cloud-platform
Add Resource to AWS Shield and associate with WAF policy
Background
Shield Advanced is enabled using AWS Firewall Manager policies. This is managed in the aws-root-account Terraform code. Both our Cloud Platform and Cloud Platform Ephemeral Test AWS accounts already have AWS Shield enabled, but there are no resources protected in the Cloud Platform AWS account at the moment.
We need to add the resources to AWS Shield Advanced and associate a WAF policy with these resources where applicable.
It seems only an Application Load Balancer can be associated with an AWS WAF web ACL and automatic application layer DDoS mitigation; this is not applicable to an EIP.
AWS document here
Proposed user journey
- Ask Dave to help add the CP production account to local.shield_advanced_auto_remediate.accounts
- EIP
- NLB (Blocked by https://github.com/ministryofjustice/cloud-platform/issues/6000)
- Route 53
- Associate WAF policy to each resource if applicable
Refer to the comment on #5644 for more detail
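As an added illustration of the journey above (not the cloud-platform or aws-root-account repository's own Terraform), the block below puts the three resource types named in this issue under Shield Advanced protection directly in the workload account with aws_shield_protection, rather than through the Firewall Manager policy mentioned in the background, and associates a WAF web ACL plus automatic application-layer mitigation only with the ALB, since those are not applicable to an EIP or a hosted zone. The EIP address, hosted zone name, ALB name and web ACL are placeholders assumed for the example; the NLB is covered through its EIP, so it gets no separate block.

```hcl
# Added example, not the project's own code. Placeholder names/addresses throughout.
data "aws_partition" "current" {}
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

# Resources assumed to already exist in the Cloud Platform account.
data "aws_eip" "ingress" {
  public_ip = "192.0.2.10" # placeholder address
}

data "aws_route53_zone" "cp" {
  name = "example.cloud-platform.invalid." # placeholder hosted zone
}

data "aws_lb" "ingress_alb" {
  name = "cp-ingress-alb" # placeholder ALB name
}

# Shield Advanced protection, one resource per protection.
# An EIP exposes no ARN attribute, so build the eip-allocation ARN Shield expects.
resource "aws_shield_protection" "eip" {
  name         = "cp-ingress-eip"
  resource_arn = "arn:${data.aws_partition.current.partition}:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:eip-allocation/${data.aws_eip.ingress.id}"
}

resource "aws_shield_protection" "route53" {
  name         = "cp-hosted-zone"
  resource_arn = data.aws_route53_zone.cp.arn
}

resource "aws_shield_protection" "alb" {
  name         = "cp-ingress-alb"
  resource_arn = data.aws_lb.ingress_alb.arn
}

# A regional web ACL using an AWS managed rule group; only the ALB can be associated.
resource "aws_wafv2_web_acl" "cp" {
  name  = "cp-ingress-web-acl"
  scope = "REGIONAL"

  default_action {
    allow {}
  }

  rule {
    name     = "aws-managed-common"
    priority = 1

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-managed-common"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "cp-ingress-web-acl"
    sampled_requests_enabled   = true
  }
}

resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = data.aws_lb.ingress_alb.arn
  web_acl_arn  = aws_wafv2_web_acl.cp.arn
}

# Automatic application-layer DDoS mitigation requires an associated web ACL.
# Start in COUNT so mitigations show up in metrics before they block traffic.
resource "aws_shield_application_layer_automatic_response" "alb" {
  resource_arn = data.aws_lb.ingress_alb.arn
  action       = "COUNT"

  depends_on = [aws_wafv2_web_acl_association.alb]
}
```

Running this in the Cloud Platform account would give each resource its own entry in the Shield console and the ALB a web ACL; the EIP and hosted zone protections deliberately carry no WAF association, matching the constraint noted in the background. Switching the automatic response to BLOCK is a separate, later decision once the COUNT metrics look sane.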
Approach
Which part of the user docs does this impact
Communicate changes
- [ ] post for #cloud-platform-update
- [ ] Weeknotes item
- [ ] Show the Thing/P&A All Hands/User CoP
- [ ] Announcements channel
Questions / Assumptions
Definition of done
- [ ] Add EIP to Shield
- [ ] Add R53 to Shield
- [ ] Add NLB through EIP to Shield
- [ ] Associate WAF policy to each resource if applicable
- [ ] Integration tests are green
- [ ] Prepare demo for the team