Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 623 discussion

SQL Injection and Cross-Site Scripting = WAF so Either B or D. Both B and D are valid options but the question doesn't indicate a real need for CloudFront, so just use WAF with the API Gateway. Answer is B.

WAF helps with layer 7 attacks like SQL injection and XSS. Shield is helpful for DDOS attacks.

CloudFront no se elige por su caché ✅ No se elige por mejorar la latencia 🔐 Se elige porque es el único sitio donde puedes aplicar AWS WAF si usas REST API (v1) Entonces: Aunque CloudFront tenga caché y latencia optimizada, eso no es lo relevante aquí. Lo importante es que es el único recurso donde puedes colgar el WAF para proteger tu REST API.

Option B is technically sound and more straightforward if you only want to protect a specific API. Option D is more scalable and operationally efficient, especially if you're building a modern architecture with multiple services and want protection from the edge. The question uses the keyword "MOST operationally efficient," so option D is the best.

https://aws.amazon.com/blogs/compute/amazon-api-gateway-adds-support-for-aws-waf/

WAF is good enough for SQL Injection and Cross Site scripting so A is good A: AWS Shield (basic) is not for SQL injection C: Same as A D: Good solution and will work but it provides extra DDoS protection and caching which is not needed (as we don't know much about the API also)

Question asks for protection against SQL injection and XSS, both is provided by WAF (option B). D would work too, but it would add another layer (CloudFront) with benefits that nobody asked for (and that would cost money), thus it would IMO be less 'operationally efficient'.

D. Set up API Gateway with an Amazon CloudFront distribution. Configure AWS WAF in CloudFront. Option A (Configure AWS Shield) is a DDoS protection service but doesn't specifically address SQL injection and cross-site scripting attacks. Option B (Configure AWS WAF) alone is a valid option, but integrating it with CloudFront (Option D) provides additional benefits like improved performance through caching. Option C (Set up API Gateway with CloudFront and configure AWS Shield in CloudFront) might provide DDoS protection, but for SQL injection and cross-site scripting, AWS WAF is the more appropriate service.

SQL injection and cross-site scripting attacks = AWS WAF

B or D But no need for CloudFront

AWS WAF protect agains : Presence of SQL code that is likely to be malicious (known as SQL injection). Presence of a script that is likely to be malicious (known as cross-site scripting). AWS Shield provides protection against distributed denial of service (DDoS) attacks for AWS resources, at the network and transport layers (layer 3 and 4) and the application layer (layer 7). https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html

Finally, I am here at the end. Thank you guys for your support!

B. Configure AWS WAF.

B is the correct. https://docs.aws.amazon.com/waf/latest/developerguide/classic-web-acl-xss-conditions.html