AWS Shield

2021/12/01 - AWS Shield - 3 new 2 updated api methods

Changes  This release adds API support for Automatic Application Layer DDoS Mitigation for AWS Shield Advanced. Customers can now enable automatic DDoS mitigation in count or block mode for layer 7 protected resources.

EnableApplicationLayerAutomaticResponse (new) Link ¶

Enable the Shield Advanced automatic application layer DDoS mitigation for the resource.

Note

This feature is available for Amazon CloudFront distributions only.

This causes Shield Advanced to create, verify, and apply WAF rules for DDoS attacks that it detects for the resource. Shield Advanced applies the rules in a Shield rule group inside the web ACL that you've associated with the resource. For information about how automatic mitigation works and the requirements for using it, see Shield Advanced automatic application layer DDoS mitigation .

Don't use this action to make changes to automatic mitigation settings when it's already enabled for a resource. Instead, use UpdateApplicationLayerAutomaticResponse .

To use this feature, you must associate a web ACL with the protected resource. The web ACL must be created using the latest version of WAF (v2). You can associate the web ACL through the Shield Advanced console at https://console.aws.amazon.com/wafv2/shieldv2#/ . For more information, see Getting Started with Shield Advanced .

You can also do this through the WAF console or the WAF API, but you must manage Shield Advanced automatic mitigation through Shield Advanced. For information about WAF, see WAF Developer Guide .

See also: AWS API Documentation

Request Syntax

client.enable_application_layer_automatic_response(
    ResourceArn='string',
    Action={
        'Block': {}
        ,
        'Count': {}

    }
)
type ResourceArn

string

param ResourceArn

[REQUIRED]

The ARN (Amazon Resource Name) of the resource.

type Action

dict

param Action

[REQUIRED]

Specifies the action setting that Shield Advanced should use in the WAF rules that it creates on behalf of the protected resource in response to DDoS attacks. You specify this as part of the configuration for the automatic application layer DDoS mitigation feature, when you enable or update automatic mitigation. Shield Advanced creates the WAF rules in a Shield Advanced-managed rule group, inside the web ACL that you have associated with the resource.

  • Block (dict) --

    Specifies that Shield Advanced should configure its WAF rules with the WAF Block action.

    You must specify exactly one action, either Block or Count .

  • Count (dict) --

    Specifies that Shield Advanced should configure its WAF rules with the WAF Count action.

    You must specify exactly one action, either Block or Count .

rtype

dict

returns

Response Syntax

{}

Response Structure

  • (dict) --

DisableApplicationLayerAutomaticResponse (new) Link ¶

Disable the Shield Advanced automatic application layer DDoS mitigation feature for the resource. This stops Shield Advanced from creating, verifying, and applying WAF rules for attacks that it detects for the resource.

See also: AWS API Documentation

Request Syntax

client.disable_application_layer_automatic_response(
    ResourceArn='string'
)
type ResourceArn

string

param ResourceArn

[REQUIRED]

The ARN (Amazon Resource Name) of the resource.

rtype

dict

returns

Response Syntax

{}

Response Structure

  • (dict) --

UpdateApplicationLayerAutomaticResponse (new) Link ¶

Updates an existing Shield Advanced automatic application layer DDoS mitigation configuration for the specified resource.

See also: AWS API Documentation

Request Syntax

client.update_application_layer_automatic_response(
    ResourceArn='string',
    Action={
        'Block': {}
        ,
        'Count': {}

    }
)
type ResourceArn

string

param ResourceArn

[REQUIRED]

The ARN (Amazon Resource Name) of the resource.

type Action

dict

param Action

[REQUIRED]

Specifies the action setting that Shield Advanced should use in the WAF rules that it creates on behalf of the protected resource in response to DDoS attacks. You specify this as part of the configuration for the automatic application layer DDoS mitigation feature, when you enable or update automatic mitigation. Shield Advanced creates the WAF rules in a Shield Advanced-managed rule group, inside the web ACL that you have associated with the resource.

  • Block (dict) --

    Specifies that Shield Advanced should configure its WAF rules with the WAF Block action.

    You must specify exactly one action, either Block or Count .

  • Count (dict) --

    Specifies that Shield Advanced should configure its WAF rules with the WAF Count action.

    You must specify exactly one action, either Block or Count .

rtype

dict

returns

Response Syntax

{}

Response Structure

  • (dict) --

DescribeProtection (updated) Link ¶
Changes (response)
{'Protection': {'ApplicationLayerAutomaticResponseConfiguration': {'Action': {'Block': {},
                                                                              'Count': {}},
                                                                   'Status': 'ENABLED '
                                                                             '| '
                                                                             'DISABLED'}}}

Lists the details of a Protection object.

See also: AWS API Documentation

Request Syntax

client.describe_protection(
    ProtectionId='string',
    ResourceArn='string'
)
type ProtectionId

string

param ProtectionId

The unique identifier (ID) for the Protection object that is described. When submitting the DescribeProtection request you must provide either the ResourceArn or the ProtectionID , but not both.

type ResourceArn

string

param ResourceArn

The ARN (Amazon Resource Name) of the Amazon Web Services resource for the Protection object that is described. When submitting the DescribeProtection request you must provide either the ResourceArn or the ProtectionID , but not both.

rtype

dict

returns

Response Syntax

{
    'Protection': {
        'Id': 'string',
        'Name': 'string',
        'ResourceArn': 'string',
        'HealthCheckIds': [
            'string',
        ],
        'ProtectionArn': 'string',
        'ApplicationLayerAutomaticResponseConfiguration': {
            'Status': 'ENABLED'|'DISABLED',
            'Action': {
                'Block': {},
                'Count': {}
            }
        }
    }
}

Response Structure

  • (dict) --

    • Protection (dict) --

      The Protection object that is described.

