# protections

Creates, updates, deletes or gets a protection resource or lists protections in a region.

## Overview

| Name | protections |
|---|---|
| Type | Resource |
| Description | Enables AWS Shield Advanced for a specific AWS resource. The resource can be an Amazon CloudFront distribution, Amazon Route 53 hosted zone, AWS Global Accelerator standard accelerator, Elastic IP Address, Application Load Balancer, or a Classic Load Balancer. You can protect Amazon EC2 instances and Network Load Balancers by association with protected Amazon EC2 Elastic IP addresses. |
| Id | awscc.shield.protections |
## Fields

Fields returned by get (all properties):

| Name | Datatype | Description |
|---|---|---|
| protection_id | string | The unique identifier (ID) of the protection. |
| protection_arn | string | The ARN (Amazon Resource Name) of the protection. |
| name | string | Friendly name for the Protection. |
| resource_arn | string | The ARN (Amazon Resource Name) of the resource to be protected. |
| health_check_arns | array | The Amazon Resource Names (ARNs) of the health checks to associate with the protection. |
| application_layer_automatic_response_configuration | object | The automatic application layer DDoS mitigation settings for a Protection. This configuration determines whether Shield Advanced automatically manages rules in the web ACL in order to respond to application layer events that Shield Advanced determines to be DDoS attacks. |
| tags | array | One or more tag key-value pairs for the Protection object. |
| region | string | AWS region. |

Fields returned by list (identifiers only):

| Name | Datatype | Description |
|---|---|---|
| protection_arn | string | The ARN (Amazon Resource Name) of the protection. |
| region | string | AWS region. |
For more information, see AWS::Shield::Protection.
## Methods

| Name | Resource | Accessible by | Required Params |
|---|---|---|---|
| create_resource | protections | INSERT | Name, ResourceArn, region |
| delete_resource | protections | DELETE | Identifier, region |
| update_resource | protections | UPDATE | Identifier, PatchDocument, region |
| list_resources | protections_list_only | SELECT | region |
| get_resource | protections | SELECT | Identifier, region |
## SELECT examples

Gets all properties from an individual protection (the Identifier is the protection ARN):

```sql
SELECT
region,
protection_id,
protection_arn,
name,
resource_arn,
health_check_arns,
application_layer_automatic_response_configuration,
tags
FROM awscc.shield.protections
WHERE
region = 'us-east-1' AND
Identifier = '{{ protection_arn }}';
```

Lists all protections in a region (identifiers only):

```sql
SELECT
region,
protection_arn
FROM awscc.shield.protections_list_only
WHERE
region = 'us-east-1';
```
## INSERT example

Use the following StackQL query and manifest file to create a new protection resource, using stack-deploy.

Required properties only:

```sql
/*+ create */
INSERT INTO awscc.shield.protections (
Name,
ResourceArn,
region
)
SELECT
'{{ name }}',
'{{ resource_arn }}',
'{{ region }}';
```

All properties:

```sql
/*+ create */
INSERT INTO awscc.shield.protections (
Name,
ResourceArn,
HealthCheckArns,
ApplicationLayerAutomaticResponseConfiguration,
Tags,
region
)
SELECT
'{{ name }}',
'{{ resource_arn }}',
'{{ health_check_arns }}',
'{{ application_layer_automatic_response_configuration }}',
'{{ tags }}',
'{{ region }}';
```

Manifest:

```yaml
version: 1
name: stack name
description: stack description
providers:
  - aws
globals:
  - name: region
    value: '{{ vars.AWS_REGION }}'
resources:
  - name: protection
    props:
      - name: name
        value: '{{ name }}'
      - name: resource_arn
        value: '{{ resource_arn }}'
      - name: health_check_arns
        value:
          - '{{ health_check_arns[0] }}'
      - name: application_layer_automatic_response_configuration
        value:
          action: {}
          status: '{{ status }}'
      - name: tags
        value:
          - key: '{{ key }}'
            value: '{{ value }}'
```
## UPDATE example

Use the following StackQL query and manifest file to update a protection resource, using stack-deploy.

```sql
/*+ update */
UPDATE awscc.shield.protections
SET PatchDocument = string('{{ {
"HealthCheckArns": health_check_arns,
"ApplicationLayerAutomaticResponseConfiguration": application_layer_automatic_response_configuration,
"Tags": tags
} | generate_patch_document }}')
WHERE
region = '{{ region }}' AND
Identifier = '{{ protection_arn }}';
```
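The templated statement above hides what the PatchDocument actually contains. The following is an added example, not taken from the StackQL documentation or the stack-deploy templates, that writes the patch by hand so the change being applied is explicit. It assumes that PatchDocument is an RFC 6902 JSON Patch array (the format the underlying AWS Cloud Control API accepts), that the ApplicationLayerAutomaticResponseConfiguration object takes an Action of either `{"Count": {}}` or `{"Block": {}}` plus a Status of `ENABLED` or `DISABLED` (the AWS::Shield::Protection schema), and that the protection and health check ARNs shown are placeholders to be replaced with real values.

```sql
/*+ update */
-- Turn on automatic application-layer DDoS mitigation in Count mode and
-- attach a Route 53 health check to the protection.
-- Count mode only counts matching requests in the managed web ACL rules,
-- so the effect of Shield's mitigations can be reviewed before switching
-- the Action to {"Block": {}}.
-- The resource under protection must already have a WAFv2 web ACL
-- associated, which is why wafv2:GetWebACLForResource is in the Update
-- permission set.
UPDATE awscc.shield.protections
SET PatchDocument = '[
  {
    "op": "add",
    "path": "/ApplicationLayerAutomaticResponseConfiguration",
    "value": {
      "Action": { "Count": {} },
      "Status": "ENABLED"
    }
  },
  {
    "op": "add",
    "path": "/HealthCheckArns",
    "value": [
      "arn:aws:route53:::healthcheck/PLACEHOLDER-HEALTH-CHECK-ID"
    ]
  }
]'
WHERE
region = 'us-east-1' AND
Identifier = 'arn:aws:shield::123456789012:protection/PLACEHOLDER-PROTECTION-ID';
```

After the update, re-run the get query from the SELECT examples against the same Identifier and confirm that application_layer_automatic_response_configuration reports the expected Action and Status and that health_check_arns contains the health check; the health check is what lets Shield Advanced distinguish an outage of the protected resource from normal traffic when it decides whether an event is an attack.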
## DELETE example

```sql
/*+ delete */
DELETE FROM awscc.shield.protections
WHERE
Identifier = '{{ protection_arn }}' AND
region = 'us-east-1';
```
## Permissions

To operate on the protections resource, the following permissions are required for each operation:

| Operation | Required permissions |
|---|---|
| Create | shield:CreateProtection, shield:DeleteProtection, shield:DescribeProtection, shield:ListProtections, shield:EnableApplicationLayerAutomaticResponse, shield:AssociateHealthCheck, shield:TagResource, ec2:DescribeAddresses, elasticloadbalancing:DescribeLoadBalancers, route53:GetHealthCheck, iam:GetRole, iam:CreateServiceLinkedRole, wafv2:GetWebACLForResource, wafv2:GetWebACL |
| Delete | shield:DeleteProtection, shield:UntagResource |
| Read | shield:DescribeProtection, shield:ListTagsForResource |
| Update | shield:DescribeProtection, shield:AssociateHealthCheck, shield:DisassociateHealthCheck, shield:EnableApplicationLayerAutomaticResponse, shield:UpdateApplicationLayerAutomaticResponse, shield:DisableApplicationLayerAutomaticResponse, shield:ListTagsForResource, shield:TagResource, shield:UntagResource, route53:GetHealthCheck, iam:GetRole, iam:CreateServiceLinkedRole, wafv2:GetWebACLForResource, wafv2:GetWebACL |
| List | shield:ListProtections |

A principal that only audits protections (the SELECT examples above) needs just the Read and List sets; the Create and Update sets include iam:CreateServiceLinkedRole and the shield:*ApplicationLayerAutomaticResponse actions, so grant them only to the identity that actually deploys the stack.