AWS Shield
AWS Shield / Shield Advanced on fakecloud: the full 36-operation control plane -- protections and protection groups, the annual Shield Advanced subscription, emergency contacts, DRT access, proactive engagement, application-layer automatic response, health-check association, and tags -- with account-partitioned persistence and honest (non-synthetic) attack surfacing.
fakecloud implements AWS Shield and Shield Advanced (shield), the AWS managed DDoS protection service. All 36 operations from the AWS Smithy model ship now, backed by account-partitioned state that persists across restarts in persistent mode. The wire protocol is awsJson1.1 (x-amz-target AWSShield_20160616.<Op>), signing as shield. Shield is a global service, so its ARNs carry an empty region field (arn:aws:shield::<account>:...).
This is a faithful control plane: every operation is real, validated, persisted CRUD -- no stubbed success responses. Requests are validated against the model's required / length / range / enum constraints before any handler runs, and errors are AWS-shaped and drawn from each operation's declared Smithy error set (ResourceNotFoundException, InvalidParameterException, ResourceAlreadyExistsException, LockedSubscriptionException, InvalidResourceException, LimitsExceededException, NoAssociatedRoleException, ...).
Attack surfacing is honest: with no real DDoS traffic to observe, ListAttacks returns an empty attack list and DescribeAttackStatistics returns a zeroed time-series over the requested window. No synthetic attacks are fabricated.
Supported features
- Protections (
CreateProtection,DescribeProtection,DeleteProtection,ListProtections).CreateProtectionregisters a protection for a supported resource ARN (CloudFront distribution, Route 53 hosted zone, Elastic IP, Classic / Application load balancer, Global Accelerator), mints a 36-charProtectionIdand anarn:aws:shield::<account>:protection/<id>ARN, and round-trips viaDescribe(byProtectionIdorResourceArn) andList(withInclusionFilterson resource ARN / name / type). A resource may carry at most one protection (ResourceAlreadyExistsException); a value that is not an ARN is rejected withInvalidResourceException. - Protection groups (
CreateProtectionGroup,UpdateProtectionGroup,DeleteProtectionGroup,DescribeProtectionGroup,ListProtectionGroups,ListResourcesInProtectionGroup) withAggregation(SUM/MEAN/MAX),Pattern(ALL/ARBITRARY/BY_RESOURCE_TYPE), an optionalResourceType, and member resource ARNs. - Subscription (
CreateSubscription,DescribeSubscription,UpdateSubscription,DeleteSubscription,GetSubscriptionState).CreateSubscriptionstarts a one-year auto-renewing Shield Advanced subscription;GetSubscriptionStatereturnsACTIVE/INACTIVE;DescribeSubscriptionreturns the fullSubscriptionLimits(per-resource-type protection limits + protection-group limits) and the subscription time range.UpdateSubscriptiontogglesAutoRenew. The subscription is locked by its one-year commitment, soDeleteSubscriptionreturnsLockedSubscriptionException(orResourceNotFoundExceptionwhen the account was never subscribed), matching the live service. - Emergency contacts (
UpdateEmergencyContactSettings,DescribeEmergencyContactSettings) -- the email / phone / notes list the DDoS Response Team (DRT) can reach during an incident. - DRT access (
AssociateDRTRole,DisassociateDRTRole,AssociateDRTLogBucket,DisassociateDRTLogBucket,DescribeDRTAccess). A DRT role must be associated before granting log-bucket access (NoAssociatedRoleException), and at most 10 log buckets are allowed (LimitsExceededException). - Proactive engagement (
AssociateProactiveEngagementDetails,EnableProactiveEngagement,DisableProactiveEngagement) -- the status is reflected onto the stored subscription. - Application-layer automatic response (
EnableApplicationLayerAutomaticResponse,UpdateApplicationLayerAutomaticResponse,DisableApplicationLayerAutomaticResponse) with theBlock/Countresponse action, persisted on the protection for the resource. - Health-check association (
AssociateHealthCheck,DisassociateHealthCheck) -- attaches Route 53 health-check ids to a protection. - Attacks (
ListAttacks,DescribeAttack,DescribeAttackStatistics) -- honest empty surfacing (see above). - Tags (
TagResource,UntagResource,ListTagsForResource), keyed by resource ARN.
Example
import boto3
shield = boto3.client("shield", endpoint_url="http://localhost:8080")
# Shield Advanced subscription.
shield.create_subscription()
print(shield.get_subscription_state()["SubscriptionState"]) # ACTIVE
# Protect a CloudFront distribution.
resp = shield.create_protection(
Name="web-frontend",
ResourceArn="arn:aws:cloudfront::123456789012:distribution/E1EXAMPLE",
)
protection_id = resp["ProtectionId"]
protection = shield.describe_protection(ProtectionId=protection_id)["Protection"]
print(protection["ProtectionArn"])
# Group protections for aggregated detection.
shield.create_protection_group(
ProtectionGroupId="frontend",
Aggregation="SUM",
Pattern="ALL",
)
# No real DDoS traffic -> empty attack list.
print(shield.list_attacks()["AttackSummaries"]) # []
shield.delete_protection(ProtectionId=protection_id)