      • Id (string) --

        The unique identifier (ID) of the protection.

      • Name (string) --

        The name of the protection. For example, My CloudFront distributions .

      • ResourceArn (string) --

        The ARN (Amazon Resource Name) of the Amazon Web Services resource that is protected.

      • HealthCheckIds (list) --

        The unique identifier (ID) for the Route 53 health check that's associated with the protection.

        • (string) --

      • ProtectionArn (string) --

        The ARN (Amazon Resource Name) of the protection.

      • ApplicationLayerAutomaticResponseConfiguration (dict) --

        The automatic application layer DDoS mitigation settings for the protection. This configuration determines whether Shield Advanced automatically manages rules in the web ACL in order to respond to application layer events that Shield Advanced determines to be DDoS attacks.

        • Status (string) --

          Indicates whether automatic application layer DDoS mitigation is enabled for the protection.

        • Action (dict) --

          Specifies the action setting that Shield Advanced should use in the WAF rules that it creates on behalf of the protected resource in response to DDoS attacks. You specify this as part of the configuration for the automatic application layer DDoS mitigation feature, when you enable or update automatic mitigation. Shield Advanced creates the WAF rules in a Shield Advanced-managed rule group, inside the web ACL that you have associated with the resource.

          • Block (dict) --

            Specifies that Shield Advanced should configure its WAF rules with the WAF Block action.

            You must specify exactly one action, either Block or Count .

          • Count (dict) --

            Specifies that Shield Advanced should configure its WAF rules with the WAF Count action.

            You must specify exactly one action, either Block or Count .

ListProtections (updated) Link ¶
Changes (response)
{'Protections': {'ApplicationLayerAutomaticResponseConfiguration': {'Action': {'Block': {},
                                                                               'Count': {}},
                                                                    'Status': 'ENABLED '
                                                                              '| '
                                                                              'DISABLED'}}}

Lists all Protection objects for the account.

See also: AWS API Documentation

Request Syntax

client.list_protections(
    NextToken='string',
    MaxResults=123
)
type NextToken

string

param NextToken

When you request a list of objects from Shield Advanced, if the response does not include all of the remaining available objects, Shield Advanced includes a NextToken value in the response. You can retrieve the next batch of objects by requesting the list again and providing the token that was returned by the prior call in your request.

You can indicate the maximum number of objects that you want Shield Advanced to return for a single call with the MaxResults setting. Shield Advanced will not return more than MaxResults objects, but may return fewer, even if more objects are still available.

Whenever more objects remain that Shield Advanced has not yet returned to you, the response will include a NextToken value.

On your first call to a list operation, leave this setting empty.

type MaxResults

integer

param MaxResults

The greatest number of objects that you want Shield Advanced to return to the list request. Shield Advanced might return fewer objects than you indicate in this setting, even if more objects are available. If there are more objects remaining, Shield Advanced will always also return a NextToken value in the response.

The default setting is 20.

rtype

dict

returns

Response Syntax

{
    'Protections': [
        {
            'Id': 'string',
            'Name': 'string',
            'ResourceArn': 'string',
            'HealthCheckIds': [
                'string',
            ],
            'ProtectionArn': 'string',
            'ApplicationLayerAutomaticResponseConfiguration': {
                'Status': 'ENABLED'|'DISABLED',
                'Action': {
                    'Block': {},
                    'Count': {}
                }
            }
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • Protections (list) --

      The array of enabled Protection objects.

      • (dict) --

        An object that represents a resource that is under DDoS protection.

        • Id (string) --

          The unique identifier (ID) of the protection.

        • Name (string) --

          The name of the protection. For example, My CloudFront distributions .

        • ResourceArn (string) --

          The ARN (Amazon Resource Name) of the Amazon Web Services resource that is protected.

        • HealthCheckIds (list) --

          The unique identifier (ID) for the Route 53 health check that's associated with the protection.

          • (string) --

        • ProtectionArn (string) --

          The ARN (Amazon Resource Name) of the protection.

        • ApplicationLayerAutomaticResponseConfiguration (dict) --

          The automatic application layer DDoS mitigation settings for the protection. This configuration determines whether Shield Advanced automatically manages rules in the web ACL in order to respond to application layer events that Shield Advanced determines to be DDoS attacks.

          • Status (string) --

            Indicates whether automatic application layer DDoS mitigation is enabled for the protection.

          • Action (dict) --

            Specifies the action setting that Shield Advanced should use in the WAF rules that it creates on behalf of the protected resource in response to DDoS attacks. You specify this as part of the configuration for the automatic application layer DDoS mitigation feature, when you enable or update automatic mitigation. Shield Advanced creates the WAF rules in a Shield Advanced-managed rule group, inside the web ACL that you have associated with the resource.

            • Block (dict) --

              Specifies that Shield Advanced should configure its WAF rules with the WAF Block action.

              You must specify exactly one action, either Block or Count .

            • Count (dict) --

              Specifies that Shield Advanced should configure its WAF rules with the WAF Count action.

              You must specify exactly one action, either Block or Count .

    • NextToken (string) --

      When you request a list of objects from Shield Advanced, if the response does not include all of the remaining available objects, Shield Advanced includes a NextToken value in the response. You can retrieve the next batch of objects by requesting the list again and providing the token that was returned by the prior call in your request.

      You can indicate the maximum number of objects that you want Shield Advanced to return for a single call with the MaxResults setting. Shield Advanced will not return more than MaxResults objects, but may return fewer, even if more objects are still available.

      Whenever more objects remain that Shield Advanced has not yet returned to you, the response will include a NextToken value.