How should a solutions architect configure the web ACLs to meet these requirements?

By:
On:
In: SAP-C02
Tagged:
With: 0 Comments
A company has developed a web application.The company is hosting the application on a group of Amazon EC2 instances behind an Application Load Balancer.The company wants to improve the security posture of the application and plans to use AWS WAF web ACLs.The solution must not adversely affect legitimate traffic to the application.

How should a solutions architect configure the web ACLs to meet these requirements?

Set the action of the web ACL rules to Count. Enable AWS WAF logging. Analyze the requests for false positives. Modify the rules to avoid any false positive. Over time, change the action of the web ACL rules from Count to Block.

Use only rate-based rules in the web ACLs, and set the throttle limit as high as possible. Temporarily block all requests that exceed the limit. Define nested rules to narrow the scope of the rate tracking.

Set the action of the web ACL rules to Block. Use only AWS managed rule groups in the web ACLs. Evaluate the rule groups by using Amazon CloudWatch metrics with AWS WAF sampled requests or AWS WAF logs.

Use only custom rule groups in the web ACLs, and set the action to Allow. Enable AWS WAF logging. Analyze the requests for false positives. Modify the rules to avoid any false positive. Over time, change the action of the web ACL rules from Allow to Block.

Explanations:

Setting the action to Count allows monitoring of traffic without blocking legitimate requests initially. By analyzing logs for false positives, the rules can be refined, which helps ensure that legitimate traffic is not adversely affected. Once the rules are optimized, changing the action to Block provides enhanced security.

Relying solely on rate-based rules can lead to legitimate traffic being blocked if it exceeds the throttle limit. This approach does not sufficiently differentiate between legitimate spikes in traffic and actual malicious activity, potentially disrupting user access to the application.

Using only managed rule groups without evaluating their impact on legitimate traffic could result in false positives. While CloudWatch metrics can provide insights, this method does not include a process for adjusting the rules based on actual traffic behavior before implementing blocking actions.

Setting the action to Allow may lead to the application being exposed to threats. Without immediate blocking of malicious traffic, the application remains vulnerable. This approach also lacks a structured method for analyzing and refining rules to minimize false positives before changing to a Block action.

Leave a Reply

Your email address will not be published. Required fields are marked *

15 − 2 =