Authorizes the DDoS Response Team (DRT), using the specified role, to access your AWS account to assist with DDoS attack mitigation during potential attacks. This enables the DRT to inspect your AWS WAF configuration and create or update AWS WAF rules and web ACLs.
You can associate only one RoleArn
with your subscription. If you submit an AssociateDRTRole
request for an account that already has an associated role, the new RoleArn
will replace the existing RoleArn
.
Prior to making the AssociateDRTRole
request, you must attach the AWSShieldDRTAccessPolicy managed policy to the role you will specify in the request. For more information see `Attaching and Detaching IAM Policies < https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html>`__ . The role must also trust the service principal drt.shield.amazonaws.com
. For more information, see IAM JSON Policy Elements: Principal .
The DRT will have access only to your AWS WAF and Shield resources. By submitting this request, you authorize the DRT to inspect your AWS WAF and Shield configuration and create and update AWS WAF rules and web ACLs on your behalf. The DRT takes these actions only if explicitly authorized by you.
You must have the iam:PassRole
permission to make an AssociateDRTRole
request. For more information, see Granting a User Permissions to Pass a Role to an AWS Service .
To use the services of the DRT and make an AssociateDRTRole
request, you must be subscribed to the Business Support plan or the Enterprise Support plan .
See also: AWS API Documentation
See ‘aws help’ for descriptions of global parameters.
associate-drt-role
--role-arn <value>
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
--role-arn
(string)
The Amazon Resource Name (ARN) of the role the DRT will use to access your AWS account.
Prior to making the
AssociateDRTRole
request, you must attach the AWSShieldDRTAccessPolicy managed policy to this role. For more information see `Attaching and Detaching IAM Policies < https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html>`__ .
--cli-input-json
| --cli-input-yaml
(string)
Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton
. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml
.
--generate-cli-skeleton
(string)
Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input
, prints a sample input JSON that can be used as an argument for --cli-input-json
. Similarly, if provided yaml-input
it will print a sample input YAML that can be used with --cli-input-yaml
. If provided with the value output
, it validates the command inputs and returns a sample output JSON for that command.
See ‘aws help’ for descriptions of global parameters.
To authorize the DRT to mitigate potential attacks on your behalf
The following associate-drt-role
example creates an association between the DRT and the specified role. The DRT can use the role to access and manage the account.
aws shield associate-drt-role \
--role-arn arn:aws:iam::123456789012:role/service-role/DrtRole
This command produces no output.
For more information, see Authorize the DDoS Response Team in the AWS Shield Advanced Developer Guide.
None