You've been hired to enhance the overall security posture for a large e-commerce site.
They have a well-architected, multi-tier application running in a VPC that uses ELBs in front of both the web and the app tier with static assets served directly from S3
They are using a combination of RDS and DynamoDB for their dynamic data and then archiving nightly into S3 for further processing with EMR.
They are concerned because they found questionable log entries and a flood of superfluous requests for accessing the resources.
You suspect that someone is performing a DDoS attack.
How would you mitigate this kind of attack in the easiest and most cost-efficient way?
Click on the arrows to vote for the correct answer
A. B. C. D. E.Answer - C.
In such scenarios where you are designing a solution to prevent the DDoS attack, you can use a Web Application Firewall (WAF).
AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources.
AWS WAF gives you control over which traffic to allow or block your web applications by defining customizable web security rules.
You can use AWS WAF to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules designed for your specific application.
New rules can be deployed within minutes, letting you respond quickly to changing traffic patterns.
Option A is incorrect because, although this option could work, the setup is very complex and is not a cost-effective solution.
Option B is incorrect because (a) even though blocking certain IPs will mitigate the risk, the attacker could maneuver the IP address and circumvent the IP check by NACL, and (b) it does not prevent the attack from the new source of threat.
Option C is CORRECT because you can use AWS WAF web access control lists (web ACLs) to help minimize the effects of a distributed denial of service (DDoS) attack.
Reference can be found in https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html.
Option D is incorrect because there is no such thing as the Advanced Protocol Filtering feature for ELB.For more information on WAF, please visit the below URL-
https://aws.amazon.com/waf/The scenario presented in this question is focused on enhancing the security posture of a large e-commerce site. The site uses a multi-tier application running in a Virtual Private Cloud (VPC) with Elastic Load Balancers (ELBs) in front of the web and app tiers, with static assets being served directly from Amazon S3. Dynamic data is stored in a combination of Amazon RDS and DynamoDB, with nightly archiving to Amazon S3 for further processing with Amazon EMR. The company is concerned about the possibility of a Distributed Denial of Service (DDoS) attack due to questionable log entries and an excess of requests for accessing resources.
There are multiple ways to mitigate a DDoS attack in AWS. However, the question is asking for the easiest and most cost-efficient solution, so we must evaluate each answer choice to determine which solution best fits the criteria.
Answer choice A recommends that the company lease space at a DirectConnect partner location and establish a 1G DirectConnect connection to their VPC. While this would provide a dedicated and reliable connection to the VPC, it is not the easiest or most cost-efficient solution for mitigating a DDoS attack.
Answer choice B suggests establishing internet connectivity into the space and filtering traffic with a hardware Web Application Firewall (WAF) before passing traffic through the DirectConnect connection into the application. This solution is more complex and expensive than necessary and therefore not the easiest or most cost-efficient.
Answer choice C proposes adding previously identified host file source IPs as an explicit inbound deny network access control list (NACL) to the web tier subnet. While this could help to block traffic from known sources of the attack, it is not an effective solution for mitigating a DDoS attack since the attacker could easily change the source IP addresses.
Answer choice D is the best answer for mitigating a DDoS attack in the easiest and most cost-efficient way. It recommends enabling AWS WAF to protect the application from the DDoS attack. AWS WAF is a web application firewall that helps protect web applications from common web exploits and attacks. It can be easily deployed with Amazon CloudFront and Application Load Balancer (ALB) to protect web applications running on EC2 instances or running on AWS services like S3.
Finally, answer choice E recommends removing all but TLS 1 and 2 from the web tier ELB and enabling advanced protocol filtering. While this solution can help to protect against certain types of attacks, it is not as effective as using AWS WAF for mitigating a DDoS attack.
In summary, the best and easiest way to mitigate a DDoS attack in this scenario is to enable AWS WAF to protect the application from the attack.