Authorizes the Shield Response Team (SRT) using the specified role, to access your Amazon Web Services account to assist with DDoS attack mitigation during potential attacks. This enables the SRT to inspect your WAF configuration and create or update WAF rules and web ACLs.
You can associate only one RoleArn
with your subscription. If you submit an AssociateDRTRole
request for an account that already has an associated role, the new RoleArn
will replace the existing RoleArn
.
Prior to making the AssociateDRTRole
request, you must attach the AWSShieldDRTAccessPolicy
managed policy to the role that you’ll specify in the request. You can access this policy in the IAM console at AWSShieldDRTAccessPolicy . For more information see Adding and removing IAM identity permissions . The role must also trust the service principal drt.shield.amazonaws.com
. For more information, see IAM JSON policy elements: Principal .
The SRT will have access only to your WAF and Shield resources. By submitting this request, you authorize the SRT to inspect your WAF and Shield configuration and create and update WAF rules and web ACLs on your behalf. The SRT takes these actions only if explicitly authorized by you.
You must have the iam:PassRole
permission to make an AssociateDRTRole
request. For more information, see Granting a user permissions to pass a role to an Amazon Web Services service .
To use the services of the SRT and make an AssociateDRTRole
request, you must be subscribed to the Business Support plan or the Enterprise Support plan .
See also: AWS API Documentation
See ‘aws help’ for descriptions of global parameters.
associate-drt-role
--role-arn <value>
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
--role-arn
(string)
The Amazon Resource Name (ARN) of the role the SRT will use to access your Amazon Web Services account.
Prior to making the
AssociateDRTRole
request, you must attach the AWSShieldDRTAccessPolicy managed policy to this role. For more information see `Attaching and Detaching IAM Policies < https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html>`__ .
--cli-input-json
| --cli-input-yaml
(string)
Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton
. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml
.
--generate-cli-skeleton
(string)
Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input
, prints a sample input JSON that can be used as an argument for --cli-input-json
. Similarly, if provided yaml-input
it will print a sample input YAML that can be used with --cli-input-yaml
. If provided with the value output
, it validates the command inputs and returns a sample output JSON for that command. The generated JSON skeleton is not stable between versions of the AWS CLI and there are no backwards compatibility guarantees in the JSON skeleton generated.
See ‘aws help’ for descriptions of global parameters.
Note
To use the following examples, you must have the AWS CLI installed and configured. See the Getting started guide in the AWS CLI User Guide for more information.
Unless otherwise stated, all examples have unix-like quotation rules. These examples will need to be adapted to your terminal’s quoting rules. See Using quotation marks with strings in the AWS CLI User Guide .
To authorize the DRT to mitigate potential attacks on your behalf
The following associate-drt-role
example creates an association between the DRT and the specified role. The DRT can use the role to access and manage the account.
aws shield associate-drt-role \
--role-arn arn:aws:iam::123456789012:role/service-role/DrtRole
This command produces no output.
For more information, see Authorize the DDoS Response Team in the AWS Shield Advanced Developer Guide.
None