AWS Certified Advanced Networking - Specialty: Blacklisting URLs on EC2 Instances | Exam Prep

Blacklisting URLs on EC2 Instances


Question

A company has set up a set of EC2 Instances behind an Application Load Balancer.

There seems to be a barrage of requests from a series of URLs.

You need to have these URLs blacklisted.

How can you achieve this in an ongoing manner?

Answers

Explanations


Answer - C.

Options A and B are incorrect since security groups and NACLs can only be used to blacklist IP addresses, not URLs.

Option D is incorrect since this cannot be used to prevent attacks from the Internet.

The AWS Documentation mentions the following.

AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources.

AWS WAF gives you control over traffic to allow or block your web applications by defining customizable web security rules.

You can use AWS WAF to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules designed for your specific application.

New rules can be deployed within minutes, letting you respond quickly to changing traffic patterns.

Also, AWS WAF includes a full-featured API that you can use to automate the creation, deployment, and maintenance of web security rules.

For more information on AWS WAF, please refer to the URL below.

https://aws.amazon.com/waf/

To blacklist URLs in an ongoing manner for EC2 instances behind an Application Load Balancer, the best solution would be to use a Web Application Firewall (WAF) by placing it in front of the load balancer. Hence, option C is the correct answer.

Here is a detailed explanation of each option and why WAF is the best solution:

Option A: Deny the URLs via the Security Groups for the Instance.

Security groups are used to control inbound and outbound traffic for EC2 instances. However, security groups work at the instance level, and it is not feasible to update the security group rules for each instance as URLs change. Moreover, security groups filter traffic only by IP address and port number, not by URL. Therefore, this option is not practical for blacklisting URLs.

Option B: Deny the URLs via the NACLs for the subnet.

Network Access Control Lists (NACLs) are used to control inbound and outbound traffic for subnets. NACLs work at the subnet level and can be used to block traffic from specific IP addresses or ranges. However, similar to security groups, NACLs do not work at the URL level. Additionally, updating NACL rules for each URL can be a tedious and time-consuming task. Therefore, this option is not practical for blacklisting URLs.

Option C: Put a WAF in front of the Application Load Balancer.

A WAF is a security solution that can inspect the incoming HTTP/HTTPS traffic and block requests based on predefined rules. By placing a WAF in front of the load balancer, all traffic that passes through the load balancer is inspected by the WAF, and requests that match the blacklisted URLs can be blocked. A WAF can be configured to update the list of blacklisted URLs dynamically, making it an effective solution for ongoing blacklisting.
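As an added example (not part of the original question or of AWS documentation), the following Python builds the AWS WAFv2 BLOCK rule that the explanation describes, attaches a REGIONAL web ACL to the ALB, and shows how the URL list is updated afterwards; it assumes URLs are matched as URL-decoded URI-path prefixes, and the function names are this example's own.

```python
# Added example (not from the page): AWS WAFv2 rule that BLOCKs requests whose
# URL-decoded URI path starts with a listed prefix, for a REGIONAL web ACL
# attached to an Application Load Balancer. Function names are this example's own.

def uri_prefix_statement(path: str) -> dict:
    """ByteMatchStatement: match when the decoded URI path starts with `path`."""
    return {"ByteMatchStatement": {
        "SearchString": path.encode(),  # WAFv2 takes a Blob, i.e. bytes
        "FieldToMatch": {"UriPath": {}},
        "TextTransformations": [{"Priority": 0, "Type": "URL_DECODE"}],
        "PositionalConstraint": "STARTS_WITH",
    }}

def build_block_rule(paths: list[str], name: str = "BlockBlacklistedPaths") -> dict:
    """One BLOCK rule for all paths. OrStatement requires >= 2 statements,
    so a single path is used on its own."""
    if not paths:
        raise ValueError("at least one path is required")
    stmts = [uri_prefix_statement(p) for p in paths]
    statement = stmts[0] if len(stmts) == 1 else {"OrStatement": {"Statements": stmts}}
    return {
        "Name": name, "Priority": 0, "Action": {"Block": {}}, "Statement": statement,
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True, "MetricName": name},
    }

def deploy(alb_arn: str, paths: list[str], acl_name: str = "alb-url-blacklist") -> str:
    """Create the web ACL and attach it to the ALB; returns the web ACL ARN.
    boto3 is imported here so the rule builder works without AWS credentials."""
    import boto3
    waf = boto3.client("wafv2")
    vis = {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
           "MetricName": acl_name}
    acl = waf.create_web_acl(Name=acl_name, Scope="REGIONAL", DefaultAction={"Allow": {}},
                             Rules=[build_block_rule(paths)], VisibilityConfig=vis)
    arn = acl["Summary"]["ARN"]
    waf.associate_web_acl(WebACLArn=arn, ResourceArn=alb_arn)
    return arn

def replace_blocklist(waf, acl_name: str, acl_id: str, paths: list[str]) -> None:
    """Ongoing maintenance: replace the rule set in place. update_web_acl is
    optimistically locked, so the current LockToken is fetched first."""
    cur = waf.get_web_acl(Name=acl_name, Scope="REGIONAL", Id=acl_id)
    waf.update_web_acl(Name=acl_name, Scope="REGIONAL", Id=acl_id,
                       DefaultAction=cur["WebACL"]["DefaultAction"],
                       Rules=[build_block_rule(paths)],
                       VisibilityConfig=cur["WebACL"]["VisibilityConfig"],
                       LockToken=cur["LockToken"])
```

Because the web ACL sits in front of the ALB, every request the load balancer receives is evaluated against this rule before it reaches the EC2 instances, and the list is changed with `replace_blocklist` rather than by touching any instance or subnet.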

Option D: Use AWS VPC Flow logs to prevent attacks from the URLs.

AWS VPC Flow logs provide detailed information about the traffic flows in a VPC. However, VPC Flow logs do not provide the ability to block traffic. They only provide visibility into the traffic that passes through the VPC. Therefore, this option is not practical for blacklisting URLs.

In conclusion, the best option to blacklist URLs in an ongoing manner for EC2 instances behind an Application Load Balancer is to use a WAF.