What additional steps will address all of the identified attack types while providing high availability and minimizing risk?
Enable SSH access to the Amazon EC2 instances using a security group that limits access to specific IPs. Migrate on-premises MySQL to Amazon RDS Multi-AZ. Install the third-party load balancer from the AWS Marketplace and migrate the existing rules to the load balancer’s AWS instances. Enable AWS Shield Standard for DDoS protection.
Disable SSH access to the Amazon EC2 instances. Migrate on-premises MySQL to Amazon RDS Multi-AZ. Leverage an Elastic Load Balancer to spread the load and enable AWS Shield Advanced for protection. Add an Amazon CloudFront distribution in front of the website. Enable AWS WAF on the distribution to manage the rules.
Enable SSH access to the Amazon EC2 instances through a bastion host secured by limiting access to specific IP addresses. Migrate on-premises MySQL to a self-managed EC2 instance. Leverage an AWS Elastic Load Balancer to spread the load and enable AWS Shield Standard for DDoS protection. Add an Amazon CloudFront distribution in front of the website.
Disable SSH access to the EC2 instances. Migrate on-premises MySQL to Amazon RDS Single-AZ. Leverage an AWS Elastic Load Balancer to spread the load. Add an Amazon CloudFront distribution in front of the website. Enable AWS WAF on the distribution to manage the rules.
Explanations:
Enabling SSH access through security groups still leaves the instances vulnerable to dictionary attacks. AWS Shield Standard is not sufficient for advanced DDoS protection, and a third-party load balancer is unnecessary when AWS services like ELB already meet the requirements.
Disabling direct SSH access improves security. Migrating MySQL to Amazon RDS Multi-AZ enhances availability and resiliency. AWS Shield Advanced provides enhanced DDoS protection, and the combination of CloudFront and AWS WAF allows for better security management and protection against web application attacks, such as SQL injection.
While using a bastion host improves SSH security, managing MySQL on EC2 instead of RDS reduces scalability and reliability. AWS Shield Standard provides basic DDoS protection, but AWS Shield Advanced would be a better option for robust DDoS defense.
Disabling SSH access is correct, but migrating MySQL to RDS Single-AZ reduces high availability and fault tolerance. AWS Shield Standard alone is not enough for advanced DDoS protection, and AWS WAF without CloudFront is less effective at handling traffic management and web application protection.