Tutorial / Cram Notes

Securing inbound traffic flows into AWS is a critical aspect of any cloud infrastructure strategy. AWS provides various services and features that allow you to safeguard your applications and data from unwanted and potentially harmful traffic. Some of the key services include AWS WAF, AWS Shield, and AWS Network Firewall. Understanding the differences and applicability of each service can help you design robust, secure network architectures for your AWS workloads.

AWS WAF (Web Application Firewall)

AWS WAF is a web application firewall that helps protect your web applications from common web exploits and bots that may affect availability, compromise security, or consume excessive resources. You can define customizable web security rules to control which traffic can reach your application. For example, you might want to block SQL injection attacks or attempts to exploit XSS vulnerabilities in your web applications.

AWS WAF allows you to:

  • Monitor HTTP and HTTPS requests that are forwarded to an Amazon CloudFront distribution, an Amazon API Gateway REST API, or an Application Load Balancer.
  • Create conditions such as the IP addresses that requests originate from, the values of query strings, or the request headers.
  • Combine conditions into rules and add the rules to a web access control list (web ACL).

An example of a simple rule to protect against SQL injection might look like the following (note this is a conceptual representation, not actual WAF code):

IF SQLi patterns detected in:
– Query string
– URI
– Body of the POST request
THEN
Block the request
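The same rule written out as a real AWS WAFv2 rule document, as an added example that is not part of the original notes. The dictionary shapes follow the WAFv2 API (`SqliMatchStatement`, `OrStatement`, `FieldToMatch`, `VisibilityConfig`); the rule name, priority, metric name and the choice of text transformations are this example's own assumptions, and the result is what you would pass as `Rules` to `wafv2.create_web_acl`.

```python
"""Build the conceptual "block SQLi in query string, URI and body" rule as an
AWS WAFv2 rule document.

Added example, not from the original notes. Dict shapes follow the WAFv2 API;
rule/metric names, priorities and the transformation list are assumptions.
"""
import json

# FieldToMatch selectors for the three request parts the conceptual rule names.
# Body carries OversizeHandling so a request whose body exceeds the inspection
# limit is still matched (CONTINUE would let the uninspected tail through).
FIELDS = {
    "query_string": {"QueryString": {}},
    "uri_path": {"UriPath": {}},
    "body": {"Body": {"OversizeHandling": "MATCH"}},
}

# Decode before matching so encoded payloads are normalised for the SQLi detector.
TEXT_TRANSFORMS = [
    {"Priority": 0, "Type": "URL_DECODE"},
    {"Priority": 1, "Type": "HTML_ENTITY_DECODE"},
]


def sqli_statement(field_key):
    """One SqliMatchStatement over a single request field."""
    return {
        "SqliMatchStatement": {
            "FieldToMatch": FIELDS[field_key],
            "TextTransformations": TEXT_TRANSFORMS,
        }
    }


def sqli_block_rule(name, priority, field_keys=("query_string", "uri_path", "body")):
    """Rule: IF SQLi detected in any listed field THEN block.

    Several fields are OR-ed, as in the conceptual rule; a single field is used
    directly because an OrStatement needs at least two member statements.
    """
    statements = [sqli_statement(k) for k in field_keys]
    statement = statements[0] if len(statements) == 1 else {
        "OrStatement": {"Statements": statements}
    }
    return {
        "Name": name,
        "Priority": priority,
        "Statement": statement,
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def inspected_fields(rule):
    """Return the FieldToMatch keys a rule inspects (walks Or/And/Not nesting)."""
    found = set()

    def walk(stmt):
        for key, val in stmt.items():
            if key in ("OrStatement", "AndStatement"):
                for sub in val["Statements"]:
                    walk(sub)
            elif key == "NotStatement":
                walk(val["Statement"])
            elif key.endswith("Statement") and "FieldToMatch" in val:
                found.update(val["FieldToMatch"].keys())

    walk(rule["Statement"])
    return found


def web_acl_rules(rules):
    """Validate a rule list before handing it to wafv2.create_web_acl(Rules=...).

    WAF evaluates rules in ascending Priority and requires priorities to be unique.
    """
    priorities = [r["Priority"] for r in rules]
    if len(set(priorities)) != len(priorities):
        raise ValueError("rule priorities must be unique")
    return sorted(rules, key=lambda r: r["Priority"])


if __name__ == "__main__":
    print(json.dumps(web_acl_rules([sqli_block_rule("BlockSQLi", priority=10)]), indent=2))
```

Changing `Action` to `{"Count": {}}` turns the same rule into the monitor-only mode used when tuning a rule against production traffic before enforcing it.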

AWS Shield

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides automatic inline mitigation techniques that minimize application downtime and latency. There are two tiers of AWS Shield – AWS Shield Standard and AWS Shield Advanced.

  • AWS Shield Standard: Automatically protects all AWS customers at no additional cost. It provides protection from attacks such as SYN/UDP floods, reflection attacks, and others that commonly target websites and applications.
  • AWS Shield Advanced: Offers advanced protection for internet-facing applications and extends the DDoS protection beyond Layer 3 and Layer 4 to also include application-layer (Layer 7) attacks. Shield Advanced also provides detection and mitigation against very large and sophisticated DDoS attacks, near-real-time visibility into attacks, and access to the AWS DDoS response team (DRT).

AWS Network Firewall

AWS Network Firewall is a managed service that makes it easy to deploy essential network protections for all of your Amazon Virtual Private Clouds (Amazon VPCs). The service automatically scales with your network traffic, and offers flexible rules that are easy to set up and maintain. Network Firewall can stop both inbound and outbound traffic based on criteria you define.

Key features include:

  • Stateful rule evaluation for traffic at the packet, flow, and application-layer level.
  • Predefined rule groups for known patterns, like known malicious IP addresses, or for blocking specific countries.
  • Integration with AWS Firewall Manager for central configuration management.

Example use cases for AWS Network Firewall include segmentation within a VPC (for security zoning), blocking unwanted outbound traffic like known malicious IPs, and implementing strict controls for inbound traffic management.

Comparison of AWS WAF, AWS Shield, and AWS Network Firewall

Feature/Service        AWS WAF                          AWS Shield                                     AWS Network Firewall
Protection scope       HTTP/HTTPS traffic               DDoS attacks                                   L3, L4, and L7 traffic
Application layer      Layer 7                          Layer 3/4; Layer 7 with Advanced               Layer 3/4 and 7
Custom rules           Yes                              No (automatic); Yes with Advanced              Yes
Managed rules          Yes                              No                                             Yes (stateful & stateless)
Pricing model          Pay-as-you-go                    Free (Standard); subscription (Advanced)       Pay-as-you-go
Integration points     CloudFront, API Gateway, ALB     Any AWS resource                               Amazon VPC
Response to threats    Manual and automated rules       Automatic mitigation; manual with Advanced     Manual rules

Integrating these services into your network provides a comprehensive defense strategy:

  • AWS WAF can be used to block harmful web traffic before it reaches your application.
  • AWS Shield, particularly the Advanced version, can provide additional peace of mind with enhanced DDoS protection and support.
  • AWS Network Firewall delivers a strong barrier that secures all traffic moving in and out of your Amazon VPC, providing the ability to inspect and filter traffic at multiple layers.

Choosing the right combination of AWS services to secure inbound traffic is key to maintaining a secure and robust network. Implementing these services effectively can also be an important aspect of preparing for the AWS Certified Advanced Networking – Specialty (ANS-C01) exam, as they represent critical knowledge in designing and implementing AWS-based networking solutions.

Practice Test with Explanation

True or False: AWS WAF can only be applied to Amazon CloudFront distributions and not to Application Load Balancers (ALBs).

  • A) True
  • B) False

Answer: B) False

Explanation: AWS WAF can be applied to both Amazon CloudFront distributions and Application Load Balancers, as well as Amazon API Gateway.

The AWS Shield service provides automatic protection against:

  • A) Distributed Denial of Service (DDoS) attacks.
  • B) SQL Injection
  • C) Cross-site scripting (XSS)
  • D) All of the above

Answer: A) Distributed Denial of Service (DDoS) attacks.

Explanation: AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS.

Which AWS service enables you to implement stateful traffic inspection?

  • A) AWS WAF
  • B) AWS Shield
  • C) AWS Network Firewall
  • D) AWS Direct Connect

Answer: C) AWS Network Firewall

Explanation: AWS Network Firewall is a managed service that enables you to deploy stateful traffic inspection at scale for your virtual private clouds (VPCs).

True or False: AWS WAF requires manual intervention to update rules and protections based on emerging threats.

  • A) True
  • B) False

Answer: B) False

Explanation: AWS WAF can be integrated with services like AWS Managed Rules for AWS WAF, where rules are automatically updated based on threats.

AWS Network Firewall can be used to:

  • A) Monitor SSL/TLS encrypted traffic.
  • B) Filter content.
  • C) Impose rules based on domain names.
  • D) All of the above.

Answer: D) All of the above.

Explanation: AWS Network Firewall supports various features, including monitoring SSL/TLS encrypted traffic, filtering content, and imposing rules based on domain names.

True or False: AWS Shield Advanced provides expanded DDoS attack protection for any application running on AWS, with no limits on attack volume.

  • A) True
  • B) False

Answer: A) True

Explanation: AWS Shield Advanced provides expanded DDoS protection with no scaling limitations concerning the size of the DDoS attack.

Which of the following is NOT a feature of AWS WAF?

  • A) Customizable web security rules
  • B) Real-time traffic monitoring
  • C) Automatic encryption of data traffic
  • D) Integration with AWS services like ALB and Amazon API Gateway

Answer: C) Automatic encryption of data traffic

Explanation: AWS WAF does not handle encryption of data traffic; it focuses on filtering traffic based on customizable web security rules and integrates with specific AWS services for traffic monitoring.

AWS Shield Standard is automatically enabled for all AWS customers at no additional charge to protect against which types of attacks?

  • A) DDoS attacks
  • B) Phishing attacks
  • C) Man-in-the-middle attacks
  • D) Viruses and malware

Answer: A) DDoS attacks

Explanation: AWS Shield Standard provides basic protection against DDoS attacks for all AWS customers at no extra cost.

True or False: AWS Network Firewall supports both inbound and outbound traffic filtering rules.

  • A) True
  • B) False

Answer: A) True

Explanation: AWS Network Firewall allows for the creation of inbound and outbound traffic filtering rules to help protect VPC resources.

When integrating AWS WAF with Amazon CloudFront, the protected resources can be:

  • A) Only in the AWS region where the WAF is deployed.
  • B) Distributed globally.
  • C) Limited to the United States.
  • D) Exclusive to AWS Edge locations.

Answer: B) Distributed globally.

Explanation: When AWS WAF is used with Amazon CloudFront, it can protect resources distributed globally as CloudFront is a global Content Delivery Network (CDN) service.

AWS Network Firewall is a managed service for:

  • A) Endpoint protection
  • B) VPCs
  • C) DDoS mitigation
  • D) Data encryption

Answer: B) VPCs

Explanation: AWS Network Firewall is a managed service that is designed to provide network protection for your Amazon VPCs.

True or False: AWS WAF is capable of rate-based rule enforcement to protect against high request volumes that may indicate a DDoS attack.

  • A) True
  • B) False

Answer: A) True

Explanation: AWS WAF offers rate-based rules that allow it to block IP addresses that send requests at a rate that exceeds a defined threshold, which helps in mitigating DDoS attacks.

Interview Questions

What is AWS WAF and how does it help in securing inbound traffic flows?

AWS WAF is a web application firewall that helps protect web applications or APIs against common web exploits and bots that may affect availability, compromise security, or consume excessive resources. It offers customizable web security rules that allow you to block, allow, or monitor (count) web requests based on conditions such as IP addresses, HTTP headers, HTTP body, URI strings, and more.

Can you explain how AWS Shield protects AWS resources, and what is the difference between AWS Shield Standard and AWS Shield Advanced?

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service. AWS Shield Standard offers basic protection for all AWS customers at no additional cost and is designed to protect against most common, frequently occurring network and transport layer DDoS attacks. AWS Shield Advanced provides additional protection against larger and more sophisticated attacks, and it offers features like enhanced DDoS protection, 24×7 access to the AWS DDoS Response Team (DRT), and financial protection against DDoS-related spikes in your AWS bill.

Describe how you would go about implementing a Network Firewall in an AWS environment.

To implement an AWS Network Firewall, first create a firewall policy that outlines the stateful and stateless rule groups for traffic inspection. Then define the firewall by associating the policy with a VPC and selecting the subnets where the firewall endpoints will be placed. Finally, configure route tables to direct the desired traffic through the firewall endpoints. AWS Network Firewall automatically scales with traffic flows, providing high availability and easy management within an AWS environment.
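The rule-group and policy side of that procedure, as an added example that is not part of the original notes. The dictionary shapes follow the Network Firewall API (`RulesSource` with either a Suricata `RulesString` or a domain `RulesSourceList`, `StatefulRuleGroupReferences`); the VPC CIDR, the domain list, the rule names, sids and capacity values are constructed for the example. Network Firewall's stateful engine is Suricata-compatible, so the text rule form below is what the service accepts.

```python
"""Build AWS Network Firewall rule groups and a firewall policy.

Added example, not from the original notes. Dict shapes follow the Network
Firewall API; the CIDR, domains, names, sids and capacities are constructed.
"""

HOME_NET = "10.0.0.0/16"  # constructed: the VPC CIDR the firewall protects


def suricata_rule(action, proto, src, sport, dst, dport, msg, sid, rev=1):
    """Render one stateful rule in Suricata syntax."""
    return (f"{action} {proto} {src} {sport} -> {dst} {dport} "
            f'(msg:"{msg}"; sid:{sid}; rev:{rev};)')


def suricata_rules_source(rules):
    """Join rules into a RulesString, rejecting duplicate sids (every sid in a
    Suricata rule set must be unique, otherwise the rule group is rejected)."""
    sids = [r.split("sid:")[1].split(";")[0] for r in rules]
    if len(set(sids)) != len(sids):
        raise ValueError("duplicate sid in rule set")
    return {"RulesString": "\n".join(rules)}


def domain_denylist_source(domains):
    """RulesSourceList: block HTTP Host / TLS SNI values matching the listed
    domains (a leading '.' matches the domain and all of its subdomains)."""
    return {
        "RulesSourceList": {
            "Targets": list(domains),
            "TargetTypes": ["HTTP_HOST", "TLS_SNI"],
            "GeneratedRulesType": "DENYLIST",
        }
    }


def stateful_rule_group(name, rules_source, capacity):
    """Kwargs for network-firewall create-rule-group (Type STATEFUL).

    HOME_NET is defined as a rule variable so rules can refer to $HOME_NET.
    """
    return {
        "RuleGroupName": name,
        "Type": "STATEFUL",
        "Capacity": capacity,
        "RuleGroup": {
            "RuleVariables": {"IPSets": {"HOME_NET": {"Definition": [HOME_NET]}}},
            "RulesSource": rules_source,
        },
    }


def firewall_policy(name, stateful_group_arns):
    """Kwargs for create-firewall-policy: all stateless traffic (fragments
    included) is forwarded to the stateful engine, which applies the groups."""
    return {
        "FirewallPolicyName": name,
        "FirewallPolicy": {
            "StatelessDefaultActions": ["aws:forward_to_sfe"],
            "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
            "StatefulRuleGroupReferences": [
                {"ResourceArn": arn} for arn in stateful_group_arns
            ],
        },
    }


if __name__ == "__main__":
    inbound = suricata_rules_source([
        suricata_rule("drop", "tcp", "$EXTERNAL_NET", "any", "$HOME_NET", 23,
                      "block inbound telnet", 1000001),
        suricata_rule("drop", "tcp", "$EXTERNAL_NET", "any", "$HOME_NET", 3389,
                      "block inbound RDP from the internet", 1000002),
    ])
    print(stateful_rule_group("inbound-deny", inbound, capacity=100))
    print(stateful_rule_group("domain-deny", domain_denylist_source([".example.com"]), 50))
    print(firewall_policy("ingress-policy", ["arn:aws:network-firewall:REGION:ACCOUNT:stateful-rulegroup/PLACEHOLDER"]))
```

After the policy is attached to a firewall, the remaining step from the procedure is routing: the route tables for the protected subnets and the internet gateway point at the firewall endpoint (the `vpce-...` ID the firewall reports per Availability Zone) so that traffic actually traverses it.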

What are the core components of AWS WAF, and how do they interact to provide protection?

Core components of AWS WAF include web ACLs (Access Control Lists), rules, and rule groups. A web ACL acts as a container for rules and rule groups, which contain conditions used to target specific traffic. Rules can be either custom-defined by the user or managed by AWS or AWS Marketplace sellers. When a request is received, AWS WAF evaluates it against the rules in order, allowing or blocking requests based on the conditions set in each rule.

How does AWS Network Firewall differ from security groups and network access control lists (NACLs)?

AWS Network Firewall is a stateful, managed firewall service for Amazon VPC that provides fine-grained control over network traffic. Unlike security groups, which are stateful and operate at the instance level, or NACLs, which are stateless and operate at the subnet level, AWS Network Firewall allows you to specify comprehensive, stateful firewall rules across all traffic flowing in and out of a VPC.

What is the purpose of managed rule groups in AWS WAF, and how can they benefit an organization?

Managed rule groups in AWS WAF are a set of pre-configured rules maintained by AWS, AWS Marketplace sellers, or AWS Partner Network (APN) partners. They provide ready-made protection against common threats like SQL injection, XSS, or known bad IPs. These rule groups are updated to react to new threats as they emerge, providing a resource-efficient way for organizations to maintain robust security without the need for in-depth web traffic expertise.

How can you integrate AWS WAF with Amazon CloudFront, and what are the benefits of this integration?

AWS WAF can be directly integrated with Amazon CloudFront by associating a web ACL with a CloudFront distribution. The benefit of this integration is that it puts security protection at the edge of AWS’s network, providing low latency and improved performance. Moreover, it helps in defending against attacks before they reach the web application or origin servers, reducing the potential for damage and resource consumption.

How do you configure AWS Shield to protect against DDoS attacks?

AWS Shield Standard is automatically enabled for all AWS customers, so no configuration is needed to get basic protection. However, for advanced protection with AWS Shield Advanced, you can subscribe to the service and select the resources you want to protect, such as Elastic IP addresses, CloudFront distributions, and Route 53 hosted zones. You can then define DDoS protection plans, engage the DDoS Response Team, and optionally configure alarms and metrics through Amazon CloudWatch for real-time monitoring.

What metrics should you monitor to identify potential security threats or DDoS attacks within an AWS environment?

Metrics to monitor include network traffic anomalies, such as spikes in incoming requests, request rates from individual IP addresses, HTTP error codes indicating rejection of requests, or a high number of dropped packets. Additionally, for AWS deployments, keeping an eye on CloudWatch metrics such as `IncomingRequestCount` or `RequestCountPerTarget`, and utilizing AWS-specific metrics like `DDoSDetected` and `DDoSAttackVolume` can help identify potential DDoS attacks early on.
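The request-rate signal described here (and the rate-based rule behaviour from the practice question above) worked through on log data, as an added example that is not part of the original notes. It counts requests per source IP over a sliding window and flags sources above a limit, which is the idea behind a WAF rate-based rule; the records, the 5-minute window and the limit of 5 are constructed for the example, and the field names (`timestamp` in milliseconds, `action`, `httpRequest.clientIp`, `httpRequest.uri`) follow the AWS WAF log format.

```python
"""Per-client request-rate detection over AWS WAF log records.

Added example, not from the original notes. Field names follow the AWS WAF
log format; the records, window and limit are constructed for the example.
"""
import json
from collections import defaultdict, deque

# Constructed WAF log lines: 203.0.113.9 bursts eight POSTs in eight seconds,
# the other two clients make one request each.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"timestamp": 1700000000000 + i * 1000, "action": "ALLOW",
     "terminatingRuleId": "Default_Action",
     "httpRequest": {"clientIp": "203.0.113.9", "uri": "/login", "httpMethod": "POST"}}
    for i in range(8)
] + [
    {"timestamp": 1700000003000, "action": "ALLOW", "terminatingRuleId": "Default_Action",
     "httpRequest": {"clientIp": "198.51.100.4", "uri": "/", "httpMethod": "GET"}},
    {"timestamp": 1700000900000, "action": "BLOCK", "terminatingRuleId": "BlockSQLi",
     "httpRequest": {"clientIp": "192.0.2.77", "uri": "/search", "httpMethod": "GET"}},
])


def parse_waf_log(text):
    """Yield (timestamp_ms, client_ip, action, uri) from newline-delimited JSON."""
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        req = rec["httpRequest"]
        yield rec["timestamp"], req["clientIp"], rec["action"], req["uri"]


def rate_offenders(records, limit, window_ms=5 * 60 * 1000):
    """Return {ip: peak_count} for clients whose request count inside any
    sliding window of window_ms exceeds limit. Records may arrive unsorted."""
    per_ip = defaultdict(list)
    for ts, ip, _action, _uri in records:
        per_ip[ip].append(ts)
    offenders = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        window = deque()
        peak = 0
        for ts in stamps:
            window.append(ts)
            # Drop timestamps that have fallen out of the window ending at ts.
            while ts - window[0] >= window_ms:
                window.popleft()
            peak = max(peak, len(window))
        if peak > limit:
            offenders[ip] = peak
    return offenders


def action_counts(records):
    """Count ALLOW/BLOCK/COUNT outcomes; a rising BLOCK share is the log-side
    counterpart of the HTTP-error-rate signal mentioned above."""
    counts = defaultdict(int)
    for _ts, _ip, action, _uri in records:
        counts[action] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = list(parse_waf_log(SAMPLE_LOG))
    print("rate offenders:", rate_offenders(recs, limit=5))
    print("actions:", action_counts(recs))
```

In production the same logic runs over WAF logs delivered to Amazon S3, CloudWatch Logs or Kinesis Data Firehose; the sliding window is what distinguishes a sustained burst from the same number of requests spread over a long period.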

In what scenarios would you choose AWS Network Firewall over AWS WAF or vice versa?

AWS WAF is more suited for application layer protection (OSI Layer 7) and is used to inspect HTTP/HTTPS traffic for web applications, whereas AWS Network Firewall is a stateful firewall service for OSI Layers 3 (Network) and 4 (Transport), allowing for broader traffic inspection capabilities, including non-HTTP protocols. You would choose AWS Network Firewall when you need to protect against threats across a wide range of network protocols and port options, whereas AWS WAF would be the choice for fine-tuned web application protection.

Gabriela Vidal
6 months ago

Great blog post! Really helped clarify AWS WAF for me.

Edward Martin
6 months ago

For those preparing for the ANS-C01, how important is understanding AWS Shield?

شایان موسوی

I have been using AWS Network Firewall and it’s a game-changer for VPC security!

Dana Oliver
6 months ago

Can someone confirm if AWS WAF works well with Application Load Balancers?

Jesús Marín
6 months ago

Does AWS Shield Advanced provide more value than just using AWS Shield Standard?

Andrea Arevalo
6 months ago

The blog was really informational, thanks for sharing.

Franklin Myers
7 months ago

I’m still a bit confused about the pricing models for AWS WAF. Any guidance?

Rashmitha Kavser
6 months ago

Thanks for the post, I feel more prepared for my AWS exam now!
