Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 928 discussion

Several links below prove that option "B" is correct, regardless of the "NLB recreation" drawback. It's time to kick option C out (it was my first guess, I must confess) DDoS prevention, even though useful, is not required by the company. The company is interested SOLELY in prevent "unauthorized access" to the application. In the absence of more specific information, I came to the conclusion that the company detected some "weird ips" trying to access the application. After some investigation, I came to the conclusion that AWS Shield Advanced doesn't provide this feature for ips if they weren't previously involved in a DDoS attack. In an on-premises environment, I would setup a firewall rule with an allow list to accomplish this requirement, which is precisely what option "B" offers.

https://aws.amazon.com/blogs/containers/network-load-balancers-now-support-security-groups/

A - AWS WAF works at Layer 7 (application layer) and is designed for HTTP/HTTPS traffic, so WAF works only with Application Load Balancers (ALB), API Gateway, and CloudFront. C - Works but comes with unnecessary complexity and introduces architectural changes. So A & C are out. I'm actually torn between B and D. If the primary issue is unauthorized IP access and not large-scale DDoS attacks, then B might be the answer, but NLBs do not directly associate with security groups. Security groups are applied to the targets of the NLB (EC2 instances, IP addrs, or ALBs). Also, this is an architectural change. On the other hand, if the primary concern includes DDoS attacks, option D (AWS Shield Advanced) becomes more relevant but this is so much more expensive and may still be overkill for simple IP-based access control. I'm gonna go with D if it shows up in my exam.

Tricky one. About option A > AWS WAF does not support Network Load Balancers (NLBs) directly. NLBs operate at the transport layer (Layer 4), while AWS WAF is designed to work with Application Load Balancers (ALBs) at the application layer (Layer 7).....Given that the requirement is to improve application security for a Network Load Balancer with minimal architectural changes, the most appropriate solution would be Option B

shield is only for DDos attacks protection

The correct answer is D. Use AWS Shield Advanced to provide enhanced DDoS protection and prevent unauthorized access attempts. Explanation: Option D: Correct. AWS Shield Advanced is designed to protect against DDoS attacks, which can be a source of unauthorized access attempts. It provides enhanced protection features for applications behind a Network Load Balancer, offering additional security measures without requiring significant architectural changes. By leveraging AWS Shield Advanced, the company can gain comprehensive DDoS protection tailored for use with their existing NLB setup. Option B: Incorrect. NLBs do not support security groups which are applicable to instances, not to the NLB itself. In addition, recreating the NLB to deal with unauthorized access attempts does not align with the requirement for minimal architectural change.

Use AWS Shield Advanced to provide enhanced DDoS protection and prevent unauthorized access attempts.

Real-time data processing normally use RTP Protocol which uses a range of ports to deliver audio and video streams. It doesn't specifically says HTTPS so i assume, it can't use WAF to control the traffic since it operates in HTTP/HTTPS Level only. Not designed for real-time: HTTP is primarily designed for request-response communication, which involves sending a request and then waiting for a full response, making it less efficient for continuous data streams needed in real-time applications

Why is it not A?

The answer should be D. It makes no sense to pick B for a public app in cases of DDoS, SGs wouldn't help with that. It's like, the closer the questions end, the more trolls left.

I don't think B is correct. if you only allow selected IPs to access then this company cannot host their video streaming service to the public. D should be the correct answer. AWS shield advanced if I rmb correctly prevent unauthorised attempts

Network Load Balancers (NLB) now supports security groups, enabling you to filter the traffic that your NLB accepts and forwards to your application. Using security groups, you can configure rules to help ensure that your NLB only accepts traffic from trusted IP addresses, and centrally enforce access control policies. This improves your application's security posture and simplifies operations

Answer is D

B is correct

Answer is B

https://aws.amazon.com/about-aws/whats-new/2023/08/network-load-balancer-supports-security-groups/