AWS Shield Basic Protection
Overview
This Terraform module creates an AWS Shield protection for one specified AWS resource, such as an Application Load Balancer, CloudFront distribution, or Route 53 hosted zone.
A note on naming: the always-on, no-cost tier that this module calls "Shield Basic" is marketed by AWS as Shield Standard, and it applies to every AWS account automatically with nothing to enable. The per-resource protection that this module creates (via the shield:CreateProtection API) is a Shield Advanced feature, so the account must already hold a Shield Advanced subscription or the apply will fail. What the module gives you is an explicit, tagged, auditable protection record for an internet-facing resource, which is the starting point for Shield Advanced reporting and mitigations.
Key Features
- Creates a Shield protection in the configured AWS region (the Shield API itself is global; Shield Standard needs no resource at all)
- Applies protection to exactly one AWS resource, identified by ARN
- Tags the protection with the deployment environment for tracking
- Outputs the protection ID for auditing and for later cleanup
Use Cases
- Protecting public-facing ALBs, CloudFront distributions, or Route 53 zones
- Adding default DDoS protection to production workloads
- Establishing minimum security posture before deploying advanced controls
- Deploying baseline infrastructure security for web applications
Input Variables
| Name | Type | Description |
|---|---|---|
| region | string | AWS region where the resource and protection are applied |
| resource_arn | string | ARN of the AWS resource to be protected by AWS Shield Basic |
| environment | string | Tag to specify the deployment environment (e.g., dev, staging, prod) |
Outputs
| Name | Description |
|---|---|
| protection_id | The ID of the Shield protection instance |
| resource_arn | The ARN of the protected AWS resource |
Deployment Readiness
- Compatible with Terraform 1.0+
- Tested with AWS provider 5.x
- Requires an active AWS Shield Advanced subscription on the target account (shield:CreateProtection is a Shield Advanced API call)
- Requires IAM permissions for shield:CreateProtection and the related actions the provider uses to manage the resource: at minimum shield:DescribeProtection and shield:DeleteProtection, plus shield:TagResource, shield:UntagResource and shield:ListTagsForResource for the environment tag
Example Usage

```hcl
module "shield_basic_protection" {
  source       = "git::ssh://git@github.com/archiphire/aws-level-1-modules.git//security/shield-basic-protection?ref=v1.0.0"
  region       = "us-east-1"
  resource_arn = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-load-balancer/50dc6c495c0c9188"
  environment  = "prod"
}
```

```sh
terraform init
terraform plan
terraform apply
```

or, with OpenTofu:

```sh
tofu init
tofu plan
tofu apply
```
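For readers who want to see what the module actually manages, the following is an added example written for this page; it is not the module's own source (which is distributed separately) and it assumes the resource name `this`, the variable names from the input table above, and a plan-time check on the ARN prefix that the module may or may not perform. It also shows where the Shield Advanced dependency sits: the only resource is `aws_shield_protection`, whose create call fails on an account without a Shield Advanced subscription.

```hcl
terraform {
  required_version = ">= 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

variable "region" {
  type        = string
  description = "AWS region the provider is configured for"
}

variable "resource_arn" {
  type        = string
  description = "ARN of the resource to protect"

  # Added check (assumption, not necessarily in the module): reject ARNs that
  # Shield cannot protect at plan time, instead of failing at apply time with
  # an opaque error from the Shield API. Shield protects ALB/CLB, CloudFront,
  # Route 53 hosted zones, Elastic IPs (ec2) and Global Accelerator only.
  validation {
    condition     = can(regex("^arn:aws[a-z-]*:(elasticloadbalancing|cloudfront|route53|ec2|globalaccelerator):", var.resource_arn))
    error_message = "resource_arn must be the ARN of a Shield-protectable resource (ALB/CLB, CloudFront distribution, Route 53 hosted zone, Elastic IP or Global Accelerator)."
  }
}

variable "environment" {
  type        = string
  description = "Deployment environment tag, e.g. dev, staging, prod"
}

provider "aws" {
  region = var.region
}

# One Shield protection per resource. CreateProtection is a Shield Advanced
# API: the account needs a subscription first. Shield Standard is always on
# and has no Terraform resource to create.
resource "aws_shield_protection" "this" {
  # Shield protection names are limited to letters, digits, space, _ . -
  # so derive a stable, ARN-free name from a hash of the ARN.
  name         = "shield-${var.environment}-${substr(sha1(var.resource_arn), 0, 8)}"
  resource_arn = var.resource_arn

  tags = {
    Environment = var.environment
    ManagedBy   = "terraform"
  }
}

# The ID is what you pass to `aws shield delete-protection --protection-id`
# if the protection ever has to be removed outside Terraform.
output "protection_id" {
  value = aws_shield_protection.this.id
}

output "resource_arn" {
  value = aws_shield_protection.this.resource_arn
}
```

Run `terraform validate` or `terraform plan` with a deliberately wrong `resource_arn` (for example an NLB ARN, `loadbalancer/net/...`, passes the prefix check but is not a Shield-protectable target; an S3 ARN is rejected outright) to see where the added validation catches input and where only the Shield API will.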
Cleanup Options
Terraform Destroy (for test environments):

```sh
terraform destroy
```

or

```sh
tofu destroy
```

Manual Deletion (for production):
Remove the protection manually in the AWS Console or via the CLI to avoid disruptions, using the value of the protection_id output:

```sh
aws shield delete-protection --protection-id "protection_id"
```

If you delete the protection outside Terraform, the next plan will try to recreate it; remove the resource from state as well (terraform state rm on the module's aws_shield_protection address) so state and reality agree. Note that deleting the protection removes only the Shield Advanced per-resource protection; Shield Standard continues to apply to the resource automatically.
Notes
This is a Level 1 security module focused on baseline DDoS protection.
AWS Shield Standard (the "Shield Basic" of this module's name) is free, automatic and always on for every supported AWS service; nothing has to be enabled for it, via Terraform or otherwise. What this module creates is a per-resource Shield protection, which is a Shield Advanced feature: it requires a paid Shield Advanced subscription on the account, and it is what makes that resource visible in Shield Advanced's DDoS event reporting and eligible for its additional mitigations.
Shield Advanced also provides access to the AWS Shield Response Team, cost protection for scaling during an attack, and application-layer (Layer 7) automatic mitigation in conjunction with AWS WAF; consider it when the baseline Layer 3/4 protection of Shield Standard is not enough for the workload.
Deployment Package Notice
This module is part of the Level 1 AWS License Tier. To access the full deployment package and source code, subscribe to Archiphire.