ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Professional All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional exam
Go to Exam

Exam AWS Certified Solutions Architect - Professional topic 1 question 796 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Professional
Question #: 796
Topic #: 1
[All AWS Certified Solutions Architect - Professional Questions]

A company uses a load balancer to distribute traffic to Amazon EC2 instances in a single Availability Zone. The company is concerned about security and wants a solutions architect to re-architect the solution to meet the following requirements:
✑ Inbound requests must be filtered for common vulnerability attacks.
✑ Rejected requests must be sent to a third-party auditing application.
✑ All resources should be highly available.
Which solution meets these requirements?

  • A. Configure a Multi-AZ Auto Scaling group using the application's AMI. Create an Application Load Balancer (ALB) and select the previously created Auto Scaling group as the target. Use Amazon Inspector to monitor traffic to the ALB and EC2 instances. Create a web ACL in WAF. Create an AWS WAF using the web ACL and ALB. Use an AWS Lambda function to frequently push the Amazon Inspector report to the third-party auditing application
  • B. Configure an Application Load Balancer (ALB) and add the EC2 instances as targets. Create a web ACL in WAF. Create an AWS WAF using the web ACL and ALB name and enable logging with Amazon CloudWatch Logs. Use an AWS Lambda function to frequently push the logs to the third-party auditing application.
  • C. Configure an Application Load Balancer (ALB) along with a target group adding the EC2 instances as targets. Create an Amazon Kinesis Data Firehose with the destination of the third-party auditing application. Create a web ACL in WAF. Create an AWS WAF using the web ACL and ALB then enable logging by selecting the Kinesis Data Firehose as the destination. Subscribe to AWS Managed Rules in AWS Marketplace, choosing the WAF as the subscriber.
  • D. Configure a Multi-AZ Auto Scaling group using the application's AMI Create an Application Load Balancer (ALB) and select the previously created Auto Scaling group as the target. Create an Amazon Kinesis Data Firehose with a destination of the third-party auditing application. Create a web ACL in WAF. Create an AWS WAF using the web ACL and ALB then enable logging by selecting the Kinesis Data Firehose as the destination. Subscribe to AWS Managed Rules in AWS Marketplace, choosing the WAF as the subscriber.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by techn00b at Dec. 29, 2021, 4:03 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
nsvijay04b1
2 years, 7 months ago
Selected Answer: D
B/C doesn't make sense. Between A & D , the Answer is 'D'. why ? 1. As WAF is front end , it is responsible for threats not ALB or EC2, its too late for threat analysis. 2. Inspector doesn't analyse ALB but EC2, ECR 3. WAF logging integrates with S3, KDF, Cloudwatch where as ALB access logs with S3 (no KDF) 4. WAF marketplace rules help threat detection
upvoted 4 times
...
Vinafec
2 years, 7 months ago
D almost looks good, but doesn't specify whether the third-party application is a supported target for Firehose. Or am I missing something?
upvoted 2 times
...
JohnPi
2 years, 8 months ago
Selected Answer: D
ALB logs go to S3 and WAF logs stream to Firehose
upvoted 1 times
...
dcdcdc3
2 years, 8 months ago
Selected Answer: D
why subscribe to managed WAF rules in marketplace: https://docs.aws.amazon.com/waf/latest/developerguide/marketplace-managed-rule-groups.html
upvoted 1 times
...
Yashar1691
2 years, 8 months ago
Selected Answer: A
A is correct
upvoted 2 times
Byrney
2 years, 7 months ago
Inspector scans EC2 instances, it won't detect if a request was blocked by WAF at the ALB
upvoted 2 times
...
...
gnic
2 years, 9 months ago
Selected Answer: A
It's A, you don't need Firehose here. https://docs.aws.amazon.com/inspector/v1/userguide/inspector_network-reachability.html
upvoted 2 times
...
foureye2004
2 years, 10 months ago
Just wonder why "Subscribe to AWS Managed Rules in AWS Marketplace" in option D
upvoted 1 times
...
hilft
2 years, 10 months ago
Do you need firehose for this task? you don't need anything real-time
upvoted 1 times
...
asfsdfsdf
2 years, 10 months ago
Selected Answer: D
A or D since the requirement here is for HA. Why not A? Amazon inspector is not for analyzing traffic from ALB - better to stream the ALB logging data to splunk and analyze it there.
upvoted 4 times
...
aandc
2 years, 11 months ago
vote D
upvoted 1 times
...
roka_ua
3 years, 2 months ago
Selected Answer: D
Vote D
upvoted 1 times
...
shotty1
3 years, 4 months ago
Selected Answer: D
I think it is D
upvoted 2 times
...
yvinisiupacuando
3 years, 4 months ago
Selected Answer: D
Firstly I doubt between A and B but in fact that is true that Amazon Inspector cannot monitor ALB traffic, it can only monitor EC2 activity so, this fact discards A, I'll go with D
upvoted 3 times
...
tkanmani76
3 years, 4 months ago
D is right - KDF can have 3rd party apps as destination - https://docs.aws.amazon.com/firehose/latest/dev/create-destination.html
upvoted 2 times
tkanmani76
3 years, 4 months ago
Additionally while A looks to be valid considering AWS Inspector can be deployed for scanning vulnerabilities, it supports only EC2. However choice A mentions - " Use Amazon Inspector to monitor traffic to the ALB and EC2 instances" - ALB is not supported by Inspector - hence Option A is invalid. https://aws.amazon.com/inspector/faqs/?nc=sn&loc=6
upvoted 1 times
...
...
pititcu667
3 years, 4 months ago
Selected Answer: A
only a and b mention the third party. between the two i choose a.
upvoted 1 times
peddyua
3 years, 3 months ago
amazon inspector is for inspecting code, not traffic.
upvoted 1 times
...
...
GeniusMikeLiu
3 years, 4 months ago
Selected Answer: D
D, we need detail WAF access logs, so use Kinesis Data Firehose.
upvoted 2 times
...
kubala
3 years, 5 months ago
Selected Answer: C
imho C
upvoted 1 times
yvinisiupacuando
3 years, 4 months ago
No way C is valid, it doesn't meet the "High Availability" Req.
upvoted 1 times
...
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel