How do I protect my AWS resources from DDoS attacks?

3 minute read

I want to verify whether AWS Shield Advanced is protecting my AWS resources from distributed denial-of-service (DDoS) attacks.

Short description

AWS Shield Advanced is a service that helps you protect your application against external threats, like DDoS attacks. To verify whether Shield Advanced is protecting your resources, use the AWSPremiumSupport-DDoSResiliencyAssessment runbook to automate a resource check.

The runbook generates a report that shows whether Shield Advanced is activated and configured based on best practices for your specific resources.

Note: The runbook publishes a file in the Amazon Simple Storage Service (Amazon S3) bucket, and might incur charges. For more information, see Amazon S3 pricing.


To run the AWSPremiumSupport-DDoSResiliencyAssessment runbook, complete the following steps:

  1. Access the AWSPremiumSupport-DDoSResiliencyAssessment runbook in the AWS Systems Manager console.
  2. Choose the AWS Region for the account where you want to run the automation.
  3. Choose Execute Automation.
  4. Enter the following values for the input parameters:
    (Optional) AutomationAssumeRole: The ARN of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If you don't specify a role, then Systems Manager Automation uses the permissions of the user that started the runbook.
    (Optional) AssessmentType: The type of resources to evaluate for the DDoS resiliency assessment. By default, the runbook evaluates global and AWS Regional resources.
    S3BucketName: The name of the Amazon S3 bucket where you want to save the assessment report.
    S3BucketOwnerAccount: The ID of the AWS account that owns the Amazon S3 bucket. This is required only if the Amazon S3 belongs to an account other than the account that runs the automation.
    (Optional) S3BucketPrefix: The prefix for the path in the Amazon S3 bucket where you want to store the report.
    (Optional) S3BucketOwnerRoleArn: The ARN of an IAM role that has permissions to describe the Amazon S3 bucket. If the bucket is in a different account, then this role can also control the public access configuration. If you don't specify this parameter, then the runbook uses the AutomationAssumeRole or the IAM user that started the runbook.
  5. Choose Execute.
  6. Locate the Amazon S3 bucket URL in the Output section of the report.
  7. Open the URL in a web browser to view the HTML assessment report file.
  8. On the report, view the information about resources that have Shield Advanced Protection activated. To see additional information, choose a resource from the list.

To turn on Shield Advanced protection for resources, select Add Resources to Shield Protected List for the resource on the report.

Related information

AWS best practices for DDoS resiliency

Run an automation

Setting up Automation

AWS Support Automation Workflows (SAW)