Implementing Security Measures for AWS Cloud Infrastructure | Exam Answer

Best Practices for Securing EC2, S3, ELB-Classic, and CloudFront Configurations

Question

Your website utilizes EC2, S3, ELB-Classic, and CloudFront.

How can you implement the right security measures for this configuration? Choose 2 answers from the options given below.

Answers

Explanations

A. B. C. D.

Answer - B and C.

An NACL that blocks all ports would not be the right approach, because the application hosted on the instances in the subnet might then stop working.

WAF is supported on the Application Load Balancer and not on the Classic Load Balancer.

For more information on the web application firewall please refer to the below URL:

https://aws.amazon.com/waf/faq/

For more information on bucket policies please refer to the below URL:

http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html

To secure the EC2, S3, ELB-Classic, and CloudFront configuration, we need to take care of each component and implement the appropriate security measures. Two answers that can be correct are:

B. A restricted bucket policy on S3: S3 is a highly secure object storage service, and it provides many security features like encryption, access control, and bucket policies. A bucket policy allows us to control who can access our S3 bucket and what they can do with the objects inside it. With the restricted bucket policy, we can allow only specific IAM users or roles to access the S3 bucket and perform specific actions on it. For example, we can allow only read-only access to specific IAM users or roles and block all other actions. This will ensure that only authorized users can access the S3 bucket and its contents.

C. A WAF on your CloudFront distribution: CloudFront is a content delivery network that accelerates the delivery of our website content to end-users. A Web Application Firewall (WAF) can be used to protect CloudFront from common web attacks like SQL injection, cross-site scripting, and other common web-based exploits. By deploying a WAF on CloudFront, we can add an extra layer of security to our website and protect it from malicious traffic.

A. An NACL that blocks all ports to your subnets: This option is not a good fit for this scenario because it will block all ports to the subnets, which will prevent any traffic from entering or leaving the subnets. This means that the website will not be accessible to end-users, and it will not function as intended.

D. A WAF on the load balancer: ELB-Classic is a load balancer that distributes incoming traffic across multiple EC2 instances. While a WAF can be deployed on an Application Load Balancer, ELB-Classic does not support WAF integration. Therefore, this option is not a suitable solution for securing the website. Instead, we can use a WAF on CloudFront, as mentioned earlier.

In conclusion, implementing a restricted bucket policy on S3 and a WAF on the CloudFront distribution are the right security measures for securing the EC2, S3, ELB-Classic, and CloudFront configuration.
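The restricted bucket policy described under answer B can be checked mechanically. The following is an added example, not part of the original answer: a simplified audit that flags `Allow` statements open to any principal or granting more than read-only actions. The bucket name, account ID, role name and `Sid` values are constructed placeholders, and the check does not cover `NotPrincipal`, `NotAction` or full IAM evaluation.

```python
# Constructed sample policies; bucket, account ID and role are placeholders.
BUCKET = "arn:aws:s3:::example-website-bucket"
ROLE = "arn:aws:iam::111122223333:role/example-web-role"

WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicAll", "Effect": "Allow", "Principal": "*",
         "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"]},
    ],
}

RESTRICTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnlyForWebRole", "Effect": "Allow",
         "Principal": {"AWS": ROLE},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": [BUCKET, BUCKET + "/*"]},
    ],
}

# IAM action names are case-insensitive, so compare in lower case.
READ_ONLY_PREFIXES = ("s3:get", "s3:list")

def as_list(value):
    # Policy fields may hold a single value or a list of values.
    return value if isinstance(value, list) else [value]

def is_wildcard_principal(principal):
    # Matches "Principal": "*" and forms such as {"AWS": "*"}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in as_list(v) for v in principal.values())
    return False

def audit_bucket_policy(policy):
    # Returns (Sid, reason) pairs for Allow statements that are too broad.
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if is_wildcard_principal(stmt.get("Principal")) and not stmt.get("Condition"):
            findings.append((sid, "any principal allowed without a Condition"))
        for action in as_list(stmt.get("Action", [])):
            if not action.lower().startswith(READ_ONLY_PREFIXES):
                findings.append((sid, "non-read action: " + action))
    return findings
```
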