Question
A company wants to protect its website from man-in-the-middle attacks by using Amazon CloudFront. Which solution will meet these requirements with the LEAST operational overhead?
A. Use the SimpleCORS managed response headers policy.
B. Use a Lambda@Edge function to add the Strict-Transport-Security response header.
C. Use the SecurityHeadersPolicy managed response headers policy.
D. Include the X-XSS-Protection header in a custom response headers policy.
Answer
C. Use the SecurityHeadersPolicy managed response headers policy.
Explanation
The correct answer is C. Use the SecurityHeadersPolicy managed response headers policy.
A man-in-the-middle (MitM) attack is a type of cyberattack in which communications between two parties are intercepted, often to steal login credentials or personal information, spy on victims, or alter or tamper with the data. To protect a website from MitM attacks, it is important to use HTTPS and enforce HTTP Strict Transport Security (HSTS) policies that instruct browsers to only communicate with the website over secure connections.
Amazon CloudFront is a content delivery network (CDN) service that can speed up the delivery of web content and improve security by acting as a proxy between users and origin servers. CloudFront supports adding external origins, i.e. domains that are not S3 buckets or ALBs. However, this also creates a potential MitM risk: someone who sets up a new CloudFront distribution under a different domain name and points it at the original website as its origin can intercept and manipulate the requests and responses between users and the website.
To prevent this scenario, CloudFront provides several features to enhance security, such as SSL/TLS encryption, origin access identity (OAI), field-level encryption, AWS WAF, AWS Shield, and AWS Certificate Manager (ACM). One of these features is the ability to add custom or managed response headers policies to CloudFront distributions. Response headers are HTTP headers that are sent by the origin server or CloudFront to the browser along with the web content. They can contain information about the content type, encoding, caching, security, and other aspects of the web content.
The SecurityHeadersPolicy managed response headers policy is a predefined policy that adds several security-related headers to the responses sent by CloudFront. These headers include:
- Content-Security-Policy: This header instructs browsers on how to handle different types of content and resources on the website. It can prevent cross-site scripting (XSS) attacks, clickjacking attacks, and other code injection attacks by restricting what sources of content are allowed and what actions are permitted.
- Strict-Transport-Security: This header tells browsers to always use HTTPS when communicating with the website. It can prevent MitM attacks that try to downgrade the connection from HTTPS to HTTP or exploit insecure redirects.
- X-Content-Type-Options: This header prevents browsers from trying to guess or change the content type of the web content. It can prevent MIME sniffing attacks that try to exploit incorrect or missing content types to execute malicious code.
- X-Frame-Options: This header controls whether the web content can be displayed in a frame or an iframe on another website. It can prevent clickjacking attacks that try to trick users into clicking on hidden or disguised elements on a framed website.
- X-XSS-Protection: This header enables a browser’s built-in XSS filter that can detect and block XSS attacks. It can prevent malicious scripts from executing on the website or stealing user data.
By using the SecurityHeadersPolicy managed response headers policy, CloudFront can automatically add these headers to the responses sent to the browsers, without requiring any additional configuration or coding. This can significantly improve the security of the website and protect it from MitM attacks and other common web attacks with the least operational overhead.
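To check whether a distribution is actually returning the headers listed above, a practitioner would audit a captured response rather than trust the configuration. The following is an added example, not code from the original page or from AWS: it takes a response's header map and reports what is missing or weak. The two sample responses and the HSTS minimum of one year are constructed values for illustration, not the managed policy's actual output.

```python
"""Audit an HTTP response for the security headers the explanation above lists.
Added example; the sample header sets below are constructed, not captured
from a real CloudFront distribution."""
from typing import Dict, List

# One year in seconds; a common minimum for HSTS max-age (assumption).
HSTS_MIN_MAX_AGE = 31536000


def parse_hsts(value: str) -> Dict[str, str]:
    """Split an HSTS header value into a directive -> value map.
    Valueless directives (includeSubDomains, preload) map to ''."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed.
    Header names are compared case-insensitively, as HTTP requires."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security: a downgrade to HTTP is still possible")
    else:
        d = parse_hsts(hsts)
        try:
            max_age = int(d.get("max-age", ""))
        except ValueError:
            max_age = -1  # absent or malformed max-age counts as too small
        if max_age < HSTS_MIN_MAX_AGE:
            findings.append(
                f"Strict-Transport-Security max-age={d.get('max-age', 'absent')} "
                f"is below {HSTS_MIN_MAX_AGE}"
            )
        if "includesubdomains" not in d:
            findings.append("Strict-Transport-Security lacks includeSubDomains")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options is missing or not DENY/SAMEORIGIN")

    if "content-security-policy" not in h:
        findings.append("missing Content-Security-Policy")

    if "x-xss-protection" not in h:
        findings.append("missing X-XSS-Protection")

    return findings


# Constructed sample: an origin response with no security headers at all.
BARE_ORIGIN_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "max-age=300",
}

# Constructed sample: the same response after a response headers policy of the
# kind described above is applied. The values are assumptions for the example.
HARDENED_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "max-age=300",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'",
}

if __name__ == "__main__":
    for label, resp in (("bare origin", BARE_ORIGIN_RESPONSE),
                        ("hardened", HARDENED_RESPONSE)):
        print(label, audit_security_headers(resp) or "OK")
```

Run against the bare origin response it reports five findings, one per missing header; against the hardened one it reports none. Feeding it the headers from a real `curl -I` of the distribution is the natural next step.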
The other options are not as effective or efficient as using the SecurityHeadersPolicy managed response headers policy. Option A, using the SimpleCORS managed response headers policy, is not relevant for preventing MitM attacks. CORS stands for cross-origin resource sharing, which is a mechanism that allows web browsers to request resources from different origins (domains) than the one they are currently on. The SimpleCORS managed response headers policy adds headers that enable CORS for all origins and methods. However, this does not prevent MitM attacks, as they can occur regardless of whether CORS is enabled or not. In fact, enabling CORS for all origins may increase the risk of exposing sensitive data to unauthorized parties.
Option B, using a Lambda@Edge function to add the Strict-Transport-Security response header, is partially correct but not optimal. Lambda@Edge is a feature that allows running AWS Lambda functions at CloudFront edge locations to customize and optimize web content delivery. One possible use case of Lambda@Edge is to add custom response headers to CloudFront distributions using a viewer response function. However, this option only adds one header, the Strict-Transport-Security header, which is not enough to protect the website from all types of MitM attacks and other web attacks. Moreover, using Lambda@Edge requires writing and maintaining code, which adds operational overhead and complexity.
Option D, including the X-XSS-Protection header in a custom response headers policy, is also partially correct but not optimal. A custom response headers policy is a policy that allows adding custom headers to CloudFront distributions using the CloudFront console or API. However, this option only adds one header, the X-XSS-Protection header, which is not enough to protect the website from all types of MitM attacks and other web attacks. Moreover, using a custom response headers policy requires creating and managing a policy, which adds operational overhead and complexity.
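To make the overhead of option B concrete, the following is an added example (not from the original page or from AWS documentation) of a Lambda@Edge viewer-response handler that adds only the Strict-Transport-Security header. It assumes the CloudFront Lambda@Edge event layout, in which the response sits at `Records[0].cf.response` and headers are keyed by lowercase name with a list of `{"key", "value"}` entries; the HSTS value and the sample event are constructed for the example.

```python
"""Lambda@Edge viewer-response handler that adds an HSTS header.
Added example illustrating option B; the sample event is constructed and the
header value is an assumption."""
import copy
from typing import Any, Dict

HSTS_VALUE = "max-age=31536000; includeSubDomains"  # assumed policy value


def add_hsts(response: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of the CloudFront response with HSTS set.
    CloudFront keys headers by lowercase name; each entry is a list of
    {"key": original-case name, "value": header value} dicts."""
    out = copy.deepcopy(response)
    headers = out.setdefault("headers", {})
    # Overwrite any HSTS header the origin sent so the edge value wins,
    # which is what a response headers policy would do for this header.
    headers["strict-transport-security"] = [
        {"key": "Strict-Transport-Security", "value": HSTS_VALUE}
    ]
    return out


def handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """Lambda@Edge entry point for the viewer-response trigger."""
    response = event["Records"][0]["cf"]["response"]
    return add_hsts(response)


# Constructed sample event, trimmed to the fields the handler reads.
SAMPLE_EVENT = {
    "Records": [{"cf": {"response": {
        "status": "200",
        "statusDescription": "OK",
        "headers": {
            "content-type": [{"key": "Content-Type", "value": "text/html"}],
        },
    }}}]
}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT)["headers"])
```

Even this small function has to be packaged, versioned, deployed to us-east-1, associated with the distribution's cache behavior, and updated whenever the header value changes, and it still leaves X-Content-Type-Options, X-Frame-Options and the rest to be handled separately, which is the overhead the explanation above contrasts with selecting a managed policy.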
Therefore, the best solution to protect the website from MitM attacks by using CloudFront is to use the SecurityHeadersPolicy managed response headers policy, as it adds several security-related headers to the responses with the least operational overhead.