AWS Fundamentals
AWS::Shield::Protection

Shield Protection

Enables AWS Shield Advanced for a specific AWS resource. The resource can be an Amazon CloudFront distribution, Amazon Route 53 hosted zone, AWS Global Accelerator standard accelerator, Elastic IP Address, Application Load Balancer, or a Classic Load Balancer. You can protect Amazon EC2 instances and Network Load Balancers by association with protected Amazon EC2 Elastic IP addresses.

Properties

5 configurable properties. 2 required.

| Property | Type | Flags |
| --- | --- | --- |
| Name | string | Required, Create-only |
| ResourceArn | string | Required, Create-only |
| ApplicationLayerAutomaticResponseConfiguration | ApplicationLayerAutomaticResponseConfiguration | |
| HealthCheckArns | Array<string> | |
| Tags | Array<Tag> | |

Return Values

Values returned after the resource is created. Access these with Fn::GetAtt.

| Attribute | Type | Description |
| --- | --- | --- |
| ProtectionArn | string | The ARN (Amazon Resource Name) of the protection. |
| ProtectionId | string | The unique identifier (ID) of the protection. |

Sample CloudFormation Template

A minimal template with required properties and common optional ones.

template.yaml

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Sample template for AWS::Shield::Protection

Resources:
  MyResource:
    Type: AWS::Shield::Protection
    Properties:
      Name: "my-name"
      # Placeholder ARN; replace with the ARN of the resource to protect
      ResourceArn: "arn:aws:service:region:account:resource"
      Tags:
        - Key: Environment
          Value: Production
```

Required IAM Permissions

Permissions CloudFormation needs in your IAM role to manage this resource.

create

- shield:CreateProtection
- shield:DeleteProtection
- shield:DescribeProtection
- shield:ListProtections
- shield:EnableApplicationLayerAutomaticResponse
- shield:AssociateHealthCheck
- shield:TagResource
- ec2:DescribeAddresses

delete

- shield:DeleteProtection
- shield:UntagResource

read

- shield:DescribeProtection
- shield:ListTagsForResource

update

- shield:DescribeProtection
- shield:AssociateHealthCheck
- shield:DisassociateHealthCheck
- shield:EnableApplicationLayerAutomaticResponse
- shield:UpdateApplicationLayerAutomaticResponse
- shield:DisableApplicationLayerAutomaticResponse
- shield:ListTagsForResource
- shield:TagResource

list

shield:ListProtections

Quick Facts

- Service: Shield
- Properties: 7
- Required: 2
- Tagging: Supported
- Primary ID: ProtectionArn

Supported Operations

Create, Delete, Read, Update, List

Immutable After Creation

These properties cannot be changed after the resource is created. Updating them triggers a replacement.

Name, ResourceArn
