Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Professional All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional exam
Go to Exam

Exam AWS Certified Solutions Architect - Professional topic 1 question 733 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Professional
Question #: 733
Topic #: 1
[All AWS Certified Solutions Architect - Professional Questions]

An education company is running a web application used by college students around the world. The application runs in an Amazon Elastic Container Service
(Amazon ECS) cluster in an Auto Scaling group behind an Application Load Balancer (ALB). A system administrator detects a weekly spike in the number of failed login attempts, which overwhelm the application's authentication service. All the failed login attempts originate from about 500 different IP addresses that change each week. A solutions architect must prevent the failed login attempts from overwhelming the authentication service.
Which solution meets these requirements with the MOST operational efficiency?

  • A. Use AWS Firewall Manager to create a security group and security group policy to deny access from the IP addresses
  • B. Create an AWS WAF web ACL with a rate-based rule, and set the rule action to Block. Connect the web ACL to the ALB
  • C. Use AWS Firewall Manager to create a security group and security group policy to allow access only to specific CIDR ranges
  • D. Create an AWS WAF web ACL with an IP set match rule, and set the rule action to Block. Connect the web ACL to the ALB
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by gsw at April 30, 2021, 1:38 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Submit Cancel
Jaypdv
Highly Voted 3 years ago
Going with B. Rate-base rule in the WAF https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-rate-based.html
upvoted 23 times
...
evargasbrz
Most Recent 1 year, 9 months ago
Selected Answer: B
I'll go with B https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-rate-based.html
upvoted 1 times
...
breathingcloud
1 year, 11 months ago
The key here is IP Address changes every week, so that leaves the only suitable answer to B
upvoted 2 times
...
KengL
2 years, 4 months ago
D, coz rated rule only checking 5 minutes which wasn't mentioned in the question.
upvoted 1 times
...
tkanmani76
2 years, 8 months ago
A is right - https://aws.amazon.com/blogs/security/automatically-block-suspicious-traffic-with-aws-network-firewall-and-amazon-guardduty/
upvoted 1 times
gnic
2 years, 1 month ago
which IP you will block? they change every week...
upvoted 1 times
...
...
AMKazi
2 years, 8 months ago
Ans: B - only rate base rule can be used in this situation. https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-rate-based.html
upvoted 1 times
...
cldy
2 years, 9 months ago
B is correct.
upvoted 1 times
...
AzureDP900
2 years, 10 months ago
B is right .. The IP set match statement inspects the IP address of a web request against a set of IP addresses and address ranges. Use this to allow or block web requests based on the IP addresses that the requests originate from. By default, AWS WAF uses the IP address from the web request origin, but you can configure the rule to use an HTTP header like X-Forwarded-For instead. https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-ipset-match.html https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-rate-based.html
upvoted 1 times
...
AzureDP900
2 years, 10 months ago
I will go with B only!
upvoted 1 times
...
acloudguru
2 years, 10 months ago
Selected Answer: B
B,WAF is designed for this kind of DDOS
upvoted 2 times
acloudguru
2 years, 10 months ago
hope i can have this easy question in my exam
upvoted 2 times
...
...
andylogan
2 years, 11 months ago
It's B
upvoted 1 times
...
tgv
2 years, 11 months ago
BBB --- This is something that you can do with WAF and the fact that the IP addresses are changing you cannot set an IP set match rule
upvoted 1 times
...
WhyIronMan
2 years, 11 months ago
I'll go with B
upvoted 3 times
WhyIronMan
2 years, 11 months ago
https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-rate-based.html
upvoted 2 times
blackgamer
2 years, 11 months ago
Yes , it is B
upvoted 1 times
...
...
...
vimgoru24
2 years, 11 months ago
B. You’d have hell of burden to manually blacklisting +500 IPs every week
upvoted 4 times
...
SJain50
2 years, 11 months ago
security can not explicitly deny. So going with B
upvoted 2 times
...
KittuCheeku
2 years, 12 months ago
B is the right answer
upvoted 1 times
...
hk436
3 years ago
B is my answer!!
upvoted 1 times
...
Load full discussion...

Get IT Certification

Unlock free, top-quality video courses on ExamTopics with a simple registration. Elevate your learning journey with our expertly curated content. Register now to access a diverse range of educational resources designed for your success. Start learning today with ExamTopics!

Start Learning for free
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel