steampipe plugin install aws

Table: aws_shield_protection - Query AWS Shield Advanced Protections using SQL

AWS Shield Advanced Protections are safeguards provided by AWS to protect AWS resources against Distributed Denial of Service (DDoS) attacks.

Table Usage Guide

The aws_shield_protection table in Steampipe allows you to query AWS Shield Advanced Protections and retrieve detailed information about each protection's settings. This table provides you with insights into the protections that are currently active in your AWS environment, including the ARN of the resource that is protected and the automatic application layer DDoS mitigation setting. You can use this table to monitor the status of your AWS Shield Advanced Protections and ensure that your resources are protected against DDoS attacks. For more information about the individual fields, please refer to the AWS Shield Advanced API documentation.

Note: The column resource_type only has a value when it is used in the where clause. For a list of valid values for filtering by resource_type, please refer to the AWS documentation.

Examples

Basic info

Discover the protections that are currently active in your account and what kind of resources they are protecting.

select
name,
resource_arn
from
aws_shield_protection;

Identify Protections without Route 53 Health Checks

Identify the protections that are missing Route 53 Health Checks. This information can be useful to see which protections still need Health Checks in order to be covered by the proactive engagement of the Shield Response Team.

select
name,
resource_arn
from
aws_shield_protection
where
health_check_ids is null;
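The query above only tells you whether a protection has any health checks at all. The following added example (not from the original page) goes one step further and lists every health check ID attached to each protection, one row per ID, with a count so that protections without any checks sort first. It uses only the columns documented in the schema below and the standard PostgreSQL jsonb functions, so it assumes Steampipe's default PostgreSQL engine.

```sql
-- Added example: one row per (protection, health check id), protections
-- with no health checks first. Assumes the PostgreSQL backend.
select
  p.name,
  p.resource_arn,
  -- jsonb_array_length returns null for a null column, so coalesce to 0
  coalesce(jsonb_array_length(p.health_check_ids), 0) as health_check_count,
  hc.id as health_check_id
from
  aws_shield_protection as p
  -- left join lateral keeps protections whose health_check_ids is null
  left join lateral jsonb_array_elements_text(p.health_check_ids) as hc(id) on true
order by
  health_check_count asc,
  p.name;
```

Rows with health_check_count = 0 are the protections that still need a health check before the Shield Response Team can engage proactively on them.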

List Protections for Route 53 Hosted Zones

Restrict the results to protections for Route 53 hosted zones. The resource_type column must appear in the where clause for it to be populated.

select
name,
resource_arn
from
aws_shield_protection
where
resource_type = 'ROUTE_53_HOSTED_ZONE';

Identify Protections with automatic Application Layer DDoS Mitigation enabled

Find the protections whose automatic application layer DDoS mitigation is enabled and configured to block, rather than only count, the traffic that Shield Advanced identifies as an attack.

select
title,
resource_arn
from
aws_shield_protection
where
application_layer_automatic_response_configuration ->> 'Status' = 'ENABLED'
and application_layer_automatic_response_configuration -> 'Action' -> 'Block' is not null;

Check if all Shield protected CloudFront distributions are protected by Shield's automatic Application Layer DDoS Mitigation

select
protection.name as protection_name,
distribution.arn,
distribution.aliases ->> 'Items' as aliases,
web_acl_id is not null as has_web_acl,
protection.application_layer_automatic_response_configuration ->> 'Status' = 'ENABLED' as auto_mitigation_enabled
from
aws_shield_protection as protection
join aws_cloudfront_distribution as distribution on protection.resource_arn = distribution.arn;
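The join above reports the status of every protected distribution. As an added example that is not part of the original page, the query below turns it into a gap report: it returns only the Shield protected CloudFront distributions whose automatic application layer mitigation is either not enabled or enabled without the Block action, and shows which action is configured. It assumes, per the Shield Advanced API, that the Action object carries either a Block or a Count key.

```sql
-- Added example: protected CloudFront distributions that are not being
-- actively blocked by automatic application layer DDoS mitigation.
-- Assumes the Action object holds a "Block" or "Count" key (Shield API shape).
select
  p.name as protection_name,
  p.resource_arn,
  coalesce(p.application_layer_automatic_response_configuration ->> 'Status', 'DISABLED') as auto_mitigation_status,
  case
    when p.application_layer_automatic_response_configuration -> 'Action' -> 'Block' is not null then 'Block'
    when p.application_layer_automatic_response_configuration -> 'Action' -> 'Count' is not null then 'Count'
    else 'none'
  end as auto_mitigation_action,
  -- automatic mitigation needs a web ACL on the distribution to manage rules in
  d.web_acl_id is not null as has_web_acl
from
  aws_shield_protection as p
  join aws_cloudfront_distribution as d on p.resource_arn = d.arn
where
  coalesce(p.application_layer_automatic_response_configuration ->> 'Status', 'DISABLED') <> 'ENABLED'
  or p.application_layer_automatic_response_configuration -> 'Action' -> 'Block' is null
order by
  has_web_acl,
  p.name;
```

A distribution with has_web_acl = false cannot have automatic mitigation enabled at all, so those rows are the first to fix; rows with auto_mitigation_action = 'Count' are protected but only observing, not blocking.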

Schema for aws_shield_protection

Name | Type | Operators | Description
---- | ---- | --------- | -----------
_ctx | jsonb | | Steampipe context in JSON form.
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located.
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource.
application_layer_automatic_response_configuration | jsonb | | The automatic application layer DDoS mitigation settings for the protection. This configuration determines whether Shield Advanced automatically manages rules in the web ACL in order to respond to application layer events that Shield Advanced determines to be DDoS attacks.
arn | text | | The ARN (Amazon Resource Name) of the protection.
health_check_ids | jsonb | | The unique identifier (ID) for the Route 53 health check that's associated with the protection.
id | text | = | The unique identifier (ID) of the protection.
name | text | = | The name of the protection.
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov).
region | text | | The AWS Region in which the resource is located.
resource_arn | text | = | The ARN (Amazon Resource Name) of the Amazon Web Services resource that is protected.
resource_type | text | = | The type of protected resource whose protections you want to retrieve.
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name.
sp_ctx | jsonb | | Steampipe context in JSON form.
tags | jsonb | | A map of tags for the resource.
tags_src | jsonb | | The list of tags associated with the protection.
title | text | | Title of the resource.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are standalone binaries that let you extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws

You can pass the configuration to the command with the --config argument:

steampipe_export_aws --config '<your_config>' aws_shield_protection