Exam AWS Certified Security - Specialty topic 1 question 26 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 26
Topic #: 1

The Security Engineer is managing a web application that processes highly sensitive personal information. The application runs on Amazon EC2. The application has strict compliance requirements, which require that all incoming traffic to the application is protected from common web exploits and that all outgoing traffic from the EC2 instances is restricted to specific whitelisted URLs.
Which architecture should the Security Engineer use to meet these requirements?

  • A. Use AWS Shield to scan inbound traffic for web exploits. Use VPC Flow Logs and AWS Lambda to restrict egress traffic to specific whitelisted URLs.
  • B. Use AWS Shield to scan inbound traffic for web exploits. Use a third-party AWS Marketplace solution to restrict egress traffic to specific whitelisted URLs.
  • C. Use AWS WAF to scan inbound traffic for web exploits. Use VPC Flow Logs and AWS Lambda to restrict egress traffic to specific whitelisted URLs.
  • D. Use AWS WAF to scan inbound traffic for web exploits. Use a third-party AWS Marketplace solution to restrict egress traffic to specific whitelisted URLs.
Suggested Answer: D
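Added example (not part of the exam question or of any comment below): the answer-D architecture modelled in code. Inbound, an AWS WAF web ACL built from AWS managed rule groups for common web exploits; outbound, a domain allowlist of the kind AWS Network Firewall's domain-list rule groups implement, matching the HTTP Host header for plaintext HTTP and the TLS SNI for HTTPS. Network Firewall is used here as the AWS-native stand-in for the "third-party Marketplace solution" in option D, whose configuration is vendor-specific. The two dictionaries follow the shapes of the WAFv2 CreateWebACL and Network Firewall CreateRuleGroup request bodies, but nothing is sent to AWS; host_allowed() is a local model of the documented allowlist matching (explicit name matches exactly, a leading dot matches the apex and all subdomains), not the service itself. Resource names and the sample URLs are placeholders.

```python
"""Answer-D architecture as request bodies plus a local allowlist model.

Added example; not code from the exam, the forum thread or AWS.  Builds a
WAFv2 CreateWebACL body (inbound) and a Network Firewall CreateRuleGroup
body for a domain-list ALLOWLIST (outbound).  Nothing here calls AWS.
"""
import re
from typing import Iterable
from urllib.parse import urlsplit

# Hypothetical resource names, not from the page.
WEB_ACL_NAME = "sensitive-app-web-acl"
EGRESS_RULE_GROUP_NAME = "egress-domain-allowlist"

# A domain-list target is an explicit host (api.partner.example) or a
# wildcard with a leading dot (.example.com) covering the apex and all
# subdomains.  No scheme, port or path may appear in a target.
_TARGET_RE = re.compile(
    r"^\.?(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def _visibility(metric: str) -> dict:
    return {"SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": metric}


def build_web_acl_request(name: str = WEB_ACL_NAME) -> dict:
    """CreateWebACL body: AWS managed rule groups for common web exploits and
    known bad inputs, default ALLOW.  Scope is REGIONAL because the ACL is
    associated with an ALB in front of the instances; WAF does not attach
    to an EC2 instance directly."""
    def managed(priority: int, group: str) -> dict:
        return {
            "Name": group,
            "Priority": priority,
            "Statement": {"ManagedRuleGroupStatement":
                          {"VendorName": "AWS", "Name": group}},
            "OverrideAction": {"None": {}},  # keep the group's own actions
            "VisibilityConfig": _visibility(group),
        }
    return {
        "Name": name,
        "Scope": "REGIONAL",
        "DefaultAction": {"Allow": {}},
        "Rules": [managed(0, "AWSManagedRulesCommonRuleSet"),
                  managed(1, "AWSManagedRulesKnownBadInputsRuleSet")],
        "VisibilityConfig": _visibility(name),
    }


def targets_from_urls(urls: Iterable[str]) -> list[str]:
    """Reduce a 'whitelist of URLs' to the domain targets a domain-list rule
    group can enforce.  Scheme, port and path are dropped: for HTTPS the
    firewall only sees the SNI, so path-level allowlisting needs TLS
    inspection or an explicit proxy instead.  Bare names pass through and
    anything that is not a clean domain target is rejected."""
    targets: set[str] = set()
    for raw in urls:
        raw = raw.strip().lower()
        host = urlsplit(raw).hostname if "://" in raw else raw
        if not host or not _TARGET_RE.match(host):
            raise ValueError(f"not a usable domain target: {raw!r}")
        targets.add(host)
    return sorted(targets)


def build_egress_rule_group_request(urls: Iterable[str],
                                    name: str = EGRESS_RULE_GROUP_NAME) -> dict:
    """CreateRuleGroup body for a stateful domain-list ALLOWLIST.  Matching
    both HTTP_HOST and TLS_SNI covers HTTP and HTTPS; the generated rules
    deny traffic to every domain not listed."""
    return {
        "RuleGroupName": name,
        "Type": "STATEFUL",
        "Capacity": 100,
        "RuleGroup": {"RulesSource": {"RulesSourceList": {
            "Targets": targets_from_urls(urls),
            "TargetTypes": ["HTTP_HOST", "TLS_SNI"],
            "GeneratedRulesType": "ALLOWLIST",
        }}},
    }


def host_allowed(host: str, targets: Iterable[str]) -> bool:
    """Local model of domain-list matching: explicit targets match exactly;
    '.example.com' matches example.com and every subdomain of it."""
    h = host.lower().rstrip(".").split(":")[0]
    for t in targets:
        if t.startswith("."):
            apex = t[1:]
            if h == apex or h.endswith("." + apex):
                return True
        elif h == t:
            return True
    return False


if __name__ == "__main__":
    # Constructed input: allowed URLs from a hypothetical compliance list.
    allow = ["https://api.partner.example/v1/records",
             "http://updates.example.com/", ".cdn.example.net"]
    req = build_egress_rule_group_request(allow)
    targets = req["RuleGroup"]["RulesSource"]["RulesSourceList"]["Targets"]
    for sni in ["api.partner.example", "evil.api.partner.example",
                "assets.cdn.example.net", "exfil.attacker.example"]:
        verdict = "ALLOW" if host_allowed(sni, targets) else "DROP"
        print(f"{sni:28} -> {verdict}")
```

The point a practitioner should take from the allowlist half: the exam says "whitelisted URLs", but what a domain-list rule group (or a typical forward proxy acting on SNI) enforces is the hostname. The path of an HTTPS request is inside the encrypted stream, so `https://api.partner.example/v1/records` becomes the target `api.partner.example`, and an explicit entry does not cover its subdomains unless written with the leading dot.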

Comments

Moon
Highly Voted 3 years, 2 months ago
D is correct. Web Exploits are not DDoS, so AWS Shield is not correct.
upvoted 47 times
cloudprincipal
3 years, 2 months ago
Agreed, D is correct: WAF + a proxy from marketplace
upvoted 15 times
Kamran
Highly Voted 3 years, 2 months ago
Correct answer is D as it's for web exploits.
upvoted 12 times
Raphaello
Most Recent 9 months, 1 week ago
Selected Answer: D
D is correct.
upvoted 1 times
ITGURU51
1 year, 7 months ago
AWS Shield = DDoS protection.
upvoted 3 times
yd_h
1 year, 8 months ago
Selected Answer: D
WAF - Layer 7 protection
Shield - DDoS
VPC Flow Logs - Not real time (https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html): "...After you create a flow log, it can take several minutes to begin collecting and publishing data to the chosen destinations. Flow logs do not capture real-time log streams for your network interfaces"
upvoted 6 times
virtual
9 months, 4 weeks ago
"VPC Flow Logs - Not real time" => Good point
upvoted 2 times
TerrenceC
1 year, 10 months ago
An additional comment: Since the AWS Network Firewall service launched, you no longer need third-party software; AWS Network Firewall supports both unencrypted (HTTP) and encrypted (HTTPS) URL filtering.
upvoted 10 times
Robert0
1 year, 6 months ago
Correct, I think this question is a little bit outdated and it would have AWS Network Firewall as an answer.
upvoted 2 times
roguecloud
1 year, 10 months ago
Selected Answer: D
A. Shield is for DDoS. Flow Logs & Lambda COULD scan, but not act without additional infra.
B. For DDoS (makes it incorrect). Marketplace = could find a solution, but the first part is wrong.
C. WAF part is correct; however, as in (A), Flow Logs & Lambda will not work in isolation.
D. Correct answer.
upvoted 1 times
janvandermerwer
2 years, 1 month ago
Selected Answer: D
Question isn't clear - However, WAF will scan for various common threat patterns. VPC logs + Lambda won't do the job either. So the answer must be D.
upvoted 1 times
sapien45
2 years, 3 months ago
Selected Answer: D
First line of Product description : AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits and bots that may affect availability, compromise security, or consume excessive resources. https://aws.amazon.com/waf/
upvoted 2 times
teo2157
2 years, 7 months ago
Selected Answer: D
Reader comments
upvoted 1 times
ideoignus
2 years, 10 months ago
https://docs.aws.amazon.com/waf/latest/developerguide/ddos-advanced.html Shield Advanced is the only service that can protect EC2 with an Elastic IP.
upvoted 2 times
skipbaylessfor3
3 years, 1 month ago
Ok, D makes sense as everyone here suggests; well, it makes sense somewhat. How does WAF attach to EC2? It can't, and the question doesn't clarify that they're using an ALB.
upvoted 4 times
skipbaylessfor3
3 years, 1 month ago
Well, I guess the only other option is Shield, and it's not like Shield integrates directly with EC2 either, at least not that I know of... So I'm more comfortable with D now.
upvoted 3 times
luis12345
1 year, 11 months ago
WAF does not attach to EC2. It is placed in front of the whole AWS architecture so is the first entry point for every request no matter what the destination is
upvoted 2 times
sanjaym
3 years, 1 month ago
Ans: D 100%
upvoted 1 times
NANDY666
3 years, 1 month ago
D is Correct
upvoted 2 times
cloud_magician
3 years, 1 month ago
D is the correct answer: AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security.
upvoted 2 times
Ayusef
3 years, 1 month ago
It's D, for sure. Wish they all were so straightforward!
upvoted 1 times
kalzht00
3 years, 1 month ago
it's D
upvoted 1 times