Mission Objective: Push the application security perimeter to the global edge. This architecture intercepts, inspects, and destroys malicious Layer 7 web traffic (like SQL injections) before it can ever reach the internal Virtual Private Cloud (VPC) infrastructure.
The primary success metric of this project is the automated blocking of requests that carry OWASP Top 10 attack patterns. By firing a simulated cyberattack at the infrastructure, we prove the perimeter actively defends the internal application rather than merely logging the attempt.
| 🟢 State: Clean Traffic (Standard Request) | 🔴 State: Malicious Traffic (SQL Injection) |
|---|---|
| (screenshot not included in this copy) | (screenshot not included in this copy) |
Standard deployments place web servers directly on the public internet. This architecture treats the server like a high-value embassy, utilizing defense-in-depth to keep threats miles away from the front door.
- 🛂 The Border Checkpoint (CloudFront): Visitors cannot walk directly up to the embassy. They must stop at a global edge location miles down the road. This massive network absorbs DDoS impacts effortlessly.
- 🕵️ The Armed Guards (AWS WAF): Highly trained guards inspect every piece of incoming luggage. If they find a weapon on the OWASP watchlist, the visitor is immediately ejected at the border.
- 🚐 The Secure Shuttle (ALB): If the visitor is clean, they are placed on a secure, dedicated transport vehicle. The internal embassy doors are locked to everyone except this specific shuttle.
The Secure Routing Flow: Public Internet ➡️ Amazon CloudFront ➡️ AWS WAF Inspection ➡️ Application Load Balancer ➡️ Private Subnet (EC2)
- Global Edge Absorption: CloudFront masks the true origin IP address while simultaneously accelerating global content delivery.
- Automated Threat Mitigation: AWS WAF applies strict managed rule groups (the Known Bad Inputs and SQLi rule sets) to actively block known bad inputs and SQL database manipulation attempts.
- Zero-Trust Routing: The internal Application Load Balancer is secured via a strict Security Group configuration that exclusively accepts traffic originating from CloudFront Prefix Lists.
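The zero-trust routing bullet is the control most easily undone by a later "temporary" rule, so it is worth checking continuously. The following is an added example, not code from the original project: an offline audit of an ALB security group in the shape returned by `aws ec2 describe-security-groups`. The security group document is constructed sample data, and the prefix list ID `pl-0000cloudfront` is a placeholder (the real ID of `com.amazonaws.global.cloudfront.origin-facing` differs per region and must be looked up with `aws ec2 describe-managed-prefix-lists`).

```python
"""Offline audit of an ALB security group: ingress on the web ports may come only
from the CloudFront origin-facing managed prefix list, never from a CIDR range.

Added example, not part of the original project. SAMPLE_SECURITY_GROUP is a
constructed document in the shape of `aws ec2 describe-security-groups` output.
"""

CLOUDFRONT_PREFIX_LIST_ID = "pl-0000cloudfront"  # placeholder, look up the real regional ID
WEB_PORTS = {80, 443}

# Constructed sample: one correct rule and two that would let traffic bypass the edge.
SAMPLE_SECURITY_GROUP = {
    "GroupId": "sg-0123456789abcdef0",  # constructed sample ID
    "IpPermissions": [
        {   # good: HTTPS only from the CloudFront managed prefix list
            "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
            "IpRanges": [], "PrefixListIds": [{"PrefixListId": CLOUDFRONT_PREFIX_LIST_ID}],
        },
        {   # bad: HTTP open to the whole internet, which skips WAF inspection entirely
            "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "PrefixListIds": [],
        },
        {   # bad: every protocol and port from a broad private range
            "IpProtocol": "-1",
            "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "PrefixListIds": [],
        },
    ],
}


def _ports(perm):
    """Return the set of ports a permission covers; '-1' (all protocols) means every port."""
    if perm.get("IpProtocol") == "-1":
        return {"*"}
    return set(range(perm["FromPort"], perm["ToPort"] + 1))


def audit_alb_ingress(security_group, prefix_list_id=CLOUDFRONT_PREFIX_LIST_ID):
    """Return a list of findings; an empty list means the ALB trusts only CloudFront."""
    findings = []
    for perm in security_group["IpPermissions"]:
        ports = sorted(_ports(perm), key=str)
        # Any CIDR-based source, even a private one, is a path around CloudFront and the WAF.
        for r in perm.get("IpRanges", []):
            findings.append(f"CIDR source {r['CidrIp']} allowed on ports {ports}")
        for r in perm.get("Ipv6Ranges", []):
            findings.append(f"IPv6 CIDR source {r['CidrIpv6']} allowed on ports {ports}")
        # A prefix list other than the CloudFront one is an unexpected trust relationship.
        for pl in perm.get("PrefixListIds", []):
            if pl["PrefixListId"] != prefix_list_id:
                findings.append(f"unexpected prefix list {pl['PrefixListId']} on ports {ports}")
            elif "*" in ports or not set(ports) <= WEB_PORTS:
                findings.append(f"CloudFront prefix list allowed on non-web ports {ports}")
    return findings


if __name__ == "__main__":
    for finding in audit_alb_ingress(SAMPLE_SECURITY_GROUP):
        print("FINDING:", finding)
```

Run against the sample, the audit reports the open port 80 rule and the all-protocol private-range rule and stays silent on the prefix-list rule; pointing it at real `describe-security-groups` output for the ALB's group turns the bullet above into a repeatable check.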
The core of this defense relies on configuring AWS WAF Web ACLs with targeted managed rule groups, transitioning from passive observation ("Count") to active termination ("Block").
```json
{
  "Name": "AWSManagedRulesSQLiRuleSet",
  "Priority": 1,
  "Statement": {
    "ManagedRuleGroupStatement": {
      "VendorName": "AWS",
      "Name": "AWSManagedRulesSQLiRuleSet"
    }
  },
  "OverrideAction": {
    "None": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "BlockSQLInjection"
  }
}
```

- Layer 7 Defense: Successfully engineered an infrastructure perimeter that mitigates OWASP Top 10 vulnerabilities without requiring application code refactoring.
- Traffic Manipulation: Prevented perimeter bypassing by locking the internal Load Balancer to the `com.amazonaws.global.cloudfront.origin-facing` prefix list.
- ASVS Compliance Alignment: Demonstrated architectural alignment with the Application Security Verification Standard by enforcing strict input validation at the network edge.
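The Count-to-Block transition described above is the step that actually makes the Web ACL defensive, and it can silently regress: a rule group left in Count, or a single sub-rule overridden to Count, only logs matches. The following is an added example, not code from the original project: an offline audit over a Web ACL in the shape of `aws wafv2 get-web-acl` output. The managed rule group names are the real AWS names; the Web ACL itself is constructed sample data, and the sub-rule name `EXAMPLE_SUBRULE` is a placeholder.

```python
"""Offline audit of an AWS WAFv2 Web ACL: every required managed rule group must
be attached in Block mode (OverrideAction None, not Count), and no sub-rule may
be downgraded through RuleActionOverrides or dropped through ExcludedRules.

Added example, not part of the original project. SAMPLE_WEB_ACL is a constructed
document in the shape of `aws wafv2 get-web-acl` output.
"""

REQUIRED_GROUPS = {"AWSManagedRulesSQLiRuleSet", "AWSManagedRulesKnownBadInputsRuleSet"}

SAMPLE_WEB_ACL = {
    "Name": "edge-perimeter",          # constructed sample name
    "DefaultAction": {"Allow": {}},    # normal pattern: allow by default, block on rule match
    "Rules": [
        {   # active: the Block configuration shown on the page
            "Name": "AWSManagedRulesSQLiRuleSet", "Priority": 1,
            "Statement": {"ManagedRuleGroupStatement": {
                "VendorName": "AWS", "Name": "AWSManagedRulesSQLiRuleSet"}},
            "OverrideAction": {"None": {}},
        },
        {   # still observing: Count mode records the match but lets the request through
            "Name": "AWSManagedRulesKnownBadInputsRuleSet", "Priority": 2,
            "Statement": {"ManagedRuleGroupStatement": {
                "VendorName": "AWS", "Name": "AWSManagedRulesKnownBadInputsRuleSet"}},
            "OverrideAction": {"Count": {}},
        },
        {   # group is in Block mode, but one sub-rule has been downgraded to Count
            "Name": "AWSManagedRulesCommonRuleSet", "Priority": 3,
            "Statement": {"ManagedRuleGroupStatement": {
                "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet",
                "RuleActionOverrides": [
                    {"Name": "EXAMPLE_SUBRULE", "ActionToUse": {"Count": {}}}]}},  # placeholder sub-rule
            "OverrideAction": {"None": {}},
        },
    ],
}


def audit_web_acl(web_acl, required=REQUIRED_GROUPS):
    """Return a list of findings; an empty list means every rule actively blocks."""
    findings = []
    attached = set()
    for rule in web_acl.get("Rules", []):
        name = rule["Name"]
        mrg = rule.get("Statement", {}).get("ManagedRuleGroupStatement")
        if mrg is None:
            # A custom rule carries its own Action; anything other than Block is observation only.
            if "Block" not in rule.get("Action", {}):
                findings.append(f"{name}: custom rule action is not Block")
            continue
        attached.add(mrg["Name"])
        # Managed groups use OverrideAction: None keeps the group's Block actions, Count downgrades them.
        if "None" not in rule.get("OverrideAction", {}):
            findings.append(f"{name}: managed group is in Count mode")
        for override in mrg.get("RuleActionOverrides", []):
            if "Block" not in override["ActionToUse"]:
                action = next(iter(override["ActionToUse"]))
                findings.append(f"{name}: sub-rule {override['Name']} downgraded to {action}")
        for excluded in mrg.get("ExcludedRules", []):
            findings.append(f"{name}: sub-rule {excluded['Name']} excluded from blocking")
    for missing in sorted(set(required) - attached):
        findings.append(f"required managed group {missing} is not attached")
    return findings


if __name__ == "__main__":
    for finding in audit_web_acl(SAMPLE_WEB_ACL):
        print("FINDING:", finding)
```

On the sample this flags the Known Bad Inputs group left in Count and the downgraded sub-rule in the Common rule set, while the SQLi rule from the page passes. Feeding it the live `get-web-acl` output after each change is a cheap guard against the perimeter quietly returning to observation mode.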
Project by Shreyas
Cloud Security Architect