Which AWS service can help secure the application and block the malicious traffic?

AWS Shield Standard and AWS Shield Advanced provide protections against Distributed Denial of Service (DDoS) attacks for AWS resources at the network and transport layers (layer 3 and 4) and the application layer (layer 7). A DDoS attack is an attack in which multiple compromised systems try to flood a target with traffic. A DDoS attack can prevent legitimate end users from accessing the target services and can cause the target to crash due to overwhelming traffic volume.

AWS Shield provides protection against a wide range of known DDoS attack vectors and zero-day attack vectors. Shield detection and mitigation are designed to provide coverage against threats even if they are not explicitly known to the service at the time of detection.

Classes of attacks that Shield detects include the following:

  • Network volumetric attacks (layer 3) – This is a subcategory of infrastructure layer attack vectors. These vectors attempt to saturate the capacity of the targeted network or resource, to deny service to legitimate users.

  • Network protocol attacks (layer 4) – This is a subcategory of infrastructure layer attack vectors. These vectors abuse a protocol to deny service to the targeted resource. A common example of a network protocol attack is a TCP SYN flood, which can exhaust connection state on resources like servers, load balancers, or firewalls. A network protocol attack can also be volumetric. For example, a larger TCP SYN flood may intend to saturate the capacity of a network while also exhausting the state of the targeted resource or intermediate resources.

  • Application layer attacks (layer 7) – This category of attack vector attempts to deny service to legitimate users by flooding an application with queries that are valid for the target, such as web request floods.

AWS WAF is a web application firewall that helps protect web applications and APIs from attacks. It enables you to configure a set of rules (called a web access control list (web ACL)) that allow, block, or count web requests based on customizable web security rules and conditions that you define. For more information, see How AWS WAF Works.

You can use AWS WAF to protect your API Gateway API from common web exploits, such as SQL injection and cross-site scripting (XSS) attacks. These could affect API availability and performance, compromise security, or consume excessive resources. For example, you can create rules to allow or block requests from specified IP address ranges, requests from CIDR blocks, requests that originate from a specific country or region, requests that contain malicious SQL code, or requests that contain malicious script.

You can also create rules that match a specified string or a regular expression pattern in HTTP headers, method, query string, URI, and the request body (limited to the first 8 KB). Additionally, you can create rules to block attacks from specific user agents, bad bots, and content scrapers. For example, you can use rate-based rules to specify the number of web requests that are allowed by each client IP in a trailing, continuously updated, 5-minute period.

AWS WAF is your first line of defense against web exploits. When AWS WAF is enabled on an API, AWS WAF rules are evaluated before other access control features, such as resource policies, IAM policies, Lambda authorizers, and Amazon Cognito authorizers. For example, if AWS WAF blocks access from a CIDR block that a resource policy allows, AWS WAF takes precedence and the resource policy isn't evaluated.
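The rule semantics described above (rules evaluated in priority order; allow, block or count actions; a rate-based rule keyed on client IP over a trailing 5-minute window; a default action when nothing matches) can be seen end to end in a small offline model. The following is an added example written for this page, not AWS code and not how AWS WAF is implemented internally: it is a simplified evaluator that applies an IP-set rule and a rate-based rule to constructed sample traffic. The class and rule names, the CIDR ranges (documentation ranges) and the request timestamps are all assumptions made for the illustration; real AWS WAF counts rate-based rules at intervals rather than per request, so treat the window logic as an approximation.

```python
"""Simplified model of AWS WAF web ACL evaluation (constructed example, not AWS code)."""
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Request:
    ip: str
    ts: float          # arrival time in seconds (constructed clock)
    uri: str = "/"


@dataclass
class IpSetRule:
    """Matches when the client IP falls inside one of the listed CIDR blocks."""
    name: str
    priority: int
    action: str        # "allow" | "block" | "count"
    cidrs: list

    def matches(self, req, state):
        addr = ipaddress.ip_address(req.ip)
        return any(addr in ipaddress.ip_network(c) for c in self.cidrs)


@dataclass
class RateBasedRule:
    """Matches once a client IP exceeds `limit` requests in the trailing window."""
    name: str
    priority: int
    action: str
    limit: int
    window: float = 300.0   # trailing 5-minute window, as in the text above

    def matches(self, req, state):
        seen = state[self.name][req.ip]
        seen.append(req.ts)
        # Drop timestamps that have aged out of the trailing window.
        while seen and seen[0] <= req.ts - self.window:
            seen.popleft()
        return len(seen) > self.limit


class WebAcl:
    """Evaluates rules lowest priority number first; 'count' records and continues."""

    def __init__(self, rules, default_action="allow"):
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.default_action = default_action
        self.state = defaultdict(lambda: defaultdict(deque))
        self.counted = defaultdict(int)

    def evaluate(self, req):
        for rule in self.rules:
            if rule.matches(req, self.state):
                if rule.action == "count":
                    self.counted[rule.name] += 1
                    continue              # count never terminates evaluation
                return rule.action, rule.name
        return self.default_action, "default"


def run_sample():
    """Run constructed traffic through a web ACL; returns (decision counts, count-rule tallies)."""
    acl = WebAcl([
        IpSetRule("count-partner-range", priority=0, action="count", cidrs=["198.51.100.0/24"]),
        IpSetRule("block-test-net", priority=1, action="block", cidrs=["203.0.113.0/24"]),
        RateBasedRule("rate-limit", priority=2, action="block", limit=100),
    ])
    results = defaultdict(int)

    def record(req):
        action, rule = acl.evaluate(req)
        results[(action, rule)] += 1

    record(Request("203.0.113.9", ts=0.0))            # blocked by the IP-set rule
    for i in range(150):                              # burst: 150 requests in 150 s
        record(Request("198.51.100.7", ts=float(i)))  # first 100 pass, the rest are rate-limited
    record(Request("192.0.2.1", ts=400.0))            # unrelated client, default allow
    record(Request("198.51.100.7", ts=1000.0))        # burst has aged out of the window
    return dict(results), dict(acl.counted)


if __name__ == "__main__":
    decisions, counts = run_sample()
    for key, n in sorted(decisions.items()):
        print(f"{key[0]:5s} via {key[1]:20s} {n}")
    print("counted:", counts)
```

The ordering matters for the same reason the text gives for AWS WAF sitting ahead of resource policies: the block rule at priority 1 returns before the rate-based rule ever sees the request, while the count rule at priority 0 tallies the partner range without affecting the outcome, which is the usual way to trial a new rule before switching it to block.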

To enable AWS WAF for your API, you need to do the following:

  1. Use the AWS WAF console, AWS SDK, or CLI to create a Regional web ACL that contains the desired combination of AWS WAF managed rules and your own custom rules. For more information, see Getting Started with AWS WAF and Creating and Configuring a Web Access Control List (Web ACL).

    API Gateway requires a Regional web ACL.

  2. Associate the AWS WAF Regional web ACL with an API stage. You can do this by using the AWS WAF console, AWS SDK, or CLI or by using the API Gateway console, AWS SDK, or CLI.

To associate an AWS WAF regional Web ACL with an API Gateway API stage using the API Gateway console

To use the API Gateway console to associate an AWS WAF Regional web ACL with an existing API Gateway API stage, use the following steps:

  1. Sign in to the API Gateway console at https://console.aws.amazon.com/apigateway.

  2. In the APIs navigation pane, choose the API, and then choose Stages.

  3. In the Stages pane, choose the name of the stage.

  4. In the Stage Editor pane, choose the Settings tab.

  5. To associate a Regional web ACL with the API stage:

    1. In the AWS WAF web ACL dropdown list, choose the Regional web ACL that you want to associate with this stage.

      If the web ACL you need doesn't exist yet, choose Create WebACL. Then choose Go to AWS WAF to open the AWS WAF console in a new browser tab and create a Regional web ACL. Then return to the API Gateway console to associate the web ACL with the stage.

  6. Choose Save Changes.

Associate an AWS WAF regional Web ACL with an API Gateway API stage using the AWS CLI

To use the AWS CLI to associate an AWS WAF Regional web ACL with an existing API Gateway API stage, call the associate-web-acl command, as in the following example:

aws waf-regional associate-web-acl \
--web-acl-id 'aabc123a-fb4f-4fc6-becb-2b00831cadcf' \
--resource-arn 'arn:aws:apigateway:{region}::/restapis/4wk1k4onj3/stages/prod'

Associate an AWS WAF regional web ACL with an API stage using the AWS WAF REST API

To use the AWS WAF REST API to associate an AWS WAF Regional web ACL with an existing API Gateway API stage, call the AssociateWebACL command, as in the following example:

import boto3

# Classic AWS WAF (waf-regional) client; API Gateway stages are Regional resources.
# Note: the AWS WAFv2 client ('wafv2') takes WebACLArn instead of WebACLId.
waf = boto3.client('waf-regional')

# Attach the Regional web ACL to the stage. Replace {region} with the API's Region.
waf.associate_web_acl(
    WebACLId='aabc123a-fb4f-4fc6-becb-2b00831cadcf',
    ResourceArn='arn:aws:apigateway:{region}::/restapis/4wk1k4onj3/stages/prod'
)

Which of these AWS services can be used to protect your web applications from malicious requests from specific IP addresses?

AWS WAF helps protect your website from common attack techniques like SQL injection and Cross-Site Scripting (XSS). In addition, you can create rules that can block or rate-limit traffic from specific user-agents, from specific IP addresses, or that contain particular request headers.

Which AWS service helps protect your website from all types of malware attacks?

AWS Shield is a managed threat protection service that safeguards applications running on AWS against exploitation of application vulnerabilities, bad bots, and Distributed Denial of Service (DDoS) attacks.

Which AWS service helps identify malicious or unauthorized activities in AWS accounts and workloads?

Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.

Which AWS services are involved with security?

AWS provides services that help you protect your data, accounts, and workloads from unauthorized access. AWS data protection services provide encryption and key management, and threat detection services continuously monitor and protect your accounts and workloads.