Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 217 discussion

Only A and D cover the requirement for high availability. A uses Inspector, which is a vulnerability scanner and does not monitor traffic. So - even that I don't like the complexity of D - this remains the only option

I was confused between A and D, but seems WAF can deliver logs to Firehose https://docs.aws.amazon.com/waf/latest/developerguide/logging-kinesis.html

Compared to A, prioritize AWS Kinesis over third-party auditing applications

D is good option but as the question does not mention about 3rd party auditing app it may not be possible to directly integrate it with Firehose. One may have to use http api to push the logs - as this is not mentioned I will go with Option B.

It's D, makes most sense,

This is such a mal formed question... You see, nowhere in the question we are told about customer's application. However we are told they want ALL their resources highly available. B would be sooo much better if there wasn't that "All resources should be highly available." because, seriously, D is not the best in my opinion. We don't know much what applications they use, what third party auditing application and so on... Anyway, it might be D after all, but oh my...

Correct D.

its a D

ASG in Multiple AZ. WAF and WAF logs with kinesis

"enable logging by selecting the Kinesis Data Firehose as the destination"--- how can ALB write logs directly to Kinesis??? it should be CW logs group any links for help??

Amazon inspector does NOT inspect traffic coming to an Application Load Balancer (ALB)

D is correct answer Inbound requests must be filtered for common vulnerability attacks -> WAF Rejected requests must be sent to a third-party auditing application-> Enable access log and use kinesis stream to send logs to third party All resources should be highly available -> Muti AZ auto scaling group.

Inspector does not filter inbound traffic for attack signatures, this is what WAF is for

B and C do not provide HA. D is similar to A but lacks Inspector -> "Amazon Inspector automatically discovers workloads, such as Amazon EC2 instances, containers, and Lambda functions, and scans them for software vulnerabilities and unintended network exposure."

a-a-a-a-a-a-a-a multi-az for HA

I got with D. The reason to go with D is because other options ABC are wrong. 1. It says use Amazon Inspector to inspect traffic to ALB. This is wrong. Amazon inspector does NOT inspect traffic coming to an Application Load Balancer (ALB). Amazon Inspector is a security assessment service that helps you analyze the security and compliance of your EC2 instances and applications running on them. To inspect traffic coming to an ALB, you can consider using other services such as AWS WAF (Web Application Firewall) or AWS Shield. AWS WAF allows you to define rules to filter and block malicious traffic targeting your ALB. B - Does NOT talk about HA as it is asked in ques C - Does NOT talk about HA as it is asked in ques

Option B and C does NOT talk about HA. Its between A and D ..