Shield Advanced Not In Use
- Query id: 084c6686-2a70-4710-91b1-000393e54c12
- Query name: Shield Advanced Not In Use
- Platform: Terraform
- Severity: Low
- Category: Networking and Firewall
- CWE: 665
- URL: Github
Description
AWS Shield Advanced should protect Amazon Route 53 hosted zones, AWS Global Accelerator accelerators, Elastic IP addresses, Elastic Load Balancing load balancers, and Amazon CloudFront distributions against large-scale DDoS attacks. The query reports a resource of one of these types when no aws_shield_protection resource points its resource_arn at that resource. In the positive samples below the protection references a resource address (aws_eip.positive, aws_route53_zone.positive) that does not match the declared resource (positive1, positive2), so the declared resource is left without protection. Note that aws_shield_protection can only be created in an account with an active Shield Advanced subscription.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
data "aws_availability_zones" "available" {}
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

resource "aws_eip" "positive1" {
  # 'vpc = true' is the pre-5.x provider syntax; AWS provider 5.x uses domain = "vpc"
  vpc = true
}

resource "aws_shield_protection" "positive1" {
  name = "example"
  # References aws_eip.positive, not the declared aws_eip.positive1, so the EIP
  # above has no Shield protection attached (this is the condition the query flags)
  resource_arn = "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:eip-allocation/${aws_eip.positive.id}"
  tags = {
    Environment = "Dev"
  }
}
Positive test num. 2 - tf file
resource "aws_route53_zone" "positive2" {
  name = "example.com"
}

resource "aws_shield_protection" "positive2" {
  name = "example"
  # References aws_route53_zone.positive, not the declared aws_route53_zone.positive2,
  # so the hosted zone above is left unprotected
  resource_arn = aws_route53_zone.positive.arn
  tags = {
    Environment = "Dev"
  }
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
data "aws_availability_zones" "available" {}
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

resource "aws_eip" "negative1" {
  # 'vpc = true' is the pre-5.x provider syntax; AWS provider 5.x uses domain = "vpc"
  vpc = true
}

resource "aws_shield_protection" "negative1" {
  name = "example"
  # resource_arn resolves to the declared aws_eip.negative1, so the EIP is protected
  resource_arn = "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:eip-allocation/${aws_eip.negative1.id}"
  tags = {
    Environment = "Dev"
  }
}
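As an added example (not the KICS query itself and not the page's Terraform), the following Python script approximates the check: it scans HCL text for the protectable resource types and reports every resource that no aws_shield_protection references through its resource_arn. The type list, the regex-based block parsing and the treatment of literal ARN strings are assumptions of this script, not the query's definition; the two HCL strings are constructed from the page's samples.

```python
"""Approximate the "Shield Advanced Not In Use" check over Terraform text.

Added example, not KICS's Rego query. It scans HCL with regular expressions (no
HCL parser dependency) and lists protectable resources that no
aws_shield_protection block references. Only Terraform resource addresses inside
resource_arn are recognised (aws_eip.x.id embedded in an ARN string, or
aws_route53_zone.x.arn); a literal ARN string protects nothing in this file-level view.
"""
import re

# Terraform resource types covered by the page's description (assumed mapping).
PROTECTABLE_TYPES = {
    "aws_route53_zone",
    "aws_globalaccelerator_accelerator",
    "aws_eip",
    "aws_lb",
    "aws_elb",
    "aws_cloudfront_distribution",
}

RESOURCE_HEADER = re.compile(r'resource\s+"([a-z0-9_]+)"\s+"([A-Za-z0-9_-]+)"\s*\{')
RESOURCE_ARN_ATTR = re.compile(r'^\s*resource_arn\s*=\s*(.+)$', re.MULTILINE)
# Managed-resource reference such as aws_eip.web.id; data sources (data.aws_*.x.y) are skipped.
RESOURCE_REF = re.compile(r'(?<!data\.)\b(aws_[a-z0-9_]+)\.([A-Za-z0-9_-]+)\.[a-z_]+')


def resource_blocks(hcl):
    """Yield (type, name, body) for each top-level resource block, matching braces
    so nested tags = {...} maps and ${...} interpolations stay inside the body."""
    for header in RESOURCE_HEADER.finditer(hcl):
        depth, i = 1, header.end()
        while i < len(hcl) and depth:
            depth += {"{": 1, "}": -1}.get(hcl[i], 0)
            i += 1
        yield header.group(1), header.group(2), hcl[header.end():i - 1]


def find_unprotected(hcl):
    """Return addresses (type.name) of protectable resources that no
    aws_shield_protection.resource_arn references, in declaration order."""
    protectable, protected = [], set()
    for rtype, name, body in resource_blocks(hcl):
        if rtype == "aws_shield_protection":
            for value in RESOURCE_ARN_ATTR.findall(body):
                for ref_type, ref_name in RESOURCE_REF.findall(value):
                    protected.add(f"{ref_type}.{ref_name}")
        elif rtype in PROTECTABLE_TYPES:
            protectable.append(f"{rtype}.{name}")
    return [address for address in protectable if address not in protected]


# Constructed HCL modelled on the page's test cases. In POSITIVE_TF the protections
# reference aws_eip.positive / aws_route53_zone.positive, which are not the declared
# positive1 / positive2 resources, so both declared resources are unprotected.
POSITIVE_TF = '''
resource "aws_eip" "positive1" {
  domain = "vpc"
}

resource "aws_route53_zone" "positive2" {
  name = "example.com"
}

resource "aws_shield_protection" "positive1" {
  name         = "example"
  resource_arn = "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:eip-allocation/${aws_eip.positive.id}"
  tags = {
    Environment = "Dev"
  }
}

resource "aws_shield_protection" "positive2" {
  name         = "example"
  resource_arn = aws_route53_zone.positive.arn
}
'''

# Same layout with the references pointing at the declared resources.
NEGATIVE_TF = '''
resource "aws_eip" "negative1" {
  domain = "vpc"
}

resource "aws_route53_zone" "negative2" {
  name = "example.com"
}

resource "aws_shield_protection" "negative1" {
  name         = "example"
  resource_arn = "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:eip-allocation/${aws_eip.negative1.id}"
}

resource "aws_shield_protection" "negative2" {
  name         = "example"
  resource_arn = aws_route53_zone.negative2.arn
}
'''

if __name__ == "__main__":
    print("positive:", find_unprotected(POSITIVE_TF))  # ['aws_eip.positive1', 'aws_route53_zone.positive2']
    print("negative:", find_unprotected(NEGATIVE_TF))  # []
```

The brace-matching in resource_blocks is what keeps the check from misreading the ${...} interpolations inside the EIP ARN as the end of a block; the data-source exclusion in RESOURCE_REF is what stops data.aws_region.current.name from counting as a protected resource.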