AWS Network Security: Protection Against DDoS Attacks

Protecting Your Application with EC2 Instances, ALB, and CloudFront


Question

Your company plans to set up an application that consists of EC2 instances, an Application Load Balancer and CloudFront.

Your management is worried about DDoS attacks.

Which of the following can help protect against such network attacks? Choose 3 answers from the options given below.

Answers

Explanations


A. B. C. D.

Answer - A, B and D.

The AWS Documentation mentions the following.

AWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests forwarded to Amazon CloudFront or an Application Load Balancer.

AWS WAF also lets you control access to your content.

Based on conditions that you specify, such as the IP addresses that requests originate from or the values of query strings, CloudFront or an Application Load Balancer responds to requests either with the requested content or an HTTP 403 status code (Forbidden).

AWS Shield Advanced provides expanded DDoS attack protection for your Amazon EC2 instances, Elastic Load Balancing load balancers, CloudFront distributions, and Route 53 hosted zones.

AWS Shield Advanced incurs additional charges.

Option C is incorrect since AWS WAF can only be used with the Application Load Balancer and the CloudFront distribution.

For more information on AWS WAF, please refer to the URL below.

https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html

Distributed Denial of Service (DDoS) attacks are malicious attempts to disrupt the normal traffic of a website, application, or network. These attacks can cause serious problems and lead to system outages, making it difficult for legitimate users to access the application.

To protect your infrastructure against DDoS attacks, Amazon Web Services (AWS) offers various solutions. Here are the three options that can help protect against network attacks in the scenario given in the question:

  1. Place the AWS WAF in front of the Application Load Balancer: AWS WAF (Web Application Firewall) is a web application firewall that helps protect web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. By placing the AWS WAF in front of the Application Load Balancer, it can filter out any malicious traffic before it reaches the EC2 instances. AWS WAF rules can be customized to allow only valid HTTP requests and block requests that match a certain pattern.

  2. Place the AWS WAF in front of the CloudFront distribution: CloudFront is a content delivery network (CDN) service that speeds up the distribution of static and dynamic web content, such as HTML, CSS, JavaScript, and images. Placing the AWS WAF in front of the CloudFront distribution helps protect against DDoS attacks that target the distribution. AWS WAF can inspect incoming traffic and block any malicious requests before they reach the origin server.

  3. Consider using AWS Shield Advanced: AWS Shield Advanced is a DDoS protection service that provides additional protection against DDoS attacks. It offers detection and mitigation of large-scale attacks, as well as 24/7 access to the AWS DDoS response team. It also provides protection against infrastructure layer attacks, such as UDP floods, SYN floods, and reflection attacks. AWS Shield Advanced can be used in conjunction with other AWS services, such as Elastic Load Balancing, Amazon CloudFront, and Amazon Route 53.

In summary, placing the AWS WAF in front of the Application Load Balancer or CloudFront distribution, and considering the use of AWS Shield Advanced, can help protect against DDoS attacks. These solutions can filter out malicious traffic and provide additional layers of security to your infrastructure.
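
The CloudFormation template below is an added example, not part of the original explanation or of the AWS documentation it quotes. It shows the ALB half of the answer: a regional web ACL with an IP-based block rule and a rate-based rule, associated with the load balancer, plus a Shield Advanced protection on the same resource. The `AlbArn` parameter, the resource names, the rate limit and the blocked CIDR (a documentation range) are assumptions.

```yaml
# Added example: names, limit and CIDR are constructed, not taken from the page.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  AlbArn:
    Type: String              # ARN of an existing Application Load Balancer (assumed)
Resources:
  BlockedIps:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: blocked-ips
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses: ["203.0.113.0/24"]
  AppWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: app-web-acl
      Scope: REGIONAL         # for an ALB; a CloudFront web ACL uses Scope CLOUDFRONT in us-east-1
      DefaultAction: { Allow: {} }
      VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: app-web-acl }
      Rules:
        - Name: block-listed-ips          # condition on the request's source IP address
          Priority: 0
          Action: { Block: {} }           # blocked requests receive HTTP 403
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt BlockedIps.Arn
          VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: block-listed-ips }
        - Name: rate-limit-per-ip         # throttles request floods from a single source
          Priority: 1
          Action: { Block: {} }
          Statement:
            RateBasedStatement:
              Limit: 2000                 # requests per source IP in the default 5-minute window (assumed value)
              AggregateKeyType: IP
          VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: rate-limit-per-ip }
  AlbAssociation:
    Type: AWS::WAFv2::WebACLAssociation   # attaches the web ACL to the ALB
    Properties:
      ResourceArn: !Ref AlbArn
      WebACLArn: !GetAtt AppWebAcl.Arn
  AlbShieldProtection:
    Type: AWS::Shield::Protection         # requires an active Shield Advanced subscription
    Properties:
      Name: app-alb-protection
      ResourceArn: !Ref AlbArn
```

For the CloudFront half, the web ACL is created with `Scope: CLOUDFRONT` and attached through the distribution's `WebACLId` setting rather than through `AWS::WAFv2::WebACLAssociation`.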