Which configuration steps should the security engineer take to accomplish this task?
Create a security group with a rule that denies inbound connections from 0.0.0.0/0 on port 80. Attach this security group to the ALB to overwrite more permissive rules from the ALB’s default security group.
Create a network ACL that denies inbound connections from 0.0.0.0/0 on port 80. Associate the network ACL with the VPC’s internet gateway.
Create a network ACL that allows outbound connections to the VPC IP range on port 443 only. Associate the network ACL with the VPC’s internet gateway.
Create a security group with a single inbound rule that allows connections from 0.0.0.0/0 on port 443. Ensure this security group is the only one associated with the ALB.
Explanations:
Security group rules are allow-only: there is no deny rule, so a rule that “denies” inbound port 80 cannot be written, and attaching a second security group never overrides the first. When several groups are attached to an ALB their rules are aggregated, and traffic is accepted if any one of them allows it. The port 80 rule in the ALB’s default security group would therefore remain in effect.
Network ACLs are associated with subnets, not with the internet gateway, so this option cannot be implemented as written. ALBs are not directly associated with a network ACL; a deny rule for port 80 on the ALB’s subnets would be a defence-in-depth measure at best, and the ALB’s own security group is where the traffic it accepts is controlled.
This option only allows outbound traffic to the VPC IP range on port 443 and does nothing about inbound HTTP connections to the ALB. It repeats the error of associating a network ACL with the internet gateway, and because network ACLs are stateless, an outbound rule limited to the VPC range would also block the ALB’s responses to internet clients on ephemeral ports.
Creating a security group with a single inbound rule that allows TCP 443 from 0.0.0.0/0, and making it the only security group associated with the ALB (for example with aws elbv2 set-security-groups), ensures the ALB accepts only HTTPS connections: with no rule for port 80, HTTP packets are dropped before they reach any listener. Security groups are stateful, so responses to the HTTPS connections are allowed automatically, and the group’s default outbound rule lets the ALB reach its targets. The ALB must of course also have an HTTPS listener on port 443 with a certificate attached, since the new group would block any remaining HTTP-only listener as well.
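The additive evaluation described in these explanations can be checked mechanically. The following Python helper is an added example, not part of the original question or its explanations: it takes security group descriptions in the shape returned by EC2 DescribeSecurityGroups and reports which attached groups allow a given TCP port from a given client CIDR, treating the groups together the way the ALB does. The group IDs and rules are constructed sample data, and fetch_alb_security_groups is an assumed helper that needs boto3 and AWS credentials and is not exercised by the embedded example.

```python
"""Check what an ALB's attached security groups actually let in.

Security group rules are allow-only and every group attached to the ALB is
evaluated together, so a port is reachable if ANY attached group allows it.
This helper aggregates the rules the same way, which makes the difference
between "attach one more group" and "make it the only group" visible.
"""
from ipaddress import ip_network


def _port_in_rule(port, rule):
    """True if TCP `port` falls inside one IpPermissions entry."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # all protocols and ports
        return True
    if proto != "tcp":  # ALB listeners are TCP only
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def _source_covers(rule, client_cidr):
    """True if an IPv4 range in the rule contains the whole client CIDR.
    Security-group-ID sources (UserIdGroupPairs) and IPv6 ranges are ignored."""
    client = ip_network(client_cidr)
    return any(client.subnet_of(ip_network(r["CidrIp"]))
               for r in rule.get("IpRanges", []))


def effective_inbound(security_groups, port, client_cidr="0.0.0.0/0"):
    """IDs of the attached groups that allow TCP `port` from `client_cidr`.

    An empty list means the ALB does not accept that traffic. There is no
    way for one group to subtract what another attached group allows."""
    allowing = []
    for sg in security_groups:
        if any(_port_in_rule(port, rule) and _source_covers(rule, client_cidr)
               for rule in sg.get("IpPermissions", [])):
            allowing.append(sg["GroupId"])
    return allowing


def fetch_alb_security_groups(alb_arn):
    """Assumed helper: pull the real groups for an ALB with boto3 (needs
    credentials; not run in the example below). Returns the same shape as
    the constructed data."""
    import boto3  # imported lazily so the rest of the file works offline
    elbv2, ec2 = boto3.client("elbv2"), boto3.client("ec2")
    lb = elbv2.describe_load_balancers(LoadBalancerArns=[alb_arn])["LoadBalancers"][0]
    return ec2.describe_security_groups(GroupIds=lb["SecurityGroups"])["SecurityGroups"]


# Constructed sample data in the DescribeSecurityGroups response shape; the
# group IDs are placeholders, not real resources.
DEFAULT_SG = {  # the ALB's existing, more permissive group
    "GroupId": "sg-0default",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}
HTTPS_ONLY_SG = {  # the single-rule group from the correct option
    "GroupId": "sg-0httpsonly",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}
INTERNAL_ALL_SG = {  # "all traffic" from a private range, to show the -1 case
    "GroupId": "sg-0internal",
    "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ],
}

# Option 1: a second group is added but the default group still allows port 80.
OPTION_1 = effective_inbound([DEFAULT_SG, HTTPS_ONLY_SG], 80)  # ['sg-0default']
# Option 4: the HTTPS-only group is the only one attached, so port 80 is closed.
OPTION_4 = effective_inbound([HTTPS_ONLY_SG], 80)              # []

if __name__ == "__main__":
    for label, groups in (("option 1", [DEFAULT_SG, HTTPS_ONLY_SG]),
                          ("option 4", [HTTPS_ONLY_SG])):
        print(label, "port 80 from internet allowed by:",
              effective_inbound(groups, 80) or "nobody")
        print(label, "port 443 from internet allowed by:",
              effective_inbound(groups, 443) or "nobody")
```

Running the file prints that option 1 still leaves port 80 open through sg-0default while option 4 leaves nobody allowing it; pointing effective_inbound at the output of fetch_alb_security_groups turns the same check into a quick audit of a real load balancer.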