AWS Cloud Practitioner Exam: Mitigating Internet Attacks with AWS Services

Question

Your company is planning to host a large e-commerce application on the AWS Cloud.

One of their major concerns is Internet attacks such as DDoS attacks.

Which of the following services can help mitigate this concern? Choose 2 answers from the options given below.

Answers

Explanations


Answer - A and B.

The AWS Documentation mentions the following on DDoS attacks.

AWS Services for DDoS Attack Mitigation.

AWS offers globally distributed, high network bandwidth and resilient services that, when used in conjunction with application-specific strategies, are key to mitigating DDoS attacks.

For more information on how to leverage each of these services and details on how their various features help protect against DDoS attacks, see the whitepaper AWS Best Practices for DDoS Resiliency.

AWS Shield.

AWS Shield is a managed DDoS protection service that is available in two tiers: Standard and Advanced.

AWS Shield Standard applies always-on detection and inline mitigation techniques, such as deterministic packet filtering and priority-based traffic shaping, to minimize application downtime and latency.

AWS Shield Standard is included automatically and transparently to your Elastic Load Balancing load balancers, Amazon CloudFront distributions, and Amazon Route 53 resources at no additional cost.

When you use these services that include AWS Shield Standard, you receive comprehensive availability protection against all known infrastructure layer attacks.

Customers who have the technical expertise to manage their own monitoring and mitigation of application layer attacks can use AWS Shield together with AWS WAF rules to create a comprehensive DDoS attack mitigation strategy.

AWS Shield Advanced provides enhanced DDoS attack detection and monitoring for application-layer traffic to your Elastic Load Balancing load balancers, CloudFront distributions, Amazon Route 53 hosted zones and resources attached to an Elastic IP address, such as Amazon EC2 instances.

AWS Shield Advanced uses additional techniques to provide granular detection of DDoS attacks, such as resource-specific traffic monitoring to detect HTTP floods or DNS query floods.

AWS Shield Advanced includes 24x7 access to the AWS DDoS Response Team (DRT), support experts who apply manual mitigations for more complex and sophisticated DDoS attacks, directly create or update AWS WAF rules, and can recommend improvements to your AWS architectures.

AWS WAF is included at no additional cost for resources that you protect with AWS Shield Advanced.

AWS Shield Advanced includes access to near real-time metrics and reports, for extensive visibility into infrastructure layer and application layer DDoS attacks.

You can combine AWS Shield Advanced metrics with additional, fine-tuned AWS WAF metrics for a more comprehensive CloudWatch monitoring and alarming strategy.

Customers subscribed to AWS Shield Advanced can also apply for a credit for charges that result from scaling during a DDoS attack on protected Amazon EC2, Amazon CloudFront, Elastic Load Balancing, or Amazon Route 53 resources.

See the AWS Shield Developer Guide for a detailed comparison of the two AWS Shield offerings.

AWS WAF.

AWS WAF is a web application firewall that helps protect web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources.

You can use AWS WAF to define customizable web security rules that control which traffic accesses your web applications.

If you use AWS Shield Advanced, you can use AWS WAF at no extra cost for those protected resources and can engage the DRT to create WAF rules.

AWS WAF rules use conditions to target specific requests and trigger an action, allowing you to identify and block common DDoS request patterns and effectively mitigate a DDoS attack.

These include size constraint conditions to block a web request based on the length of its query string or request body, and geographic match conditions to implement geo restriction (also known as geoblocking) on requests that originate from specific countries.

For a complete list of conditions, see the AWS WAF Developer Guide.

With AWS WAF, you can also create rate-based rules that automatically block requests from a single IP address if they exceed a customer-defined rate limit.

One benefit of rate-based rules is that you can block requests from an IP address while it exceeds the threshold, and then automatically allow requests from that same client once they drop to an acceptable rate.

This helps ensure that regular viewers are not held in a persistent block list.

You can also combine the rate limit with conditions to trigger different actions for distinct scenarios.
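To make the automatic un-blocking concrete, the following is an added Python simulation of a rate-based rule over constructed log lines; it is not AWS code and not from the original page. The 300-second trailing window and the limit of 3 requests per IP are assumed values chosen for readability, and AWS WAF evaluates the real rule on its own infrastructure.

```python
"""Simulate an AWS WAF rate-based rule over constructed access-log lines.

Added illustration, not AWS code. Assumed values: a 300 s trailing window
(mirroring WAF's 5-minute window) and a limit of 3 requests per IP per
window, chosen so the sample stays readable. Log format is constructed:
"<epoch_seconds> <client_ip>".
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 300  # assumed trailing window
LIMIT = 3             # assumed per-IP request limit within the window

# Constructed sample: 203.0.113.10 bursts, 198.51.100.7 is a regular viewer.
SAMPLE_LOG = """\
0 203.0.113.10
10 198.51.100.7
20 203.0.113.10
30 203.0.113.10
40 203.0.113.10
50 198.51.100.7
400 203.0.113.10
700 203.0.113.10
"""

def evaluate(log_text, window=WINDOW_SECONDS, limit=LIMIT):
    """Return [(timestamp, ip, action)], action being "ALLOW" or "BLOCK".

    A request is blocked when requests from its IP inside the trailing window,
    this one included, exceed the limit. Once older requests age out, the same
    client is allowed again: the automatic un-blocking the text describes.
    """
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    decisions = []
    for line in log_text.splitlines():
        ts_str, ip = line.split()
        ts = int(ts_str)
        bucket = recent[ip]
        bucket.append(ts)
        while bucket[0] <= ts - window:  # drop aged-out entries
            bucket.popleft()
        action = "BLOCK" if len(bucket) > limit else "ALLOW"
        decisions.append((ts, ip, action))
    return decisions

def actions_for(ip, decisions):
    """Actions taken for one client IP, in log order."""
    return [action for _, client, action in decisions if client == ip]

if __name__ == "__main__":
    for ts, ip, action in evaluate(SAMPLE_LOG):
        print(f"{ts:>4}s {ip:<14} {action}")
```

Running it shows the bursting client blocked on its fourth request and allowed again at 400 s once the earlier requests have aged out of the window, while the slow viewer is never blocked.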

Amazon Route 53

One of the most common targets of DDoS attacks is the Domain Name System (DNS).

Amazon Route 53 is a highly available and scalable DNS service designed to route end users to infrastructure running inside or outside of AWS.

Route 53 makes it possible to manage traffic globally through a variety of routing types, and provides out-of-the-box shuffle sharding and Anycast routing capabilities to protect domain names from DNS-based DDoS attacks.

Amazon CloudFront.

Amazon CloudFront distributes traffic across multiple edge locations and filters requests to ensure that only valid HTTP(S) requests will be forwarded to backend hosts.

CloudFront also supports geoblocking, which you can use to prevent requests from particular geographic locations from being served.

Elastic Load Balancing.

Elastic Load Balancing automatically distributes incoming application traffic across multiple targets, such as Amazon Elastic Compute Cloud (Amazon EC2) instances, containers, and IP addresses, and multiple Availability Zones, which minimizes the risk of overloading a single resource.

Elastic Load Balancing, like CloudFront, only supports valid TCP requests, so DDoS attacks such as UDP and SYN floods are not able to reach EC2 instances.

It also offers a single point of management and can serve as a line of defense between the internet and your backend, private EC2 instances.

Elastic Load Balancing includes the Application Load Balancer, which is best suited for load balancing of HTTP and HTTPS traffic and also directly supports AWS WAF.

VPCs and Security Groups.

Amazon Virtual Private Cloud (Amazon VPC) allows customers to configure subnet routes, public IP addresses, security groups, and network access control lists in order to minimize application attack surfaces.

You can configure load balancers and EC2 instance security groups to allow traffic that originates from specific IP addresses only, such as that from CloudFront or AWS WAF, protecting backend application components from a direct attack.
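As an added example of checking that point in practice (not from the page or from AWS), the Python below reviews a security group's ingress rules in the IpPermissions shape that EC2 DescribeSecurityGroups returns and flags any web-port rule reachable from somewhere other than AWS's managed CloudFront origin-facing prefix list; the prefix-list ID is a placeholder that the caller would look up for their region.

```python
"""Review an EC2 security group's ingress so backend web ports accept traffic
only from CloudFront. Added check, not from the page or from AWS.

Input is the IpPermissions list in the shape returned by EC2
DescribeSecurityGroups; "pl-PLACEHOLDER" stands in for the region-specific
ID of AWS's managed CloudFront origin-facing prefix list.
"""
import ipaddress

CLOUDFRONT_PREFIX_LIST = "pl-PLACEHOLDER"  # placeholder for the real per-region ID
WEB_PORTS = (80, 443)

def _touches_web_port(perm):
    """True if the permission covers port 80 or 443 (or all ports)."""
    if perm.get("IpProtocol") == "-1":
        return True
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return any(lo <= port <= hi for port in WEB_PORTS)

def direct_exposure(ip_permissions):
    """Return findings for ingress rules that let web traffic bypass CloudFront."""
    findings = []
    for perm in ip_permissions:
        if not _touches_web_port(perm):
            continue
        for key, field in (("IpRanges", "CidrIp"), ("Ipv6Ranges", "CidrIpv6")):
            for entry in perm.get(key, []):
                net = ipaddress.ip_network(entry[field], strict=False)
                scope = "whole internet" if net.prefixlen == 0 else "direct source"
                findings.append(f"{scope}: {entry[field]}")
        for pl in perm.get("PrefixListIds", []):
            if pl["PrefixListId"] != CLOUDFRONT_PREFIX_LIST:
                findings.append(f"non-CloudFront prefix list: {pl['PrefixListId']}")
    return findings

# Constructed examples: a weak group open to everyone, and the hardened one.
WEAK_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},  # not a web port, ignored here
]
HARDENED_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [], "PrefixListIds": [{"PrefixListId": CLOUDFRONT_PREFIX_LIST}]},
]

if __name__ == "__main__":
    print("weak:", direct_exposure(WEAK_INGRESS))
    print("hardened:", direct_exposure(HARDENED_INGRESS))
```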

For more information on DDoS attack prevention, please refer to the below URL:

https://aws.amazon.com/answers/networking/aws-ddos-attack-mitigation/

The two services that can help mitigate DDoS attacks in AWS are CloudFront and AWS Shield.

  1. CloudFront: CloudFront is a content delivery network (CDN) that distributes content, such as webpages, videos, and images, to servers located worldwide. It has the capability to mitigate DDoS attacks by using a feature called "Shield Advanced". This feature uses real-time monitoring and inline mitigation to detect and mitigate attacks against your applications.

  2. AWS Shield: AWS Shield is a managed DDoS protection service that safeguards applications running on AWS. It provides protection against common network and transport layer DDoS attacks. There are two types of AWS Shield: AWS Shield Standard and AWS Shield Advanced.

  • AWS Shield Standard provides automatic protection for all AWS customers at no additional cost, safeguarding web applications running on Amazon EC2, Elastic Load Balancing (ELB), Amazon CloudFront, and Amazon Route 53.

  • AWS Shield Advanced provides enhanced protections against sophisticated DDoS attacks, with 24/7 access to DDoS response experts, and integration with AWS WAF, a web application firewall that allows you to create custom rules to block or allow traffic to your web applications.

  3. AWS EC2: Amazon Elastic Compute Cloud (EC2) is a web service that provides resizable compute capacity in the cloud. While EC2 instances themselves do not offer DDoS protection, they can be configured with security groups and network access control lists (ACLs) to provide additional security and prevent attacks.

  4. AWS Config: AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. While it does not provide DDoS protection, it can help you identify potential security risks and ensure that your AWS resources are properly configured to prevent attacks.