ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty All Questions

View all questions & answers for the AWS Certified Security - Specialty exam
Go to Exam

Exam AWS Certified Security - Specialty topic 1 question 152 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 152
Topic #: 1
[All AWS Certified Security - Specialty Questions]

A company is operating an open-source software platform that is internet facing. The legacy software platform no longer receives security updates. The software platform operates using Amazon Route 53 weighted load balancing to send traffic to two Amazon EC2 instances that connect to an Amazon RDS cluster. A recent report suggests this software platform is vulnerable to SQL injection attacks, with samples of attacks provided. The company's Security Engineer must secure this system against SQL injection attacks within 24 hours. The Security Engineer's solution must involve the least amount of effort and maintain normal operations during implementation.
What should the Security Engineer do to meet these requirements?

  • A. Create an Application Load Balancer with the existing EC2 instances as a target group. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the ALB. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to the ALB. Update security groups on the EC2 instances to prevent direct access from the internet.
  • B. Create an Amazon CloudFront distribution specifying one EC2 instance as an origin. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the distribution. Test to ensure the vulnerability has been mitigated, then redirect the Route 53 records to point to CloudFront.
  • C. Obtain the latest source code for the platform and make the necessary updates. Test the updated code to ensure that the vulnerability has been mitigated, then deploy the patched version of the platform to the EC2 instances.
  • D. Update the security group that is attached to the EC2 instances, removing access from the internet to the TCP port used by the SQL database. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the EC2 instances. Test to ensure the vulnerability has been mitigated, then restore the security group to the original setting.
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by PeppaPig at Aug. 29, 2020, 6:04 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
PeppaPig
Highly Voted 3 years, 9 months ago
A is correct B: wrong. CDN is not needed here plus that attacker can continue the sql injection attack on the EC2 instances just bypassing CloudFront C. Might work, but requires much more efforts D. Wrong because WAF dose not apply to EC2 instances
upvoted 19 times
...
Raphaello
Most Recent 1 year, 4 months ago
Selected Answer: A
A is the correct answer
upvoted 1 times
...
nisam12
1 year, 12 months ago
A is the correct answer but at the end of the day, we have to do C if they want to use the platform.
upvoted 1 times
...
ITGURU51
2 years, 2 months ago
Answer A is the best choice best of the overall network design. AWS recommends using security groups to limit the attack radius. The WAF is needed to prevent SQL injection. Also, it is considered a best practice to balance the http requests coming in from the internet. Therefore A.
upvoted 1 times
...
huyrk102
2 years, 4 months ago
Selected Answer: A
A. Agreed with @Radhaghosh
upvoted 1 times
...
Fyssy
2 years, 6 months ago
Selected Answer: B
ELBs are intended to load balance across EC2 instances in a 'single' region. Whereas DNS load-balancing (Route 53) is intended to help balance traffic 'across' regions. So they are both load balancers.
upvoted 1 times
...
sapien45
2 years, 11 months ago
Selected Answer: A
Wording is weird : sends traffic to two Amazon EC2 instances connected to an Amazon RDS cluster through Amazon Route 53 weighted load balancing
upvoted 1 times
...
Radhaghosh
3 years, 5 months ago
Selected Answer: A
Option A. --> Perfect has everything required B. Create an Amazon CloudFront distribution specifying one EC2 instance as an origin. --> Not a good design C. Obtain the latest source code for the platform --> Not possible, mentioned in the question D. Create an AWS WAF web ACL containing rules that protect the application from this attack, then apply it to the EC2 instances. --> WAF can't be attached directly to EC2
upvoted 4 times
...
szl0144
3 years, 5 months ago
The question showns in my exam
upvoted 2 times
...
kiev
3 years, 7 months ago
A. The key for me is updating security group
upvoted 3 times
...
Kdosec
3 years, 8 months ago
The question really make us confused with the requirement "must involve the least amount of effort and maintain normal operations during implementation." If you select A with add all existing EC2 instances as target group to ALB, it is not sure maintain normal operations. It should move only one EC2 instance for testing first. That is why B answer is followed best practice in implementation but B is not mention about create security group. With me, A is reasonable but it is not 100% true.
upvoted 1 times
...
refuz
3 years, 8 months ago
A - because in B it doesn't update the security group to prevent internet traffic to access the EC2 instance C - it`s possible, but the time frame is short D - WAF works only with ELB and CF
upvoted 2 times
...
Dic
3 years, 8 months ago
A, it doesnt mention the platform is web service or not while CF only serve web
upvoted 1 times
...
kj07
3 years, 9 months ago
WAF applies to ELB and CF, but CF is not required in this scenario. Answer: A
upvoted 1 times
...
Tester3
3 years, 9 months ago
A for sure
upvoted 3 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel