School of Computer Science, Engineering and Applications (SCSEA)
B.Tech TY (CCSA)
Subject: Cloud Networking and Security
Name of the Student: SAMRIDDHI ROHIT YADAV
PRN 20230802037
Title of Practical: Implement AWS WAF with Application Load Balancer (ALB)
Faculty Name: Mr. Shreyas Mavale
Sign:

1. Introduction

The AWS Web Application Firewall (WAF) protects web applications from common exploits and vulnerabilities such as SQL injection, cross-site scripting (XSS), and DDoS attacks. When integrated with an Application Load Balancer (ALB), AWS WAF acts as a protective layer that filters malicious requests before they reach backend EC2 instances.

AWS WAF allows administrators to define customizable rules and managed rule groups to block, allow, or count web requests based on IP addresses, HTTP headers, body data, and query strings. This lab demonstrates how to implement AWS WAF with an ALB to secure web traffic for an application hosted on EC2 instances.

2. Objective

By the end of this lab, you will be able to:
1. Create and configure an Application Load Balancer (ALB) for web traffic.
2. Deploy EC2 instances behind the ALB.
3. Create a Web ACL (Access Control List) in AWS WAF.
4. Associate the WAF Web ACL with the ALB.
5. Test the WAF rules and observe blocked/allowed requests.

Key Learning Outcome: Understand how AWS WAF integrates with an Application Load Balancer to secure HTTP/HTTPS traffic and mitigate web-based threats.

Problem Statement: Deploy a web application behind an Application Load Balancer and use AWS WAF to block specific IP addresses or malicious request patterns.

3. Block Diagram / Architecture

Architecture Overview
1. VPC Environment
   o VPC: WAF-ALB-Lab-VPC (10.0.0.0/16)
   o Two public subnets in different Availability Zones.
2. Application Load Balancer (ALB)
   o Front-end for EC2 web servers
   o Listener: HTTP (port 80)
   o Target Group: WebApp-TG
3. AWS WAF Web ACL
   o Associated with ALB
   o Contains rules:
     • Block requests from specific IPs
     • Block SQL injection / XSS patterns (Managed Rule Group)
4. EC2 Instances
   o Backend web servers (simple HTML pages)
5. User Traffic Flow
   o User → ALB → WAF filtering → EC2 instances

4. Procedure / Steps with Screenshots

Prerequisites
• AWS account with admin privileges
• Two running EC2 instances with simple web servers installed
• Security groups allowing HTTP (80) traffic

Step 1: Launch Two EC2 Instances (Web Servers)

Purpose: Backend servers for the ALB to forward traffic to.

Steps:
1. Go to AWS Console → EC2 → Instances → Launch Instances
2. Name: WebServer1
3. AMI: Amazon Linux 2
4. Instance Type: t2.micro
5. Key Pair: Select/Create
6. Network Settings:
   o VPC: Default VPC
   o Subnet: Select any public subnet
   o Auto-assign Public IP: Enable
   o Security Group: Create new → Allow HTTP (80) and SSH (22)
7. Launch Instance

Repeat the same steps for WebServer2.

Step 2: Install a Web Server on Both EC2 Instances

Commands:

    # Update packages, then install and start Apache
    sudo yum update -y
    sudo yum install httpd -y
    sudo systemctl enable httpd
    sudo systemctl start httpd
    # Serve a page that names the instance, so load balancing is visible
    echo "<h1>Hello from $(hostname)</h1>" | sudo tee /var/www/html/index.html

Step 3: Create a Target Group

Steps:
1. Go to Target Groups → Create Target Group
2. Target Type: Instances
3. Name: MyTargetGroup
4. Protocol: HTTP
5. Port: 80
6. Health Check Path: /
7. Click Next
8. Register Targets:
   o Select WebServer1 and WebServer2
   o Click Include as pending

Click Create Target Group

Step 4: Create an Application Load Balancer (ALB)

Steps:
1. Go to EC2 → Load Balancers → Create Load Balancer
2. Select Application Load Balancer
3. Name: MyALB
4. Scheme: Internet-facing
5. IP Address Type: IPv4
6. Network Mapping:
   o Select Default VPC
   o Choose two public subnets in different Availability Zones
7. Security Groups:
   o Create a new SG → Allow HTTP (80)
8. Listeners:
   o Protocol: HTTP, Port: 80
   o Default Action: Forward to a Target Group

Step 5: Test the ALB

Steps:
1. Go to Load Balancers → MyALB
2. Copy the DNS Name
3. Paste it into a browser
4. Refresh multiple times to see responses from different instances

Step 6: Create and Configure AWS WAF Web ACL

Steps:
1. Go to AWS Console → WAF & Shield → Web ACLs → Create Web ACL
2. Name: MyWAF
3. AWS Resource Type: Regional resources
4. Region: Same as ALB
5. Add Rules:
   o Choose either (any one or combination):
     AWS Managed Rules
     Rule 1: Block SQL Injection
     • Click Add managed rule group
     • Under AWS Managed Rule groups, choose AWSManagedRulesSQLiRuleSet
     • Action: Block
     • Click Add rule group
6. Default Action: Allow
7. Click Next

Step 7: Associate Web ACL with the ALB

Steps:
1. In the Associated AWS Resources section, choose Application Load Balancer
2. Select MyALB
3. Click Add
4. Click Next → Review and Create

Step 8: Test WAF Functionality

Steps:
1. Revisit the ALB DNS URL in a browser
2. Attempt patterns that WAF blocks (e.g., SQL injection string '?id=1 OR 1=1')
3. Verify blocked requests under:
   o WAF → Web ACLs → MyWAF → Requests

5. Result / Conclusion

Key Findings
1. AWS WAF successfully filtered and blocked unwanted web requests.
2. Integration with ALB provided centralized protection for multiple EC2 instances.
3. Managed rule sets automatically protected against OWASP Top 10 vulnerabilities.
4. Logging and metrics enabled proactive security monitoring.

Conclusion

This lab successfully demonstrated how to implement AWS WAF with an Application Load Balancer.
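
Steps 6 and 7 expressed as a WAFv2 API request instead of console clicks; this is an added example, not part of the original lab report. The rule names, metric names, the optional `ip_set_arn` parameter and the `count_only` switch are assumptions chosen for illustration; the console's "Action: Block" on a managed rule group corresponds to `OverrideAction` set to `None` in the API.

```python
"""Build the WAFv2 request for the lab's Web ACL (added example)."""

def visibility(metric):
    # Every rule, and the Web ACL itself, needs a VisibilityConfig.
    return {"SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": metric}

def build_web_acl(name="MyWAF", ip_set_arn=None, count_only=False):
    """Return keyword arguments for wafv2.create_web_acl().

    count_only=True records matches without blocking, which is useful
    for observing a rule before enforcing it.
    """
    rules = []
    if ip_set_arn:
        # Custom rule: carries its own Action.
        rules.append({
            "Name": "BlockListedIPs", "Priority": len(rules),
            "Statement": {"IPSetReferenceStatement": {"ARN": ip_set_arn}},
            "Action": {"Count": {}} if count_only else {"Block": {}},
            "VisibilityConfig": visibility("BlockListedIPs"),
        })
    # Managed rule group: takes OverrideAction, never Action.
    # {"None": {}} keeps the group's own blocking behaviour.
    rules.append({
        "Name": "AWS-SQLi", "Priority": len(rules),
        "Statement": {"ManagedRuleGroupStatement": {
            "VendorName": "AWS", "Name": "AWSManagedRulesSQLiRuleSet"}},
        "OverrideAction": {"Count": {}} if count_only else {"None": {}},
        "VisibilityConfig": visibility("AWS-SQLi"),
    })
    return {"Name": name, "Scope": "REGIONAL",   # REGIONAL is required for an ALB
            "DefaultAction": {"Allow": {}},
            "Rules": rules, "VisibilityConfig": visibility(name)}

def deploy(alb_arn, region, **kwargs):
    """Create the Web ACL and attach it to the ALB (needs boto3 and credentials)."""
    import boto3
    waf = boto3.client("wafv2", region_name=region)
    acl_arn = waf.create_web_acl(**build_web_acl(**kwargs))["Summary"]["ARN"]
    # The association may need a retry while the new Web ACL propagates.
    waf.associate_web_acl(WebACLArn=acl_arn, ResourceArn=alb_arn)
    return acl_arn
```
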
The Web ACL effectively filtered malicious traffic using both managed and custom rules. By associating WAF with ALB, web applications were secured at the edge before traffic reached backend servers — ensuring compliance, availability, and data protection.

School of Computer Science, Engineering and Applications (SCSEA)
B.Tech TY (CCSA)
Subject: Cloud Networking and Security
Name of the Student: SAMRIDDHI ROHIT YADAV
PRN 20230802037
Title of Practical: Check and Verify the Compliance Status of Security Groups using AWS Config
Faculty Name: Mr. Shreyas Mavale
Sign:

1. Introduction

In modern cloud environments, maintaining security compliance is critical for protecting infrastructure against misconfigurations and unauthorized access. AWS provides AWS Config, a fully managed service that continuously monitors and records AWS resource configurations and evaluates them against desired security and operational baselines.

A common security concern is over-permissive Security Groups, such as allowing inbound access from 0.0.0.0/0 to sensitive ports (e.g., 22 SSH or 3389 RDP). Using AWS Config, we can automatically detect non-compliant Security Groups and take corrective action.

This lab demonstrates how to use AWS Config to check and verify the compliance status of Security Groups, ensuring that they follow defined best-practice rules for inbound access control.

2. Objective

By the end of this lab, you will be able to:
1. Understand the purpose of AWS Config in continuous compliance monitoring.
2. Enable and configure AWS Config in a specific region.
3. Record and monitor Security Group resources.
4. Apply a managed AWS Config rule to detect open Security Groups.
5. Evaluate compliance results for each Security Group.
6. Interpret non-compliant findings and understand remediation options.

Key Learning Outcome: Gain practical experience using AWS Config to assess and enforce compliance of AWS Security Groups.

Problem Statement: Create a Security Group in a VPC and intentionally configure an insecure rule (e.g., SSH open to all). Use AWS Config to evaluate compliance against a managed rule and verify whether the Security Group is marked as compliant or non-compliant.

3. Block Diagram / Architecture

Architecture Overview
1. AWS Account Environment
   o Region: us-east-1 (N. Virginia)
   o Services Used: VPC, EC2, Security Group, AWS Config
2. VPC Setup
   o VPC CIDR: 10.0.0.0/16
   o Subnet: 10.0.1.0/24
   o Internet Gateway attached
3. Security Group
   o SG-ComplianceTest
   o Inbound Rule: SSH (22) from 0.0.0.0/0 ← Intentional non-compliance
4. AWS Config
   o Configuration Recorder and Delivery Channel enabled
   o S3 Bucket for Config data (aws-config-lab-bucket)
   o Managed Rule Applied: INCOMING_SSH_DISABLED or restricted-ssh
   o Evaluation Results: Compliant / non-compliant status

4. Procedure / Steps with Screenshots

Prerequisites
• Active AWS account with administrative permissions.
• AWS S3 bucket created for Config data storage.
• Basic familiarity with EC2 and Security Groups.

Step 1: Create a VPC and Subnet

1. In VPC Console → Create VPC
   o Name tag: VPC-ConfigLab
   o IPv4 CIDR: 10.0.0.0/16
   o Click Create VPC
2. In Subnets → Create Subnet
   o VPC: VPC-ConfigLab
   o Subnet CIDR: 10.0.1.0/24
   o Availability Zone: us-east-1a
   o Click Create Subnet
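
The compliance check described in the architecture overview (SSH open to 0.0.0.0/0 on SG-ComplianceTest) can be reproduced locally over security group data; this is an added example, not part of the original lab report and not AWS's implementation of the managed rule. It goes slightly beyond the single case in the text by also treating port ranges that contain 22, all-traffic rules and IPv6 `::/0` as open. All group names other than SG-ComplianceTest and all sample rules are constructed.

```python
"""Local approximation of the restricted-ssh check (added example)."""

OPEN_CIDRS = {"0.0.0.0/0", "::/0"}  # "anyone on the internet", IPv4 and IPv6

def covers_port(perm, port):
    """True if an inbound permission entry reaches the given TCP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":            # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def open_sources(perm):
    """World-open CIDRs listed on one permission entry."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in OPEN_CIDRS]

def evaluate(group, port=22):
    """Return (status, offending CIDRs) for one security group."""
    findings = []
    for perm in group.get("IpPermissions", []):
        if covers_port(perm, port):
            findings += open_sources(perm)
    return ("NON_COMPLIANT" if findings else "COMPLIANT", findings)

def rule(proto, lo, hi, v4=(), v6=()):
    """Build one constructed IpPermissions entry."""
    return {"IpProtocol": proto, "FromPort": lo, "ToPort": hi,
            "IpRanges": [{"CidrIp": c} for c in v4],
            "Ipv6Ranges": [{"CidrIpv6": c} for c in v6]}

# Constructed sample data, shaped like ec2.describe_security_groups() output.
SAMPLE_GROUPS = [
    {"GroupName": "SG-ComplianceTest",
     "IpPermissions": [rule("tcp", 22, 22, v4=["0.0.0.0/0"])]},
    {"GroupName": "sg-web-only",
     "IpPermissions": [rule("tcp", 80, 80, v4=["0.0.0.0/0"])]},
    {"GroupName": "sg-wide-range",
     "IpPermissions": [rule("tcp", 0, 1024, v6=["::/0"])]},
    {"GroupName": "sg-office-ssh",
     "IpPermissions": [rule("tcp", 22, 22, v4=["203.0.113.0/24"])]},
]

def report(groups=SAMPLE_GROUPS, port=22):
    return {g["GroupName"]: evaluate(g, port)[0] for g in groups}

if __name__ == "__main__":
    for name, status in report().items():
        print(f"{name:20} {status}")
```

Passing `port=3389` to `report()` runs the same check for the RDP case mentioned in the introduction.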