Shield / Client / create_protection



Enables Shield Advanced for a specific Amazon Web Services resource. The resource can be an Amazon CloudFront distribution, Amazon Route 53 hosted zone, Global Accelerator standard accelerator, Elastic IP Address, Application Load Balancer, or a Classic Load Balancer. You can protect Amazon EC2 instances and Network Load Balancers by association with protected Amazon EC2 Elastic IP addresses.

You can add protection to only a single resource with each CreateProtection request. You can add protection to multiple resources at once through the Shield Advanced console. For more information, see Getting Started with Shield Advanced and Adding Shield Advanced protection to Amazon Web Services resources.

See also: AWS API Documentation

Request Syntax

response = client.create_protection(
    Name='string',
    ResourceArn='string',
    Tags=[{'Key': 'string', 'Value': 'string'}],
)

Parameters:

  • Name (string) –


    Friendly name for the Protection you are creating.

  • ResourceArn (string) –


    The ARN (Amazon Resource Name) of the resource to be protected.

    The ARN should be in one of the following formats:

    • For an Application Load Balancer: arn:aws:elasticloadbalancing:region:account-id:loadbalancer/app/load-balancer-name/load-balancer-id

    • For an Elastic Load Balancer (Classic Load Balancer): arn:aws:elasticloadbalancing:region:account-id:loadbalancer/load-balancer-name

    • For an Amazon CloudFront distribution: arn:aws:cloudfront::account-id:distribution/distribution-id

    • For a Global Accelerator standard accelerator: arn:aws:globalaccelerator::account-id:accelerator/accelerator-id

    • For Amazon Route 53: arn:aws:route53:::hostedzone/hosted-zone-id

    • For an Elastic IP address: arn:aws:ec2:region:account-id:eip-allocation/allocation-id

  • Tags (list) –

    One or more tag key-value pairs for the Protection object that is created.

    • (dict) –

      A tag associated with an Amazon Web Services resource. Tags are key:value pairs that you can use to categorize and manage your resources, for purposes like billing or other management. Typically, the tag key represents a category, such as “environment”, and the tag value represents a specific value within that category, such as “test,” “development,” or “production”. Or you might set the tag key to “customer” and the value to the customer name or ID. You can specify one or more tags to add to each Amazon Web Services resource, up to 50 tags for a resource.

      • Key (string) –

        Part of the key:value pair that defines a tag. You can use a tag key to describe a category of information, such as “customer.” Tag keys are case-sensitive.

      • Value (string) –

        Part of the key:value pair that defines a tag. You can use a tag value to describe a specific value within a category, such as “companyA” or “companyB.” Tag values are case-sensitive.

Return type:

  dict

Response Syntax

    {'ProtectionId': 'string'}

Response Structure

  • (dict) –

    • ProtectionId (string) –

      The unique identifier (ID) for the Protection object that is created.


Exceptions

  • Shield.Client.exceptions.InternalErrorException

  • Shield.Client.exceptions.InvalidResourceException

  • Shield.Client.exceptions.InvalidOperationException

  • Shield.Client.exceptions.LimitsExceededException

  • Shield.Client.exceptions.ResourceAlreadyExistsException

  • Shield.Client.exceptions.OptimisticLockException

  • Shield.Client.exceptions.ResourceNotFoundException

  • Shield.Client.exceptions.InvalidParameterException
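
As an added example (not part of the AWS documentation), the helper below checks each ARN against the six formats listed under ResourceArn, then sends one create_protection request per resource and treats ResourceAlreadyExistsException as success. The names resource_kind and protect_all and the loose segment pattern are assumptions of this example; client is a Shield client such as boto3.client("shield").

```python
import re

SEG = r"[^/:\s]+"      # one path segment (assumed loose: no "/", ":" or spaces)
ACCT = r"\d{12}"       # 12-digit account id
ELB = rf"arn:aws:elasticloadbalancing:{SEG}:{ACCT}:loadbalancer"
# The six ResourceArn formats listed above, as anchored patterns.
ARN_FORMATS = {
    "alb": rf"{ELB}/app/{SEG}/{SEG}",
    "clb": rf"{ELB}/{SEG}",
    "cloudfront": rf"arn:aws:cloudfront::{ACCT}:distribution/{SEG}",
    "globalaccelerator": rf"arn:aws:globalaccelerator::{ACCT}:accelerator/{SEG}",
    "route53": rf"arn:aws:route53:::hostedzone/{SEG}",
    "eip": rf"arn:aws:ec2:{SEG}:{ACCT}:eip-allocation/{SEG}",
}


def resource_kind(arn):
    """Return the matching format name, or None if the ARN fits none of them."""
    for kind, pattern in ARN_FORMATS.items():
        if re.fullmatch(pattern, arn):
            return kind
    return None


def protect_all(client, resources, tags=None):
    """resources maps protection Name -> ResourceArn; one request is sent per entry.

    client is a Shield client, e.g. boto3.client("shield").
    Returns {name: ("created", id) | ("exists", None) | ("rejected", None)}.
    """
    tag_list = [{"Key": k, "Value": v} for k, v in (tags or {}).items()]
    if len(tag_list) > 50:
        raise ValueError("at most 50 tags per resource")
    results = {}
    for name, arn in resources.items():
        if resource_kind(arn) is None:
            results[name] = ("rejected", None)   # never sent to the API
            continue
        kwargs = {"Name": name, "ResourceArn": arn}
        if tag_list:
            kwargs["Tags"] = tag_list
        try:
            response = client.create_protection(**kwargs)
            results[name] = ("created", response["ProtectionId"])
        except client.exceptions.ResourceAlreadyExistsException:
            results[name] = ("exists", None)     # already protected: treat as success
    return results
```

A Network Load Balancer ARN (loadbalancer/net/...) is rejected locally, since Network Load Balancers are protected through their Elastic IP addresses rather than directly.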