Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 213 discussion

C --- Read and understand the question. *The company needs to reduce its share of responsibility in managing, updating, and securing servers for its AWS environment* Go with AWS Shield advanced --This is a managed service that includes AWS WAF, custom mitigations, and DDoS insight.

By configuring AWS WAF rules and associating them with the ALB, the company can filter and block malicious traffic before it reaches the application. AWS WAF offers pre-configured rule sets and allows custom rule creation to protect against common vulnerabilities like XSS and SQL injection. Option B does not provide the necessary security and traffic filtering capabilities to protect against application-level attacks. It is more suitable for hosting static content rather than implementing security measures. Option C is focused on DDoS protection rather than application-level attacks like XSS or SQL injection. While AWS Shield Advanced does not address the specific requirements mentioned in the scenario. Option D involves maintaining and securing additional infrastructure, which goes against the requirement of reducing responsibility and relying on minimal operational staff.

AWS WAF is the most suitable for Application Level attacks like Cross Site Scripting and SQL Injection attacks.

Most of all, A and C are both available technically, right? So the point of question is not about technical posibility. Its about "share of the respoinsibility" which is intended to ask of which service provides "Support Plan" - AWS Shield Response Team (SRT)

A for sure

AWS Shield Advanced for DDoS Attacks and not SQL injection which is protected by AWS WAF

AWS WAF with managed rules.

Explanation: Option A: AWS WAF (Web Application Firewall) provides protection against common web exploits by allowing you to create rules that block common attack patterns such as SQL injection and cross-site scripting (XSS). By associating AWS WAF rules with the ALB, you can protect your application from these types of attacks without managing, updating, and securing servers yourself. AWS WAF is a managed service, so it reduces the operational overhead for the company. Option C: AWS Shield Advanced provides DDoS protection, but it doesn't include application-level protection like AWS WAF does.

If you read SQL Injection, Cross-site scripting >>> Always look for: WAF

This is confusing "The company needs to reduce its share of the responsibility in managing, updating, and securing servers for its AWS environment." But could be acheived when using WAF and AWS managed Rules.

A is the answer.

AWS Shield Advanced does not directly protect against XSS (cross-site scripting) or SQL injection attacks. It focuses on defending against Distributed Denial of Service (DDoS) attacks, which aim to overwhelm resources and disrupt availability.

S makes more sense as Shield Advanced (which actually contains WAF) doesn't provide any additional benefits apart from networks protection. WAF will still have to be configured. So just use WAF to fulfil the requirements.

You need to "configure AWS WAF rules and associate them with the ALB" which is A. AWS Shield Advance INTEGRATES with WAF, so you can manage WAF through Shield Advanced, but still you would need to set it up and configure rules, which C does not mention.

AWS Shield is not only DDos and it handle Layer 3 and layer 4 including AWS WAF so C should match.

AWS WAF helps you protect against common web exploits and bots that can affect availability, compromise security, or consume excessive resources. Protect against vulnerabilities and exploits such as SQL injection or Cross site scripting attacks.

To filter traffic and protect against application attacks like cross-site scripting and SQL injection, the company can use AWS Web Application Firewall with managed rules on the Application Load Balancer. This provides security with minimal infrastructure and operations overhead.