Question #1359
A media company hosts its web application on AWS using Amazon EC2 instances behind an Application Load Balancer (ALB), with data stored in Amazon RDS for MySQL. The security team has found that the application is vulnerable to SQL injection. What should the company do to mitigate this threat?
A. Deploy AWS WAF in front of the ALB and configure appropriate web ACL rules to filter SQL injection attempts.
B. Modify the ALB's listener rules to inspect SQL queries and block malicious requests.
C. Enable AWS Shield Standard to protect against SQL injection attacks at the network layer.
D. Use AWS Config to monitor and automatically remediate SQL injection vulnerabilities.
Explanation
Answer A is correct. AWS WAF (Web Application Firewall) is designed to protect web applications from common application-layer exploits such as SQL injection. Associated with the ALB and configured with a web ACL that includes the AWS Managed Rules SQL database rule group (AWSManagedRulesSQLiRuleSet), it inspects each HTTP request (URI path, query string, headers, cookies and request body) for SQL injection patterns and blocks matching requests before they reach the EC2 instances. WAF is a compensating control, not a fix: signature matching can be evaded by encoding or fragmenting the payload, so the application code should also be corrected to use parameterized queries (prepared statements) against RDS.
Why other options are incorrect:
- B: ALB listener rules match on host, path, HTTP method, headers, query-string parameters and source IP only to decide where to forward a request (or to return a fixed response or redirect). They carry no SQL injection signatures and are not a request-inspection engine; that role in front of an ALB belongs to AWS WAF.
- C: AWS Shield Standard protects against common network- and transport-layer (Layer 3/4) DDoS attacks. It does not inspect request content and cannot detect application-layer attacks such as SQL injection.
- D: AWS Config records resource configurations and evaluates them against rules (with optional remediation of misconfigurations). It never sees request traffic and cannot block SQL injection attempts in real time.
Key Points:
1. SQL injection is an application-layer (Layer 7) attack; blocking it at the edge requires inspecting HTTP/HTTPS request content.
2. AWS WAF is the AWS service for filtering web requests against OWASP Top 10 style attacks, and AWS Managed Rules include a dedicated SQL database rule group.
3. ALB operates at Layer 7 but lacks built-in SQL injection detection.
4. Shield and Config address different security aspects (DDoS protection and compliance monitoring).
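As an added example (not part of the original question, and not AWS's own code), the Terraform configuration below builds the web ACL described in the explanation: a regional web ACL containing the AWS Managed Rules SQL database rule group, associated with the ALB. The ALB resource name `aws_lb.app`, the ACL name and the metric names are assumptions.

```hcl
# Added example: regional web ACL with the AWS managed SQL injection rule group,
# attached to the ALB. Resource names (aws_lb.app, "app-web-acl") are assumptions.

resource "aws_wafv2_web_acl" "app" {
  name  = "app-web-acl"
  scope = "REGIONAL" # REGIONAL for ALB/API Gateway; CLOUDFRONT only for CloudFront

  # Requests that match no rule are allowed; the SQLi rule group decides the rest.
  default_action {
    allow {}
  }

  rule {
    name     = "AWSManagedRulesSQLiRuleSet"
    priority = 1

    # none {} enforces the rule group's own block actions.
    # During rollout replace with `count {}` so matches are only logged/metered,
    # review the sampled requests, then switch back to none {} to block.
    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesSQLiRuleSet" # AWS SQL database rule group
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "appSqliRuleSet"
      sampled_requests_enabled   = true # keeps samples of matched requests for review
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "appWebAcl"
    sampled_requests_enabled   = true
  }
}

# Associating the web ACL with the ALB is what puts WAF "in front of" it;
# without this association the ACL inspects nothing.
resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = aws_lb.app.arn
  web_acl_arn  = aws_wafv2_web_acl.app.arn
}
```

Deploy first with `override_action { count {} }`, watch the rule group's CloudWatch metrics and sampled requests for false positives on legitimate traffic (search forms and rich-text fields are the usual offenders), then switch to `none {}` to block. The ACL reduces exposure while the application's SQL is being moved to prepared statements; it does not remove the underlying vulnerability.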
Answer
The correct answer is: A