Exam AWS Certified Security - Specialty topic 1 question 221 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 221
Topic #: 1

A company is designing the security architecture for a global latency-sensitive web application it plans to deploy to AWS. A security engineer needs to configure a highly available and secure two-tier architecture. The security design must include controls to prevent common attacks such as DDoS, cross-site scripting, and SQL injection.
Which solution meets these requirements?

  • A. Create an Application Load Balancer (ALB) that uses public subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create an Amazon CloudFront distribution that uses the ALB as its origin. Create appropriate AWS WAF ACLs and enable them on the CloudFront distribution.
  • B. Create an Application Load Balancer (ALB) that uses private subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create an Amazon CloudFront distribution that uses the ALB as its origin. Create appropriate AWS WAF ACLs and enable them on the CloudFront distribution.
  • C. Create an Application Load Balancer (ALB) that uses public subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create appropriate AWS WAF ACLs and enable them on the ALB.
  • D. Create an Application Load Balancer (ALB) that uses private subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create appropriate AWS WAF ACLs and enable them on the ALB.
Suggested Answer: A
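
Option A's edge layer expressed as a CloudFormation template, as an added example that is not part of the original question or discussion. It assumes an existing internet-facing ALB reachable at the hypothetical `OriginDomainName` parameter and a stack deployed in us-east-1, where CloudFront-scoped web ACLs are created; resource and rule names are constructed.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - AWS WAF on a CloudFront distribution with an ALB origin
Parameters:
  OriginDomainName:  # assumption: name that resolves to the ALB and matches its TLS cert
    Type: String
Resources:
  EdgeWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Scope: CLOUDFRONT  # REGIONAL is the scope for attaching to an ALB (options C/D)
      DefaultAction: {Allow: {}}
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: EdgeWebAcl
      Rules:
        - Name: CommonRules  # AWS managed group; includes cross-site scripting rules
          Priority: 0
          OverrideAction: {None: {}}  # keep the rule group's own actions
          Statement:
            ManagedRuleGroupStatement: {VendorName: AWS, Name: AWSManagedRulesCommonRuleSet}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: CommonRules
        - Name: SqliRules  # AWS managed group for SQL injection patterns
          Priority: 1
          OverrideAction: {None: {}}
          Statement:
            ManagedRuleGroupStatement: {VendorName: AWS, Name: AWSManagedRulesSQLiRuleSet}
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: SqliRules
  Distribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        WebACLId: !GetAtt EdgeWebAcl.Arn  # WAFv2 web ACLs are referenced by ARN
        Origins:
          - Id: alb-origin
            DomainName: !Ref OriginDomainName
            CustomOriginConfig: {OriginProtocolPolicy: https-only}
        DefaultCacheBehavior:
          TargetOriginId: alb-origin
          ViewerProtocolPolicy: redirect-to-https
          CachePolicyId: 4135ea2d-6df8-44a3-9df3-4b5a84be39ad  # managed CachingDisabled policy
```

Options C and D would instead use `Scope: REGIONAL` and an `AWS::WAFv2::WebACLAssociation` whose `ResourceArn` is the ALB.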

Comments

DayQuil
Highly Voted 3 years, 7 months ago
A. Don't confuse this with C, as that is potentially an answer too. A is better because CloudFront adds extra protection as it sits in front of the ALB.
upvoted 19 times
ccieman2016
3 years, 1 month ago
You are sure, but don't forget, letter A is the answer because a service like DDoS is necessary; it's possible with Shield Advanced, and CF is correct there. Another tip in the question is "latency-sensitive"; CF is better there too.
upvoted 4 times
ceros399
3 years, 1 month ago
Good point
upvoted 1 times
...
...
Dmosh
2 years ago
For me it's CloudFront as it mentions "globally".
upvoted 1 times
...
...
cldy
Highly Voted 3 years, 7 months ago
A. - CloudFront for global ...
upvoted 8 times
...
pal40sg
Most Recent 1 year, 11 months ago
Selected Answer: A
If the requirement is to design a highly available and secure two-tier architecture for a global latency-sensitive web application, then option A could indeed be a suitable choice.
upvoted 1 times
...
ITGURU51
2 years ago
The application load balancer should be deployed in the public subnet. CloudFront can help balance the load which makes the solution highly available and more resilient against DDoS attacks. Also, the WAF helps prevent SQL injection, cross-site scripting and other web-related exploits.
upvoted 1 times
ITGURU51
2 years ago
A is the answer.
upvoted 1 times
...
...
robertohyena
2 years, 4 months ago
Selected Answer: A
- CloudFront requires internet ALB
- CloudFront will not work with internal ALB (answer B - private subnet ALB)
upvoted 3 times
...
DmitriIBM
2 years, 6 months ago
A is correct: CloudFront, ALB, and everything else from this point in private networks: EC2s for WebServer, Applications, Data. Ref: https://d1.awsstatic.com/architecture-diagrams/ArchitectureDiagrams/web-application-architecture-on-aws-ra.pdf?did=wp_card&trk=wp_card
upvoted 1 times
...
sapien45
2 years, 8 months ago
Selected Answer: A
A is better than C in terms of latency sensitivity because of CloudFront
upvoted 1 times
...
dcasabona
2 years, 9 months ago
Selected Answer: A
Option A.
upvoted 1 times
...
sapien45
2 years, 9 months ago
Selected Answer: A
latency-sensitive web application + global + reduces the surface attack = AWS CloudFront
upvoted 1 times
...
ceros399
3 years, 1 month ago
Selected Answer: A
Ans = A
upvoted 1 times
...
DingjieDanielYang
3 years, 2 months ago
Aren't A and B identical? I will go with A
upvoted 1 times
Jonfernz
3 years ago
There will be no access to the internet if your resources are only set up in private subnets. You need public subnets configured with NAT gateways to allow outside communications for the private subnets.
upvoted 2 times
...
...
mx677
3 years, 2 months ago
Selected Answer: A
A : ALB must be internet-facing https://aws.amazon.com/cloudfront/getting-started/EC2/
upvoted 2 times
...
Pratham123
3 years, 3 months ago
A. Latency sensitive is key word for CF.
upvoted 1 times
...
Radhaghosh
3 years, 3 months ago
C --> Doesn't protect from DDoS. Answer A (with CloudFront) --> Reduces the attack surface, and the most applicable answer is A
upvoted 1 times
...
leu_alves_sch
3 years, 3 months ago
Selected Answer: B
Answer = B. The question is asking for a two-tier solution. Isn't "A" a three-tier approach?
upvoted 1 times
TigerInTheCloud
3 years ago
It is still two-tier: CF and ALB in the public layer, and ASG in the private tier. Normally three-tier has one more secured private tier for the sensitive data process/storage.
upvoted 1 times
...
...
DahMac
3 years, 6 months ago
ALB has to be public. ASG should be private. Use CF and Origin and WAF. Only A.
upvoted 4 times
...
vedratna
3 years, 7 months ago
A. Apart from Security, Global and latency sensitive are keywords here to use CloudFront
upvoted 2 times
...
Community vote distribution: A (35%), C (25%), B (20%), Other