Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 119 discussion

If you want to use AWS WAF across accounts, accelerate WAF configuration, automate the protection of new resources, use Firewall Manager with AWS WAF

B Using AWS WAF has several benefits. Additional protection against web attacks using criteria that you specify. You can define criteria using characteristics of web requests such as the following: Presence of SQL code that is likely to be malicious (known as SQL injection). Presence of a script that is likely to be malicious (known as cross-site scripting). AWS Firewall Manager simplifies your administration and maintenance tasks across multiple accounts and resources for a variety of protections. https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html

AWF has Web ACL which has a rule regarding HTTP header, HHTP body or URL string protects from common attack - SQL Injection and cross site scripting.

C&D are out of question as AWS Shield is only for DDoS attack prevention. B is not supported - one single policy cannot be used for multiple regions. That leaves out A.

Centralized control with Firewall Manager means you can create and manage WAF rules once and apply them across multiple accounts and Regions, ensuring consistency and compliance. Firewall Manager automatically applies policies to new and existing resources across accounts, reducing the effort of manually associating web ACLs in each Region and account.

If only a few accounts, A is more straight. but the question mentions "multiple accounts", may be B is better choice.

The keywords here is "across multiple accounts", not "across multiple regions".

AWS Firewall Manager: Centralized Management: Allows you to centrally manage security policies across multiple accounts and regions. WAF Rule Configuration: Enables you to create and manage WAF rules in a single location, simplifying the configuration process. Automatic Deployment: Automatically deploys WAF rules to protected resources, reducing manual effort. Policy-Based Control: Provides granular control over security policies, allowing you to tailor them to specific needs.

I recently purchased the Multiwood Ergonomic Office Chair, and it's a game changer! The comfort and support it provides have transformed my work-from-home experience. Plus, the value for the quality is unbeatable highly recommended for anyone looking to enhance their workspace.

B for sure Centralized management: AWS Firewall Manager allows you to centrally manage AWS WAF rules across multiple accounts and regions. This simplifies the configuration and management process. Consistent security policies: You can enforce consistent security policies across all your API Gateway APIs, ensuring that they are protected from the same threats. Scalability: AWS Firewall Manager can handle a large number of accounts and resources, making it suitable for global companies with many API Gateway APIs.

Ans A - "With AWS WAF, you can create security rules that control bot traffic and block common attack patterns such as SQL injection or cross-site scripting (XSS). Use cases. Filter web traffic." https://aws.amazon.com › waf None of the other options can do it.

AWS WAF helps you to protect your application against common web exploits and bots that can affect availability, compromise security or consume excessive resources. You can create security rules that will control bot traffic and common attacks like SQL injection or Cross-site scripting (XSS)

A is valid, but B achieves the least operational overhead.

WAF deals well with the types of attacks mentioned. XSS and SQL Injection are both app level attacks hence needs a WAF.

B Option A involves setting up AWS WAF in both regions and associating regional web ACLs with an API stage. While this can provide the necessary protection, it requires more manual configuration in each region, potentially leading to more administrative effort, especially if there are updates or changes needed to be made across multiple regions. Therefore, Option B is likely to require the least amount of administrative effort.

Original architecture does not have WAFs. B assumes there are WAFs already in place and why would you want to deploy a Firewall Manager to manage 1 Firewall? it adds unnecessary administrative tasks and costs for a tool that is not needed. You would want that if you were managing 10+ Firewalls not just one. A makes the most sense.

B is the answer