AWS Shield (IAM)
AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS.
Common permissions
- shield:ListAttacks
- shield:DescribeAttack
- shield:ListProtections
- shield:DescribeProtection
- shield:CreateProtection
- shield:DeleteProtection
- shield:DescribeSubscription
- shield:GetSubscriptionState
Least-privilege example
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "shield:ListAttacks",
        "shield:DescribeAttack",
        "shield:ListProtections",
        "shield:DescribeProtection",
        "shield:CreateProtection",
        "shield:DeleteProtection",
        "shield:DescribeSubscription",
        "shield:GetSubscriptionState"
      ],
      "Resource": "*"
    }
  ]
}
Warnings
- Avoid shield:* — grants full control including delete and modify operations.
- Avoid shield:DeleteProtection — can remove DDoS protection from resources.
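One way to check a policy document against the two warnings above, as an added example that is not part of the original page. The function name `check_shield_policy` and the finding labels are hypothetical; the sample input is the policy from the least-privilege example on this page, which itself lists shield:DeleteProtection and is therefore reported.

```python
import json
from fnmatch import fnmatchcase

# Sample input: the policy from this page's least-privilege example.
PAGE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Action": ["shield:ListAttacks", "shield:DescribeAttack",
                           "shield:ListProtections", "shield:DescribeProtection",
                           "shield:CreateProtection", "shield:DeleteProtection",
                           "shield:DescribeSubscription",
                           "shield:GetSubscriptionState"],
                "Resource": "*"}]}
""")


def _as_list(value):
    # IAM accepts a single object/string or a list for Statement and Action.
    return value if isinstance(value, list) else [value]


def check_shield_policy(policy):
    """Return (statement_index, action_pattern, finding) for each Allow
    statement entry that matches one of the page's two warnings.
    Assumption: only "Action" is inspected; "NotAction" is out of scope."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            p = pattern.lower()  # IAM action names are case-insensitive
            if p in ("*", "shield:*"):
                # Warning 1: full control, including delete and modify.
                findings.append((i, pattern, "full-control"))
            elif fnmatchcase("shield:deleteprotection", p):
                # Warning 2: named directly or via a partial wildcard
                # such as "shield:Delete*".
                findings.append((i, pattern, "delete-protection"))
    return findings


if __name__ == "__main__":
    for index, action, finding in check_shield_policy(PAGE_POLICY):
        print(f"Statement[{index}]: {action} -> {finding}")
```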
Resources
API
full doc /v1/iam/shield