Remediation
Configure SRT Access for AWS Shield Advanced
To allow the AWS Shield Response Team (SRT) to assist in mitigating DDoS events, you must create or configure an IAM role that grants the necessary permissions using the managed policy AWSShieldDRTAccessPolicy.
From Command Line
- Create the IAM Role for the SRT

  Create a trust policy document named `trust-policy.json` with the following content:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Service": "drt.shield.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
  ```

  Then create the IAM role using the trust policy:

  ```shell
  aws iam create-role \
    --role-name AWSShieldDRTRole \
    --assume-role-policy-document file://trust-policy.json \
    --description "Role granting AWS Shield Response Team (SRT) access to assist with DDoS mitigation"
  ```

- Attach the Managed Policy

  Attach the AWS-managed policy `AWSShieldDRTAccessPolicy` to the role:

  ```shell
  aws iam attach-role-policy \
    --role-name AWSShieldDRTRole \
    --policy-arn arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy
  ```

- Associate the Role with Shield Advanced

  Link the newly created role with Shield Advanced to grant SRT access:

  ```shell
  aws shield associate-drt-role \
    --role-arn arn:aws:iam::{{account-id}}:role/AWSShieldDRTRole
  ```
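The following is an added audit helper, not part of the original remediation, that checks a role against the configuration the three steps above produce: it takes the `Role` object from `aws iam get-role` and the `AttachedPolicies` list from `aws iam list-attached-role-policies` (both as parsed JSON) and reports if the trust policy does not name the SRT service principal, if it also lets other principals assume the role, or if `AWSShieldDRTAccessPolicy` is not attached. The sample role objects at the bottom are constructed for illustration.

```python
import json

# Values from the remediation steps above.
DRT_PRINCIPAL = "drt.shield.amazonaws.com"
DRT_POLICY_ARN = "arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy"


def _as_list(value):
    # IAM accepts a scalar or a list for Statement, Action and Principal members.
    return value if isinstance(value, list) else [value]


def check_drt_role(role, attached_policies):
    """role: the 'Role' object from `aws iam get-role`; attached_policies: the
    'AttachedPolicies' list from `aws iam list-attached-role-policies`.
    Returns a list of findings; an empty list means the role matches the steps above."""
    findings = []
    doc = role.get("AssumeRolePolicyDocument", {})
    if isinstance(doc, str):  # some tooling hands the trust document over as JSON text
        doc = json.loads(doc)
    trusts_drt = False
    for stmt in _as_list(doc.get("Statement", [])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            principal = {"AWS": "*"}  # a bare "*" means anyone; treat it as an AWS wildcard
        services = set(_as_list(principal.get("Service", [])))
        trusts_drt = trusts_drt or DRT_PRINCIPAL in services
        # Any principal other than the SRT service widens who can assume the role.
        for extra in sorted((services - {DRT_PRINCIPAL}) | set(_as_list(principal.get("AWS", [])))):
            findings.append(f"trust policy also allows {extra} to assume the role")
    if not trusts_drt:
        findings.append(f"trust policy does not allow {DRT_PRINCIPAL} to assume the role")
    if DRT_POLICY_ARN not in {p.get("PolicyArn") for p in attached_policies}:
        findings.append("AWSShieldDRTAccessPolicy is not attached to the role")
    return findings


# Constructed sample input shaped like the CLI output for a role built as above.
GOOD_ROLE = {"RoleName": "AWSShieldDRTRole", "AssumeRolePolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"Service": DRT_PRINCIPAL},
                   "Action": "sts:AssumeRole"}]}}
GOOD_POLICIES = [{"PolicyName": "AWSShieldDRTAccessPolicy", "PolicyArn": DRT_POLICY_ARN}]

# Constructed misconfiguration: any AWS principal may assume it, and nothing is attached.
BAD_ROLE = {"RoleName": "AWSShieldDRTRole", "AssumeRolePolicyDocument": json.dumps({
    "Version": "2012-10-17", "Statement": {"Effect": "Allow", "Principal": {"AWS": "*"},
                                           "Action": "sts:AssumeRole"}})}
```

`check_drt_role(GOOD_ROLE, GOOD_POLICIES)` returns an empty list, while the misconfigured role yields three findings. The script only inspects the role itself; whether the role is actually linked to Shield Advanced is reported by `aws shield describe-drt-access`.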