Exam AWS Certified Solutions Architect - Professional topic 1 question 733 discussion

An education company is running a web application used by college students around the world. The application runs in an Amazon Elastic Container Service (Amazon ECS) cluster in an Auto Scaling group behind an Application Load Balancer (ALB). A system administrator detects a weekly spike in the number of failed login attempts, which overwhelm the application's authentication service. All the failed login attempts originate from about 500 different IP addresses that change each week. A solutions architect must prevent the failed login attempts from overwhelming the authentication service.
Which solution meets these requirements with the MOST operational efficiency?

  • A. Use AWS Firewall Manager to create a security group and security group policy to deny access from the IP addresses
  • B. Create an AWS WAF web ACL with a rate-based rule, and set the rule action to Block. Connect the web ACL to the ALB
  • C. Use AWS Firewall Manager to create a security group and security group policy to allow access only to specific CIDR ranges
  • D. Create an AWS WAF web ACL with an IP set match rule, and set the rule action to Block. Connect the web ACL to the ALB
Suggested Answer: B
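
Option B written out as a CloudFormation fragment, added here as an illustration and not part of the original question or discussion: a regional web ACL whose rate-based rule blocks any source IP that exceeds a request limit on the login path, associated with the ALB. The `/login` path, the limit of 100, the resource names and the `AlbArn` parameter are assumptions.

```yaml
# Added example. Path, limit, names and the AlbArn parameter are assumed values.
Parameters:
  AlbArn:
    Type: String            # ARN of the existing Application Load Balancer
Resources:
  LoginRateLimitAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: login-rate-limit
      Scope: REGIONAL       # REGIONAL scope is required for an ALB
      DefaultAction:
        Allow: {}           # normal student traffic passes through
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: loginRateLimitAcl
      Rules:
        - Name: block-login-floods
          Priority: 0
          Action:
            Block: {}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: blockLoginFloods
          Statement:
            RateBasedStatement:
              # Requests are counted per source IP over a trailing
              # 5-minute window by default, so no IP list is maintained
              # when the source addresses change each week.
              Limit: 100
              AggregateKeyType: IP
              # Count only requests to the login endpoint (assumed path).
              ScopeDownStatement:
                ByteMatchStatement:
                  SearchString: /login
                  FieldToMatch:
                    UriPath: {}
                  PositionalConstraint: STARTS_WITH
                  TextTransformations:
                    - Priority: 0
                      Type: NONE
  AlbAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref AlbArn
      WebACLArn: !GetAtt LoginRateLimitAcl.Arn
```

The two `MetricName` values give CloudWatch metrics for blocked requests, which is where the weekly spike would show up once the rule is active.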

Comments

Jaypdv
Highly Voted 3 years, 2 months ago
Going with B. Rate-based rule in the WAF https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-rate-based.html
upvoted 23 times
...
evargasbrz
Most Recent 1 year, 11 months ago
Selected Answer: B
I'll go with B https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-rate-based.html
upvoted 1 times
...
breathingcloud
2 years, 1 month ago
The key here is IP Address changes every week, so that leaves the only suitable answer to B
upvoted 2 times
...
KengL
2 years, 6 months ago
D, coz rated rule only checking 5 minutes which wasn't mentioned in the question.
upvoted 1 times
...
tkanmani76
2 years, 10 months ago
A is right - https://aws.amazon.com/blogs/security/automatically-block-suspicious-traffic-with-aws-network-firewall-and-amazon-guardduty/
upvoted 1 times
gnic
2 years, 3 months ago
which IP you will block? they change every week...
upvoted 1 times
...
...
AMKazi
2 years, 10 months ago
Ans: B - only a rate-based rule can be used in this situation. https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-rate-based.html
upvoted 1 times
...
cldy
2 years, 11 months ago
B is correct.
upvoted 1 times
...
AzureDP900
2 years, 12 months ago
B is right .. The IP set match statement inspects the IP address of a web request against a set of IP addresses and address ranges. Use this to allow or block web requests based on the IP addresses that the requests originate from. By default, AWS WAF uses the IP address from the web request origin, but you can configure the rule to use an HTTP header like X-Forwarded-For instead. https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-ipset-match.html https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-rate-based.html
upvoted 1 times
...
AzureDP900
3 years ago
I will go with B only!
upvoted 1 times
...
acloudguru
3 years ago
Selected Answer: B
B, WAF is designed for this kind of DDoS
upvoted 2 times
acloudguru
3 years ago
hope i can have this easy question in my exam
upvoted 2 times
...
...
andylogan
3 years, 1 month ago
It's B
upvoted 1 times
...
tgv
3 years, 1 month ago
BBB --- This is something that you can do with WAF and the fact that the IP addresses are changing you cannot set an IP set match rule
upvoted 1 times
...
WhyIronMan
3 years, 1 month ago
I'll go with B
upvoted 3 times
WhyIronMan
3 years, 1 month ago
https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-rate-based.html
upvoted 2 times
blackgamer
3 years, 1 month ago
Yes, it is B
upvoted 1 times
...
...
...
vimgoru24
3 years, 1 month ago
B. You’d have a hell of a burden manually blacklisting +500 IPs every week
upvoted 4 times
...
SJain50
3 years, 1 month ago
security can not explicitly deny. So going with B
upvoted 2 times
...
KittuCheeku
3 years, 1 month ago
B is the right answer
upvoted 1 times
...
hk436
3 years, 2 months ago
B is my answer!!
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted