
AwsShieldBuilder Class

Purpose

The AwsShieldBuilder is a concrete implementation of the AbstractAWSResourceBuilder designed to create AWS Shield Advanced DDoS protection for critical infrastructure components. This builder orchestrates the deployment of enterprise-grade DDoS mitigation covering CloudFront distributions and Route53 hosted zones with automatic response capabilities, 24/7 DDoS Response Team support, and cost protection against attack-related scaling charges. It provides protection against volumetric, state-exhaustion, and application-layer attacks.

Dependencies

This builder requires the following AWS resources and permissions:

Required AWS Permissions

  • AWS Shield Management: Create and configure Shield Advanced protections for AWS resources
  • CloudFront Integration: Access CloudFront distribution ARNs for Shield protection enrollment
  • Route53 Integration: Access Route53 hosted zone ARNs for DNS protection coverage
  • Application Layer Response: Configure automatic response rules for DDoS mitigation
  • Resource Tagging: Apply organizational tags to Shield protection resources
  • DDoS Response Team: Access to AWS DDoS Response Team for incident support
  • Cost Protection: Shield Advanced cost protection against DDoS-related charges

Foundation Dependencies

  • AWS Shield Advanced Subscription: Active Shield Advanced subscription required for protection
  • CloudFront Distributions: Existing CloudFront distributions requiring DDoS protection
  • Route53 Hosted Zones: DNS zones requiring protection against DNS-based attacks
  • Global Infrastructure: Shield Advanced provides global protection across AWS edge locations
  • Environment Configuration: Account and region mappings for multi-environment deployments
  • Naming Standards: Organizational resource naming conventions following company patterns
  • Tagging Strategy: Consistent tagging for cost allocation, security policies, and operational categorization

Configuration

The builder validates all configuration through the AwsShieldConfig model, which becomes the authoritative source for all AWS Shield Advanced protection settings.

CDK Configuration Structure

{
  "cloudfront_distribution": "cloudfront_distribution_object",
  "route53": {
    "hosted_zone_id": "Z1D633PJN98FT9",
    "domain_name": "example.com"
  }
}

Configuration Parameters

Parameter               | Mandatory | Type                    | Default | Description
cloudfront_distribution | Yes       | cloudfront.Distribution | -       | CloudFront distribution CDK construct requiring Shield protection
route53                 | Yes       | Dict                    | -       | Route53 configuration with hosted_zone_id and domain_name

Usage

Here’s an example of how to use the AwsShieldBuilder to build AWS Shield Advanced protection in a CDK stack:

# app_helper, cloudfront_distribution and scope_from_stack are provided by the enclosing CDK stack
shield_builder = AwsShieldBuilder()
shield_builder.set_application_helper(app_helper) \
              .set_cloudfront_distribution(cloudfront_distribution) \
              .set_route53_config({
                  "hosted_zone_id": "Z1D633PJN98FT9",
                  "domain_name": "myapp.example.com"
              }) \
              .build(scope_from_stack)

Behavior and Features

Automatic DDoS Protection Configuration

CloudFront Protection

  • Application Layer Automatic Response: Automatically detects and blocks DDoS attacks
  • Global Edge Protection: Protection across all CloudFront edge locations worldwide
  • Real-time Mitigation: Immediate response to detected threats without manual intervention
  • Block Action Configuration: Automatic blocking of malicious traffic patterns
  • Enhanced Monitoring: Advanced CloudWatch metrics for attack visibility

Route53 Protection

  • DNS Infrastructure Security: Protection against DNS-based DDoS attacks
  • Authoritative DNS Protection: Shields hosted zone from volumetric attacks
  • Global Anycast Network: Leverages AWS global DNS infrastructure for resilience
  • Query Response Protection: Maintains DNS resolution availability during attacks
  • Zone-level Coverage: Comprehensive protection for all records within the hosted zone

Protection Coverage Types

  • Volumetric Attacks: Protection against high-volume traffic floods
  • State-Exhaustion Attacks: Mitigation of connection state exhaustion attempts
  • Application Layer Attacks: Defense against sophisticated Layer 7 attacks
  • Protocol Attacks: Protection against TCP SYN floods and other protocol exploits

Naming Convention

Shield protection resources follow the pattern: {resource-type}-shield-protection-{environment}

The builder automatically:

  • Applies organizational naming standards for Shield protection resources
  • Includes environment context for multi-stage deployment identification
  • Truncates names to respect AWS Shield naming limits (128 characters)
  • Generates unique CloudFormation logical IDs for protection resources

Shield Advanced Features

Automatic Response Configuration

  • Enabled Status: Automatic response activated for immediate threat mitigation
  • Block Action: Detected attacks are automatically blocked without manual intervention
  • Real-time Analysis: Continuous traffic analysis for threat detection
  • False Positive Reduction: Advanced algorithms minimize legitimate traffic blocking

Cost Protection

  • Scaling Charges: Protection against DDoS-related AWS service scaling costs
  • Usage Spike Coverage: Shield Advanced covers legitimate usage spikes during attacks
  • Cost Monitoring: Detailed cost impact analysis for DDoS incidents
  • Automatic Claims: Streamlined process for cost protection claims

Security and Compliance

Enhanced Monitoring

  • Attack Visibility: Detailed CloudWatch metrics for attack patterns
  • Traffic Analysis: Real-time traffic flow analysis and reporting
  • Threat Intelligence: Integration with AWS threat intelligence feeds
  • Historical Data: Attack history and trend analysis for security planning

Compliance Benefits

  • Regulatory Requirements: Helps meet DDoS protection compliance requirements
  • Security Frameworks: Aligns with enterprise security frameworks
  • Audit Trail: Complete audit trail of protection configuration and actions
  • Risk Mitigation: Demonstrates proactive security posture for compliance audits

Resource Management

Protection Lifecycle

  • Automatic Enrollment: Resources are automatically enrolled in Shield Advanced protection
  • Configuration Management: Centralized configuration through CDK infrastructure as code
  • Update Management: Configuration changes deployed through standard CDK processes
  • Deletion Handling: Proper cleanup of Shield protections during stack deletion

Integration Patterns

  • CloudFront Integration: Seamless integration with existing CloudFront distributions
  • Route53 Integration: Direct integration with hosted zone infrastructure
  • Multi-Resource Protection: Single builder can protect multiple resource types
  • Cross-Stack References: Support for protecting resources created in different stacks

Monitoring and Alerting

CloudWatch Integration

  • Protection Metrics: Detailed metrics for each protected resource
  • Attack Detection: Real-time attack detection and alerting
  • Mitigation Status: Monitoring of automatic response effectiveness
  • Traffic Patterns: Analysis of normal vs. attack traffic patterns

Operational Visibility

  • Dashboard Integration: Shield metrics available in CloudWatch dashboards
  • Alert Configuration: Custom alerts for attack detection and mitigation
  • Reporting Capabilities: Automated reporting of protection status and incidents
  • Integration Points: API access for custom monitoring and automation tools
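As an added example (not part of the builder's documentation or code) of the alert configuration the Monitoring and Alerting section refers to, the block below produces AWS::CloudWatch::Alarm properties on the Shield Advanced metrics and applies the same comparison to a few constructed datapoints, so the alarm logic can be checked offline. It assumes the AWS/DDoSProtection namespace with the DDoSDetected and DDoSAttackBitsPerSecond metrics and the ResourceArn dimension, which is how Shield Advanced publishes event metrics; the SNS topic ARN and the datapoints are placeholders constructed for the example.

```python
DDOS_NAMESPACE = "AWS/DDoSProtection"  # Shield Advanced event metrics namespace


def _alarm(resource_arn, alarm_name, metric, threshold, sns_topic_arn, period, periods):
    """Common AWS::CloudWatch::Alarm shape for a Shield metric on one protected resource."""
    if period <= 0 or period % 60:
        raise ValueError("period must be a positive multiple of 60 seconds")
    return {
        "Type": "AWS::CloudWatch::Alarm",
        "Properties": {
            "AlarmName": alarm_name,
            "AlarmDescription": f"Shield Advanced {metric} on {resource_arn}",
            "Namespace": DDOS_NAMESPACE,
            "MetricName": metric,
            "Dimensions": [{"Name": "ResourceArn", "Value": resource_arn}],
            "Statistic": "Maximum",
            "Period": period,
            "EvaluationPeriods": periods,
            "Threshold": threshold,
            "ComparisonOperator": "GreaterThanThreshold",
            # No datapoints outside an event: treat missing data as healthy, not as an alarm.
            "TreatMissingData": "notBreaching",
            "AlarmActions": [sns_topic_arn],
            "OKActions": [sns_topic_arn],
        },
    }


def ddos_detected_alarm(resource_arn, alarm_name, sns_topic_arn, period=60):
    """DDoSDetected is 1 while Shield reports an event; alarm on any datapoint above 0."""
    return _alarm(resource_arn, alarm_name, "DDoSDetected", 0, sns_topic_arn, period, 1)


def attack_volume_alarm(resource_arn, alarm_name, sns_topic_arn, bits_per_second, period=60, periods=3):
    """Page an operator when sustained attack volume exceeds a chosen bit rate."""
    return _alarm(resource_arn, alarm_name, "DDoSAttackBitsPerSecond",
                  bits_per_second, sns_topic_arn, period, periods)


def evaluate(alarm: dict, datapoints: list) -> str:
    """Apply the alarm's operator to per-period Maximum values (latest last).

    Mirrors CloudWatch's rule that all EvaluationPeriods datapoints must breach,
    with missing datapoints handled per TreatMissingData=notBreaching.
    """
    props = alarm["Properties"]
    n = props["EvaluationPeriods"]
    window = datapoints[-n:]
    if len(window) < n and props["TreatMissingData"] == "notBreaching":
        return "OK"
    breaching = [v > props["Threshold"] for v in window]
    return "ALARM" if breaching and all(breaching) else "OK"


if __name__ == "__main__":
    # Constructed sample: a fictitious distribution ARN and placeholder SNS topic.
    arn = "arn:aws:cloudfront::123456789012:distribution/EXAMPLEDIST"
    topic = "arn:aws:sns:us-east-1:123456789012:PLACEHOLDER-security-alerts"
    detected = ddos_detected_alarm(arn, "cloudfront-ddos-detected-prod", topic)
    print(evaluate(detected, [0, 0, 1]))         # ALARM once Shield flags an event
    volume = attack_volume_alarm(arn, "cloudfront-ddos-volume-prod", topic, 10_000_000_000)
    print(evaluate(volume, [2e10, 5e9, 3e10]))   # OK: not all three periods breach
```

Keeping TreatMissingData at notBreaching matters here: Shield only emits these metrics during an event, so the default missing-data handling would otherwise leave the alarm in INSUFFICIENT_DATA or flap between states between attacks.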

Notes

  • The set_builder_config method from the abstract class should not be used in this builder.
  • The set_usage method from the abstract class should not be used in this builder.
  • AWS Shield Advanced requires an active subscription before protection can be enabled
  • Shield Advanced subscription includes cost protection against DDoS-related scaling charges
  • CloudFront automatic response uses machine learning to minimize false positives
  • Route53 protection covers all records within the specified hosted zone
  • Shield Advanced provides access to 24/7 DDoS Response Team support
  • Application layer automatic response is only available for CloudFront distributions
  • Protection configuration is applied at the resource level, not account level
  • Shield protection names must be unique within the AWS account
  • Both CloudFront distribution and Route53 configuration are mandatory for this builder