Which solution will meet these requirements with the LEAST operational overhead?
Use security groups and network ACLs to secure the database and application servers.
Use AWS WAF to protect the application. Use RDS parameter groups to configure the security settings.
Use AWS Network Firewall to protect the application and the database.
Use different database accounts in the application code for different functions. Avoid granting excessive privileges to the database users.
Explanations:
Security groups and network ACLs control network access but do not address SQL injection or web-based attacks on the application itself.
AWS WAF can protect against SQL injection and other web-based attacks by filtering HTTP/S traffic to the application. RDS parameter groups manage database security settings but are not focused on preventing SQL injection in application traffic.
AWS Network Firewall provides network-level protection but does not specifically protect against web-based application attacks like SQL injection.
Using different database accounts with least privilege is a good practice but does not directly protect the application from SQL injection or web-based attacks.
As I see it, the answer is:
Use AWS WAF to protect the application. Use RDS parameter groups to configure the security settings.
In my experience, the answer is:
Use AWS WAF to protect the application. Use RDS parameter groups to configure the security settings.