Task Statement 1.2: Design secure workloads and applications.
📘AWS Certified Solutions Architect – (SAA-C03)
In AWS, external threat vectors are attacks or methods that come from outside your AWS environment. These are threats that target your applications, services, or data hosted on AWS. Understanding these is essential for designing secure workloads and applications.
Two common examples are DDoS attacks and SQL injection, but there are other threats too. Let’s go step by step.
1. DDoS (Distributed Denial of Service)
Definition:
A DDoS attack happens when multiple systems (often compromised computers called “bots”) send a huge amount of traffic to your AWS resources at the same time. The goal is to overload your service so legitimate users can’t access it.
How it works in an IT environment:
- Your website or API is hosted on AWS (e.g., on Amazon EC2, often behind Elastic Load Balancing).
- Attackers flood it with requests.
- Your service becomes slow, unreachable, or crashes.
Key AWS protections:
- AWS Shield – Protects against DDoS attacks. Comes in two tiers:
  - Shield Standard: Automatic protection for all AWS customers (no extra cost).
  - Shield Advanced: Enhanced DDoS protection with detailed reporting and 24/7 support.
- Amazon CloudFront – A content delivery network (CDN) that helps absorb attack traffic before it reaches your servers.
- AWS WAF (Web Application Firewall) – Can block specific traffic patterns (e.g., from suspicious IP addresses).
Exam Tip: You may be asked how to design applications to withstand DDoS attacks using AWS services like Shield, WAF, and CloudFront.
2. SQL Injection
Definition:
SQL injection is a type of attack where an attacker sends malicious SQL code through an input field to manipulate your database.
How it works in an IT environment:
- Your web application asks users to log in.
- Instead of entering a normal username, an attacker types SQL commands like `' OR '1'='1`.
- If your application is not secure, the database runs this injected fragment as part of its own query.
- The attacker can read, modify, or delete data they shouldn’t have access to.
Key AWS protections:
- Input Validation & Parameterized Queries: Always use prepared statements or ORM frameworks so that user input is passed to the database as data, never spliced into the SQL text and executed directly.
- AWS WAF: Can block malicious input patterns targeting SQL injection.
- Amazon RDS Security: Ensure databases are not publicly accessible, enforce IAM authentication, and use encryption to protect data at rest and in transit.
Exam Tip: AWS often asks about how to secure applications against SQL injection using WAF, parameterized queries, and database best practices.
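As an added example (not from the course page), the login bypass described above run against a string-built query and against a parameterized query. An in-memory SQLite table constructed here stands in for the Amazon RDS database:

```python
# Added example, not from the AWS course page: the payload quoted in the text
# against a concatenated query versus a parameterized one. SQLite in memory is
# a stand-in for Amazon RDS; the users table and its single row are constructed.
import sqlite3

PAYLOAD = "' OR '1'='1"  # the login-bypass payload quoted in the text


def make_db():
    """Constructed sample: one user with a known password (plaintext only to keep the demo short)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds SQL by concatenation, so user input becomes part of the query text."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Uses placeholders: the driver binds the values separately, never as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def demo():
    """Returns whether each login variant accepts valid credentials and the payload."""
    conn = make_db()
    return {
        "vuln_valid": login_vulnerable(conn, "alice", "correct-horse"),
        "vuln_payload": login_vulnerable(conn, PAYLOAD, PAYLOAD),   # bypass succeeds
        "param_valid": login_parameterized(conn, "alice", "correct-horse"),
        "param_payload": login_parameterized(conn, PAYLOAD, PAYLOAD),  # rejected
    }


if __name__ == "__main__":
    print(demo())
```

With the concatenated query the WHERE clause collapses to `... OR '1'='1'`, which is always true; with placeholders the same characters are just a username that does not exist.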
3. Other Common External Threats
While DDoS and SQL injection are the main ones, you should also be aware of these:
| Threat | Explanation | AWS Protection |
|---|---|---|
| Cross-Site Scripting (XSS) | Attackers inject malicious scripts into web pages that other users view. | AWS WAF rules to block malicious scripts. |
| Phishing | Attackers trick users into giving credentials. | IAM policies, MFA, monitoring with Amazon GuardDuty. |
| Brute-force attacks | Attackers try many passwords to break into an account. | AWS WAF rate limiting, MFA, strong password policies. |
| Malware / Virus uploads | Malicious files uploaded to your environment. | S3 object scanning with Amazon Macie or custom antivirus solutions. |
4. Designing Secure Workloads Against External Threats
For the exam, you should understand best practices to reduce risk from external threats:
- Network Security
  - Use Amazon VPC with subnets and security groups to control traffic.
  - Limit exposure to the internet.
- Application Security
  - Use input validation and WAF rules to block malicious requests.
  - Keep software updated with patches.
- Identity and Access Management
  - Use AWS IAM roles and policies for least-privilege access.
  - Enable MFA for critical accounts.
- Monitoring and Response
  - Enable Amazon GuardDuty to detect suspicious activity.
  - Use AWS CloudTrail and CloudWatch for auditing and alarms.
- Data Protection
  - Encrypt data at rest (KMS, S3 encryption) and in transit (TLS/HTTPS).
  - Back up critical data.
✅ Key Points for the Exam
- External threat vectors are attacks from outside AWS targeting your applications.
- DDoS floods your service; protect with Shield, CloudFront, WAF.
- SQL injection targets databases; protect with parameterized queries, WAF, and secure RDS setups.
- Other threats include XSS, phishing, brute-force attacks, malware uploads.
- AWS best practices: secure network, secure application code, IAM policies, monitoring, encryption.
