# Shield Advanced Not In Use
- Query id: ad7444cf-817a-4765-a79e-2145f7981faf
- Query name: Shield Advanced Not In Use
- Platform: CloudFormation
- Severity: Low
- Category: Networking and Firewall
- CWE: 665
- URL: Github
## Description
AWS Shield Advanced should be used for Amazon Route 53 hosted zones, AWS Global Accelerator accelerators, Elastic IP addresses, Elastic Load Balancing load balancers, and Amazon CloudFront distributions to protect these resources against robust DDoS attacks. In a CloudFormation template, such a resource counts as protected when an `AWS::FMS::Policy` whose `SecurityServicePolicyData` has `Type: SHIELD_ADVANCED` includes the resource's type in `ResourceType` or `ResourceTypeList`; a resource of one of these types with no matching policy in the template is reported.
Documentation
## Code samples
### Code samples with security vulnerabilities
#### Positive test num. 1 - yaml file
```yaml
Resources:
  HostedZone:
    Type: AWS::Route53::HostedZone
    Properties:
      Name: "HostedZone"
      QueryLoggingConfig:
        CloudWatchLogsLogGroupArn: "SomeCloudWatchLogGroupArn"
  Policy:
    Type: AWS::FMS::Policy
    Properties:
      ExcludeResourceTags: true
      ResourceTags:
        - Key: resourceTag1
          Value: value
        - Key: resourceTag2
          Value: value
      IncludeMap:
        ACCOUNT:
          - !Ref AWS::AccountId
      PolicyName: TaggedPolicy
      RemediationEnabled: false
      ResourceType: ResourceTypeList
      ResourceTypeList:
        - AWS::GlobalAccelerator::Accelerator
      SecurityServicePolicyData:
        Type: SHIELD_ADVANCED
      DeleteAllPolicyResources: false
      Tags:
        - Key: tag1
          Value: value
        - Key: tag2
          Value: value
```
#### Positive test num. 2 - json file
```json
{
  "Resources": {
    "HostedZone": {
      "Properties": {
        "Name": "HostedZone",
        "QueryLoggingConfig": {
          "CloudWatchLogsLogGroupArn": "SomeCloudWatchLogGroupArn"
        }
      },
      "Type": "AWS::Route53::HostedZone"
    },
    "Policy": {
      "Properties": {
        "DeleteAllPolicyResources": false,
        "ExcludeResourceTags": true,
        "IncludeMap": {
          "ACCOUNT": [
            "AWS::AccountId"
          ]
        },
        "PolicyName": "TaggedPolicy",
        "RemediationEnabled": false,
        "ResourceTags": [
          {
            "Key": "resourceTag1",
            "Value": "value"
          },
          {
            "Key": "resourceTag2",
            "Value": "value"
          }
        ],
        "ResourceType": "ResourceTypeList",
        "ResourceTypeList": [
          "AWS::GlobalAccelerator::Accelerator"
        ],
        "SecurityServicePolicyData": {
          "Type": "SHIELD_ADVANCED"
        },
        "Tags": [
          {
            "Key": "tag1",
            "Value": "value"
          },
          {
            "Key": "tag2",
            "Value": "value"
          }
        ]
      },
      "Type": "AWS::FMS::Policy"
    }
  }
}
```
### Code samples without security vulnerabilities
#### Negative test num. 1 - yaml file
```yaml
Resources:
  MyEIP:
    Type: AWS::EC2::EIP
    Properties:
      InstanceId: !Ref Logical name of an AWS::EC2::Instance resource
  Policy2:
    Type: AWS::FMS::Policy
    Properties:
      ExcludeResourceTags: true
      ResourceTags:
        - Key: resourceTag1
          Value: value
        - Key: resourceTag2
          Value: value
      IncludeMap:
        ACCOUNT:
          - !Ref AWS::AccountId
      PolicyName: TaggedPolicy
      RemediationEnabled: false
      ResourceType: ResourceTypeList
      ResourceTypeList:
        - AWS::EC2::EIP
      SecurityServicePolicyData:
        Type: SHIELD_ADVANCED
      DeleteAllPolicyResources: false
      Tags:
        - Key: tag1
          Value: value
        - Key: tag2
          Value: value
```
#### Negative test num. 2 - json file
```json
{
  "Resources": {
    "MyEIP": {
      "Properties": {
        "InstanceId": "Logical name of an AWS::EC2::Instance resource"
      },
      "Type": "AWS::EC2::EIP"
    },
    "Policy2": {
      "Properties": {
        "DeleteAllPolicyResources": false,
        "ExcludeResourceTags": true,
        "IncludeMap": {
          "ACCOUNT": [
            "AWS::AccountId"
          ]
        },
        "PolicyName": "TaggedPolicy",
        "RemediationEnabled": false,
        "ResourceTags": [
          {
            "Key": "resourceTag1",
            "Value": "value"
          },
          {
            "Key": "resourceTag2",
            "Value": "value"
          }
        ],
        "ResourceType": "ResourceTypeList",
        "ResourceTypeList": [
          "AWS::EC2::EIP"
        ],
        "SecurityServicePolicyData": {
          "Type": "SHIELD_ADVANCED"
        },
        "Tags": [
          {
            "Key": "tag1",
            "Value": "value"
          },
          {
            "Key": "tag2",
            "Value": "value"
          }
        ]
      },
      "Type": "AWS::FMS::Policy"
    }
  }
}
```
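The following is an added example, not KICS's own query implementation. It reimplements the rule the samples above illustrate as a small Python check over the JSON form of a CloudFormation template: every resource of a Shield-protectable type is reported unless some `AWS::FMS::Policy` with `SecurityServicePolicyData.Type` equal to `SHIELD_ADVANCED` lists that type. The mapping from the description's service names to CloudFormation type names (`AWS::ElasticLoadBalancing::LoadBalancer`, `AWS::ElasticLoadBalancingV2::LoadBalancer`, `AWS::CloudFront::Distribution`) is our assumption about which types the query intends; the two embedded templates are condensed copies of the page's JSON samples, and the third is a constructed case that goes slightly beyond them by exercising a single-type `ResourceType` and a non-Shield (`WAFV2`) FMS policy that must not count as protection.

```python
"""Flag Shield-Advanced-protectable resources that no FMS Shield policy covers.

Added example; not the KICS query's own code. Operates on the JSON form of a
CloudFormation template (the YAML samples carry !Ref tags that plain parsers
reject, so the JSON variants are used here).
"""
import json

# Assumed mapping of the description's resource kinds to CloudFormation types.
SHIELD_PROTECTABLE_TYPES = frozenset({
    "AWS::Route53::HostedZone",
    "AWS::GlobalAccelerator::Accelerator",
    "AWS::EC2::EIP",
    "AWS::ElasticLoadBalancing::LoadBalancer",
    "AWS::ElasticLoadBalancingV2::LoadBalancer",
    "AWS::CloudFront::Distribution",
})


def shield_covered_types(resources):
    """Resource types covered by any AWS::FMS::Policy of type SHIELD_ADVANCED."""
    covered = set()
    for res in resources.values():
        if res.get("Type") != "AWS::FMS::Policy":
            continue
        props = res.get("Properties", {})
        if props.get("SecurityServicePolicyData", {}).get("Type") != "SHIELD_ADVANCED":
            continue  # e.g. a WAFV2 policy does not provide DDoS protection
        # FMS takes either one type name in ResourceType, or the literal
        # "ResourceTypeList" with the real list in ResourceTypeList.
        rtype = props.get("ResourceType")
        if rtype == "ResourceTypeList":
            covered.update(props.get("ResourceTypeList", []))
        elif rtype:
            covered.add(rtype)
    return covered


def find_unprotected(template):
    """Sorted logical IDs of protectable resources with no Shield Advanced policy."""
    resources = template.get("Resources", {})
    covered = shield_covered_types(resources)
    return sorted(
        name for name, res in resources.items()
        if res.get("Type") in SHIELD_PROTECTABLE_TYPES and res.get("Type") not in covered
    )


def check_template_json(text):
    """Parse a JSON template and return the logical IDs the rule reports."""
    return find_unprotected(json.loads(text))


# Condensed copy of the page's positive sample: tags and logging omitted.
POSITIVE_TEMPLATE = """{
  "Resources": {
    "HostedZone": {"Type": "AWS::Route53::HostedZone",
                   "Properties": {"Name": "HostedZone"}},
    "Policy": {"Type": "AWS::FMS::Policy",
               "Properties": {"PolicyName": "TaggedPolicy",
                              "ResourceType": "ResourceTypeList",
                              "ResourceTypeList": ["AWS::GlobalAccelerator::Accelerator"],
                              "SecurityServicePolicyData": {"Type": "SHIELD_ADVANCED"}}}
  }
}"""

# Condensed copy of the page's negative sample.
NEGATIVE_TEMPLATE = """{
  "Resources": {
    "MyEIP": {"Type": "AWS::EC2::EIP", "Properties": {}},
    "Policy2": {"Type": "AWS::FMS::Policy",
                "Properties": {"PolicyName": "TaggedPolicy",
                               "ResourceType": "ResourceTypeList",
                               "ResourceTypeList": ["AWS::EC2::EIP"],
                               "SecurityServicePolicyData": {"Type": "SHIELD_ADVANCED"}}}
  }
}"""

# Constructed case: CloudFront covered via a single ResourceType; the load
# balancer only has a WAFV2 policy, which is not Shield Advanced, so it is flagged.
MIXED_TEMPLATE = """{
  "Resources": {
    "Cdn": {"Type": "AWS::CloudFront::Distribution", "Properties": {}},
    "AppLoadBalancer": {"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer", "Properties": {}},
    "CdnShield": {"Type": "AWS::FMS::Policy",
                  "Properties": {"PolicyName": "CdnShield",
                                 "ResourceType": "AWS::CloudFront::Distribution",
                                 "SecurityServicePolicyData": {"Type": "SHIELD_ADVANCED"}}},
    "AlbWaf": {"Type": "AWS::FMS::Policy",
               "Properties": {"PolicyName": "AlbWaf",
                              "ResourceType": "AWS::ElasticLoadBalancingV2::LoadBalancer",
                              "SecurityServicePolicyData": {"Type": "WAFV2"}}}
  }
}"""

if __name__ == "__main__":
    for label, tmpl in [("positive", POSITIVE_TEMPLATE), ("negative", NEGATIVE_TEMPLATE),
                        ("mixed", MIXED_TEMPLATE)]:
        print(f"{label}: unprotected = {check_template_json(tmpl)}")
```

Running it reports `HostedZone` for the positive sample (the policy protects accelerators, not the hosted zone), nothing for the negative sample, and only `AppLoadBalancer` for the constructed case. Note that, like the query itself, this is a template-local check: a Shield Advanced policy managed outside the template, or a subscription applied directly in the Shield console, is not visible to it.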