You are a DevOps engineer in a company.
There will be a security audit in the company, and the security team asks you to provide evidence that the web applications in AWS are protected from the most critical attacks listed in the "Open Web Application Security Project (OWASP) Top 10".
For example, web application vulnerabilities such as SQL injection and Cross-Site Scripting (XSS) should be mitigated by a single approach.
This approach should also be cost-effective and simple to implement.
Which of the following options would you select?
Correct Answer: B.
Option A is incorrect because the solution from AWS Marketplace is not cost-effective; you can create your own rules in the Web ACL instead.
Option B is CORRECT because AWS WAF can help to mitigate the OWASP Top 10 threats.
For the details, please check the whitepaper.
Option C is incorrect because AWS Shield Advanced is mainly used to mitigate DDoS attacks.
It cannot remediate all OWASP Top 10 threats.
Option D is incorrect because AWS Inspector is only used for EC2 instances and there is no “OWASP Top 10” rule package in AWS Inspector.
Reference:
https://aws.amazon.com/blogs/aws/prepare-for-the-owasp-top-10-web-application-vulnerabilities-using-aws-waf-and-our-new-white-paper/, https://d0.awsstatic.com/whitepapers/Security/aws-waf-owasp.pdf

As a DevOps engineer, you need to ensure that the web applications in AWS are protected from the most critical attacks mentioned in OWASP Top 10. These attacks include SQL injection, Cross-Site Scripting (XSS), and other vulnerabilities.
Option A: Create a web ACL in AWS WAF and add a rule from AWS Marketplace that can mitigate and minimize the OWASP Top 10 vulnerabilities and threats.
This option suggests creating a web ACL in AWS WAF and adding a rule from the AWS Marketplace that can mitigate and minimize OWASP Top 10 vulnerabilities and threats. AWS WAF (Web Application Firewall) is a web application firewall that helps protect web applications from common web exploits. This option is a cost-effective and straightforward approach to protect web applications against OWASP Top 10 vulnerabilities. The AWS Marketplace has pre-built rules to mitigate OWASP Top 10 vulnerabilities, making it simple to implement. This option is a suitable choice for this scenario.
Option B: Set up AWS WAF and use a CloudFormation stack to create a Web ACL along with condition types and rules to protect the web applications in AWS.
This option suggests using a CloudFormation stack to create a web ACL along with condition types and rules to protect web applications in AWS. AWS CloudFormation is a service that helps deploy infrastructure as code. This option is a more complex approach than option A, as it requires creating a CloudFormation stack, but it can provide more customization options. If the DevOps team is familiar with AWS CloudFormation, this option can be a suitable choice.
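The following CloudFormation template is an added example of the approach described in option B; it is not taken from the page or from the AWS whitepaper it references. It uses the current WAFv2 resource types and AWS managed rule groups (the whitepaper was written for classic WAF "condition types" and hand-built rules, which the same template structure can also express). The `LoadBalancerArn` parameter, the Web ACL name and the metric names are assumptions you would replace with your own; the three managed rule group names are real AWS-vendored groups that cover SQL injection, XSS and other OWASP Top 10 injection categories. The `VisibilityConfig` blocks turn on CloudWatch metrics and request sampling for every rule, which is the evidence (block counts per rule) an auditor would typically ask for.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example (not from the original page): a WAFv2 Web ACL that applies
  AWS managed rule groups for common OWASP Top 10 categories and attaches
  the ACL to a regional resource such as an Application Load Balancer.

Parameters:
  LoadBalancerArn:
    Type: String
    Description: >
      ARN of the Application Load Balancer (or other REGIONAL resource)
      to protect. Assumed placeholder; supply your own value.

Resources:
  OwaspWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: owasp-top10-web-acl          # assumed name
      Scope: REGIONAL                    # use CLOUDFRONT (in us-east-1) for distributions
      DefaultAction:
        Allow: {}                        # allow anything no rule blocks
      VisibilityConfig:                  # ACL-level metrics for audit evidence
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: OwaspWebAcl
      Rules:
        # Baseline group: includes cross-site scripting, path traversal,
        # oversized body and other generic web-exploit rules.
        - Name: AWSManagedRulesCommonRuleSet
          Priority: 0
          OverrideAction:
            None: {}                     # keep the group's own Block actions
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesCommonRuleSet
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: CommonRuleSet
        # SQL injection patterns in query string, body, cookies and URI.
        - Name: AWSManagedRulesSQLiRuleSet
          Priority: 1
          OverrideAction:
            None: {}
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesSQLiRuleSet
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: SQLiRuleSet
        # Request patterns tied to known vulnerability exploitation attempts.
        - Name: AWSManagedRulesKnownBadInputsRuleSet
          Priority: 2
          OverrideAction:
            None: {}
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesKnownBadInputsRuleSet
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: KnownBadInputsRuleSet

  # Attach the Web ACL to the load balancer so traffic is actually inspected.
  WebAclAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref LoadBalancerArn
      WebACLArn: !GetAtt OwaspWebAcl.Arn

Outputs:
  WebAclArn:
    Description: ARN of the Web ACL, for reference in audit documentation
    Value: !GetAtt OwaspWebAcl.Arn
```

Deploy it with `aws cloudformation deploy --template-file waf.yaml --stack-name owasp-waf --parameter-overrides LoadBalancerArn=<your ALB ARN>`. A practical caveat: managed rule groups can produce false positives on legitimate traffic, so a common rollout is to first set `OverrideAction: Count: {}` on each group, review the `BlockedRequests`/`CountedRequests` CloudWatch metrics and sampled requests, then switch to `None: {}` once the rules are tuned. The per-rule metrics this template enables are what you would export as evidence for the audit.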
Option C: Enable AWS Shield Advanced, which can protect the AWS EC2 instances and Lambda functions against web attacks that belong to OWASP Top 10.
This option suggests enabling AWS Shield Advanced, which is a managed DDoS protection service that helps protect against attacks that belong to OWASP Top 10. This service is cost-effective and simple to implement, but it only protects against DDoS attacks and not other web vulnerabilities. This option is not the best choice for this scenario, as the security team requested evidence that the web applications are protected against OWASP Top 10 vulnerabilities.
Option D: Set up AWS Inspector and include the “OWASP Top 10” rule package in the assessment to mitigate the major vulnerabilities.
This option suggests setting up AWS Inspector, which is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. It includes the “OWASP Top 10” rule package, which can mitigate the major vulnerabilities. However, this option is not the best choice for this scenario, as it requires a more complex setup process and is not as cost-effective as option A.
In conclusion, option A, creating a web ACL in AWS WAF and adding a rule from AWS Marketplace, is the best choice for this scenario. It is a cost-effective and straightforward approach that can mitigate OWASP Top 10 vulnerabilities and threats.