
πŸ›‘οΈ AWS Shield Advanced SRT access is not configured🟒

Logic

Description

This policy identifies AWS Accounts that use Shield Advanced but have not granted the Shield Response Team (SRT) access to the account.

AWS Shield Advanced provides enhanced protection against Distributed Denial of Service (DDoS) attacks. The Shield Response Team (SRT) is available 24/7 to help Shield Advanced customers respond to and mitigate DDoS events. For the SRT to work in your account during an incident, you must create an IAM role that trusts the service principal drt.shield.amazonaws.com, attach the AWSShieldDRTAccessPolicy managed policy to it, and associate that role with Shield Advanced. A role that exists but has not been associated gives the SRT nothing to assume.

Rationale

Creating a dedicated IAM role for the SRT is a critical step in preparing for a DDoS attack. Without this role, the SRT cannot access your account to analyze traffic, apply mitigations, or assist in your response, and creating and associating the role in the middle of an attack costs time you do not have. Proactively configuring this access ensures that when a DDoS event occurs the SRT can engage immediately, minimizing downtime and impact on your applications. Two points to keep in mind: the role only enables the SRT to act once you have asked for help (through an AWS Support case, or automatically if you have enabled proactive engagement), and the role should carry nothing beyond AWSShieldDRTAccessPolicy, since any additional permissions attached to it are also handed to the SRT.

Audit

This policy flags an AWS Account as INCOMPLIANT if Shield Advanced: State is ACTIVE and Shield Advanced: SRT Support Configured is No. Accounts without an active Shield Advanced subscription are out of scope.

Remediation

Configure SRT Access for AWS Shield Advanced

To allow the AWS Shield Response Team (SRT) to assist in mitigating DDoS events, create (or reuse) an IAM role that trusts the SRT service principal, attach the managed policy AWSShieldDRTAccessPolicy to it, and associate the role with Shield Advanced.

From Command Line
  1. Create the IAM Role for the SRT

    Create a trust policy document named trust-policy.json with the following content. Only the drt.shield.amazonaws.com service principal is allowed to assume the role:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "drt.shield.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

    Then create the IAM role using the trust policy:

    aws iam create-role \
      --role-name AWSShieldDRTRole \
      --assume-role-policy-document file://trust-policy.json \
      --description "Role granting AWS Shield Response Team (SRT) access to assist with DDoS mitigation"
  2. Attach the Managed Policy

    Attach the AWS managed policy AWSShieldDRTAccessPolicy to the role created in step 1 (iam attach-role-policy), then associate the role with Shield Advanced (shield associate-drt-role) so that the SRT can actually assume it. AWS requires the managed policy to be attached before the role is associated, and the caller needs iam:PassRole for the association. Until the role is associated, the audit above still reports SRT support as not configured.
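The following script is an added example, not part of the Cloudaware policy or of AWS documentation. It serves both the Audit section and the command-line procedure above: it reproduces the audit rule (Shield Advanced active, no SRT role associated) with the AWS CLI, and, when an account is INCOMPLIANT, creates the role with the trust policy shown above, attaches AWSShieldDRTAccessPolicy and associates the role with Shield Advanced. It assumes AWS CLI v2 with credentials allowed to call shield:DescribeSubscription, shield:DescribeDRTAccess, shield:AssociateDRTRole, iam:GetRole, iam:CreateRole, iam:AttachRolePolicy and iam:PassRole. The role name AWSShieldDRTRole is taken from the steps above; the --audit and --remediate flags are this script's own; and treating a successful describe-subscription call as "State: ACTIVE" is an assumption about how the policy derives that attribute.

```shell
#!/bin/sh
# Added example (not Cloudaware's or AWS's code): audit and remediate SRT access
# for AWS Shield Advanced using only the AWS CLI. Assumes AWS CLI v2 and
# credentials allowed to call shield:DescribeSubscription, shield:DescribeDRTAccess,
# shield:AssociateDRTRole, iam:GetRole, iam:CreateRole, iam:AttachRolePolicy and
# iam:PassRole. The role name follows the remediation steps; override via ROLE_NAME.

ROLE_NAME="${ROLE_NAME:-AWSShieldDRTRole}"
SRT_POLICY_ARN="arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy"

# Trust policy: only the SRT service principal may assume this role.
srt_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "drt.shield.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# "Shield Advanced: State = ACTIVE" is approximated (assumption) by a successful
# DescribeSubscription call; without a subscription the CLI exits non-zero.
shield_advanced_active() {
  aws shield describe-subscription --query 'Subscription.SubscriptionArn' \
    --output text >/dev/null 2>&1
}

# Prints the ARN of the role associated with the SRT, or nothing if there is
# none (the CLI prints "None" for a null RoleArn in text output).
srt_role_arn() {
  arn=$(aws shield describe-drt-access --query 'RoleArn' --output text 2>/dev/null) || return 0
  if [ -n "$arn" ] && [ "$arn" != "None" ]; then
    printf '%s\n' "$arn"
  fi
  return 0
}

# Mirrors the audit rule: INCOMPLIANT (exit status 1) only when Shield Advanced
# is active and no SRT role is associated; otherwise exit status 0.
audit_srt_access() {
  if ! shield_advanced_active; then
    echo "NOT_APPLICABLE: no Shield Advanced subscription in this account"
    return 0
  fi
  current=$(srt_role_arn)
  if [ -n "$current" ]; then
    echo "COMPLIANT: SRT may assume $current"
    return 0
  fi
  echo "INCOMPLIANT: Shield Advanced is active but no SRT role is associated"
  return 1
}

# Remediation: reuse or create the role, attach the managed policy, then
# associate the role with Shield Advanced. Prints the role ARN.
configure_srt_access() {
  role_arn=$(aws iam get-role --role-name "$ROLE_NAME" \
    --query 'Role.Arn' --output text 2>/dev/null) || {
    tmp=$(mktemp)
    srt_trust_policy > "$tmp"
    role_arn=$(aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document "file://$tmp" \
      --description "Role granting AWS Shield Response Team (SRT) access" \
      --query 'Role.Arn' --output text)
    rm -f "$tmp"
  }
  # Attach before associating: AWS expects the managed policy to be in place
  # when AssociateDRTRole is called.
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$SRT_POLICY_ARN"
  aws shield associate-drt-role --role-arn "$role_arn"
  printf '%s\n' "$role_arn"
}

case "${1:-}" in
  --audit)     audit_srt_access ;;
  --remediate) audit_srt_access || configure_srt_access ;;
esac
```

Run it with --audit to report only, or with --remediate to fix an INCOMPLIANT account; a NOT_APPLICABLE account (no subscription) is never modified. Reusing an existing role by name is deliberate: the managed policy attachment and the association are idempotent, so re-running the script after a partial failure finishes the job instead of creating a second role.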

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 AWS Well-Architected → 💼 SEC10-BP05 Pre-provision access | | | 1 | | no data
💼 Cloudaware Framework → 💼 Role-Based Access Control (RBAC) Management | | | 15 | | no data