Exam AWS Certified Security - Specialty topic 1 question 61 discussion

Correct answer is D. C is incorrect. The key for the answer is "in the future". If you include all the 100s of IP, the attack will come from other new IPs. The attack will not be stopped. Moreover, it is unmanageable. D is correct. Put a IPS on each instance. An IDS like OSSEC or Wazuh can be centralize managed. The IPS will dynamically add IPs to the blacklist

How Network ACL can help with level 7 attacks? Install intrusion prevention software (IPS) on each instance. - No?

NACL to deny hundreds on IP's? Good luck with that! Best answer is D.

To reduce the potential impact of layer 7 brute-force attacks on your distributed web application, the BEST approach is: **B. Update security groups to deny traffic from the originating source IP addresses.** Here's why: 1. **Security Groups:** Security groups operate at the instance level and provide fine-grained control over inbound and outbound traffic. By updating your security groups to deny traffic from the specific source IP addresses associated with the brute-force attacks, you can effectively block those attackers while allowing legitimate traffic to reach your instances.

Answer D: Once the attack is over layer 7, it means that bad guy is brute forcing directly da application port. It seems crazy use ACL to deny hundred of IPs, and the question has a key point: "Prevent against future attacks". We can supose that's attacks will come from new IPs. Because that, I bet D.

D While network ACLs and security groups play important roles in network security, in this scenario where there are numerous IP addresses involved, relying on intrusion prevention software (IPS) installed on each instance provides a more comprehensive and effective solution to reduce the potential impact of the brute-force attacks on your distributed web application.

https://aws.amazon.com/blogs/security/how-to-help-prepare-for-ddos-attacks-by-reducing-your-attack-surface/ first mentioned by praveenaws I don't think neither C nor D are good solutions, but since we have a article that explicitly say "if you have identified Internet IP addresses or ranges that are unwanted or potentially abusive, you can block them from reaching your application with a deny rule." the I'd say that's the the answer

Since the attack is happening at layer 7, we can safely eliminate security groups and NACL's as a viable solution. Intrusion Detection Systems (IDS) can be used to detect layer 7 attacks. IDS monitors network traffic searching for suspicious activity and known threats, sending up alerts when it finds such items. The IPS sensor analyzes at Layer 2 to Layer 7 the payload of the packets for more sophisticated embedded attacks that might include malicious data.

D is the correct one although it is no sense to install an IPS in each instance, imagine that you have 200 instances...C is clearly wrong because NACLs inspect IP and Port. Ports aren't available in the Network Layer (Layer 3) - just IPs. However, they are available in the Transport Layer (Layer 4). So it's Layer 4 - the Transport Layer

The maximum rules in NACL is 40 and since it is already 100+ ips , the option is D

As there are 100 of IPs henceforth IPS is the best available option

NACL does not work on layer 7.

D for sure. NACLs and the other services would run into management overhead issues quite rapidly. Especially if the attack base increased to say 500 ip addresses... What if 2000 ip addresses start connecting - That would bea lot of work to add the entries in, even if NACL limits could support it.

It mentions layer 7 so in this scenario, it would be NACl

- Brute force is not an intrusion. Brute force can be minimized by a DDoS firewall, not by IPS.

https://aws.amazon.com/blogs/security/how-to-help-prepare-for-ddos-attacks-by-reducing-your-attack-surface/ Configuring security groups and network ACLs in Amazon VPC is an effective tool to help reduce the attack surface of your applications. The approaches may seem similar, but each has an important role in surface area reduction. This is especially important in a DDoS context because security groups allow you to define the traffic that will be allowed access to resources within your applications, and network ACLs allow you to define the port, protocol, and source of traffic that should be explicitly denied at the subnet leve

answer is D hundreds of IP NACL can not support