
Comprehensive Study Guide: External Threat Vectors & AWS Security Mitigation

Threat vectors external to AWS (for example, DDoS, SQL injection)

This guide covers the identification of external threat vectors, such as DDoS and SQL injection, and the specific AWS services designed to mitigate these risks at various layers of the OSI model.

Learning Objectives

  • Identify common external threat vectors including DDoS, SQL injection, and HTTP floods.
  • Differentiate between AWS Shield Standard and AWS Shield Advanced capabilities.
  • Explain how AWS WAF protects against application-layer (Layer 7) attacks.
  • Determine the appropriate security service (WAF, Shield, NACL, or Security Group) for specific attack scenarios.
  • Understand the role of the AWS DDoS Response Team (DRT) in Shield Advanced.

Key Terms & Glossary

  • DDoS (Distributed Denial of Service): A malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.
  • SQL Injection: A type of vulnerability where an attacker inserts malicious SQL code into a query, potentially allowing them to view, modify, or delete database data.
  • Layer 3/4 Attacks: Infrastructure-layer attacks (Network/Transport) such as SYN floods or UDP reflection that target network bandwidth.
  • Layer 7 Attacks: Application-layer attacks (HTTP/HTTPS) that target specific web application functions, such as "HTTP Floods" or login page brute forcing.
  • False Positive: A security alert that incorrectly flags legitimate traffic as malicious.

The "Big Idea"

Defense in Depth: Security in AWS is not a single "on/off" switch. It requires a layered approach where AWS Shield handles the infrastructure floods at the edge, AWS WAF inspects the specific "intent" of web requests at the application level, and VPC Security Components (NACLs/Security Groups) provide the final gatekeeping for your specific instances. This multi-layered strategy ensures that even if one layer is bypassed, others are in place to mitigate the threat.

Formula / Concept Box

| Feature | AWS Shield Standard | AWS Shield Advanced | AWS WAF |
| --- | --- | --- | --- |
| Cost | Free (included) | $3,000/month + data fees | Pay per rule / request |
| OSI Layers | Layers 3 & 4 | Layers 3, 4, & 7 | Layer 7 |
| Response Team | No | Yes (DDoS Response Team) | No |
| Cost Protection | No | Yes (refunds for scaling) | No |
| Best For | Common network attacks | Mission-critical apps | SQLi, XSS, bot control |

Hierarchical Outline

  1. Infrastructure Layer Protection (Layers 3 & 4)
    • AWS Shield Standard: Automatic protection for all AWS customers; targets SYN floods and UDP reflection.
    • VPC Security Groups: Stateful firewalls for instances; used to restrict traffic to known ports and sources (e.g., not exposing MySQL port 3306 to the Internet).
    • Network ACLs: Stateless subnet-level protection; useful for blocking specific malicious IP ranges.
  2. Application Layer Protection (Layer 7)
    • AWS WAF (Web Application Firewall): Rules-based inspection for Application Load Balancers (ALB), CloudFront, and API Gateway.
    • AWS Shield Advanced: Integrates with WAF and provides 24/7 access to the DDoS Response Team (DRT).
  3. Threat Vector Specifics
    • SQL Injection: Mitigated via WAF rules that inspect query strings.
    • HTTP Floods: Managed by WAF rate-based rules or Shield Advanced automated mitigation.
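The rate-based rule mentioned for HTTP floods counts requests per source IP over a five-minute window and blocks the source once it exceeds the limit. The following added example (not from the study guide or from AWS) reproduces that logic over a constructed access log; the limit is lowered to 5 so the sample stays short, and a real rule uses a far higher limit and re-evaluates on a schedule rather than per request.

```python
"""Sliding five-minute window counter, modelled on a WAF rate-based rule."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # rate-based rules count requests per 5-minute window
LIMIT = 5                       # lowered for the constructed sample; real rules use far higher limits

# Constructed sample access log: "<timestamp> <client IP> <method> <path>"
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.10 GET /search?q=boots
2024-01-01T10:00:02 198.51.100.7 GET /
2024-01-01T10:00:03 203.0.113.10 GET /search?q=boots
2024-01-01T10:00:04 203.0.113.10 GET /search?q=boots
2024-01-01T10:00:05 203.0.113.10 GET /search?q=boots
2024-01-01T10:00:06 203.0.113.10 GET /search?q=boots
2024-01-01T10:00:07 198.51.100.7 GET /cart
2024-01-01T10:00:08 203.0.113.10 GET /search?q=boots
2024-01-01T10:06:00 203.0.113.10 GET /search?q=boots
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, method, path)."""
    ts, ip, method, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), ip, method, path


def evaluate(log_text, limit=LIMIT, window=WINDOW):
    """Return (decisions, blocked_ips): one 'ALLOW'/'BLOCK' per request, in order,
    and the set of source IPs that exceeded `limit` requests within any `window`."""
    history = defaultdict(deque)  # ip -> timestamps still inside the window
    decisions, blocked = [], set()
    for line in log_text.splitlines():
        ts, ip, _, _ = parse_line(line)
        recent = history[ip]
        recent.append(ts)
        while recent and ts - recent[0] > window:  # forget requests older than the window
            recent.popleft()
        if len(recent) > limit:
            decisions.append("BLOCK")
            blocked.add(ip)
        else:
            decisions.append("ALLOW")
    return decisions, blocked
```

The flooding IP is blocked on its sixth request; its request at 10:06 is allowed again because the earlier ones have aged out of the window, which is why a legitimate burst and a sustained flood are treated differently.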

Visual Anchors

Threat Mitigation Flow (diagram not included in this text)

OSI Security Mapping

\begin{tikzpicture}[node distance=1.5cm]
  \draw (0,0) rectangle (6,0.8) node[midway] {Layer 7: Application (WAF / Shield Adv)};
  \draw (0,1) rectangle (6,1.8) node[midway] {Layer 4: Transport (Shield Std / SG)};
  \draw (0,2) rectangle (6,2.8) node[midway] {Layer 3: Network (Shield Std / NACL)};
  \draw[thick, ->] (-1,0.4) -- (-1,2.4) node[midway, left, rotate=90] {External Threats};
  \draw[thick, <-] (7,0.4) -- (7,2.4) node[midway, right, rotate=270] {AWS Protection};
\end{tikzpicture}

Definition-Example Pairs

  • UDP Reflection Attack: An attacker sends a small UDP request with a spoofed source IP to a server, which then "reflects" a much larger response to the victim.
    • Example: Using an open NTP server to flood a company's EC2 instance with massive amounts of time-sync data.
  • SQL Injection (SQLi): Attacker inputs SQL syntax into a web form.
    • Example: Typing ' OR '1'='1 into a login password field to bypass authentication and gain admin access.
  • HTTP Flood: A Layer 7 DDoS attack where the attacker sends a massive number of GET or POST requests to a specific URL.
    • Example: Thousands of bots refreshing a "Search" page simultaneously to exhaust the database's CPU.
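The SQL injection pair above shows why the guide's `' OR '1'='1` input works: the quotes become part of the SQL text. The added example below (not from the study guide) runs that exact input against a string-built login query and against a parameterized one, using an in-memory SQLite table; the table and its plaintext password column are constructed for illustration only.

```python
"""Login lookup: string-built query (vulnerable) beside a parameterized one (safe)."""
import sqlite3


def make_db():
    # Constructed in-memory user table; plaintext passwords are for illustration only.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'c0rrect-horse', 'admin')")
    return conn


def login_vulnerable(conn, name, password):
    # DO NOT USE: user input is pasted into the SQL text, so the quotes in
    # "' OR '1'='1" close the password literal and append an always-true clause.
    sql = f"SELECT role FROM users WHERE name = '{name}' AND password = '{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, name, password):
    # Placeholders keep the input as data: the quote characters are compared literally.
    sql = "SELECT role FROM users WHERE name = ? AND password = ?"
    row = conn.execute(sql, (name, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run the guide's example input through both forms and a legitimate login."""
    conn = make_db()
    payload = "' OR '1'='1"  # the study guide's example input
    return {
        "vulnerable": login_vulnerable(conn, "admin", payload),  # 'admin' without the password
        "safe": login_safe(conn, "admin", payload),              # None: no such password
        "legit": login_safe(conn, "admin", "c0rrect-horse"),     # 'admin'
    }
```

A WAF rule in front of the ALB filters such payloads at the edge; the parameterized query is the defense-in-depth layer inside the application that still holds if the rule misses a variant.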

Worked Examples

Scenario 1: Protecting a Public SQS Endpoint

Problem: You have a distributed application using a public SQS endpoint. How do you prevent unauthorized access to the queue from external attackers?

Solution:

  1. IAM Policies: Use identity-based policies to ensure only authorized IAM users can call SendMessage.
  2. SQS Access Policies: Add a resource-based policy to restrict access to specific IP ranges or VPC endpoints.

[!IMPORTANT] Note that Security Groups and NACLs cannot be applied to public SQS endpoints directly as they are managed services outside your VPC.
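Step 2 of the scenario calls for a resource-based policy that limits the queue to a VPC endpoint. The added example below (not from the study guide or from AWS) builds such a queue policy as a Python dict and pairs it with a deliberately simplified checker that shows the effect of the explicit Deny; the queue ARN and endpoint ID are placeholders, and real IAM evaluation has more rules than the checker models.

```python
"""SQS queue policy that admits only callers arriving through one VPC endpoint."""
import json

QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:orders"  # placeholder value
VPCE_ID = "vpce-0123456789abcdef0"                        # placeholder endpoint id


def build_queue_policy(queue_arn=QUEUE_ARN, vpce_id=VPCE_ID):
    """Explicit Deny for any request that did not arrive via vpce_id.
    An identity-based policy must still Allow sqs:SendMessage on top of this."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideVpcEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "sqs:*",
            "Resource": queue_arn,
            "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}},
        }],
    }


def policy_json(policy):
    """Serialize for use as the queue's Policy attribute."""
    return json.dumps(policy, indent=2)


def is_request_admitted(policy, request_vpce, identity_allows):
    """Simplified evaluation: an explicit Deny wins; otherwise the identity policy decides.
    A request with no endpoint id (public Internet) has no aws:sourceVpce key, and
    StringNotEquals on a missing key matches, so the Deny applies to it."""
    for statement in policy["Statement"]:
        if statement["Effect"] != "Deny":
            continue
        expected = statement.get("Condition", {}).get("StringNotEquals", {}).get("aws:sourceVpce")
        if expected is not None and request_vpce != expected:
            return False  # matched the Deny statement
    return identity_allows
```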

Scenario 2: Blocking SQL Injection for EC2 Web Servers

Problem: You run a MySQL-backed web app on six EC2 instances. How do you stop SQL injection?

Solution:

  1. ALB Integration: Place the EC2 instances behind an Application Load Balancer (ALB).
  2. WAF Association: Attach AWS WAF to the ALB.
  3. Rule Configuration: Enable the AWS Managed Rule set for SQL injection to inspect all incoming payloads.

Checkpoint Questions

  1. Which AWS service should you use to block a specific malicious IP address from reaching an entire subnet?
  2. True or False: AWS Shield Standard protects against Layer 7 HTTP flood attacks.
  3. What is the main benefit of AWS Shield Advanced "Cost Protection" during a DDoS attack?
  4. Can AWS WAF be used with a Network Load Balancer (NLB)?
Answers
  1. Network ACL (NACL). It is stateless and acts at the subnet level.
  2. False. Shield Standard covers Layers 3 and 4 only. Layer 7 requires WAF or Shield Advanced.
  3. Scaling Refunds. It covers the costs associated with resource scaling (like Auto Scaling or ALB usage) triggered by illegitimate DDoS traffic.
  4. No. WAF integrates with Application Load Balancers (ALB), CloudFront, API Gateway, and AppSync.
