Q15 — AWS DOP-C02 Ch.3

Question 15 of 100

A DevOps engineer uses AWS WAF to manage web ACLs across AWS accounts. The DevOps engineer wants to ensure AWS WAF is enabled for the Application Load Balancer (ALB) serving the application in each account. The DevOps engineer uses an AWS CloudFormation template to deploy a single ALB and AWS WAF as part of each application stack deployment. After deployment, AWS WAF must be automatically added to the ALB. Which solution meets these requirements with the MOST operational efficiency?

Correct Answer: A. Enable AWS Config. Add the managed rule 'alb-waf'. Create an AWS Systems Manager Automation document to associate AWS WAF with the ALB. Edit the rule to enable automatic remediation and select the Systems Manager Automation document as the remediation action.

Explanation

Managing AWS WAF association with ALB requires continuous monitoring and automated remediation. AWS Config supports managed rules to detect compliance status—for example, verifying whether an ALB is associated with a specified Web ACL. When AWS Config detects noncompliance (e.g., ALB missing WAF association), it can trigger automatic remediation using a Systems Manager Automation document to perform the association. This event-driven, native-service approach ensures timeliness and minimizes operational overhead. Option A defines detection via a managed rule and implements correction via automation with automatic remediation—achieving a closed-loop, efficient solution. Other options rely on polling or custom logic, increasing latency and complexity.
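The closed loop described above, written out as an added CloudFormation illustration (this is not code from the exam page): an AWS Config managed rule scoped to Application Load Balancers, a custom Systems Manager Automation document that calls the WAFv2 AssociateWebACL API, and a remediation configuration that runs the document automatically against each noncompliant ALB. Assumed values: the managed rule source identifier `ALB_WAF_ENABLED` (taken here to be the identifier behind the page's 'alb-waf'), the document name, the parameter names, and the Web ACL and IAM role ARNs passed in as stack parameters.

```yaml
# Added example: detect an ALB without a Web ACL (AWS Config) and fix it
# automatically (SSM Automation). Names and ARNs below are assumptions.
AWSTemplateFormatVersion: '2010-09-09'

Parameters:
  WebAclArn:
    Type: String
    Description: ARN of the regional WAFv2 Web ACL the ALB must use (assumed value)
  AutomationRoleArn:
    Type: String
    Description: >-
      IAM role Systems Manager assumes for remediation; it needs
      wafv2:AssociateWebACL plus the ELBv2 permissions that call requires
      (assumed role, created outside this template)

Resources:
  # Detection: managed rule evaluating every ALB in the account/region.
  AlbWafRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: alb-waf-enabled
      Scope:
        ComplianceResourceTypes:
          - AWS::ElasticLoadBalancingV2::LoadBalancer
      Source:
        Owner: AWS
        SourceIdentifier: ALB_WAF_ENABLED   # assumed managed-rule identifier

  # Correction: custom Automation document that performs the association.
  AssociateWafDocument:
    Type: AWS::SSM::Document
    Properties:
      Name: AssociateWebAclWithAlb          # assumed document name
      DocumentType: Automation
      Content:
        schemaVersion: '0.3'
        description: Associate a WAFv2 Web ACL with a noncompliant ALB
        assumeRole: '{{ AutomationAssumeRole }}'
        parameters:
          LoadBalancerArn:
            type: String
          WebAclArn:
            type: String
          AutomationAssumeRole:
            type: String
        mainSteps:
          - name: associateWebAcl
            action: aws:executeAwsApi
            inputs:
              Service: wafv2
              Api: AssociateWebACL
              WebACLArn: '{{ WebAclArn }}'
              ResourceArn: '{{ LoadBalancerArn }}'

  # Wiring: run the document automatically whenever the rule flags an ALB.
  AlbWafRemediation:
    Type: AWS::Config::RemediationConfiguration
    Properties:
      ConfigRuleName: !Ref AlbWafRule
      TargetType: SSM_DOCUMENT
      TargetId: !Ref AssociateWafDocument
      Automatic: true
      MaximumAutomaticAttempts: 3
      RetryAttemptSeconds: 60
      Parameters:
        LoadBalancerArn:
          ResourceValue:
            Value: RESOURCE_ID   # Config passes the noncompliant ALB's ARN
        WebAclArn:
          StaticValue:
            Values:
              - !Ref WebAclArn
        AutomationAssumeRole:
          StaticValue:
            Values:
              - !Ref AutomationRoleArn
```

Two points worth checking when adapting this: `Automatic: true` together with `MaximumAutomaticAttempts` and `RetryAttemptSeconds` is what turns the rule into the closed loop the explanation describes (without `Automatic`, Config only records noncompliance and waits for a manual remediation), and the automation role should be limited to the association call rather than broad WAF or ELB permissions, since Config will invoke it unattended on every noncompliant resource.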