AWS WAF – Networking and Connectivity – SOA-C02 Study Guide

AWS WAF

This section covers the following objective of Domain 5 (Networking and Content Delivery) from the official AWS Certified SysOps Administrator – Associate (SOA-C02) exam guide:

5.1 Implement networking features and connectivity

CramSaver

If you can correctly answer these questions before going through this section, save time by skimming the Exam Alerts in this section and then completing the Cram Quiz at the end of the section.

1. Which security solution can apply rate-based rules to stop DDoS or brute-force attacks?

2. On which services can the AWS WAF be deployed?

Answers

1. Answer: AWS WAF

2. Answer: CloudFront, Application Load Balancer, AppSync, and API Gateway

AWS WAF

The AWS Web Application Firewall (WAF) is a managed firewall service that lets you configure rules to allow, block, or monitor (count) web requests based on conditions that you define. AWS WAF can be deployed on Application Load Balancers (ALBs), API Gateway, AppSync, and CloudFront. It protects your resources and stops malicious traffic. Rules can be created based on conditions such as HTTP headers, the HTTP body, URI strings, SQL injection patterns, and cross-site scripting patterns. When used with CloudFront, AWS WAF can also protect custom origins outside of AWS, such as on-premises web servers.

AWS WAF also supports rate-based rules that can help protect against DDoS and brute-force attacks. A rate-based rule is triggered when the number of requests from a single IP address exceeds a defined threshold. Once an IP address exceeds the configured limit, its additional requests are blocked.
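To make the rate-based mechanism concrete, here is an added Python example (not from the study guide or from AWS) that models a per-IP trailing-window counter like the one a rate-based rule applies, and builds the rule definition in the shape the WAFv2 API expects. The 300-second window and the limit of 5 are assumptions chosen so the constructed sample trips the rule; the real minimum limit and default window in AWS WAF differ.

```python
"""Model of an AWS WAF rate-based rule: count requests per source IP over a
trailing window and block an IP once its count exceeds the limit."""
from collections import defaultdict, deque

# Assumed values for this example (not AWS defaults): a 5-minute trailing
# window and a deliberately small limit so the sample below exceeds it.
WINDOW_SECONDS = 300
LIMIT = 5


def rate_based_rule_json(name: str, limit: int) -> dict:
    """Rule definition in the shape the WAFv2 API uses for a rate-based rule
    keyed on source IP, with a Block action and CloudWatch metrics enabled."""
    return {
        "Name": name,
        "Priority": 0,
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def evaluate(requests, limit=LIMIT, window=WINDOW_SECONDS):
    """requests: iterable of (timestamp_seconds, source_ip), in time order.
    Returns a list of (timestamp, ip, action) where action is ALLOW or BLOCK."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    decisions = []
    for ts, ip in requests:
        q = recent[ip]
        while q and ts - q[0] >= window:  # expire timestamps that left the window
            q.popleft()
        q.append(ts)
        # the request is counted first; blocking starts once the count exceeds the limit
        action = "BLOCK" if len(q) > limit else "ALLOW"
        decisions.append((ts, ip, action))
    return decisions


# Constructed sample traffic: one client bursts 8 requests in 8 seconds and
# returns after the window has expired; another client stays under the limit.
SAMPLE = sorted(
    [(t, "198.51.100.7") for t in range(0, 8)]
    + [(t, "203.0.113.9") for t in (1, 50, 120)]
    + [(700, "198.51.100.7")]
)


def blocked_count(ip, decisions=None):
    """Number of BLOCK decisions recorded for one source IP."""
    decisions = decisions if decisions is not None else evaluate(SAMPLE)
    return sum(1 for _, i, a in decisions if i == ip and a == "BLOCK")
```

Requests 6 through 8 from the bursting client are blocked, while its request at t=700 is allowed again because the earlier timestamps have aged out of the window.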

AWS WAF managed rules provide preconfigured rules to protect against common threats. These rules are managed by AWS. Third-party provider rules from the AWS Marketplace can also be used. You can subscribe to these third-party rules, and they will be available for you to add to an AWS WAF web ACL. You can also create your own custom rules.

ExamAlert

The exam may describe certain types of attacks such as port scanning and DDoS. You should be able to identify the capabilities of different AWS security options to protect against these attacks.

Cram Quiz

Answer these questions. The answers follow the last question. If you cannot answer these questions correctly, consider reading this section again until you can.

1. VPC flow logs contain the following record:


2 123456789010 eni-1234a5aa123456789 17.14.10.2 172.16.10.12 49754 3389 6 20 4249 1418123456 1418123456 REJECT OK

Which statements regarding this flow log are correct?

A. The traffic is being blocked by the AWS WAF at CloudFront.

B. The destination port is 3389, and 17.14.10.12 is the source IP address.

C. The source port is 3389, and 17.14.10.12 is the source IP address.

D. The traffic is being rejected by either a security group or a network ACL.

2. A DDoS attack from many different source IP addresses is reaching web servers running on EC2. You cannot create firewall rules for every source IP address because there are too many to manually track. How can you mitigate this attack?

A. Use a rate limit rule on the AWS WAF.

B. Use a dynamic rule in a security group that matches the attack pattern.

C. Create a dynamic NACL list based on the contents of VPC flow logs.

D. Block entire malicious subnets in the necessary security groups.

Cram Quiz Answers

1. Answer: B and D are correct. You can configure AWS WAF to send its logging information using Kinesis, but AWS WAF logs do not appear in your VPC flow logs. Flow logs record traffic that is evaluated by network ACLs and security groups, so a REJECT entry reflects one of those controls.

2. Answer: A is correct. Rate-based rules track the number of requests from incoming IP addresses. When the configured limit is exceeded, the rule action is enforced on the offending IP addresses.