What should the Security Engineer do to meet these requirements?
Create an Application Load Balancer with the existing EC2 instances as a target group. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the ALB. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to the ALB. Update security groups on the EC2 instances to prevent direct access from the internet.
Create an Amazon CloudFront distribution specifying one EC2 instance as an origin. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the distribution. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to CloudFront.
Obtain the latest source code for the platform and make the necessary updates. Test the updated code to ensure that the vulnerability has been mitigated, then deploy the patched version of the platform to the EC2 instances.
Update the security group that is attached to the EC2 instances, removing access from the internet to the TCP port used by the SQL database. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the EC2 instances. Test to ensure the vulnerability has been mitigated, then restore the security group to the original setting.
Explanations:
This option effectively implements an Application Load Balancer (ALB) that can route traffic to the existing EC2 instances while using AWS WAF to protect against SQL injection attacks. Applying WAF rules to the ALB will filter and block malicious requests, addressing the vulnerabilities without requiring significant changes to the legacy system. Redirecting Route 53 to the ALB maintains normal operations, and updating security groups enhances security by preventing direct access to the EC2 instances.
While this option uses Amazon CloudFront to route traffic and AWS WAF to protect against SQL injection, it only specifies one EC2 instance as the origin, which does not utilize the existing load balancing across multiple EC2 instances. This could lead to an uneven distribution of traffic and does not align with the current architecture using Route 53 weighted load balancing. Additionally, implementing CloudFront may require more effort and testing than the solution requires.
Although updating the source code may eventually fix the SQL injection vulnerability, this approach requires significant effort and time, including code review, testing, and redeployment of the application. Given the 24-hour timeframe to secure the system, this option is impractical as it disrupts normal operations and may introduce additional risks during the update process.
This option removes internet access to the SQL database port, which is a good security measure but does not directly address the SQL injection vulnerability in the application itself. While creating a WAF web ACL is a positive step, the option applies it to the EC2 instances, and AWS WAF web ACLs are associated with resources such as an ALB or a CloudFront distribution, not with EC2 instances directly, so this does not provide the same protection. Furthermore, restoring the original security group settings could reintroduce risk if the vulnerability remains unaddressed.
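The ALB-based option described above, sketched as a CloudFormation template. This is an added example, not part of the original question. It assumes the ALB and both security groups already exist and are passed in as parameters, that the application listens on TCP 80, and that the resource names are placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  AlbArn:                      # assumed: ARN of the ALB fronting the EC2 target group
    Type: String
  AlbSecurityGroupId:          # assumed: security group attached to the ALB
    Type: AWS::EC2::SecurityGroup::Id
  InstanceSecurityGroupId:     # assumed: security group attached to the EC2 instances
    Type: AWS::EC2::SecurityGroup::Id
Resources:
  SqliWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: legacy-app-sqli    # placeholder name
      Scope: REGIONAL          # REGIONAL is required for an ALB association
      DefaultAction:
        Allow: {}              # pass traffic that no rule blocks
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: legacy-app-sqli
      Rules:
        - Name: aws-managed-sqli
          Priority: 0
          OverrideAction:
            None: {}           # use the rule group's own block actions
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesSQLiRuleSet
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: aws-managed-sqli
  AlbAssociation:              # the web ACL attaches to the ALB, not to instances
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref AlbArn
      WebACLArn: !GetAtt SqliWebAcl.Arn
  InstanceIngressFromAlb:      # instances accept app traffic only from the ALB
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref InstanceSecurityGroupId
      IpProtocol: tcp
      FromPort: 80             # assumed application port
      ToPort: 80
      SourceSecurityGroupId: !Ref AlbSecurityGroupId
```

Any existing ingress rule on the instance security group that allows the application port from the internet still has to be removed once Route 53 points at the ALB; this template only adds the ALB-sourced rule.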