AWS WAF Integration for Secure Web Applications

Integrating AWS WAF for Enhanced Security

Question

A company is planning to host an application consisting of the following layers: a set of EC2 instances hosting the web layer, a database on an RDS instance, and S3 static websites serving global customers. You need to ensure that AWS WAF can be used as a defensive firewall for this system.

Which of the following would you need to have to ensure this integration is possible? Choose 2 answers from the options given below.

Answers

Explanations


A. B. C. D.

Answer - A and C.

This is mentioned in the AWS Documentation.

AWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to Amazon CloudFront or an Application Load Balancer.

AWS WAF also lets you control access to your content.

Based on conditions that you specify, such as the IP addresses that requests originate from or the values of query strings, CloudFront or an Application Load Balancer responds to requests either with the requested content or with an HTTP 403 status code (Forbidden).

You also can configure CloudFront to return a custom error page when a request is blocked.

Option B is invalid because AWS WAF cannot be associated with a Network Load Balancer; among the load balancer types, it supports only the Application Load Balancer.

Option D is invalid because the CloudFront distribution should be placed in front of the S3 static websites, not in front of the database instance.

For more information on Web Application Firewall, please visit the below URL.

https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html

To use AWS WAF as a defensive firewall for the given system, we need to protect the EC2 instances hosting the web layer from common web exploits such as SQL injection, cross-site scripting (XSS), and others. AWS WAF cannot be attached to an EC2 instance directly; it needs a supported resource in the HTTP request path. To achieve this, we place an Application Load Balancer (ALB) in front of the EC2 instances and associate the web ACL with the ALB.

Therefore, the correct answers are A and C.

Option B, a Network Load Balancer (NLB), is a Layer 4 load balancer that operates at the transport layer. It neither terminates nor inspects HTTP, so it cannot identify web application attacks, and AWS WAF cannot be associated with it. Hence, it is not an appropriate choice for this scenario.

Option D, placing a CloudFront distribution in front of the database instance, is not a suitable solution because CloudFront is a content delivery network (CDN) that caches and delivers content from S3 buckets or other HTTP origins to end users with low latency; it is not designed to front a database, and AWS WAF inspects only HTTP and HTTPS requests. Moreover, the RDS instance should not be reachable from the internet at all; it belongs in private subnets, accepting connections only from the web tier. Therefore, this option is incorrect.

In contrast, Option C, placing a CloudFront distribution in front of the S3 bucket, is a suitable solution because the distribution acts as a content delivery network and also provides web application firewall protection by integrating with AWS WAF: a CloudFront-scoped web ACL is attached to the distribution itself. AWS WAF lets us create custom rules to inspect and filter HTTP traffic based on specific conditions, such as IP addresses, geographic locations, HTTP headers, and URI strings. Note that the web ACL only sees requests that reach CloudFront; if the bucket or its website endpoint stays publicly reachable, clients can bypass the rules by fetching from S3 directly, so the bucket should be restricted so that only the distribution can read it. With that in place, CloudFront with AWS WAF protects the S3 static websites from web exploits and improves the security posture of the application.

In summary, to integrate AWS WAF as a defensive firewall in the given system, we place an Application Load Balancer in front of the EC2 instances hosting the web layer and a CloudFront distribution in front of the S3 bucket, and attach a web ACL to each. In both cases WAF inspects only traffic that passes through the attached resource, so the EC2 instances should accept traffic only from the ALB's security group and the bucket only from the distribution.
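The two attachments described above, written out as an added Terraform example; this is not code from the original page or from AWS documentation. It assumes an existing ALB and an existing static-site bucket, supplied as the inputs var.alb_arn and var.static_site_bucket_domain, and that the default provider region (from AWS_REGION or the profile) is the ALB's region. It goes a little beyond the question in showing the two WAF scopes a practitioner has to get right: a REGIONAL web ACL must be created in the ALB's region and is bound with aws_wafv2_web_acl_association, while a CLOUDFRONT web ACL must be created in us-east-1 and is bound by setting web_acl_id on the distribution. The rule contents (the AWS managed Common Rule Set and a 2000-requests-per-5-minutes rate limit) are illustrative choices, not requirements from the question.

```hcl
# Assumed: default provider region = the ALB's region; CLOUDFRONT-scoped WAF resources must be created in us-east-1.
provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
}

variable "alb_arn" { type = string }                   # existing ALB ARN (assumed input)
variable "static_site_bucket_domain" { type = string } # existing bucket regional domain name (assumed input)

resource "aws_wafv2_web_acl" "web_tier" { # Option A: REGIONAL web ACL in the ALB's region
  name  = "web-tier-acl"
  scope = "REGIONAL"
  default_action {
    allow {}
  }
  rule { # AWS managed rule group covering SQL injection, XSS and other common exploits
    name     = "common-rule-set"
    priority = 1
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "web-tier-common"
      sampled_requests_enabled   = true
    }
  }
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "web-tier-acl"
    sampled_requests_enabled   = true
  }
}

# Explicit association for the ALB. An NLB ARN here is rejected: AWS WAF does not support NLBs (option B).
resource "aws_wafv2_web_acl_association" "web_tier" {
  resource_arn = var.alb_arn
  web_acl_arn  = aws_wafv2_web_acl.web_tier.arn
}

resource "aws_wafv2_web_acl" "static_site" { # Option C: CLOUDFRONT-scoped web ACL, created in us-east-1
  provider = aws.us_east_1
  name     = "static-site-acl"
  scope    = "CLOUDFRONT"
  default_action {
    allow {}
  }
  rule { # block any source IP that exceeds 2000 requests in a 5-minute window
    name     = "rate-limit-per-ip"
    priority = 1
    action {
      block {}
    }
    statement {
      rate_based_statement {
        limit              = 2000
        aggregate_key_type = "IP"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "static-site-rate-limit"
      sampled_requests_enabled   = true
    }
  }
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "static-site-acl"
    sampled_requests_enabled   = true
  }
}

# CloudFront has no association resource: the web ACL ARN is set on the distribution itself as web_acl_id.
resource "aws_cloudfront_distribution" "static_site" {
  enabled    = true
  web_acl_id = aws_wafv2_web_acl.static_site.arn
  origin {
    domain_name = var.static_site_bucket_domain
    origin_id   = "s3-static-site"
  }
  default_cache_behavior {
    target_origin_id       = "s3-static-site"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    cache_policy_id        = "658327ea-f89d-4fab-a63d-7e88639e58f6" # AWS managed CachingOptimized policy
  }
  restrictions {
    geo_restriction { restriction_type = "none" }
  }
  viewer_certificate { cloudfront_default_certificate = true }
}
```

Run `terraform init` and `terraform plan` with the two variables set. If the regional ACL were given `scope = "CLOUDFRONT"`, or the CloudFront ACL were created outside us-east-1, the plan or apply fails, which is the scope mismatch the text warns about. The origin block assumes the bucket's regional REST endpoint; a bucket served as an S3 website endpoint needs a custom_origin_config instead, and in either case the bucket policy should be restricted to the distribution so requests cannot bypass the web ACL.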