Exam AWS Certified Solutions Architect - Professional topic 1 question 7 discussion

You've been hired to enhance the overall security posture for a very large e-commerce site. They have a well-architected multi-tier application running in a VPC that uses ELBs in front of both the web and the app tier, with static assets served directly from S3. They are using a combination of RDS and DynamoDB for their dynamic data and then archiving nightly into S3 for further processing with EMR. They are concerned because they found questionable log entries and suspect someone is attempting to gain unauthorized access.
Which approach provides a cost-effective, scalable mitigation to this kind of attack?

  • A. Recommend that they lease space at a Direct Connect partner location and establish a 1 Gbps Direct Connect connection to their VPC. They would then establish Internet connectivity into their space, filter the traffic in a hardware Web Application Firewall (WAF), and pass the traffic through the Direct Connect connection into their application running in their VPC.
  • B. Add previously identified hostile source IPs as explicit INBOUND DENY entries in the NACL of the web tier subnet.
  • C. Add a WAF tier by creating a new ELB and an Auto Scaling group of EC2 instances running a host-based WAF. They would redirect Route 53 to resolve to the new WAF tier ELB. The WAF tier would then pass the traffic to the current web tier. The web tier security groups would be updated to only allow traffic from the WAF tier security group.
  • D. Remove all but TLS 1.2 from the web tier ELB and enable Advanced Protocol Filtering. This will enable the ELB itself to perform WAF functionality.
Suggested Answer: C
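The two VPC-level controls the options talk about, written out as an added example in Terraform (this is not part of the exam question or of any poster's comment). It assumes the VPC, the web tier subnet and the ELBs already exist and are passed in as variables; the hostile CIDRs are constructed sample values from the TEST-NET documentation ranges. The security-group pair is the mechanism option C relies on: the web tier's ingress rule references the WAF tier's security group rather than an address range, so the only way to reach the web tier is through a WAF instance. The network ACL rules show what option B amounts to.

```hcl
# Added example, not from the exam question or any poster's comment.
# Assumed to exist: the VPC, the web tier subnet, the ELBs. IDs come in as
# variables; hostile_cidrs is a constructed sample list.

variable "vpc_id"        { type = string }
variable "web_subnet_id" { type = string }

variable "hostile_cidrs" {
  type    = list(string)
  default = ["203.0.113.7/32", "198.51.100.0/24"] # constructed sample values
}

# Option C, first half: the WAF tier is the only thing that faces the Internet.
resource "aws_security_group" "waf_tier" {
  name        = "waf-tier"
  description = "ELB-fronted EC2 instances running the WAF"
  vpc_id      = var.vpc_id

  ingress {
    description = "HTTPS from the Internet via the WAF tier ELB"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Option C, second half: the web tier (or its ELB) admits traffic only from
# members of the WAF tier security group, so the inspected path cannot be
# bypassed by connecting to the web tier directly.
resource "aws_security_group" "web_tier" {
  name        = "web-tier"
  description = "Reachable only from the WAF tier security group"
  vpc_id      = var.vpc_id

  ingress {
    description     = "HTTPS from WAF tier instances only"
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.waf_tier.id]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Option B for comparison: explicit inbound DENY entries on the web tier
# subnet's network ACL. Rules are evaluated in ascending rule-number order and
# the first match wins, so the denies must carry lower numbers than the allow.
resource "aws_network_acl" "web_tier" {
  vpc_id     = var.vpc_id
  subnet_ids = [var.web_subnet_id]
}

resource "aws_network_acl_rule" "deny_hostile" {
  for_each       = { for i, cidr in var.hostile_cidrs : tostring(i) => cidr }
  network_acl_id = aws_network_acl.web_tier.id
  rule_number    = 10 + tonumber(each.key)
  egress         = false
  protocol       = "-1"
  rule_action    = "deny"
  cidr_block     = each.value
}

resource "aws_network_acl_rule" "allow_inbound_https" {
  network_acl_id = aws_network_acl.web_tier.id
  rule_number    = 100
  egress         = false
  protocol       = "tcp"
  rule_action    = "allow"
  cidr_block     = "0.0.0.0/0"
  from_port      = 443
  to_port        = 443
}

# NACLs are stateless: replies leave on ephemeral ports and need their own
# outbound allow, otherwise the subnet stops answering.
resource "aws_network_acl_rule" "allow_outbound_ephemeral" {
  network_acl_id = aws_network_acl.web_tier.id
  rule_number    = 100
  egress         = true
  protocol       = "tcp"
  rule_action    = "allow"
  cidr_block     = "0.0.0.0/0"
  from_port      = 1024
  to_port        = 65535
}
```

Two caveats a practitioner would check before picking B. A network ACL holds 20 rules per direction by default (the quota can be raised, but only to 40), so a block list of individual /32s runs out of room quickly; that is the "not scalable" point several posters make. And because the web tier sits behind an ELB, a NACL on the instances' subnet only ever sees the ELB's private addresses as the source, not the client; the deny entries would have to sit on the subnet the ELB nodes occupy to match the hostile IPs at all.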

Comments

Coffeinerd
3 weeks ago
Selected Answer: C
Weird question to be honest. A - Too expensive and complex. B - Would not really be effective, as it would require identifying and blocking IPs manually, and IPs can change often, but it is cost effective. C - Quite complex, but would effectively work. D - Makes no sense.
upvoted 1 times
JPA210
7 months, 2 weeks ago
Selected Answer: B
To respect the cost-effectiveness requirement I would go with B. C works, but is too complex, and there is another way to implement a WAF in AWS without needing all that complexity.
upvoted 1 times
Greanny
8 months ago
I would go with B; it says "someone" is trying to gain access, meaning we can just block the IP at the NACL level.
upvoted 1 times
rtguru
1 year, 4 months ago
The portion of C that states host-based WAF doesn't make sense, but C seems to be the only option that comes close to a right answer. C would be my choice.
upvoted 1 times
iamRohanKaushik
1 year, 6 months ago
Selected Answer: C
Answer is C.
upvoted 1 times
gameoflove
1 year, 6 months ago
Selected Answer: C
C is the right approach, as a WAF can be used to block the service at Layer 7 from the client IP source. This is my thought.
upvoted 1 times
TigerInTheCloud
1 year, 9 months ago
Selected Answer: C
A is expensive, B is not scalable, and D is wrong. C is too wordy to read but seems not wrong.
upvoted 1 times
emmanuelodenyire
1 year, 11 months ago
Selected Answer: C
Let me go with C. I guess it's the only answer making sense here
upvoted 1 times
Mr_nobody79
2 years, 1 month ago
Selected Answer: C
It's C, but don't take it lightly. There's no such thing as a host-based AWS WAF. It's C because it's talking about a 3rd party WAF.
upvoted 2 times
Ddssssss
2 years, 3 months ago
There are many host-based WAF solutions: Cloudflare, Imperva, Fortinet, etc. So C could be correct. I would not do it myself, as there are better solutions than running EC2 instances with a host-based WAF.
upvoted 2 times
Murtazaarif
2 years, 4 months ago
What about being cost effective??
upvoted 2 times
lulz111
2 years, 7 months ago
This question seems to be wrong. For everyone saying C, there is no such thing as a "host-based WAF". The only option that is feasible is to block using a NACL, but that isn't a very scalable approach, and they don't have a 'web tier'. I suspect the answers are not correctly described and that C needs tweaking to make sense.
upvoted 2 times
Akhil254
2 years, 10 months ago
C Correct
upvoted 2 times
kidd5
2 years, 11 months ago
C is correct, Use WAF.
upvoted 1 times
anandbabu
2 years, 11 months ago
I will go with B.
upvoted 3 times
user0001
2 years, 3 months ago
It is B. It seems no one read everything; they just see WAF and go with it, regardless.
upvoted 3 times
cldy
2 years, 11 months ago
How C? there is no host-based WAF...
upvoted 1 times
cldy
2 years, 11 months ago
or does it refer to a 3rd party waf and not the AWS WAF ...
upvoted 1 times
01037
2 years, 11 months ago
I'll go for C. I guess it's third-party. But only C makes sense.
upvoted 1 times
thai
2 years, 11 months ago
C for sure
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other