Learn the steps to prevent SQL injection attacks on an internal web application running on EC2 instances behind a load balancer. Prepare for the AWS Certified Advanced Networking – Specialty ANS-C01 Exam.
Question
A company has an internal web-based application that employees use. The company hosts the application over a VPN in the company’s on-premises network. The application runs on a fleet of Amazon EC2 instances in a private subnet behind a Network Load Balancer (NLB) in the same subnet. The instances are in an Amazon EC2 Auto Scaling group.
During a recent security incident, SQL injection occurred on the application. A network engineer must implement a solution to prevent SQL injection attacks in the future.
Which combination of steps will meet these requirements? (Choose three.)
A. Create an AWS WAF web ACL that includes rules to block SQL injection attacks.
B. Create an Amazon CloudFront distribution. Specify the EC2 instances as the origin.
C. Replace the NLB with an Application Load Balancer.
D. Associate the AWS WAF web ACL with the NLB.
E. Associate the AWS WAF web ACL with the Application Load Balancer.
F. Associate the AWS WAF web ACL with the Amazon CloudFront distribution.
Answer
The correct combination of steps to prevent SQL injection attacks on the internal web-based application is:
A. Create an AWS WAF web ACL that includes rules to block SQL injection attacks.
C. Replace the Network Load Balancer (NLB) with an Application Load Balancer (ALB).
E. Associate the AWS WAF web ACL with the Application Load Balancer.
Explanation
AWS WAF (Web Application Firewall) is a service that helps protect web applications from common web exploits, such as SQL injection attacks. By creating a web ACL (Access Control List) with rules to block SQL injection patterns, you can prevent these attacks from reaching your application.
However, you cannot associate a web ACL directly with a Network Load Balancer (NLB). NLBs operate at the transport layer (Layer 4) and do not have the ability to inspect the content of the traffic. To use AWS WAF, you need to replace the NLB with an Application Load Balancer (ALB), which operates at the application layer (Layer 7) and supports content inspection.
After creating the web ACL and replacing the NLB with an ALB, you must associate the web ACL with the ALB. This ensures that the incoming traffic is inspected by AWS WAF before reaching the EC2 instances.
Using Amazon CloudFront (Option B), and therefore associating the web ACL with a CloudFront distribution (Option F), is not necessary in this case, as the application is internal and accessed over a VPN. CloudFront is primarily used for content delivery and caching for public-facing applications.
In summary, creating an AWS WAF web ACL, replacing the NLB with an ALB, and associating the web ACL with the ALB will provide the necessary protection against SQL injection attacks for the internal web-based application.
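The three steps above expressed as a CloudFormation template, added here as an example rather than anything from the original page: a REGIONAL web ACL that combines the AWS managed SQLi rule group with an explicit rule blocking SQL injection in request bodies, then a WebACLAssociation binding it to the replacement ALB. The `InternalAlbArn` parameter, resource names and metric names are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  InternalAlbArn:           # placeholder: ARN of the internal ALB that replaced the NLB
    Type: String
Resources:
  SqliWebAcl:
    Type: AWS::WAFV2::WebACL
    Properties:
      Name: internal-app-sqli-acl
      Scope: REGIONAL       # ALB associations need REGIONAL; CLOUDFRONT scope is only for distributions
      DefaultAction:
        Allow: {}           # requests that no rule blocks are passed on to the ALB
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: InternalAppSqliAcl
      Rules:
        - Name: AwsManagedSqli       # AWS-maintained SQL injection signatures
          Priority: 0
          OverrideAction:
            None: {}        # keep the rule group's own Block actions
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesSQLiRuleSet
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: AwsManagedSqli
        - Name: BlockSqliInBody      # explicit rule on POST bodies, URL-decoded before matching
          Priority: 1
          Action:
            Block: {}
          Statement:
            SqliMatchStatement:
              FieldToMatch:
                Body: {}
              TextTransformations:
                - Priority: 0
                  Type: URL_DECODE
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: BlockSqliInBody
  WebAclToAlb:
    Type: AWS::WAFV2::WebACLAssociation
    Properties:
      ResourceArn: !Ref InternalAlbArn   # an NLB ARN is not accepted here; WAF attaches only to Layer 7 resources
      WebACLArn: !GetAtt SqliWebAcl.Arn
```

The CloudWatch metrics enabled on each rule give the network engineer a per-rule count of blocked requests, which is the evidence that the web ACL is actually in the request path after the NLB is replaced.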