Question
A company’s public API runs as tasks on Amazon Elastic Container Service (Amazon ECS). The tasks run on AWS Fargate behind an Application Load Balancer (ALB) and are configured with Service Auto Scaling for the tasks based on CPU utilization. This service has been running well for several months.
Recently, API performance slowed down and made the application unusable. The company discovered that a significant number of SQL injection attacks had occurred against the API and that the API service had scaled to its maximum amount.
A solutions architect needs to implement a solution that prevents SQL injection attacks from reaching the ECS API service. The solution must allow legitimate traffic through and must maximize operational efficiency. Which solution meets these requirements?
A. Create a new AWS WAF web ACL to monitor the HTTP requests and HTTPS requests that are forwarded to the ALB in front of the ECS tasks.
B. Create a new AWS WAF Bot Control implementation. Add a rule in the AWS WAF Bot Control managed rule group to monitor traffic and allow only legitimate traffic to the ALB in front of the ECS tasks.
C. Create a new AWS WAF web ACL. Add a new rule that blocks requests that match the SQL database rule group. Set the web ACL to allow all other traffic that does not match those rules. Attach the web ACL to the ALB in front of the ECS tasks.
D. Create a new AWS WAF web ACL. Create a new empty IP set in AWS WAF. Add a new rule to the web ACL to block requests that originate from IP addresses in the new IP set. Create an AWS Lambda function that scrapes the API logs for IP addresses that send SQL injection attacks, and add those IP addresses to the IP set. Attach the web ACL to the ALB in front of the ECS tasks.
Answer
C. Create a new AWS WAF web ACL. Add a new rule that blocks requests that match the SQL database rule group. Set the web ACL to allow all other traffic that does not match those rules. Attach the web ACL to the ALB in front of the ECS tasks.
Explanation
The requirement is to stop SQL injection attacks from reaching the ECS API service that runs on AWS Fargate behind an ALB, while still allowing legitimate traffic through and maximizing operational efficiency. Option C meets these requirements: create a new AWS WAF web ACL, add a rule that blocks requests matching the SQL database rule group, set the web ACL to allow all other traffic that does not match those rules, and attach the web ACL to the ALB in front of the ECS tasks.
AWS WAF is a web application firewall service that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources. You can use AWS WAF to define customizable web security rules that control which traffic can access your web applications or APIs.
A web ACL is a collection of rules that you can use to filter web requests based on conditions that you define. You can associate a web ACL with one or more AWS resources such as an ALB, an Amazon CloudFront distribution, or an Amazon API Gateway API stage.
A rule group is a set of rules that have a common purpose or belong to a common category. You can use rule groups to reuse rules across multiple web ACLs or share them with other AWS accounts. AWS WAF provides several managed rule groups that are created and maintained by AWS or AWS Marketplace sellers. One of these managed rule groups is the SQL database rule group, which contains rules that help protect against SQL injection attacks.
SQL injection attacks are a type of web exploit where attackers send malicious SQL statements to a database server through a web application or API. These attacks can result in unauthorized access to sensitive data, data corruption, or denial of service.
You can create a new AWS WAF web ACL and add a new rule that blocks requests that match the SQL database rule group. This way, you can prevent SQL injection attacks from reaching your ECS API service. You can set the web ACL to allow all other traffic that does not match those rules. This way, you can allow legitimate traffic through your ECS API service. You can attach the web ACL to the ALB in front of your ECS tasks. This way, you can filter traffic at the load balancer level before it reaches your ECS tasks.
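As an added example (not from the original page or from AWS documentation), the following Terraform implements option C: a REGIONAL web ACL whose single rule applies the AWS-managed SQL database rule group (AWSManagedRulesSQLiRuleSet) with its Block actions kept, a default action of Allow for everything else, and an association with the ALB. The ALB ARN input (var.alb_arn), the resource names, and the metric names are assumed values.

```hcl
variable "alb_arn" {
  description = "ARN of the ALB in front of the ECS tasks (assumed input)"
  type        = string
}

resource "aws_wafv2_web_acl" "api" {
  name  = "ecs-api-sqli-protection"
  scope = "REGIONAL" # ALB associations require REGIONAL; CLOUDFRONT is for distributions only

  # Requests that match no rule are legitimate traffic and are allowed through.
  default_action {
    allow {}
  }

  rule {
    name     = "AWS-AWSManagedRulesSQLiRuleSet"
    priority = 1
    # "none" keeps the managed rule group's own Block actions. Changing this to
    # "count {}" would turn the rule into monitoring mode (as in option A): matches
    # are logged and counted, but nothing is blocked.
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesSQLiRuleSet" # the SQL database managed rule group
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "ecs-api-sqli"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "ecs-api-web-acl"
    sampled_requests_enabled   = true
  }
}

# Attach the web ACL to the ALB so requests are filtered before they reach the tasks.
resource "aws_wafv2_web_acl_association" "api" {
  resource_arn = var.alb_arn
  web_acl_arn  = aws_wafv2_web_acl.api.arn
}
```

After applying, the rule's CloudWatch metrics and sampled requests show what the rule group is blocking, which is how to confirm that legitimate API traffic is not being caught.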
The other options are not correct because:
A. Create a new AWS WAF web ACL to monitor the HTTP requests and HTTPS requests that are forwarded to the ALB in front of the ECS tasks. This option is not correct because it does not prevent SQL injection attacks from reaching your ECS API service. Monitoring mode is a feature of AWS WAF that allows you to observe how your rules would evaluate incoming requests without actually blocking them. Monitoring mode is useful for testing and debugging your rules before applying them in blocking mode, but it does not provide any protection against web exploits.
B. Create a new AWS WAF Bot Control implementation. Add a rule in the AWS WAF Bot Control managed rule group to monitor traffic and allow only legitimate traffic to the ALB in front of the ECS tasks. This option is not correct because it does not prevent SQL injection attacks from reaching your ECS API service. Bot Control is a feature of AWS WAF that helps you identify and manage requests coming from bots such as crawlers, scrapers, scanners, or scripts. Bot Control provides a managed rule group that contains rules for detecting and categorizing different types of bots based on their characteristics and behaviors. However, Bot Control does not provide any rules for detecting and blocking SQL injection attacks specifically.
D. Create a new AWS WAF web ACL. Create a new empty IP set in AWS WAF. Add a new rule to the web ACL to block requests that originate from IP addresses in the new IP set. Create an AWS Lambda function that scrapes the API logs for IP addresses that send SQL injection attacks, and add those IP addresses to the IP set. Attach the web ACL to the ALB in front of the ECS tasks. This option is not correct because it does not prevent SQL injection attacks from reaching your ECS API service efficiently or reliably: it is reactive, so requests from an address are only blocked after that address has already been seen attacking in the logs. Using an IP set is a way of filtering requests based on their source IP addresses, but it has several limitations and challenges:
- It requires creating and maintaining an AWS Lambda function to scrape the API logs and update the IP set periodically.
- It may not be able to catch all malicious requests, as attackers can use proxies or spoof their IP addresses.
- It may block legitimate requests from users who share the same IP address as attackers.
- It may incur additional costs for using Lambda and storing IP addresses.
This is a practice question and answer, with explanation, for the Amazon AWS Certified Solutions Architect – Professional SAP-C02 certification exam.