Skip to content

Shield

Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. Shield provides always-on detection and inline mitigations that minimize application downtime and latency, by protecting users from L4, L7 and most common L3, L4 network and transport layer DDoS attacks. Shield detection and mitigation is designed to protect against threats, including ones that are not known to the service at the time of detection.

LocalStack allows you to use the Shield APIs in your local environment, and provides a simple way to mock and test the Shield service locally. The supported APIs are available on our API Coverage section, which provides information on the extent of Shield’s integration with LocalStack.

This guide is designed for users new to Shield and assumes basic knowledge of the AWS CLI and our awslocal wrapper script.

Start your LocalStack container using your preferred method. We will demonstrate how to create a Shield protection, list all protections, and delete a protection with the AWS CLI.

To create a Shield protection, use the CreateProtection API. The following command creates a Shield protection for a resource:

Terminal window
awslocal shield create-protection \
--name "my-protection" \
--resource-arn "arn:aws:elasticloadbalancing:us-east-1:000000000000:loadbalancer/app/my-alb/1234567890"
Output
{
"ProtectionId": "67908d33-16c0-443d-820a-31c02c4d5976"
}

To list all Shield protections, use the ListProtections API. The following command lists all Shield protections:

Terminal window
awslocal shield list-protections
Output
{
"Protections": [
{
"Id": "67908d33-16c0-443d-820a-31c02c4d5976",
"Name": "my-protection",
"ResourceArn": "arn:aws:elasticloadbalancing:us-east-1:000000000000:loadbalancer/app/my-alb/1234567890",
"ProtectionArn": "arn:aws:shield::000000000000:protection/67908d33-16c0-443d-820a-31c02c4d5976"
}
]
}

To describe a Shield protection, use the DescribeProtection API. The following command describes a Shield protection:

Terminal window
awslocal shield describe-protection \
--protection-id "67908d33-16c0-443d-820a-31c02c4d5976"

Replace the protection ID with the ID of the protection you want to describe.

Output
{
"Protection": {
"Id": "67908d33-16c0-443d-820a-31c02c4d5976",
"Name": "my-protection",
"ResourceArn": "arn:aws:elasticloadbalancing:us-east-1:000000000000:loadbalancer/app/my-alb/1234567890",
"ProtectionArn": "arn:aws:shield::000000000000:protection/67908d33-16c0-443d-820a-31c02c4d5976"
}
}

To delete a Shield protection, use the DeleteProtection API. The following command deletes a Shield protection:

Terminal window
awslocal shield delete-protection \
--protection-id "67908d33-16c0-443d-820a-31c02c4d5976"

Shield Config is currently mocked in LocalStack. You can create, read, update, and delete Shield protections & subscriptions, but the actual protection or subscription is not applied to any resources. If you need this feature, please consider opening a feature request on GitHub.

OperationImplementedImage
Page 1 of 0