Exam AWS Certified Security - Specialty topic 1 question 278 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 278
Topic #: 1

A company has implemented AWS WAF and Amazon CloudFront for an application. The application runs on Amazon EC2 instances that are part of an Auto Scaling group. The Auto Scaling group is behind an Application Load Balancer (ALB).

The AWS WAF web ACL uses an AWS Managed Rules rule group and is associated with the CloudFront distribution. CloudFront receives the request from AWS WAF and then uses the ALB as the distribution's origin.

During a security review, a security engineer discovers that the infrastructure is susceptible to a large, layer 7 DDoS attack.

How can the security engineer improve the security at the edge of the solution to defend against this type of attack?

  • A. Configure the CloudFront distribution to use the Lambda@Edge feature. Create an AWS Lambda function that imposes a rate limit on CloudFront viewer requests. Block the request if the rate limit is exceeded.
  • B. Configure the AWS WAF web ACL so that the web ACL has more capacity units to process all AWS WAF rules faster.
  • C. Configure AWS WAF with a rate-based rule that imposes a rate limit that automatically blocks requests when the rate limit is exceeded.
  • D. Configure the CloudFront distribution to use AWS WAF as its origin instead of the ALB.
Suggested Answer: C
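The mechanism behind option C is a WAFv2 rate-based rule: the web ACL counts requests per source IP over a rolling five-minute window and blocks a source while its count stays above the configured limit. The following is an added example, not code from the exam page or from AWS, showing (1) the Rule object a rate-based rule takes in a web ACL's Rules list, in the shape of the WAFv2 API's RateBasedStatement, and (2) a small per-IP sliding-window simulation run over constructed sample traffic so the effect of the limit can be seen offline. The rule name, limit, metric name and sample IPs are all constructed, and the simulation only approximates WAF's counting (the service counts asynchronously and does not promise exact per-request precision).

```python
"""Added example: a WAFv2 rate-based rule definition plus a per-IP sliding-window
simulation of how such a rule classifies traffic. Not AWS code; values constructed."""
import json
from collections import defaultdict, deque

WINDOW_SECONDS = 300  # AWS WAF rate-based rules count requests per 5-minute window


def rate_based_rule(name: str, limit: int, priority: int = 0) -> dict:
    """Return the Rule object to place in a web ACL's Rules list.

    Shape follows the WAFv2 API (RateBasedStatement aggregated by source IP,
    Block action). Name, limit and metric name are constructed for this example.
    """
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {
            "RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}
        },
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def evaluate(requests, limit: int):
    """Approximate the rule: a per-IP sliding window of WINDOW_SECONDS.

    `requests` is an iterable of (timestamp_seconds, source_ip) in time order.
    Returns a list of (ip, timestamp, action) where action is ALLOW or BLOCK.
    A request is blocked once its source has more than `limit` requests
    inside the window, and allowed again once older requests age out.
    """
    seen = defaultdict(deque)  # ip -> timestamps still inside the window
    decisions = []
    for ts, ip in requests:
        window = seen[ip]
        while window and ts - window[0] >= WINDOW_SECONDS:
            window.popleft()  # expire requests older than the window
        window.append(ts)
        action = "BLOCK" if len(window) > limit else "ALLOW"
        decisions.append((ip, ts, action))
    return decisions


def blocked_ips(decisions):
    """Sorted list of source IPs that received at least one BLOCK decision."""
    return sorted({ip for ip, _, action in decisions if action == "BLOCK"})


# Constructed sample traffic (documentation IP ranges): one client floods the
# application with 120 requests in two minutes; two clients behave normally.
SAMPLE = [(t, "203.0.113.10") for t in range(0, 120)]
SAMPLE += [(t * 30, "198.51.100.7") for t in range(0, 10)]  # 10 requests in 5 minutes
SAMPLE += [(t * 60, "192.0.2.5") for t in range(0, 5)]  # 5 requests in 5 minutes
SAMPLE.sort()

if __name__ == "__main__":
    print(json.dumps(rate_based_rule("rate-limit-per-ip", 100), indent=2))
    decisions = evaluate(SAMPLE, limit=100)
    print("blocked sources:", blocked_ips(decisions))
```

With a limit of 100 the flooding client is blocked from its 101st request onward while the two normal clients are never touched; raising the limit to 200 blocks nobody, which is the trade-off the rule's Limit value encodes. A rate-based rule can also be combined with a scope-down statement so the count applies only to, for example, a login path, but that is beyond what this question asks.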

Comments

1awssec
Highly Voted 3 years, 8 months ago
C. "The AWS WAF API supports security automation such as blacklisting IP addresses that exceed request limits, which can be useful for mitigating HTTP flood attacks." > https://aws.amazon.com/blogs/security/how-to-protect-dynamic-web-applications-against-ddos-attacks-by-using-amazon-cloudfront-and-amazon-route-53/
upvoted 10 times
...
Raphaello
Most Recent 1 year, 4 months ago
Selected Answer: C
Why write code for Lambda@Edge to rate-limit requests when we already have WAF enabled?! Correct answer is C.
upvoted 1 times
...
pk0619
2 years ago
Selected Answer: C
Rate based rules on AWS WAF are super effective!
upvoted 1 times
...
ITGURU51
2 years, 2 months ago
To improve the security at the edge of the solution to defend against a large, layer 7 DDoS attack, the security engineer can configure AWS WAF with a rate-based rule that imposes a rate limit that automatically blocks requests when the rate limit is exceeded. So the correct answer would be option C.
upvoted 2 times
...
boooliyooo
2 years, 5 months ago
Selected Answer: C
Option A, configuring the CloudFront distribution to use the Lambda@Edge feature to impose a rate limit on viewer requests, is a valid solution for DDoS protection, but it may not be the most efficient or effective option in this case. This option requires additional resources and complexity in terms of configuring and managing the Lambda function, and it may not be able to scale to handle a large-scale DDoS attack. Option C, configuring AWS WAF with a rate-based rule that imposes a rate limit, is a more efficient and effective solution as it directly addresses the threat of a layer 7 DDoS attack by limiting the number of requests that can be made to the application. Option D, configuring the CloudFront distribution to use AWS WAF as its origin, is not a valid solution as it does not address the problem of DDoS attack.
upvoted 1 times
...
sapien45
2 years, 10 months ago
Selected Answer: C
Why create a lambda function when WAF rate based rule does the job for you
upvoted 3 times
...
dcasabona
2 years, 11 months ago
Selected Answer: A
For sure option C solves the issue, but I think that a Lambda@Edge rate limit can also be implemented: https://github.com/jkahn117/aws-edge-blocking...
upvoted 2 times
...
seyik
3 years, 2 months ago
C. https://docs.aws.amazon.com/whitepapers/latest/guidelines-for-implementing-aws-waf/ddos-attacks-at-layer-7.html
upvoted 2 times
...
FreshNess
3 years, 3 months ago
Selected Answer: C
c !!!!!!!!!!!!!!!!!!!!!!!
upvoted 2 times
...
AWS_Dude
3 years, 4 months ago
Correct Answer: C. A sounds like it would be correct since the question is asking about improving security at the "edge" and the answer includes "Lambda@Edge", so it's easy to think "oh, this is right", but it's not. I don't think Lambda functions can impose rate limiting on requests by themselves.
upvoted 1 times
...
Radhaghosh
3 years, 5 months ago
C is the answer.
upvoted 1 times
...
hk436
3 years, 8 months ago
C is my answer!
upvoted 1 times
...
kiev
3 years, 8 months ago
C for me is the answer. Use WAF rate based rule to limit the amount of requests from a particular location.
upvoted 2 times
...
fais1985
3 years, 9 months ago
For layer 7 DDoS attacks, it should be either WAF or AWS Shield. We need to reconsider the answers here; B or C looks closer to the right answer.
upvoted 1 times
...
dumma
3 years, 9 months ago
A is right
upvoted 1 times
dumma
3 years, 7 months ago
Sorry it's C
upvoted 1 times
...
...
stamford
3 years, 9 months ago
Is it C?
upvoted 4 times
babaseun
3 years, 8 months ago
I go with C
upvoted 1 times
...
CloudMasterGuru
3 years, 8 months ago
C for rate-limit option. It would then remove the requirement of any lambda@edge to perform rate limiting functionality
upvoted 1 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other