A Lambda function that manages the AWS Shield Application Layer Automatic Response configuration for CloudFront distributions, switching between COUNT and BLOCK modes based on environment configuration.

Features:
- Switches from COUNT to BLOCK mode
- Validates protection status before making changes
- Comprehensive error handling with detailed logging
- Environment-variable-controlled behavior

Prerequisites:
- AWS Shield Advanced subscription
- CloudFront distribution protected by Shield
- IAM permissions for Shield operations (see below)
- Python 3.8+ runtime
Environment variables:

| Variable | Required | Default | Description |
|---|---|---|---|
| DISTRIBUTION_ID | Yes | - | CloudFront distribution ID to manage |
| ENABLE_BLOCK | No | "true" | Set to "false" to skip switching to BLOCK mode |
How it works:

1. Initialization:
   - Validates required environment variables
   - Sets up logging with INFO level
2. Protection Lookup:
   - Constructs the CloudFront ARN from the distribution ID
   - Lists protections with exact ARN and resource type filters
   - Validates that exactly one protection exists
3. Status Check:
   - Gets the current automatic response configuration
   - Logs the current status (ENABLED/DISABLED) and action (COUNT/BLOCK)
4. Mode Management:
   - DISABLED: Enables automatic response in BLOCK mode
   - ENABLED (COUNT): Updates to BLOCK mode
   - ENABLED (BLOCK): No changes needed
   - ENABLED (Unknown): Logs an error and returns 500
   - ENABLE_BLOCK=false: Skips all mode changes

Error handling:
| Error Case | Status Code | Response |
|---|---|---|
| Missing DISTRIBUTION_ID | 400 | Error message |
| Protection not found | 404 | Error message |
| Multiple protections | 400 | Error message |
| Unknown state/action | 500 | Error message |
| AWS API errors | 500 | Error details |
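The lookup, status-check and mode-management steps above, as an added example that is not the project's own code. It assumes the standard boto3 Shield API calls (`list_protections` with inclusion filters, `describe_protection`, and the enable/update automatic-response calls), that the distribution lives in the same account as the Lambda (the account ID is read from STS to build the ARN), and that the Shield endpoint is in us-east-1. The decision logic takes the client as a parameter so it can be exercised against a fake client without AWS access.

```python
import logging
import os

logger = logging.getLogger()
logger.setLevel(logging.INFO)


def find_protection(shield, resource_arn):
    # Exact ARN and resource-type filters; anything other than one match is an error.
    resp = shield.list_protections(InclusionFilters={
        "ResourceArns": [resource_arn], "ResourceTypes": ["CLOUDFRONT_DISTRIBUTION"]})
    protections = resp.get("Protections", [])
    if not protections:
        raise LookupError((404, f"no Shield protection found for {resource_arn}"))
    if len(protections) > 1:
        raise LookupError((400, f"expected one protection, found {len(protections)}"))
    return protections[0]


def reconcile(shield, resource_arn, enable_block=True):
    """Apply the mode-management rules and return (status_code, message)."""
    protection = find_protection(shield, resource_arn)
    # The key is absent when automatic response was never enabled, so default to DISABLED.
    cfg = shield.describe_protection(ProtectionId=protection["Id"])["Protection"].get(
        "ApplicationLayerAutomaticResponseConfiguration", {"Status": "DISABLED"})
    status, action = cfg.get("Status"), cfg.get("Action", {})
    logger.info("current status=%s action=%s", status, list(action) or "none")
    if not enable_block:
        return 200, f"ENABLE_BLOCK=false: left status {status} unchanged"
    if status == "DISABLED":
        shield.enable_application_layer_automatic_response(ResourceArn=resource_arn, Action={"Block": {}})
        return 200, "enabled automatic response in BLOCK mode"
    if status == "ENABLED" and "Count" in action:
        shield.update_application_layer_automatic_response(ResourceArn=resource_arn, Action={"Block": {}})
        return 200, "switched COUNT to BLOCK"
    if status == "ENABLED" and "Block" in action:
        return 200, "already in BLOCK mode; no change needed"
    return 500, f"unknown state/action: {status}/{list(action)}"


def lambda_handler(event, context):
    import boto3  # imported here so the decision logic above stays importable without boto3
    dist_id = os.environ.get("DISTRIBUTION_ID")
    if not dist_id:
        return {"statusCode": 400, "body": "DISTRIBUTION_ID is required"}
    account = boto3.client("sts").get_caller_identity()["Account"]  # assumption: same account
    arn = f"arn:aws:cloudfront::{account}:distribution/{dist_id}"
    enable_block = os.environ.get("ENABLE_BLOCK", "true").lower() != "false"
    try:  # assumption: the Shield API endpoint is in us-east-1
        code, body = reconcile(boto3.client("shield", region_name="us-east-1"), arn, enable_block)
    except LookupError as exc:
        code, body = exc.args[0]
    return {"statusCode": code, "body": body}
```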
IAM policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "shield:ListProtections",
        "shield:DescribeProtection",
        "shield:EnableApplicationLayerAutomaticResponse",
        "shield:UpdateApplicationLayerAutomaticResponse"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    }
  ]
}
```

Deployment:
- Package the function:

  ```bash
  zip function.zip shield_remediation_switch.py
  ```

- Create the Lambda with:
  - Python 3.8+ runtime
  - 128MB memory (minimum)
  - 1 minute timeout
  - The IAM policy above
  - Environment variables set
- Recommended triggers:
  - CloudWatch Events for scheduled execution
  - SNS for on-demand invocation
The function emits detailed CloudWatch logs including:
- Configuration validation results
- Protection status before/after changes
- Any errors encountered
- Execution metrics (duration, memory used)
Use cases:

1. Emergency Block Mode:
   - Trigger manually during attacks to switch from COUNT to BLOCK
2. Scheduled Testing:
   - Run weekly to verify protection status
3. Automated Response:
   - Chain with GuardDuty or Shield alerts
Test scenarios should cover:
- All protection states (ENABLED/DISABLED)
- All action types (COUNT/BLOCK/Unknown)
- Error conditions (missing variables, no protection, etc.)
- Environment variable combinations