Exam AWS DevOps Engineer Professional topic 1 question 195 discussion

Exam question from Amazon's AWS DevOps Engineer Professional
Question #: 195
Topic #: 1

A company has a web application that users access over the internet. The web application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The EC2 instances are in an Auto Scaling group. The ALB is associated with a security group that allows traffic from the internet. The web application has a local cache on each EC2 instance.

During a recent security incident, requests overloaded the web application and caused an outage for the company's customers. In response to the incident, the company added Amazon CloudFront in front of the web application. All customers now access the web application through CloudFront.

A DevOps engineer must implement a solution that routes all requests through CloudFront. The solution also must give the company the ability to block requests based on the content of the requests, such as header or body information.

Which combination of steps should the DevOps engineer take to meet these requirements? (Choose two.)

  • A. Create an AWS WAF web ACL. Associate the web ACL with the CloudFront distribution. Create rules for each type of traffic that the company wants to block.
  • B. Create new ALB listener rules on the existing listeners. Configure the new rules to allow or reject incoming traffic based on whether the host header matches the CloudFront fully qualified domain name (FQDN).
  • C. Create an AWS PrivateLink endpoint service for the ALB. Configure the endpoint service to allow requests from CloudFront. Update the web application origin in CloudFront to use the newly created endpoint service's DNS name.
  • D. Create a CloudFront origin access identity (OAI) for the web application. Update the web application origin in CloudFront to use the OAI. Update the ALB rules to check for the OAI and return an HTTP 403 error if the OAI header is not present.
  • E. Create an AWS Firewall Manager security policy. Attach the security policy to the CloudFront distribution. Use the security policy to attach AWS WAF rule groups for each type of traffic that the company wants to block.
Suggested Answer: AB
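The following is an added example; it is not part of the exam question, Amazon's material, or any commenter's answer. It builds the AWS WAF v2 rule statements for a CloudFront-scoped web ACL (option A: block on a header value, on a body string, and on body size) and the two ALB listener-rule conditions a DevOps engineer could use for the "only via CloudFront" requirement: the Host-header match from option B, and a shared-secret custom origin header that CloudFront adds to origin requests. It then evaluates the ALB conditions locally against two constructed requests. The FQDN `d111111abcdef8.cloudfront.net`, the header name `X-Origin-Verify` and the secret value are placeholders, not real values.

```python
"""Added example: AWS WAF v2 rules for a CloudFront web ACL plus ALB listener
conditions that gate traffic on 'came through CloudFront', evaluated locally
against constructed requests. Not code from the exam page or from AWS."""
import re
from typing import Dict, List

# Placeholders (assumed, not real): the distribution's domain name and the
# secret CloudFront would inject as a custom origin header.
CLOUDFRONT_FQDN = "d111111abcdef8.cloudfront.net"
ORIGIN_SECRET = "replace-with-a-long-random-secret"


def _vis(name: str) -> Dict:
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": name}


def waf_rules() -> List[Dict]:
    """Rules for wafv2 create_web_acl with Scope='CLOUDFRONT' (us-east-1).
    Each rule blocks on request content: a header, a body string, body size."""
    return [
        {"Name": "BlockBadUserAgent", "Priority": 0, "Action": {"Block": {}},
         "VisibilityConfig": _vis("BlockBadUserAgent"),
         "Statement": {"ByteMatchStatement": {
             "FieldToMatch": {"SingleHeader": {"Name": "user-agent"}},
             "PositionalConstraint": "CONTAINS", "SearchString": b"badbot",
             "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}]}}},
        {"Name": "BlockBodyPattern", "Priority": 1, "Action": {"Block": {}},
         "VisibilityConfig": _vis("BlockBodyPattern"),
         "Statement": {"ByteMatchStatement": {
             # OversizeHandling controls what happens when the body exceeds
             # WAF's inspection limit; MATCH treats an oversized body as a hit.
             "FieldToMatch": {"Body": {"OversizeHandling": "MATCH"}},
             "PositionalConstraint": "CONTAINS", "SearchString": b"<script",
             "TextTransformations": [{"Priority": 0, "Type": "HTML_ENTITY_DECODE"},
                                     {"Priority": 1, "Type": "LOWERCASE"}]}}},
        {"Name": "BlockLargeBody", "Priority": 2, "Action": {"Block": {}},
         "VisibilityConfig": _vis("BlockLargeBody"),
         "Statement": {"SizeConstraintStatement": {
             "FieldToMatch": {"Body": {"OversizeHandling": "MATCH"}},
             "ComparisonOperator": "GT", "Size": 8192,
             "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}}},
    ]


def alb_host_header_condition() -> Dict:
    """Option B: forward only when Host equals the CloudFront FQDN."""
    return {"Field": "host-header",
            "HostHeaderConfig": {"Values": [CLOUDFRONT_FQDN]}}


def alb_origin_secret_condition() -> Dict:
    """Hardened variant: forward only when the custom origin header that
    CloudFront adds (configured on the origin) carries the shared secret."""
    return {"Field": "http-header",
            "HttpHeaderConfig": {"HttpHeaderName": "X-Origin-Verify",
                                 "Values": [ORIGIN_SECRET]}}


def alb_condition_matches(cond: Dict, headers: Dict[str, str]) -> bool:
    """Local model of ALB rule-condition matching: case-insensitive header
    names and values, with ALB's '*' and '?' wildcards. Demonstration only."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if cond["Field"] == "host-header":
        name, values = "host", cond["HostHeaderConfig"]["Values"]
    else:
        name = cond["HttpHeaderConfig"]["HttpHeaderName"].lower()
        values = cond["HttpHeaderConfig"]["Values"]
    actual = hdrs.get(name, "")
    for v in values:
        pattern = re.escape(v).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(pattern, actual, re.IGNORECASE):
            return True
    return False


def forwarded_to_app(cond: Dict, headers: Dict[str, str]) -> bool:
    """With the listener default action set to fixed-response 403, a request
    reaches the target group only when the forward rule's condition matches."""
    return alb_condition_matches(cond, headers)


# Constructed requests: one relayed by CloudFront, one sent straight to the
# ALB's public DNS name by a client that sets Host to the CloudFront FQDN.
VIA_CLOUDFRONT = {"Host": CLOUDFRONT_FQDN, "X-Origin-Verify": ORIGIN_SECRET}
DIRECT_FORGED_HOST = {"Host": CLOUDFRONT_FQDN}

if __name__ == "__main__":
    print("host-header rule, direct request with forged Host:",
          forwarded_to_app(alb_host_header_condition(), DIRECT_FORGED_HOST))
    print("origin-secret rule, direct request with forged Host:",
          forwarded_to_app(alb_origin_secret_condition(), DIRECT_FORGED_HOST))
```

Running the file shows the caveat a practitioner would check: a client that bypasses CloudFront and calls the ALB's public DNS name directly can set Host to the CloudFront FQDN, so the host-header condition forwards it, while the custom-header condition rejects it because only CloudFront adds the secret as a custom origin header. The rule list goes into `wafv2 create_web_acl` with `Scope='CLOUDFRONT'`, and the returned web ACL ARN is set as the distribution's WebACLId. The ALB security group can additionally reference the managed prefix list `com.amazonaws.global.cloudfront.origin-facing` so that only CloudFront's origin-facing addresses reach the ALB at the network layer.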

Comments

YR4591
1 year, 6 months ago
Selected Answer: AB
A and B. https://aws.amazon.com/about-aws/whats-new/2016/01/aws-waf-now-inspects-http-request-body-and-adds-size-constraint-condition/
upvoted 2 times
vn_thanhtung
1 year ago
Agree with AB. E is more complex for this use case.
upvoted 1 times
Dgix
1 year, 6 months ago
AE. The other ones are incorrect.
upvoted 1 times
easytoo
2 years ago
A, B for me baby.
upvoted 1 times
merki
2 years ago
Selected Answer: AE
ChatGPT: The two steps that the DevOps engineer should take to meet the requirements are: A. Create an AWS WAF web ACL. Associate the web ACL with the CloudFront distribution. Create rules for each type of traffic that the company wants to block. E. Create an AWS Firewall Manager security policy. Attach the security policy to the CloudFront distribution. Use the security policy to attach AWS WAF rule groups for each type of traffic that the company wants to block.
upvoted 1 times
stalos
2 years, 2 months ago
Only AE: look at the question: "The solution also must give the company the ability to block requests based on the content of the requests, such as header or body information." We need to block not only by header but also based on body (on demand). To do that we need a security policy in firewall.
upvoted 1 times
YR4591
1 year, 6 months ago
This could be achieved also with WAF: https://aws.amazon.com/about-aws/whats-new/2016/01/aws-waf-now-inspects-http-request-body-and-adds-size-constraint-condition/
upvoted 1 times
joseribas89
2 years, 2 months ago
Selected Answer: AD
Option A is correct because it suggests creating an AWS WAF web ACL and associating it with the CloudFront distribution. AWS WAF is a web application firewall that helps protect web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. By creating a web ACL and associating it with CloudFront, the DevOps engineer can block requests based on the content of the requests, such as header or body information. Option D is correct because it suggests creating a CloudFront origin access identity (OAI) for the web application and updating the web application origin in CloudFront to use the OAI. By doing this, the ALB rules can be updated to check for the OAI and return an HTTP 403 error if the OAI header is not present, which ensures that all requests are routed through CloudFront.
upvoted 1 times
mgonblan
2 years ago
D is not correct, because OAI can only be used with AWS S3: https://docs.aws.amazon.com/es_es/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#private-content-restricting-access-to-s3-oai. So I'm with A and E, because both talk about WAF and a security policy.
upvoted 1 times
CloudFloater
2 years, 2 months ago
Selected Answer: AB
Agree, revising my pick to AB. ALB can do the content-based routing better here.
upvoted 4 times
saeidp
2 years, 2 months ago
Selected Answer: AB
A and B for me
upvoted 4 times
CloudFloater
2 years, 2 months ago
Selected Answer: AE
Both options A and E provide ways to block requests based on the content of the requests
upvoted 4 times
Community vote distribution: A (35%), C (25%), B (20%), Other