Learn how to efficiently protect your web applications from overwhelming failed login attempts by leveraging AWS Web Application Firewall (WAF) and IP set match rules.
Question
An education company is running a web application used by college students around the world. The application runs in an Amazon Elastic Container Service (Amazon ECS) cluster in an Auto Scaling group behind an Application Load Balancer (ALB). A system administrator detects a weekly spike in the number of failed login attempts, which overwhelm the application’s authentication service. All the failed login attempts originate from about 500 different IP addresses that change each week. A solutions architect must prevent the failed login attempts from overwhelming the authentication service.
Which solution meets these requirements with the MOST operational efficiency?
A. Use AWS Firewall Manager to create a security group and security group policy to deny access from the IP addresses.
B. Create an AWS WAF web ACL with a rate-based rule, and set the rule action to Block. Connect the web ACL to the ALB.
C. Use AWS Firewall Manager to create a security group and security group policy to allow access only to specific CIDR ranges.
D. Create an AWS WAF web ACL with an IP set match rule, and set the rule action to Block. Connect the web ACL to the ALB.
Answer
D. Create an AWS WAF web ACL with an IP set match rule, and set the rule action to Block. Connect the web ACL to the ALB.
Explanation
The solution that meets the requirements with the MOST operational efficiency is:
D. Create an AWS WAF web ACL with an IP set match rule, and set the rule action to Block. Connect the web ACL to the ALB.
AWS Web Application Firewall (WAF) is a fully managed service that provides protection against common web exploits and bots that target web applications. By creating a web ACL with an IP set match rule and connecting it to the Application Load Balancer (ALB), the solution can effectively block the failed login attempts originating from the changing set of IP addresses each week.
Here’s a detailed explanation of how this solution addresses the requirements with the most operational efficiency:
- IP Set Match Rule: AWS WAF allows creating IP set match rules, which can match incoming requests against a list of IP addresses or IP address ranges. This rule can be configured to block requests from the 500 different IP addresses that are causing the failed login attempts.
- Set Rule Action to Block: By setting the rule action to “Block,” AWS WAF will automatically block any requests originating from the specified IP addresses, preventing them from reaching the authentication service and overwhelming it.
- Connect Web ACL to ALB: The web ACL containing the IP set match rule can be associated with the Application Load Balancer (ALB) in front of the Amazon ECS cluster. This ensures that the WAF inspects and filters all incoming traffic before it reaches the application, providing a centralized and efficient protection mechanism.
- Operational Efficiency: AWS WAF is a fully managed service, which means that AWS handles the provisioning, deployment, and maintenance of the underlying infrastructure. This eliminates the need for manual infrastructure management, reducing operational overhead and increasing efficiency.
By leveraging AWS WAF’s IP set match rule and connecting the web ACL to the ALB, this solution provides an efficient and scalable way to block the failed login attempts without requiring any changes to the application code or deployment. Additionally, as the IP addresses change each week, the IP set can be easily updated in the WAF without disrupting the application’s operations.
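The configuration the answer describes, as an added example written with boto3 (not code from the original page): an IPv4 IP set, a web ACL whose only rule is an IP set match with action Block, the association with the ALB, and the weekly replacement of the address list. The IP set and web ACL names and the ALB ARN are placeholders; the `wafv2` argument is a `boto3.client("wafv2")` created by the caller.

```python
# Added example (not from the original page); the resource names and the ALB ARN are placeholders.
import ipaddress

SCOPE = "REGIONAL"  # web ACLs attached to an ALB are regional; CLOUDFRONT is for CloudFront only
IP_SET_NAME = "failed-login-sources"


def to_cidr_list(ips):
    """WAFv2 IP sets accept CIDR notation only: normalise bare IPv4 addresses to /32,
    drop IPv6 and unparsable entries, and de-duplicate while keeping order."""
    result = []
    for raw in ips:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            continue  # skip malformed lines from the log export
        if net.version == 4 and str(net) not in result:
            result.append(str(net))
    return result


def ip_set_block_rule(ip_set_arn, priority=0):
    """The IP set match rule (IPSetReferenceStatement) with its action set to Block."""
    return {
        "Name": "block-failed-login-sources",
        "Priority": priority,
        "Statement": {"IPSetReferenceStatement": {"ARN": ip_set_arn}},
        "Action": {"Block": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
                             "MetricName": "BlockFailedLoginSources"},
    }


def deploy(wafv2, alb_arn, ips):
    """Create the IP set and the web ACL, then associate the ACL with the ALB."""
    ip_set = wafv2.create_ip_set(Name=IP_SET_NAME, Scope=SCOPE, IPAddressVersion="IPV4",
                                 Addresses=to_cidr_list(ips))["Summary"]
    acl = wafv2.create_web_acl(
        Name="auth-protection", Scope=SCOPE, DefaultAction={"Allow": {}},
        Rules=[ip_set_block_rule(ip_set["ARN"])],
        VisibilityConfig={"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
                          "MetricName": "AuthProtection"})["Summary"]
    wafv2.associate_web_acl(WebACLArn=acl["ARN"], ResourceArn=alb_arn)
    return {"ip_set_id": ip_set["Id"], "web_acl_arn": acl["ARN"]}


def rotate_ip_set(wafv2, ip_set_id, new_ips):
    """Weekly rotation: UpdateIPSet replaces the whole address list and needs the
    current LockToken from GetIPSet, so a stale concurrent update is rejected."""
    current = wafv2.get_ip_set(Name=IP_SET_NAME, Scope=SCOPE, Id=ip_set_id)
    wafv2.update_ip_set(Name=IP_SET_NAME, Scope=SCOPE, Id=ip_set_id,
                        Addresses=to_cidr_list(new_ips), LockToken=current["LockToken"])
```

Run `deploy` once with the current week's addresses and the ALB ARN, then call `rotate_ip_set` each week with the new list; the web ACL, rule and ALB association stay unchanged.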
Source: Amazon AWS Certified Solutions Architect – Professional (SAP-C02) practice question and answer with explanation.