Question #712
A company hosts its web application using Amazon ECS tasks on AWS Fargate, which are fronted by an Application Load Balancer (ALB). The service uses ECS Service Auto Scaling based on CPU utilization to handle traffic fluctuations.
Recently, the application became unresponsive due to a surge in traffic. Investigation revealed that the traffic spike was caused by numerous SQL injection attacks, which also triggered the service to scale out to its maximum limit.
The solutions architect must design a solution to prevent SQL injection attacks from reaching the ECS tasks. The solution must ensure legitimate traffic is unaffected and maintain operational efficiency.
Which solution meets these requirements?
A. Configure an AWS WAF web ACL with a rule that inspects and blocks requests matching the SQL injection rules from the AWS Managed Rules. Attach the web ACL to the ALB and set the default action to allow all other traffic.
B. Implement AWS WAF Bot Control to identify and block automated bots sending malicious requests. Attach the managed rule group to the ALB's web ACL and allow all other traffic.
C. Create an AWS WAF web ACL with a rate-based rule to block IP addresses exceeding a threshold of requests per minute. Associate the web ACL with the ALB to mitigate high request volumes.
D. Set up an AWS Lambda function that analyzes ALB access logs for SQL injection patterns and updates an AWS WAF IP set to block offending IPs. Attach the web ACL with this rule to the ALB.
Explanation
Answer A is correct because:
1. AWS WAF Managed Rules: The AWS Managed Rules include pre-configured SQL injection detection rules, which block malicious requests before they reach the ECS tasks.
2. ALB Integration: Attaching the web ACL to the ALB ensures all traffic is inspected before reaching the backend, stopping SQL injection attacks at the edge.
3. Default Allow Action: Setting the default action to 'allow' ensures legitimate traffic is unaffected.
Why other options are incorrect:
- B (Bot Control): Bot Control targets automated bots, not SQL injection attacks specifically. SQL injection payloads sent from non-bot sources would not be flagged, and the request content itself is not inspected for SQLi.
- C (Rate-Based Rule): Rate-based rules block high-volume IPs but do not inspect request content, allowing low-volume SQL injection attacks to pass.
- D (Lambda + Log Analysis): This approach is reactive (based on logs) and introduces latency, making it less efficient than real-time WAF inspection.
Key Points:
- Use AWS WAF with managed rules for real-time protection against SQL injection.
- Attach WAF to ALB to filter traffic before it impacts backend resources.
- Managed rules minimize operational overhead and ensure up-to-date threat detection.
Answer
The correct answer is: A
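The configuration that option A describes, written out as an added CloudFormation example (not part of the original question): a REGIONAL web ACL whose only rule is the AWS managed SQLi rule group, a default action of Allow, and an association with the ALB. The ALB ARN is a parameter placeholder, and the resource and metric names are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Regional WAF web ACL blocking SQLi via AWS Managed Rules, attached to an ALB (added example)

Parameters:
  AlbArn:
    Type: String
    Description: ARN of the existing Application Load Balancer (placeholder, supply your own)

Resources:
  SqliWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: ecs-alb-sqli-acl          # assumed name
      Scope: REGIONAL                 # ALBs require REGIONAL scope; CLOUDFRONT is only for distributions
      DefaultAction:
        Allow: {}                     # requests matching no rule pass through, so legitimate traffic is unaffected
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: ecs-alb-sqli-acl
      Rules:
        - Name: AWS-AWSManagedRulesSQLiRuleSet
          Priority: 0
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesSQLiRuleSet   # AWS-maintained SQL injection rule group
          OverrideAction:
            None: {}                  # keep the rule group's own Block actions; Count: {} observes without blocking
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: AWSManagedRulesSQLiRuleSet

  SqliWebAclAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref AlbArn        # inspection happens at the ALB, before traffic reaches the ECS tasks
      WebACLArn: !GetAtt SqliWebAcl.Arn
```

Deploying the rule group with `OverrideAction: Count` first and reviewing its CloudWatch metric and sampled requests shows what would be blocked before switching to `None`, which is how to confirm that legitimate traffic is unaffected.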