# DDoS response runbook template (Shield Advanced + SRT)

## Roles

| Role | Responsibility |
|------|----------------|
| Incident commander | Declares severity, owns comms |
| Edge owner | CloudFront / ALB / WAF changes |
| SRT liaison | Business/Enterprise Support case + Shield engagement |
| FinOps | Cost protection credit request within 15-day window |

## Detection (automated)

1. CloudWatch alarm: `DDoSDetected` metric on protected resource
2. AWS WAF blocked request spike (&gt;3× 7-day baseline)
3. Cost anomaly detection on CloudFront DTO / ALB LCU

## Triage checklist (first 15 minutes)

- [ ] Confirm attack vs legitimate traffic spike (marketing campaign, bot crawl)
- [ ] Verify resource has **Shield Advanced protection enabled** (not just subscription)
- [ ] Check WAF rate-based rule is **Block** mode, not Count
- [ ] Capture attack window UTC timestamps for credit request

## SRT engagement

1. Open **AWS Support** case — severity per your support plan
2. For Business/Enterprise: request **Shield Response Team** assistance
3. Grant permission for SRT-applied WAF rules if needed (document in change log)
4. Do **not** disable Shield Advanced protection during attack

## Communications template

```
Subject: [SEV-?] DDoS event — [app name] — [UTC start]

Impact: [customer-facing / internal only]
Protected resources: [CloudFront distro IDs / ALB ARNs]
Mitigation: [WAF AMR auto / manual rule / SRT engaged]
Next update: [time UTC]
```

## Post-incident (within 15 days of billing month end)

- [ ] File Shield Advanced **cost protection** credit via Support if scaling charges occurred
- [ ] Attach CloudWatch graphs + WAF sampled requests
- [ ] Update [shield-advanced-decision-matrix.md](./shield-advanced-decision-matrix.md) notes for any misconfigured resource
- [ ] Schedule tabletop with [incident response runbooks](/blog/aws-security-incident-response-runbooks-2026/)

## What SRT does NOT guarantee

- Zero downtime — mitigation reduces impact; design for resiliency
- Credit approval — eligibility depends on pre-attack configuration
- Replacement for WAF tuning on non-Shield-protected resources
