Exam AWS Certified Solutions Architect - Professional topic 1 question 474 discussion

A company runs an e-commerce platform with front-end and e-commerce tiers. Both tiers run on LAMP stacks with the front-end instances running behind a load balancing appliance that has a virtual offering on AWS. Currently, the Operations team uses SSH to log in to the instances to maintain patches and address other concerns. The platform has recently been the target of multiple attacks, including:
✑ A DDoS attack.
✑ An SQL injection attack.
✑ Several successful dictionary attacks on SSH accounts on the web servers.
The company wants to improve the security of the e-commerce platform by migrating to AWS. The company's Solutions Architects have decided to use the following approach:
✑ Code review the existing application and fix any SQL injection issues.
✑ Migrate the web application to AWS and leverage the latest AWS Linux AMI to address initial security patching.
✑ Install AWS Systems Manager to manage patching and allow the system administrators to run commands on all instances, as needed.
What additional steps will address all of the identified attack types while providing high availability and minimizing risk?

  • A. Enable SSH access to the Amazon EC2 instances using a security group that limits access to specific IPs. Migrate on-premises MySQL to Amazon RDS Multi- AZ. Install the third-party load balancer from the AWS Marketplace and migrate the existing rules to the load balancer's AWS instances. Enable AWS Shield Standard for DDoS protection.
  • B. Disable SSH access to the Amazon EC2 instances. Migrate on-premises MySQL to Amazon RDS Multi-AZ. Leverage an Elastic Load Balancer to spread the load and enable AWS Shield Advanced for protection. Add an Amazon CloudFront distribution in front of the website. Enable AWS WAF on the distribution to manage the rules.
  • C. Enable SSH access to the Amazon EC2 instances through a bastion host secured by limiting access to specific IP addresses. Migrate on-premises MySQL to a self-managed EC2 instance. Leverage an AWS Elastic Load Balancer to spread the load and enable AWS Shield Standard for DDoS protection. Add an Amazon CloudFront distribution in front of the website.
  • D. Disable SSH access to the EC2 instances. Migrate on-premises MySQL to Amazon RDS Single-AZ. Leverage an AWS Elastic Load Balancer to spread the load. Add an Amazon CloudFront distribution in front of the website. Enable AWS WAF on the distribution to manage the rules.
Suggested Answer: B
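The two checks that separate option B from the others are mechanical and worth automating: is tcp/22 still reachable on any web-tier security group, and is the MySQL database actually a Multi-AZ RDS deployment? The script below is an added example written for this page; it is not part of the question, the exam, or any AWS tool. It reads the JSON shapes that `aws ec2 describe-security-groups` and `aws rds describe-db-instances` return, but the two sample documents embedded in it are constructed (the group IDs, names and CIDRs are made up), and the function names are the example's own.

```python
"""Audit EC2 security groups and RDS instances against the posture that
option B describes: no inbound SSH (tcp/22) on the web tier, and the MySQL
database running as an RDS Multi-AZ deployment.

Input documents use the JSON shape returned by
`aws ec2 describe-security-groups` and `aws rds describe-db-instances`.
The two sample documents below are constructed for this example (group IDs,
names and CIDRs are made up); they are not real account data.
"""
import json
from typing import Dict, List

# Constructed sample: sg-0a1 still exposes SSH to the internet, sg-0b2 is
# hardened (HTTP only, and only from the load balancer's group), sg-0c3 is
# option A's approach (SSH limited to a corporate CIDR), sg-0d4 allows all.
SAMPLE_SECURITY_GROUPS = json.loads(r'''
{"SecurityGroups": [
  {"GroupId": "sg-0a1", "GroupName": "web-legacy",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
     {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-0b2", "GroupName": "web-hardened",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
      "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0alb"}]}]},
  {"GroupId": "sg-0c3", "GroupName": "web-ssh-allowlist",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-0d4", "GroupName": "allow-all",
   "IpPermissions": [
     {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
      "Ipv6Ranges": [], "UserIdGroupPairs": []}]}
]}
''')

# Constructed sample: one Single-AZ instance (option D's weakness), one Multi-AZ.
SAMPLE_DB_INSTANCES = json.loads(r'''
{"DBInstances": [
  {"DBInstanceIdentifier": "ecom-mysql", "Engine": "mysql", "MultiAZ": false},
  {"DBInstanceIdentifier": "ecom-mysql-ha", "Engine": "mysql", "MultiAZ": true}
]}
''')


def rule_allows_port(rule: Dict, port: int) -> bool:
    """True if an IpPermissions entry covers `port` over TCP or all protocols.
    Protocol "-1" (all traffic) carries no FromPort/ToPort, so it always matches."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def rule_sources(rule: Dict) -> List[str]:
    """Every source a rule admits: IPv4 CIDRs, IPv6 CIDRs and referenced groups."""
    sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    sources += [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])]
    return sources


def ssh_exposure(sg_doc: Dict) -> Dict[str, List[str]]:
    """Map each group that admits tcp/22 to the sources allowed to reach it."""
    findings: Dict[str, List[str]] = {}
    for sg in sg_doc["SecurityGroups"]:
        sources: List[str] = []
        for rule in sg.get("IpPermissions", []):
            if rule_allows_port(rule, 22):
                sources.extend(rule_sources(rule))
        if sources:
            findings[sg["GroupId"]] = sources
    return findings


def ssh_open_to_internet(sg_doc: Dict) -> List[str]:
    """Groups where tcp/22 is reachable from any address (the dictionary-attack surface)."""
    return sorted(gid for gid, srcs in ssh_exposure(sg_doc).items()
                  if "0.0.0.0/0" in srcs or "::/0" in srcs)


def hardened_ingress(sg: Dict) -> List[Dict]:
    """The group's ingress with every rule that reaches tcp/22 removed
    (option B: drop SSH entirely and use Systems Manager instead).
    An all-protocol rule is dropped whole, since it cannot be narrowed in place."""
    return [r for r in sg.get("IpPermissions", []) if not rule_allows_port(r, 22)]


def single_az_databases(rds_doc: Dict) -> List[str]:
    """RDS instances without a standby in a second AZ (no failover on AZ loss)."""
    return sorted(db["DBInstanceIdentifier"] for db in rds_doc["DBInstances"]
                  if not db.get("MultiAZ", False))


def audit(sg_doc: Dict, rds_doc: Dict) -> Dict[str, List[str]]:
    """Collect findings; an empty dict means the option-B posture is met."""
    findings: Dict[str, List[str]] = {}
    exposed = ssh_exposure(sg_doc)
    if exposed:
        findings["ssh_reachable"] = [f"{gid} from {', '.join(srcs)}"
                                     for gid, srcs in sorted(exposed.items())]
    internet = ssh_open_to_internet(sg_doc)
    if internet:
        findings["ssh_open_to_internet"] = internet
    single = single_az_databases(rds_doc)
    if single:
        findings["rds_single_az"] = single
    return findings


if __name__ == "__main__":
    for key, items in audit(SAMPLE_SECURITY_GROUPS, SAMPLE_DB_INSTANCES).items():
        print(f"{key}:")
        for item in items:
            print(f"  - {item}")
```

Against real accounts, feed it `aws ec2 describe-security-groups --output json` and `aws rds describe-db-instances --output json` instead of the samples. Note that the allowlisted group (option A's approach) is still reported under `ssh_reachable`: restricting SSH to a CIDR shrinks the attack surface but keeps the password-guessable service listening, which is why B removes port 22 altogether and relies on Systems Manager (interactive access via `aws ssm start-session --target <instance-id>`, which requires the SSM agent and an instance role carrying the AmazonSSMManagedInstanceCore policy).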

Comments

donathon
Highly Voted 3 years, 8 months ago
B. A: Does not need a third-party load balancer. C: SSH should be disabled and commands run from Systems Manager. SQL needs to be more highly available and not on a single EC2 instance. D: DB should be Multi-AZ. DDoS protection needs Shield.
upvoted 21 times
Asds
3 years, 8 months ago
Agree on B. Additionally, and to be more precise: CF gives protection over DDoS through Shield; D only lacks Multi-AZ, hence.
upvoted 4 times
hilft
Most Recent 2 years, 10 months ago
WAF and SHIELD.
upvoted 1 times
aandc
2 years, 11 months ago
Selected Answer: B
AWS Systems Manager -> can disable SSH. D does not mention DDoS.
upvoted 1 times
bfal
3 years, 2 months ago
Still on why B is wrong: "Leverage an Elastic Load Balancer to spread the load"? Load of what? Amazon RDS Multi-AZ, would you put an LB in front of these, if this is doable? Or just use DNS to LB?
upvoted 1 times
bfal
3 years, 2 months ago
How else would you connect to the instance if you disable SSH access? How would you disable SSH access? Correct answer is C. B is wrong, so AWS WAF will be used to "manage" rules on the distribution??? Which rules?
upvoted 1 times
bfal
3 years, 2 months ago
I take it back, you can access through AWS Session Manager, but I still think connecting through the bastion host has mitigated the risk, so C is still correct in my view.
upvoted 1 times
bfal
3 years, 2 months ago
C is correct. Why would you want to disable SSH access? Best practice is to connect through a bastion host, so do that, and whitelist.
upvoted 1 times
Ni_yot
3 years, 3 months ago
B for me. Shield Advanced for DDoS protection and disabling SSH give more protection.
upvoted 1 times
KiraguJohn
3 years, 5 months ago
I will go with B, but how will they maintain the patches if they cannot use SSH to log in to the instances?
upvoted 1 times
AkaAka4
3 years, 5 months ago
With Systems Manager? I think it's mentioned in the question; it's one of the actions that they have already taken.
upvoted 1 times
AzureDP900
3 years, 6 months ago
B is the right answer
upvoted 1 times
DeathFrmAbv
3 years, 7 months ago
This one was way too predictable; only B has both HIGH AVAILABILITY AND ADDITIONAL SECURITY.
upvoted 2 times
WhyIronMan
3 years, 7 months ago
I'll go with B
upvoted 2 times
ss160700
3 years, 7 months ago
You cannot simply disable SSH.
upvoted 1 times
memester
3 years, 7 months ago
Yeah, you can. Just close port 22 and then use Session Manager to connect instead of SSH.
upvoted 4 times
Waiweng
3 years, 7 months ago
It's B
upvoted 3 times
01037
3 years, 7 months ago
B is the correct answer
upvoted 1 times
Kian1
3 years, 7 months ago
going with B
upvoted 2 times
Ebi
3 years, 7 months ago
B. D could be an answer as well; the only issue is Single-AZ.
upvoted 4 times
binhdx
3 years, 7 months ago
B for sure
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other