Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 183 discussion

A company’s public API runs as tasks on Amazon Elastic Container Service (Amazon ECS). The tasks run on AWS Fargate behind an Application Load Balancer (ALB) and are configured with Service Auto Scaling for the tasks based on CPU utilization. This service has been running well for several months.

Recently, API performance slowed down and made the application unusable. The company discovered that a significant number of SQL injection attacks had occurred against the API and that the API service had scaled to its maximum amount.

A solutions architect needs to implement a solution that prevents SQL injection attacks from reaching the ECS API service. The solution must allow legitimate traffic through and must maximize operational efficiency.

Which solution meets these requirements?

  • A. Create a new AWS WAF web ACL to monitor the HTTP requests and HTTPS requests that are forwarded to the ALB in front of the ECS tasks.
  • B. Create a new AWS WAF Bot Control implementation. Add a rule in the AWS WAF Bot Control managed rule group to monitor traffic and allow only legitimate traffic to the ALB in front of the ECS tasks.
  • C. Create a new AWS WAF web ACL. Add a new rule that blocks requests that match the SQL database rule group. Set the web ACL to allow all other traffic that does not match those rules. Attach the web ACL to the ALB in front of the ECS tasks.
  • D. Create a new AWS WAF web ACL. Create a new empty IP set in AWS WAF. Add a new rule to the web ACL to block requests that originate from IP addresses in the new IP set. Create an AWS Lambda function that scrapes the API logs for IP addresses that send SQL injection attacks, and add those IP addresses to the IP set. Attach the web ACL to the ALB in front of the ECS tasks.
Suggested Answer: C

Comments

dkx
Highly Voted 9 months, 3 weeks ago
C. Yes, because the SQL database rule group contains rules to block request patterns associated with exploitation of SQL databases, like SQL injection attacks. This can help prevent remote injection of unauthorized queries. Evaluate this rule group for use if your application interfaces with an SQL database. https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-use-case.html
A. No, because this does not prevent SQL injection attacks from reaching the ECS API service.
B. No, because with Bot Control, you can easily monitor, block, or rate limit bots such as scrapers, scanners, crawlers, status monitors, and search engines. https://docs.aws.amazon.com/waf/latest/developerguide/waf-bot-control.html
D. No, because this is a reactive response after a SQL injection attack has occurred for new IP addresses.
upvoted 10 times
...
career360guru
Most Recent 5 months ago
Selected Answer: C
Option C
upvoted 1 times
...
NikkyDicky
9 months, 3 weeks ago
Selected Answer: C
C 100%
upvoted 1 times
...
pupsik
10 months ago
Selected Answer: C
C for sure
upvoted 1 times
...
Alabi
10 months, 1 week ago
Selected Answer: C
C for sure
upvoted 1 times
...
nexus2020
10 months, 4 weeks ago
Selected Answer: C
C; the wording is bad. The rule is block, and then set the ACL to allow everything else that is not matching the block rule? B: if the attacker knows what to attach, coming from a legitimate IP, B will not be able to block it, but C can. D is crazy.
upvoted 3 times
...
Snape
11 months ago
Selected Answer: C
Adding a new rule for blocking requests which match the SQL database rule group is more 'operationally efficient' than manually scraping API logs and IP-based blocking.
upvoted 3 times
ShinLi
11 months ago
why not B?
upvoted 1 times
...
...
AMEJack
11 months ago
Selected Answer: C
Answer is C
upvoted 1 times
...
Roontha
11 months ago
Answer: C https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-use-case.html
upvoted 4 times
...
deegadaze1
11 months ago
B- is correct---> AWS WAF Bot Control
upvoted 1 times
...