AWS Certified Solutions Architect - Professional / Question #626 of 529

Question #626

A company is deploying a new web application on Amazon EC2 instances behind an Application Load Balancer. The company wants to implement AWS WAF to protect against common web exploits while ensuring that legitimate users are not blocked. The solution must minimize disruption during the initial deployment phase.

How should the solutions architect configure the web ACLs to meet these requirements?

A

Set the action of the web ACL rules to Count. Enable AWS WAF logging. Analyze the requests for false positives. Modify the rules to eliminate the false positives. Over time, change the action of the web ACL rules from Count to Block.

B

Use rate-based rules in the web ACLs with a high throttle limit. Temporarily block requests exceeding the limit. Define nested conditions to refine the rate-tracking scope.

C

Set the action of the web ACL rules to Block. Use AWS managed rule groups exclusively. Evaluate the rules using Amazon CloudWatch metrics and AWS WAF logs.

D

Create custom rule groups with Allow actions. Enable AWS WAF logging. Analyze requests for false positives, adjust rules, and gradually change the action from Allow to Block.

Explanation

Answer A is correct because:
1. Count Action: Setting the rules to 'Count' initially records requests that match the WAF rules (in the logs and CloudWatch metrics) without blocking them, so no legitimate users are accidentally blocked during deployment.
2. Log Analysis: AWS WAF logs show which requests would have been blocked, so false positives can be identified and the rules tuned.
3. Gradual Enforcement: After the rules have been refined to eliminate the false positives, switching them to 'Block' provides protection without disruption.

Other options are incorrect because:
- B: Rate-based rules focus on request volume, not exploit patterns, and blocking during initial deployment risks false positives.
- C: Blocking immediately with AWS managed rules risks blocking legitimate traffic without prior testing.
- D: 'Allow' actions do not protect against exploits; WAF rules should focus on blocking malicious traffic.

Key Points: Use 'Count' mode first to test WAF rules, analyze logs, then enforce blocking after validation.
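The Count-then-Block procedure from the explanation, as an added example that is not part of the original question or of any AWS material: one function emits the wafv2 web ACL rule entry for an AWS managed rule group with its override action set to Count (test phase) or None (enforcement phase), and a second function walks AWS WAF log records and aggregates the COUNT matches by rule and URI, which is the false-positive review step that happens in between. The log records are constructed for the example (field names follow the AWS WAF log schema; the values, the web ACL ARN and the client IP are placeholders), and the rule names used in them are assumed to be rules of the AWSManagedRulesCommonRuleSet.

```python
import json
from collections import Counter

MANAGED_RULE_GROUP = "AWSManagedRulesCommonRuleSet"


def managed_rule(enforce: bool) -> dict:
    """Return a wafv2 web ACL rule entry for an AWS managed rule group.

    enforce=False sets OverrideAction to Count: matches are recorded in the
    logs and metrics but the request is not blocked (deployment test phase).
    enforce=True sets OverrideAction to None so the rule group's own Block
    actions apply (enforcement phase, after the false positives are tuned out).
    """
    return {
        "Name": MANAGED_RULE_GROUP,
        "Priority": 0,
        "Statement": {
            "ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": MANAGED_RULE_GROUP}
        },
        "OverrideAction": {"None": {}} if enforce else {"Count": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": MANAGED_RULE_GROUP,
        },
    }


def _sample_record(uri: str, args: str, counted_rules: list) -> str:
    """Build one constructed AWS WAF log line (JSON) for a request that was
    allowed overall while the managed rule group, in Count mode, matched it."""
    return json.dumps({
        "timestamp": 1700000000000,
        "formatVersion": 1,
        "webaclId": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/PLACEHOLDER",
        "terminatingRuleId": "Default_Action",
        "terminatingRuleType": "REGULAR",
        "action": "ALLOW",
        "httpSourceName": "ALB",
        "ruleGroupList": [{
            "ruleGroupId": "AWS#" + MANAGED_RULE_GROUP,
            "terminatingRule": None,
            "nonTerminatingMatchingRules": [
                {"ruleId": rule, "action": "COUNT"} for rule in counted_rules
            ],
        }],
        "nonTerminatingMatchingRules": [],
        "httpRequest": {"clientIp": "203.0.113.10", "country": "US",
                        "uri": uri, "args": args, "httpMethod": "GET"},
    })


# Constructed sample log lines: a legitimate search endpoint whose redirect
# parameter carries a URL (counted twice), an upload endpoint with a large
# body (counted once), and a plain request that matched nothing.
SAMPLE_WAF_LOG_LINES = [
    _sample_record("/api/search", "q=shoes&redirect=https://shop.example/cart",
                   ["GenericRFI_QUERYARGUMENTS"]),
    _sample_record("/api/search", "q=hats&redirect=https://shop.example/cart",
                   ["GenericRFI_QUERYARGUMENTS"]),
    _sample_record("/upload", "", ["SizeRestrictions_BODY"]),
    _sample_record("/", "", []),
]


def counted_matches(record: dict):
    """Yield (rule id, uri) for every COUNT match in one log record, looking
    both at the top-level list and inside each rule group entry."""
    uri = record.get("httpRequest", {}).get("uri", "")
    for group in [record] + record.get("ruleGroupList", []):
        for match in group.get("nonTerminatingMatchingRules", []):
            if match.get("action") == "COUNT":
                yield match["ruleId"], uri


def false_positive_candidates(log_lines) -> Counter:
    """Aggregate COUNT matches by (rule, uri) across log lines.

    A rule that repeatedly counts requests to an endpoint legitimate clients
    use is a candidate for tuning (scope-down statement, rule action
    override, or label-based exception) before the action is changed to Block.
    """
    counter = Counter()
    for line in log_lines:
        for key in counted_matches(json.loads(line)):
            counter[key] += 1
    return counter


if __name__ == "__main__":
    print(json.dumps(managed_rule(enforce=False), indent=2))
    for (rule, uri), hits in false_positive_candidates(SAMPLE_WAF_LOG_LINES).most_common():
        print(f"{hits:4d}  {rule:35s} {uri}")
```

Running the block prints the Count-mode rule entry and a ranked list of counted (rule, URI) pairs; in the constructed data the redirect parameter on /api/search is the obvious false-positive candidate to review before flipping the override action to None.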

Answer

The correct answer is: A