40. WAF

WAF = Web Application Firewall
i. WAF lets you monitor the HTTP and HTTPS requests that are forwarded to CloudFront, an Application Load Balancer (ALB) or API Gateway.
ii. Lets you control access to your content.
iii. HTTP and HTTPS operate at the application layer (layer 7).
iv. WAF is a layer 7 web firewall.
v. We can configure conditions such as which IP addresses are allowed to make a request, or which query string parameters must be present for the request to be allowed.
vi. The ALB, CloudFront distribution or API Gateway then either allows the content to be served or returns an HTTP 403 (Forbidden) status code.

AWS WAF is a web application firewall service that lets you monitor web requests and protect your web applications from malicious requests. Use AWS WAF to block or allow requests based on conditions that you specify, such as the IP addresses. You can also use AWS WAF preconfigured protections to block common attacks like SQL injection or cross-site scripting.

WAF allows three different behaviours:
i. Allow all requests except the ones you specify
ii. Block all requests except the ones you specify
iii. Count the requests that match the properties you specify

WAF provides extra protection against web attacks using conditions you specify. You can define conditions using characteristics of web requests such as:
i. IP addresses that requests originate from
ii. Country that requests originate from
iii. Values in request headers
iv. Strings that appear in requests, either specific strings or strings that match regular expression patterns
v. Length of requests
vi. Presence of SQL code that is likely to be malicious (known as SQL injection)
vii. Presence of script that is likely to be malicious (known as cross-site scripting)

Question 1:
A media company runs a photo-sharing web application that is accessed across three different countries. The application is deployed on several Amazon EC2 instances running behind an Application Load Balancer. With new government regulations, the company has been asked to block access from two countries and allow access only from the home country of the company. Which configuration should be used to meet this changed requirement?
Answer: Configure AWS WAF on the ALB in a VPC
Explanation: You can use AWS WAF with your Application Load Balancer to allow or block requests based on the rules in a web access control list (web ACL). Geographic (Geo) Match Conditions in AWS WAF allow you to restrict application access based on the geographic location of your viewers. With geo match conditions you can choose the countries from which AWS WAF should allow access.
Geo match conditions are important for many customers. For example, legal and licensing requirements restrict some customers from delivering their applications outside certain countries. These customers can configure a whitelist that allows only viewers in those countries. Other customers need to prevent the downloading of their encrypted software by users in certain countries. These customers can configure a blacklist so that end-users from those countries are blocked from downloading their software.

Question 2:
Your company uses S3 as storage for data and runs an application that provides S3 objects to users. As an application administrator, you recently discovered that the URL links for the data provided by this application are being used without permission. You need to address this issue by making external links permanently unavailable.
Select the service you need for this requirement.
Options:
A. Deliver data as an object with a pre-signed URL
B. Apply Referrer restrictions for links provided by AWS WAF
C. Deliver data as an object with signed cookies
D. Restrict delivery by encrypting access processing to S3
Answer: B
Explanation
You can configure content delivery with CloudFront in front of S3 and use AWS WAF to implement Referrer limits. AWS WAF is a web application firewall that monitors HTTP and HTTPS requests forwarded to CloudFront and allows you to control access to your content. You can restrict direct references to URL links with a Referrer restriction in AWS WAF. Therefore, option B is the correct answer.
Options A and C are incorrect. CloudFront signed URLs and signed cookies provide much the same functionality and give you control over who can access your content. However, they are not correct because they cannot permanently prohibit direct links.
Option D is incorrect. It is not possible to restrict distribution by encrypting the access process to S3.

Question 3:
A media company runs a photo-sharing web application that is accessed across three different countries. The application is deployed on several Amazon EC2 instances running behind an Application Load Balancer. With new government regulations, the company has been asked to block access from two countries and allow access only from the home country of the company.
Which configuration should be used to meet this changed requirement?
Options:
A. Use Geo Restriction feature of Amazon CloudFront in a VPC
B. Configure the security group for the EC2 instances
C. Configure the security group on the Application Load Balancer
D. Configure AWS WAF on the Application Load Balancer in a VPC
Answer: D
Explanation
Correct option:
AWS WAF is a web application firewall service that lets you monitor web requests and protect your web applications from malicious requests. Use AWS WAF to block or allow requests based on conditions that you specify, such as the IP addresses. You can also use AWS WAF preconfigured protections to block common attacks like SQL injection or cross-site scripting.
Configure AWS WAF on the Application Load Balancer in a VPC
You can use AWS WAF with your Application Load Balancer to allow or block requests based on the rules in a web access control list (web ACL). Geographic (Geo) Match Conditions in AWS WAF allow you to restrict application access based on the geographic location of your viewers. With geo match conditions you can choose the countries from which AWS WAF should allow access.
Geo match conditions are important for many customers. For example, legal and licensing requirements restrict some customers from delivering their applications outside certain countries. These customers can configure a whitelist that allows only viewers in those countries. Other customers need to prevent the downloading of their encrypted software by users in certain countries. These customers can configure a blacklist so that end-users from those countries are blocked from downloading their software.
Incorrect options:
Use Geo Restriction feature of Amazon CloudFront in a VPC – The Geo Restriction feature of CloudFront helps in restricting traffic based on the user’s geographic location. But CloudFront works from edge locations and doesn’t belong to a VPC. Hence, this option itself is incorrect and is given only as a distractor.
Configure the security group on the Application Load Balancer
Configure the security group for the EC2 instances
Security Groups cannot restrict access based on the user’s geographic location.

Question 4:
To improve the performance and security of the application, the engineering team at a company has created a CloudFront distribution with an Application Load Balancer as the custom origin. The team has also set up a Web Application Firewall (WAF) with CloudFront distribution. The security team at the company has noticed a surge in malicious attacks from a specific IP address to steal sensitive data stored on the EC2 instances.
As a solutions architect, which of the following actions would you recommend to stop the attacks?
A. Create a ticket with AWS support to take action against the malicious IP
B. Create a deny rule for the malicious IP in the NACL associated with each of the instances
C. Create a deny rule for the malicious IP in the Security Groups associated with each of the instances
D. Create an IP match condition in the WAF to block the malicious IP address
Answer: D
Explanation
Correct option:
Create an IP match condition in the WAF to block the malicious IP address
AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources. AWS WAF gives you control over how traffic reaches your applications by enabling you to create security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter out specific traffic patterns you define.
If you want to allow or block web requests based on the IP addresses that the requests originate from, create one or more IP match conditions. An IP match condition lists up to 10,000 IP addresses or IP address ranges that your requests originate from. So, this option is correct.
Incorrect options:
Create a deny rule for the malicious IP in the NACL associated with each of the instances – NACLs are not associated with instances. So this option is also ruled out.
Create a deny rule for the malicious IP in the Security Groups associated with each of the instances – You cannot deny rules in Security Groups. So this option is ruled out.
Create a ticket with AWS support to take action against the malicious IP – Managing the security of your application is your responsibility, not that of AWS, so you cannot raise a ticket for this issue.
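The notes above describe WAF conditions (IP, country, header, string and size), the three web ACL behaviours (allow all except, block all except, count), and two ways they are applied in the questions: a geo match allow-list for the home country (Questions 1 and 3) and an IP match block rule for a single malicious address (Question 4). The following Python is an added example written for these notes, not AWS code: it models how a web ACL evaluates a request against ordered rules, with ALLOW and BLOCK as terminating actions, COUNT as a non-terminating action, and the default action applied when no terminating rule matches. The `Request`, `Rule` and `WebACL` classes, the helper names, and the sample traffic (RFC 5737 documentation addresses, constructed) are all assumptions for illustration; none of them are AWS API names.

```python
# Added example: a small model of how an AWS WAF web ACL evaluates a request.
# It is not AWS code; the Request/Rule/WebACL classes and helper names are
# assumptions made for illustration. Rules run in priority order; ALLOW and
# BLOCK are terminating, COUNT records a match and evaluation continues; the
# default action applies when no terminating rule matches.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Tuple
import re


@dataclass
class Request:
    """The request attributes WAF conditions inspect (constructed, not a real log)."""
    source_ip: str
    country: str                       # ISO 3166-1 alpha-2 code as geo match reports it
    headers: Dict[str, str] = field(default_factory=dict)
    uri: str = "/"
    query: str = ""


# Condition builders, one per condition type listed in the notes.
def ip_match(cidrs: List[str]) -> Callable[[Request], bool]:
    nets = [ip_network(c) for c in cidrs]
    return lambda r: any(ip_address(r.source_ip) in n for n in nets)


def geo_match(countries: List[str]) -> Callable[[Request], bool]:
    wanted = {c.upper() for c in countries}
    return lambda r: r.country.upper() in wanted


def header_match(name: str, pattern: str) -> Callable[[Request], bool]:
    rx = re.compile(pattern)
    return lambda r: rx.search(r.headers.get(name, "")) is not None


def size_over(limit: int) -> Callable[[Request], bool]:
    return lambda r: len(r.uri) + len(r.query) > limit


@dataclass
class Rule:
    name: str
    condition: Callable[[Request], bool]
    action: str                        # "ALLOW", "BLOCK" or "COUNT"


@dataclass
class WebACL:
    rules: List[Rule]                  # in priority order
    default_action: str                # "ALLOW" or "BLOCK"

    def evaluate(self, req: Request) -> Tuple[str, str, List[str]]:
        """Return (final action, deciding rule name, names of COUNT rules that matched)."""
        counted: List[str] = []
        for rule in self.rules:
            if not rule.condition(req):
                continue
            if rule.action == "COUNT":
                counted.append(rule.name)  # non-terminating: keep evaluating
                continue
            return rule.action, rule.name, counted  # ALLOW/BLOCK terminate
        return self.default_action, "default", counted


def geo_allowlist_acl(home_country: str) -> WebACL:
    """Block all requests except those from the home country (Questions 1 and 3)."""
    return WebACL(
        rules=[Rule("allow-home-country", geo_match([home_country]), "ALLOW")],
        default_action="BLOCK",
    )


def ip_blocklist_acl(bad_cidrs: List[str]) -> WebACL:
    """Allow all requests except those from listed IPs (Question 4); count long queries first."""
    return WebACL(
        rules=[
            Rule("count-long-query", size_over(64), "COUNT"),   # observe before enforcing
            Rule("block-malicious-ip", ip_match(bad_cidrs), "BLOCK"),
        ],
        default_action="ALLOW",
    )


if __name__ == "__main__":
    # Constructed sample traffic using RFC 5737 documentation addresses.
    home = Request("203.0.113.10", "US")
    abroad = Request("198.51.100.7", "FR")
    long_q = Request("198.51.100.7", "US", query="q=" + "a" * 80)
    print(geo_allowlist_acl("US").evaluate(home))     # ('ALLOW', 'allow-home-country', [])
    print(geo_allowlist_acl("US").evaluate(abroad))   # ('BLOCK', 'default', [])
    print(ip_blocklist_acl(["198.51.100.7/32"]).evaluate(long_q))
    # ('BLOCK', 'block-malicious-ip', ['count-long-query'])
```

The last call shows why COUNT is useful when tuning: the oversize query is counted even though a later BLOCK rule terminates the evaluation, so the count can be reviewed before the rule is switched to BLOCK.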