
Study Guide: Securing Inbound Traffic Flows into AWS

Securing inbound traffic flows into AWS (for example, AWS WAF, AWS Shield, Network Firewall)

Securing Inbound Traffic Flows into AWS

This study guide focuses on the critical mechanisms and services used to protect AWS environments from external threats. Mastering these tools is essential for the AWS Certified Advanced Networking - Specialty (ANS-C01) exam.

Learning Objectives

After studying this guide, you should be able to:

  • Differentiate between AWS WAF, AWS Shield, and AWS Network Firewall.
  • Select the appropriate security service based on the OSI layer (Layer 3/4 vs. Layer 7).
  • Configure stateful and stateless filtering using Security Groups and Network ACLs (NACLs).
  • Manage security policies at scale across multiple accounts using AWS Firewall Manager.
  • Identify common web exploits such as SQL injection (SQLi) and Cross-Site Scripting (XSS).

Key Terms & Glossary

  • Web ACL (Access Control List): A set of rules in AWS WAF that defines which web requests to allow or block.
  • SQL Injection (SQLi): A web exploit where malicious SQL code is inserted into input fields to manipulate a backend database.
  • Cross-Site Scripting (XSS): An attack where malicious scripts are injected into otherwise benign and trusted websites.
  • Stateless Filtering: A firewall method where each packet is treated in isolation (e.g., NACLs); you must explicitly allow return traffic.
  • Stateful Filtering: A method where the firewall remembers the state of active connections (e.g., Security Groups); return traffic is automatically allowed.

The "Big Idea"

IMPORTANT: The core philosophy of inbound security in AWS is Defense in Depth. No single service provides 100% protection. Instead, AWS uses a layered approach: Shield handles DDoS at the edge, WAF inspects HTTP/S traffic for application-layer attacks, Network Firewall inspects VPC-level traffic, and Security Groups provide the final line of defense at the instance level.

Formula / Concept Box

Service          | OSI Layer | Primary Function
AWS Shield       | 3, 4, 7   | DDoS protection (Standard & Advanced)
AWS WAF          | 7         | Web exploit protection (SQLi, XSS)
Network Firewall | 3 - 7     | Managed VPC-wide traffic filtering (DPI)
Security Group   | 4         | Instance-level stateful firewall
Network ACL      | 4         | Subnet-level stateless firewall

Hierarchical Outline

  • Perimeter Security
    • AWS Shield: DDoS mitigation at the edge.
    • AWS WAF: Application-layer filtering for CloudFront, ALB, and API Gateway.
  • VPC Infrastructure Security
    • AWS Network Firewall: Inspecting traffic between subnets or from the Internet Gateway (IGW).
    • NACLs: The first line of defense at the subnet boundary.
  • Instance/Resource Security
    • Security Groups: Granular control for EC2, RDS, and Lambda.
  • Governance & Scaling
    • Firewall Manager: Centrally managing WAF, Shield, and SG policies across an AWS Organization.

Visual Anchors

[Diagram: Inbound Traffic Hierarchy]

[Diagram: Stateless vs. Stateful Logic]

Definition-Example Pairs

  • AWS WAF Custom Rules

    • Definition: User-defined conditions to filter traffic based on IP addresses, HTTP headers, or body content.
    • Example: Blocking all traffic from a specific country (Geo-blocking) because your application only serves users in the UK.
  • Shield Advanced Proactive Response

    • Definition: An AWS SRT (Shield Response Team) feature that automatically contacts you or takes action during a suspected DDoS.
    • Example: A massive sudden spike in UDP traffic triggers the SRT to apply custom mitigations before your infrastructure is overwhelmed.
  • Firewall Manager Policy

    • Definition: A set of rules deployed across multiple accounts to ensure a baseline security posture.
    • Example: Mandating that every ALB in your AWS Organization must have a specific WAF Web ACL attached to block common botnets.

Worked Examples

Scenario: Securing a Web Application on ALB

Goal: Protect a web application against SQL injection and high-volume Layer 7 DDoS attacks.

  1. Deployment of AWS Shield Advanced: Enable Shield Advanced on the Application Load Balancer (ALB). This provides cost protection for scaling and access to the Shield Response Team.
  2. AWS WAF Association: Create a Web ACL in AWS WAF and associate it with the ALB.
  3. Rule Configuration:
    • Add AWS Managed Rules for "Core Rule Set" and "SQL Database" protection.
    • Configure a Rate-based Rule (e.g., 2,000 requests per 5 minutes) to block IPs that are attempting to flood the site.
  4. Logging: Enable WAF logging to an S3 bucket or Kinesis Data Firehose for audit trails and analysis.
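The Web ACL from steps 2 and 3, as an added example that is not part of the study guide: the rules list in the shape `aws wafv2 create-web-acl` expects (the managed group names are the real AWS identifiers for the "Core rule set" and "SQL database" groups), plus a pure-Python model of how the rate-based rule counts requests per source IP over a trailing 5-minute window. The sample traffic is constructed, not captured.

```python
from collections import defaultdict, deque


def visibility(name):
    """CloudWatch/sampling settings every WAF rule and the Web ACL itself require."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": name}


def managed_rule(name, priority):
    """AWS managed rule group; OverrideAction None keeps the group's own actions."""
    return {"Name": name, "Priority": priority,
            "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": name}},
            "OverrideAction": {"None": {}},
            "VisibilityConfig": visibility(name)}


def web_acl_rules(limit=2000):
    """Rules list for `aws wafv2 create-web-acl`: Core Rule Set, SQLi rule set,
    then a rate-based rule that blocks any single IP above `limit` per 5 minutes."""
    return [
        managed_rule("AWSManagedRulesCommonRuleSet", 0),
        managed_rule("AWSManagedRulesSQLiRuleSet", 1),
        {"Name": "RateLimitPerIP", "Priority": 2,
         "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
         "Action": {"Block": {}},
         "VisibilityConfig": visibility("RateLimitPerIP")},
    ]


def rate_limited_ips(requests, limit=2000, window=300):
    """Model of the rate-based rule: IPs whose request count in any trailing
    `window` seconds exceeds `limit`. `requests` is (epoch_seconds, ip), time-ordered."""
    recent = defaultdict(deque)
    offenders = set()
    for ts, ip in requests:
        q = recent[ip]
        q.append(ts)
        while q[0] <= ts - window:      # drop requests that fell out of the window
            q.popleft()
        if len(q) > limit:
            offenders.add(ip)
    return offenders


# Constructed sample traffic (not real logs): one client sends 2,500 requests in
# 4 minutes; another sends 2,500 spread over 25 minutes (about 500 per 5 minutes).
SAMPLE = sorted([(i * 240 / 2500, "203.0.113.10") for i in range(2500)] +
                [(i * 1500 / 2500, "198.51.100.7") for i in range(2500)])

if __name__ == "__main__":
    print("blocked by rate rule:", rate_limited_ips(SAMPLE))   # {'203.0.113.10'}
```

Only the burst client trips the rule; the slow client sends the same total but never exceeds the limit inside any 5-minute window, which is why the window length matters as much as the count.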

Checkpoint Questions

  1. Which service would you use to block a specific HTTP Header modification attack?
  2. True or False: If you allow inbound traffic on port 80 in a Security Group, you must also allow outbound traffic on ephemeral ports for the response to work.
  3. What is the difference between AWS WAF and AWS Network Firewall regarding traffic inspection?
  4. How does AWS Firewall Manager integrate with AWS Organizations?

Muddy Points & Cross-Refs

  • WAF vs. Network Firewall: Many confuse these. WAF is exclusively for HTTP/S (Layer 7) and is application-aware. Network Firewall is for the whole VPC (Layer 3-7) and can filter protocols like SSH, FTP, or custom TCP/UDP traffic.
  • NACL Rule Order: NACLs use numbered rules (100, 200, etc.) and are evaluated in order. If Rule 100 allows and Rule 200 denies, the traffic is allowed. Always leave gaps (e.g., use increments of 100) for future rules.
  • Stateful Responses: Remember that Security Groups are stateful. This is a common exam trap where they ask if you need to open outbound ports for a web server to return data—you do not for Security Groups, but you do for NACLs.
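The NACL rule-order and stateful-vs-stateless points above, as an added example that is not part of the study guide: a small model of a NACL evaluating numbered rules in order (first match wins, implicit deny at the end) and of a Security Group tracking connections so that replies need no outbound rule. Rule sets and port numbers are constructed for illustration.

```python
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)   # the return-traffic range a stateless NACL must allow explicitly


@dataclass(frozen=True)
class Rule:
    number: int             # NACL rules are evaluated from the lowest number upward
    protocol: str
    ports: tuple            # inclusive (low, high)
    action: str             # "allow" or "deny"


def nacl_decision(rules, protocol, port):
    """Stateless: the first matching rule decides; no match hits the implicit deny (*)."""
    for r in sorted(rules, key=lambda rule: rule.number):
        if r.protocol == protocol and r.ports[0] <= port <= r.ports[1]:
            return r.action
    return "deny"


class SecurityGroup:
    """Stateful: once an inbound flow is allowed, its reply is allowed automatically."""

    def __init__(self, inbound_ports):
        self.inbound_ports = set(inbound_ports)
        self.tracked = set()        # (client_ip, client_port) of accepted connections

    def inbound(self, client_ip, client_port, dst_port):
        allowed = dst_port in self.inbound_ports
        if allowed:
            self.tracked.add((client_ip, client_port))
        return allowed

    def outbound_reply(self, client_ip, client_port):
        # No outbound rule is consulted: a tracked connection's reply just goes out
        return (client_ip, client_port) in self.tracked


# Constructed NACL rule sets: rule 100 allows HTTP, a later rule 200 denies it (100 wins)
INBOUND = [Rule(100, "tcp", (80, 80), "allow"), Rule(200, "tcp", (80, 80), "deny")]
OUTBOUND_MISSING_EPHEMERAL = [Rule(100, "tcp", (443, 443), "allow")]
OUTBOUND_FIXED = OUTBOUND_MISSING_EPHEMERAL + [Rule(110, "tcp", EPHEMERAL, "allow")]


def web_reply_allowed(outbound_rules, client_port=51234):
    """Does the web server's reply to a client on an ephemeral port leave the subnet?"""
    return nacl_decision(outbound_rules, "tcp", client_port) == "allow"
```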

Comparison Tables

Feature      | AWS WAF                 | AWS Network Firewall        | AWS Shield Advanced
Traffic Type | HTTP/S                  | All IP traffic              | All IP traffic
Protection   | Web exploits            | Network-level filtering     | DDoS mitigation
Placement    | CloudFront, ALB, API GW | VPC (Subnet/IGW)            | CloudFront, ALB, EIP, R53
Central Mgmt | Firewall Manager        | Firewall Manager            | Firewall Manager
Cost Model   | Per Web ACL / Rule      | Per Firewall / GB processed | Monthly subscription ($3k/mo)
