How should a solutions architect configure the web ACLs to meet these requirements?
Set the action of the web ACL rules to Count. Enable AWS WAF logging. Analyze the requests for false positives. Modify the rules to avoid any false positive. Over time, change the action of the web ACL rules from Count to Block.
Use only rate-based rules in the web ACLs, and set the throttle limit as high as possible. Temporarily block all requests that exceed the limit. Define nested rules to narrow the scope of the rate tracking.
Set the action of the web ACL rules to Block. Use only AWS managed rule groups in the web ACLs. Evaluate the rule groups by using Amazon CloudWatch metrics with AWS WAF sampled requests or AWS WAF logs.
Use only custom rule groups in the web ACLs, and set the action to Allow. Enable AWS WAF logging. Analyze the requests for false positives. Modify the rules to avoid any false positive. Over time, change the action of the web ACL rules from Allow to Block.
Explanations:
Setting the action of the web ACL rules to Count allows the company to monitor traffic without blocking any requests initially. By enabling AWS WAF logging, the company can analyze the traffic for false positives and adjust the rules accordingly. This gradual approach helps minimize the risk of impacting legitimate traffic while refining the rules. Once the rules are optimized, the action can be changed to Block to enhance security without affecting user experience.
Relying solely on rate-based rules with a high throttle limit may not address specific security threats like SQL injection or cross-site scripting. This approach may inadvertently block legitimate traffic if requests exceed the limit, leading to a poor user experience. Nested rules do not mitigate the risks associated with inadequate rule specificity.
Using only AWS managed rule groups and setting the action to Block could lead to legitimate traffic being blocked without proper analysis of the rules’ effectiveness. While AWS managed rules are effective, they may not perfectly fit every application’s needs. Monitoring through CloudWatch metrics or AWS WAF logs is not sufficient if the initial actions block legitimate traffic.
Setting the action of the web ACL rules to Allow with only custom rule groups does not provide any protection against malicious traffic initially. While analyzing requests for false positives is valuable, starting with an Allow action could leave the application vulnerable. Transitioning from Allow to Block without proper monitoring may lead to unintended disruptions of legitimate traffic.
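To make the Count-then-Block workflow concrete, the added example below (not part of the original question or of AWS's own tooling) reads a few constructed AWS WAF log records in the service's JSON Lines log format and tallies which Count-mode rules matched which paths, so an analyst can spot rules that keep firing on known-good traffic before promoting them to Block. The rule names (`SQLi_QueryArgs`, `XSS_Body`, `RateLimit`), client IPs and URIs are hypothetical; the field names `action`, `terminatingRuleId`, `httpRequest.uri` and `nonTerminatingMatchingRules` follow the AWS WAF log schema, where Count-mode matches appear as non-terminating matches rather than as the terminating rule.

```python
import json
from collections import Counter, defaultdict

# Constructed sample of AWS WAF log records (JSON Lines). Field names follow the
# AWS WAF log format; rule IDs, IPs and URIs are made up for this example.
SAMPLE_WAF_LOG = r'''
{"timestamp":1700000000000,"action":"ALLOW","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","httpRequest":{"clientIp":"203.0.113.10","uri":"/api/search","httpMethod":"GET"},"nonTerminatingMatchingRules":[{"ruleId":"SQLi_QueryArgs","action":"COUNT"}]}
{"timestamp":1700000001000,"action":"ALLOW","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","httpRequest":{"clientIp":"203.0.113.11","uri":"/api/search","httpMethod":"GET"},"nonTerminatingMatchingRules":[{"ruleId":"SQLi_QueryArgs","action":"COUNT"}]}
{"timestamp":1700000002000,"action":"ALLOW","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","httpRequest":{"clientIp":"198.51.100.7","uri":"/login","httpMethod":"POST"},"nonTerminatingMatchingRules":[{"ruleId":"XSS_Body","action":"COUNT"}]}
{"timestamp":1700000003000,"action":"BLOCK","terminatingRuleId":"RateLimit","terminatingRuleType":"RATE_BASED","httpRequest":{"clientIp":"192.0.2.200","uri":"/login","httpMethod":"POST"},"nonTerminatingMatchingRules":[]}
'''


def parse_waf_log(text):
    """Parse JSON Lines WAF log text into a list of dict records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def count_mode_matches(records):
    """Tally Count-mode rule matches: per rule, how many requests matched and
    which URIs they hit. A rule whose action is Count never terminates evaluation,
    so its matches surface in nonTerminatingMatchingRules with action "COUNT"."""
    per_rule = defaultdict(lambda: {"requests": 0, "uris": Counter()})
    for rec in records:
        uri = rec.get("httpRequest", {}).get("uri", "")
        for match in rec.get("nonTerminatingMatchingRules", []):
            if match.get("action") == "COUNT":
                stats = per_rule[match["ruleId"]]
                stats["requests"] += 1
                stats["uris"][uri] += 1
    return dict(per_rule)


def likely_false_positives(records, known_good_uris, min_hits=2):
    """Return rule IDs whose Count matches landed on paths the team has verified as
    legitimate at least min_hits times: these need tuning before the action is
    switched from Count to Block."""
    flagged = set()
    for rule_id, stats in count_mode_matches(records).items():
        good_hits = sum(n for uri, n in stats["uris"].items() if uri in known_good_uris)
        if good_hits >= min_hits:
            flagged.add(rule_id)
    return flagged


if __name__ == "__main__":
    recs = parse_waf_log(SAMPLE_WAF_LOG)
    for rule_id, stats in count_mode_matches(recs).items():
        print(rule_id, stats["requests"], dict(stats["uris"]))
    print("review before Block:", likely_false_positives(recs, {"/api/search"}))
```

Against real data, feed the function the records delivered to the web ACL's logging destination (S3, CloudWatch Logs or Kinesis Data Firehose) and maintain the known-good path set from application owners' input rather than guessing it.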