIELD_ADVANCED
      DeleteAllPolicyResources: false
      Tags:
        - Key: tag1
          Value: value
        - Key: tag2
          Value: value
Positive test num. 2 - json file
{
  "Resources": {
    "HostedZone": {
      "Properties": {
        "Name": "HostedZone",
        "QueryLoggingConfig": {
          "CloudWatchLogsLogGroupArn": "SomeCloudWatchLogGroupArn"
        }
      },
      "Type": "AWS::Route53::HostedZone"
    },
    "Policy": {
      "Properties": {
        "DeleteAllPolicyResources": false,
        "ExcludeResourceTags": true,
        "IncludeMap": {
          "ACCOUNT": [
            "AWS::AccountId"
          ]
        },
        "PolicyName": "TaggedPolicy",
        "RemediationEnabled": false,
        "ResourceTags": [
          {
            "Key": "resourceTag1",
            "Value": "value"
          },
          {
            "Key": "resourceTag2",
            "Value": "value"
          }
        ],
        "ResourceType": "ResourceTypeList",
        "ResourceTypeList": [
          "AWS::GlobalAccelerator::Accelerator"
        ],
        "SecurityServicePolicyData": {
          "Type": "SHIELD_ADVANCED"
        },
        "Tags": [
          {
            "Key": "tag1",
            "Value": "value"
          },
          {
            "Key": "tag2",
            "Value": "value"
          }
        ]
      },
      "Type": "AWS::FMS::Policy"
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
Resources:
  MyEIP:
    Type: AWS::EC2::EIP
    Properties:
      InstanceId: !Ref Logical name of an AWS::EC2::Instance resource
  Policy2:
    Type: AWS::FMS::Policy
    Properties:
      ExcludeResourceTags: true
      ResourceTags:
        - Key: resourceTag1
          Value: value
        - Key: resourceTag2
          Value: value
      IncludeMap:
        ACCOUNT:
          - !Ref AWS::AccountId
      PolicyName: TaggedPolicy
      RemediationEnabled: false
      ResourceType: ResourceTypeList
      ResourceTypeList:
        - AWS::EC2::EIP
      SecurityServicePolicyData:
        Type: SHIELD_ADVANCED
      DeleteAllPolicyResources: false
      Tags:
        - Key: tag1
          Value: value
        - Key: tag2
          Value: value
Negative test num. 2 - json file
{
  "Resources": {
    "MyEIP": {
      "Properties": {
        "InstanceId": "Logical name of an AWS::EC2::Instance resource"
      },
      "Type": "AWS::EC2::EIP"
    },
    "Policy2": {
      "Properties": {
        "DeleteAllPolicyResources": false,
        "ExcludeResourceTags": true,
        "IncludeMap": {
          "ACCOUNT": [
            "AWS::AccountId"
          ]
        },
        "PolicyName": "TaggedPolicy",
        "RemediationEnabled": false,
        "ResourceTags": [
          {
            "Key": "resourceTag1",
            "Value": "value"
          },
          {
            "Key": "resourceTag2",
            "Value": "value"
          }
        ],
        "ResourceType": "ResourceTypeList",
        "ResourceTypeList": [
          "AWS::EC2::EIP"
        ],
        "SecurityServicePolicyData": {
          "Type": "SHIELD_ADVANCED"
        },
        "Tags": [
          {
            "Key": "tag1",
            "Value": "value"
          },
          {
            "Key": "tag2",
            "Value": "value"
          }
        ]
      },
      "Type": "AWS::FMS::Policy"
    }
  }
}